Skip to main content

Concepts

Authorization in MyCreditApp revolves around the organization entity. Each API client you create belongs to a specific organization. By default, every API client has full access to its own organization. Another key concept is connections. Connections allow one organization to interact with another. To collaborate, one organization must invite another organization (or accept an invitation). Once the invitation is accepted and the invited organization creates its own organization entity, a connection between the two organizations is established.
Not all endpoints require authorization - only those that operate on organization-related data.

Scenarios

There are three authorization scenarios when calling the API. These scenarios describe how organizations interact.
  • Guest – your organization accesses resources of another organization that invited you.
  • Host – your organization accesses resources of a connected Guest organization.
  • Self – your organization accesses its own resources.
Any organization api client with sufficient permissions can perform a Self call.
These scenarios define how the Requester-Organization-ID and Target-Organization-ID headers must be set.

Path params

org_id

The org_id path parameter identifies the specific organization whose data is being accessed or manipulated. Its value depends on the endpoint group and the ownership of the resource.

1. General Organization Data

Endpoint groups: In these groups, the resource owner is the organization identified by org_id.
  • Self: org_id is your own ID.
  • Host accessing Guest: org_id is the Guest’s ID.
  • Guest accessing Host: org_id is the Host’s ID.
  • Requirement: org_id must exactly match the Target-Organization-ID header.

2. Host-Owned Resources

Endpoint groups: In these groups, the logic for org_id changes based on who is asking: Scenario A: Host requesting data about their Guest If you are a Host looking at your Guest’s analytics or managing their documents:
  • Requester-Organization-ID: Host ID (Your ID)
  • Target-Organization-ID: Host ID (Your ID, because you own the analytics)
  • org_id (path): Guest ID
  • Logic: You are targeting your own “analytics engine” to get data about a specific guest from your list.
Scenario B: Guest requesting their own data from a Host If you are a Guest looking at the analytics a Host has generated for you:
  • Requester-Organization-ID: Guest ID (Your ID)
  • Target-Organization-ID: Host ID (The organization that invited you)
  • org_id (path): Guest ID (Must match your own ID)
  • Constraint: A Guest can only specify their own ID in the path. You cannot access data about other guests of the same Host.

Headers

Requester-Organization-ID

The organization that makes the request.
  • Always set to your organization ID;
  • The scenario (Guest, Host, or Self) depends on the relationship with the target organization.

Target-Organization-ID

The organization that the request is directed at:
  • Self – same value as Requester-Organization-ID;
  • Host → Guest – Guest organization ID;
  • Guest → Host – Host organization ID.
These headers are mandatory for all endpoints that require authorization. They ensure that requests are correctly routed according to organization relationships and established connections.
Not all endpoints require authorization - only those that operate on organization-related data.

Examples

  1. Host request: get data of a connected Guest organization
    org_id
    uuid
    required
    Guest’s organization ID
    token
    string
    required
    Your API client access token
    requester-organization-id
    uuid
    required
    Your organization ID
    target-organization-id
    uuid
    required
    Guest’s organization ID
        curl --request GET \
      --url https://api.mycreditapp.ai/v1/organizations/{org_id} \
      --header 'Authorization: Bearer <token>' \
      --header 'Requester-Organization-ID: <requester-organization-id>' \
      --header 'Target-Organization-ID: <target-organization-id>'
  2. Self request: upload a financial file of your organization
    org_id
    uuid
    required
    Your organization ID
    token
    string
    required
    Your API client access token
    requester-organization-id
    uuid
    required
    Your organization ID
    target-organization-id
    uuid
    required
    Your organization ID
    currency
    string
    required
    ISO 4217 currency
    file
    file
    required
    Financial File
        curl --request POST \
      --url https://api.mycreditapp.ai/v1/organizations/{org_id}/financial-files \
      --header 'Authorization: Bearer <token>' \
      --header 'Content-Type: multipart/form-data' \
      --header 'Requester-Organization-ID: <requester-organization-id>' \
      --header 'Target-Organization-ID: <target-organization-id>' \
      --form 'currency=<string>' \
      --form file='@example-file'

Errors

During authorization, the following errors may occur:
  • organization_being_deleted – The Requester-Organization-ID or Target-Organization-ID refers to an organization that is currently being deleted. 
        {
      "loc": [],
      "msg": "The organization is in the process of being deleted! The removal process may take up to 24 hours.",
      "type": "request",
      "code": "organization_being_deleted"
    }
  • unsupported_crud_operation – This error occurs when the HTTP method used is not valid for the requested endpoint. It is not a common error but may appear in such cases. 
        {
      "loc": [],
      "msg": "Unsupported CRUD operation!",
      "type": "request",
      "code": "unsupported_crud_operation"
    }
  • access_denied – This indicates that the API client does not have permission to perform the requested action. Possible reasons include:
    • Invalid API client credentials.
    • No active connection exists between the organizations.
    • The API client does not have access to the requested resource or operation. 
      {
  "loc": [],
  "msg": "Access denied!",
  "type": "request",
  "code": "access_denied"
}