DriveWealth authenticates your API requests using your partner specific dw-auth-token and dw-client-app-key. To use any DriveWealth API, you must include these two headers with each request. If you do not include either token when making an API request, or use a token that is incorrect or invalid, you will receive an error response.

When architecting your system please be aware that auth tokens have a 12 hour expiry time, as indicated by the expiresAt response attribute. Partners can request additional API username and passwords if this would create a road block, for example using a serverless framework.

Your app key is static, whereas your auth token will rotate on a scheduled basis. When API access is provided, DriveWealth will include this static dw-app-key, as well as an API username and password that will be used to generate a valid dw-auth-token.

We require that all requests are sent server-to-server. Your app or website should never be directly communicating with the DriveWealth APIs, as your private connection keys may be exposed in transit. All requests are required to be made via an HTTPS connection; requests made over plain HTTP will fail.

Protecting your API tokens

  • Do not store API tokens inside your applications source control: If you store API tokens in property or configuration files, keep these files outside your source control systems. This is especially important if you use a public source code management system such as GitHub. You may want to rely on environment variables or similar runtime injection techniques rather than keeping sensitive keys on disk.
  • Do not embed API keys directly in code: Instead of embedding API keys in your application's code, put them in environment variables or include files that are stored separately from the bulk of your code – outside the source repository of your application.
  • Limit employee access to production API keys: While keys to access our sandbox environment will likely be shared by many developers, access to production keys (when provided) should be limited to only necessary personnel.