Confirma Finance Integrations API

    Authentication

    This page describes how to authenticate to the Confirma Finance Integration Solutions (CFIS) and how to use it safely.

    Transport security (HTTPS and TLS)

    Send all requests over HTTPS only, to the base URL of the environment you are using, as listed on the Environments page.
    Configure your HTTP client to verify TLS server certificates (do not disable certificate verification in production).

    How requests are authenticated

    All requests to the CFIS must include a valid access token in the request header.
    Tokens are issued separately for staging and production environments and are tied to a client account.
    Header format:
    Example Request (cURL):
    curl -X GET "https://integrations.confirmafinance.com/api/v1/partner/invoice/case" \
         -H "X-Api-Key: your-access-token" \
         -H "Accept: application/json"
    Key Points:
    Use HTTPS for all requests to ensure secure transmission.
    Tokens are valid only for the environment in which they were issued. Do not use a staging token in production.
    Include the token in every request to authenticate successfully.
    Invalid or missing tokens will result in 401 Unauthorized responses.
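
    The rules above, applied in a small Python client (an added example, not Confirma's code): each environment's token is sent only to that environment's HTTPS host, and certificate verification stays on. The staging host, the environment-variable names and the function names are assumptions.

```python
import os
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Production host is from the cURL example above. The staging host is a
# placeholder (assumption): take the real one from the Environments page.
BASE_URLS = {
    "production": "https://integrations.confirmafinance.com",
    "staging": "https://staging.example.invalid",
}
# Assumed variable names: one token per environment, never shared.
TOKEN_VARS = {"production": "CFIS_TOKEN_PRODUCTION", "staging": "CFIS_TOKEN_STAGING"}


def tls_context():
    """Default context: verifies the certificate chain and the hostname."""
    return ssl.create_default_context()


def build_request(environment, path, environ=os.environ):
    """Build a GET that carries only the token issued for `environment`."""
    if environment not in BASE_URLS:
        raise ValueError(f"unknown environment: {environment!r}")
    if not path.startswith("/"):
        raise ValueError("path must start with '/' so the host cannot change")
    url = BASE_URLS[environment] + path
    target = urlsplit(url)
    if target.scheme != "https" or target.hostname != urlsplit(BASE_URLS[environment]).hostname:
        raise ValueError("refusing to send a token outside the environment's HTTPS host")
    token = environ.get(TOKEN_VARS[environment], "").strip()
    if not token:
        raise RuntimeError(f"{TOKEN_VARS[environment]} is not set")
    headers = {"X-Api-Key": token, "Accept": "application/json"}
    return urllib.request.Request(url, method="GET", headers=headers)


def send(request):
    """Send with verification on; surface 401 as an invalid or missing token."""
    try:
        with urllib.request.urlopen(request, context=tls_context(), timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        if err.code == 401:
            raise PermissionError("401 Unauthorized: check the token and its environment") from err
        raise
```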

    Obtaining access tokens

    Tokens are created separately for the production and staging environments.
    Start by contacting our Deployment team with a request for access.
    We will produce both staging and production access tokens for you, and submit them to you in a secure PDF document for safe-keeping.
    Important notice!
    Store tokens securely and rotate them periodically to maintain best security practices.

    Authentication flow

    [Figure: Authentication flow]

    API Key Rotation

    Establish and maintain a process for periodically rotating client API keys.
    Regular rotation ensures your team knows where each key is in use and can replace it on short notice if needed.
    Contingency Plan
    It is strongly recommended to document a contingency plan so that if a key is ever exposed or compromised, the client access token can be renewed promptly before any damage occurs.

    Token Expiration

    Individual client access tokens can optionally be configured with an expiration date, after which the token must be renewed to remain functional.
    When a token has expired, the service will return an appropriate status code and message.
    To renew an expired token, use the master key in combination with the current access token.

    Partner Provisioning Token

    Administrative access to the Partner API Service is restricted exclusively to Confirma Software partners.
    Authorized partners are issued a Partner Provisioning Token, which grants elevated privileges for onboarding new clients to the service.
    Obtaining the token
    To obtain a Partner Provisioning Token, please contact Deployment Services, and the token will be submitted to you.