# Authentication

## OAuth2

We follow the standard **Authorization Code** grant flow from OAuth2 to authenticate a TPP acting on behalf of a PSU. As an example, in production our URLs are:

- Authorization URL: https://client.memo.bank/authorize
- Token URL: https://api.memo.bank/nextgenpsd2/oauth2/token
- Refresh URL: https://api.memo.bank/nextgenpsd2/oauth2/token

We strongly recommend that you send your requests to these endpoints using `application/json` or `application/x-www-form-urlencoded` as the content type, since query parameters are considered unsafe for carrying credentials.

The `access_token` has a TTL of **2 hours** and the `refresh_token` has a TTL of **2 weeks**.

## HTTP Signature

Requests must be signed by TPPs using the private key associated with the certificate provided during the onboarding process. We follow [draft-cavage-http-signatures-12](https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures-12) to authenticate a TPP.

Here is an exhaustive list of the headers that must be signed:

- `(request-target)` (mandatory)
- `authorization` (mandatory)
- `date` (mandatory)
- `digest` (only if the request has a body)
- `host` (mandatory)
- `psu-corporate-id` (only if included in the request)
- `psu-id` (only if included in the request)
- `tpp-redirect-uri` (only if included in the request)
- `x-request-id` (only if included in the request)
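The following is an added example (not Memo Bank's own code) of how a client builds the draft-cavage signing string, the `Digest` header and the `Signature` header for the header list above, together with the matching server-side check. It assumes `hmac-sha256` with a shared secret as a stand-in for `rsa-sha256` with the TPP's private key, so that it runs offline with the standard library; the key id, secret, request path and header values are constructed placeholders.

```python
"""Added example: draft-cavage-http-signatures-12 signing and verification for
the header list on this page. Not Memo Bank's code. Assumption: hmac-sha256 with
a shared secret replaces rsa-sha256 with the TPP's private key so the example
runs with the standard library only; all request values are constructed."""
import base64
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Header list from the page: always signed, and signed only when present.
MANDATORY = ["(request-target)", "authorization", "date", "host"]
CONDITIONAL = ["digest", "psu-corporate-id", "psu-id", "tpp-redirect-uri", "x-request-id"]


def digest_header(body: bytes) -> str:
    """Digest header value (RFC 3230 with SHA-256): 'SHA-256=<base64 digest>'."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def signing_string(method: str, url: str, headers: dict, signed: list) -> str:
    """Canonical string per draft-cavage: one '<lowercase name>: <value>' line per
    signed header, joined by '\\n'. '(request-target)' is the lowercase method,
    a space, then the path plus query. Raises KeyError if a listed header is absent."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    lines = []
    for name in signed:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {target}")
        else:
            lines.append(f"{name}: {lower[name]}")
    return "\n".join(lines)


def sign_request(method: str, url: str, headers: dict, body: bytes, key_id: str, secret: bytes) -> dict:
    """Client side: add Host and Digest as needed, pick the headers to sign from the
    page's list, and attach a Signature header. The caller must already have set
    Authorization (the OAuth2 bearer token) and Date; a missing one raises KeyError
    because both are mandatory to sign."""
    out = dict(headers)
    out.setdefault("Host", urlsplit(url).netloc)
    if body:
        out["Digest"] = digest_header(body)
    present = {k.lower() for k in out}
    signed = MANDATORY + [h for h in CONDITIONAL if h in present]
    mac = hmac.new(secret, signing_string(method, url, out, signed).encode(), hashlib.sha256).digest()
    out["Signature"] = (
        f'keyId="{key_id}",algorithm="hmac-sha256",'
        f'headers="{" ".join(signed)}",signature="{base64.b64encode(mac).decode()}"'
    )
    return out


def parse_signature(value: str) -> dict:
    """Split 'k="v",k2="v2"' into a dict (the values here contain no embedded quotes)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', value))


def verify_request(method: str, url: str, headers: dict, body: bytes, secret: bytes) -> bool:
    """Server side: reject if any mandatory header is not covered by the signature,
    if the body hash does not match the signed Digest, or if the MAC does not verify.
    All comparisons of secrets or hashes are constant-time."""
    lower = {k.lower(): v for k, v in headers.items()}
    sig = parse_signature(lower.get("signature", ""))
    if sig.get("algorithm") != "hmac-sha256":
        return False
    signed = sig.get("headers", "").split(" ")
    if any(m not in signed for m in MANDATORY):
        return False
    if body and ("digest" not in signed
                 or not hmac.compare_digest(lower.get("digest", ""), digest_header(body))):
        return False
    try:
        expected = hmac.new(secret, signing_string(method, url, headers, signed).encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, base64.b64decode(sig.get("signature", "")))
    except (KeyError, ValueError):
        return False


if __name__ == "__main__":
    # Constructed demo values; the path and token are placeholders, not real endpoints.
    demo = sign_request(
        "POST", "https://api.memo.bank/nextgenpsd2/example-path?x=1",
        {"Authorization": "Bearer demo-token", "Date": "Tue, 07 Jun 2022 20:51:35 GMT",
         "X-Request-ID": "demo-1"},
        b'{"example": true}', "kid-placeholder", b"constructed-demo-secret")
    print(demo["Signature"])
```

Two points worth noting from the server-side check: the verifier must insist that every mandatory header appears in the `headers` parameter (otherwise a signature that covers only `date` would pass), and the `Digest` header only protects the body if the verifier recomputes the hash over the bytes it actually received rather than trusting the value sent.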