FinCode provides two complementary security mechanisms for integration:
  1. Encryption Keys - Public/private key pairs for encrypting sensitive data in API payloads
  2. API Tokens - Long-lived authentication tokens for server-to-server communication
Both are managed from your dashboard and available immediately upon onboarding.

Encryption Keys

Overview

When integrating with FinCode, you may need to send sensitive information such as passwords, PINs, or other secrets. To protect this data during transmission, we provide RSA public key encryption.
Your public and private key pair is automatically generated when your organization is onboarded and is always available on the settings area of your dashboard.

How It Works

Key Management

Access Keys

Your encryption keys are available on your dashboard under Settings → API Connections → Encryption Keys.

Key Rotation

You can rotate your key pair at any time from the dashboard. After rotation, the previous keys are immediately invalidated.

When to Use Encryption

Encrypt any sensitive fields before including them in your API request payload:
| Field Type | Examples | Encryption Required |
|---|---|---|
| Passwords | currentPassword, newPassword | ✅ Yes |
| PINs | transactionPin, userPin | ✅ Yes |
| Security Answers | securityAnswer | ✅ Yes |
| Regular Data | email, firstName, amount | ❌ No |

Implementation

The encryption uses RSA with OAEP padding (SHA-256). Here’s a quick reference:
  1. Obtain your RSA public key from the dashboard (Base64 encoded)
  2. Decode the Base64 key into an RSA PublicKey object
  3. Initialize the cipher with RSA/ECB/OAEPWithSHA-256AndMGF1Padding
  4. Encrypt the plaintext and Base64-encode the result
  5. Send the encrypted value in your API request
```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import javax.crypto.Cipher;

// Encrypts one sensitive field value with the dashboard public key (Base64 of the
// X.509/SPKI DER encoding) and returns Base64 ciphertext for the request payload.
public static String encryptPayload(String payload, String publicKeyBase64) {
    try {
        byte[] keyBytes = Base64.getDecoder().decode(publicKeyBase64);
        X509EncodedKeySpec keySpec = new X509EncodedKeySpec(keyBytes);
        PublicKey publicKey = KeyFactory.getInstance("RSA").generatePublic(keySpec);

        // OAEP with SHA-256. Note that the default SunJCE provider uses SHA-1 inside
        // MGF1 for this transformation unless an OAEPParameterSpec is passed to init().
        Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        cipher.init(Cipher.ENCRYPT_MODE, publicKey);

        // OAEP limits the plaintext to (key bytes - 2*32 - 2): 190 bytes for a 2048-bit key.
        byte[] encryptedBytes = cipher.doFinal(payload.getBytes(StandardCharsets.UTF_8));

        return Base64.getEncoder().encodeToString(encryptedBytes);
    } catch (Exception e) {
        throw new IllegalStateException("RSA encryption failed", e);
    }
}
```
You can see the payload encryption guide here or download it below.

Download Full Encryption Guide

Download our comprehensive encryption guide with detailed code samples and best practices.
Important Security Notes:
  • Never share your private key—only use the public key for encryption
  • Ensure payload size does not exceed RSA key limits
  • Only encrypt sensitive fields, not entire request bodies

API Tokens

Overview

For server-to-server integrations, FinCode provides long-lived API tokens that allow you to authenticate without going through the login flow. These tokens are generated from your dashboard and can be used directly in API requests.
API tokens are different from the JWT access tokens received from the login endpoint. They provide a simpler authentication method for backend services.

Token vs JWT Authentication

| Feature | API Token | JWT (Login) |
|---|---|---|
| Obtained from | Dashboard | Login endpoint |
| Expiry options | 24 hours, 1 month, 3 months, 6 months, 1 year | 1 hour (with refresh) |
| Use case | Server-to-server, scheduled jobs, integrations | User sessions, real-time apps |
| Rotation | Manual from dashboard | Automatic via refresh token |
| Multiple tokens | ✅ Yes (different services) | ❌ No |

Token Management

  1. Create a Token – Navigate to Settings → API Connections → API Tokens on your dashboard. Click Create New Token and select your desired expiry period.
  2. Set Expiry – Choose from the available expiry options:
     • 24 Hours – For temporary or testing purposes
     • 1 Month – Short-term integrations
     • 3 Months – Standard integrations
     • 6 Months – Extended integrations
     • 1 Year – Long-term production services
  3. Cashier Email & Password – Enter the cashier email and password; these are required to generate any token.
  4. Copy and Store – Copy the generated token immediately. For security, the full token is only shown once.
  5. Use in Requests – Include the token in the X-Auth-Token header of your API requests.

Token Operations

Create

Create multiple tokens for different services or environments (dev, staging, production).

Rotate

Generate a new token to replace an existing one without service interruption.

Invalidate

Immediately revoke or delete a token if compromised or no longer needed.

Using API Tokens

Include your API token in the X-Auth-Token header:
```bash
curl -X GET "https://{domain}.fincode.software/api/v6/services/your-endpoint" \
  -H "Content-Type: application/json" \
  -H "X-Auth-Token: your-api-token-here" \
  -H "platform: fincode" \
  -H "uuid: 200"
```

Best Practices

Never hardcode API tokens in your source code. Store them in environment variables or a secrets manager.
```javascript
// ✅ Good
const token = process.env.FINCODE_API_TOKEN;

// ❌ Bad
const token = "fc_live_abc123...";
```
Create separate tokens for each service or environment. This limits the blast radius if a token is compromised.
  • FINCODE_TOKEN_PROD – Production services
  • FINCODE_TOKEN_STAGING – Staging environment
  • FINCODE_TOKEN_CRON – Scheduled jobs
Regularly review which tokens are active and when they were last used. Revoke unused or dormant tokens.
Set reminders before tokens expire. Implement graceful rotation to avoid service interruptions.
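An added example in Node.js, not FinCode's own code, that puts these practices together for the curl call above: the token comes from the environment, a replacement token takes over at a planned cutover time so rotation causes no interruption, and a reminder check reports the days left before expiry. FINCODE_API_TOKEN is from this page; FINCODE_API_TOKEN_NEXT, FINCODE_ROTATE_AT and FINCODE_TOKEN_EXPIRES_AT are this example's own assumed names, and demoEnv is a constructed stand-in for process.env.

```javascript
// Added example, not FinCode's own code: build the request from the curl sample
// with the token read from the environment, and switch to a replacement token at
// a planned cutover so rotation causes no interruption. Only FINCODE_API_TOKEN
// comes from the page; the other variable names are this example's convention.
function fincodeRequestOptions({ env, domain, path, now = new Date() }) {
  const current = env.FINCODE_API_TOKEN;
  if (!current) throw new Error("FINCODE_API_TOKEN is not set");
  // Rotation: create the new token in the dashboard, deploy it as
  // FINCODE_API_TOKEN_NEXT with a cutover time, then revoke the old one afterwards.
  let token = current;
  if (env.FINCODE_API_TOKEN_NEXT && env.FINCODE_ROTATE_AT &&
      now >= new Date(env.FINCODE_ROTATE_AT)) {
    token = env.FINCODE_API_TOKEN_NEXT;
  }
  return {
    url: `https://${domain}.fincode.software/api/v6/services/${path}`,
    headers: {
      "Content-Type": "application/json",
      "X-Auth-Token": token,
      platform: "fincode",
      uuid: "200",
    },
  };
}

// "Set reminders before tokens expire": whole days left, negative once expired.
// Assumes the expiry date was recorded as FINCODE_TOKEN_EXPIRES_AT at creation.
function daysUntilTokenExpiry(env, now = new Date()) {
  if (!env.FINCODE_TOKEN_EXPIRES_AT) throw new Error("FINCODE_TOKEN_EXPIRES_AT is not set");
  const ms = new Date(env.FINCODE_TOKEN_EXPIRES_AT).getTime() - now.getTime();
  return Math.floor(ms / 86_400_000);
}

// Constructed environment standing in for process.env; real tokens live only there.
const demoEnv = {
  FINCODE_API_TOKEN: "EXAMPLE_CURRENT_TOKEN",
  FINCODE_API_TOKEN_NEXT: "EXAMPLE_NEXT_TOKEN",
  FINCODE_ROTATE_AT: "2030-01-01T00:00:00Z",
  FINCODE_TOKEN_EXPIRES_AT: "2030-01-15T00:00:00Z",
};
```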

Summary

| Feature | Encryption Keys | API Tokens |
|---|---|---|
| Purpose | Protect sensitive payload data | Authenticate API requests |
| Location | Dashboard → API Connections → Encryption Keys | Dashboard → API Connections → API Tokens |
| Rotation | Available anytime | Available anytime |
| When to use | Sending passwords, PINs, secrets | Server-to-server calls, webhooks, etc. |
