HomeGuidesAPI ReferenceChangelogDiscussions
GuidesAPI ReferenceDiscussions

Blend's API Authentication and Authorization Details


Blend's API follows the Auth+Access Token Exchange model over TLS to ensure the security of our APIs and our customer’s data.

External Requests to Blend's API Gateway

For incoming external requests, Blend supports API Secret Key Authentication over TLS. An IP Whitelist, Target Instance Header and Rate Limiting all provide additional levels of security.

API Secret Key Generation

The API Secret Keys are generated by base64 encoding 80 characters that are generated by a cryptographically secure randomness generator.

API Secret Keys are meant to be treated as a shared secret and stored in a secure secrets store once received. An exchange of TLS certificates often requires handing off the cert information through many people in order to get them into the appropriate secret store on both sides.

However, in the case of Blend's API Secret Keys, no one at Blend ever sees the API Secret Key that is generated for a customer -- the secure email that delivers the token is programmatically triggered and requires a second factor of authentication to access the Secret Key once the email is received.

Validating the API Secret Keys

Access via API Secret Keys is also restricted to an IP whitelist provided by the customer and every API call to Blend’s system must include the blend-target-instance header.

Even if a token is recognized by Blend, it will only be authorized if the target instance header matches a tenant that token has access to, and the request originates from an IP on the whitelist.

Additionally, Blend’s API significantly restricts the access of non-authenticated users via low rate limiting levels, which further reduces the ability to brute force discover a valid Secret Key, and increases Blend’s ability to identify and respond to an attack of that nature.

TLS Connection

Finally, Blend’s API is secured with an SSL certificate and can only be accessed over HTTPS.

This SSL certificate both ensures the identity of Blend’s API to the system calling our APIs, and offers the additional security of a private connection and ability to encrypt all data -- including the API Secret Key and Target Instance Header -- while it’s on the wire.

Requests within Blend's API Gateway

At the API Gateway, External API Secret Keys are exchanged for short-lived, JWT tokens scopes for that specific request. These JWT tokens are used over TLS to communicate between all services within Blend's architecture.