Skip to main content

Concepts

Authorization in MyCreditApp revolves around the organization entity. Each API client you create belongs to a specific organization. By default, every API client has full access to its own organization. Another key concept is connections. Connections allow one organization to interact with another. To collaborate, one organization must invite another organization (or accept an invitation). Once the invitation is accepted and the invited organization creates its own organization entity, a connection between the two organizations is established.
Not all endpoints require authorization - only those that operate on organization-related data.

Scenarios

There are three authorization scenarios when calling the API. These scenarios describe how organizations interact.
  • Guest – your organization accesses resources of another organization that invited you.
  • Host – your organization accesses resources of a connected Guest organization.
  • Self – your organization accesses its own resources.
Any organization api client with sufficient permissions can perform a Self call.
These scenarios define how the Requester-Organization-ID and Target-Organization-ID headers must be set.

Headers

Requester-Organization-ID

The organization that makes the request.
  • Always set to your organization ID;
  • The scenario (Guest, Host, or Self) depends on the relationship with the target organization.

Target-Organization-ID

The organization that the request is directed at:
  • Self – same value as Requester-Organization-ID;
  • Host → Guest – Guest organization ID;
  • Guest → Host – Host organization ID.
These headers are mandatory for all endpoints that require authorization. They ensure that requests are correctly routed according to organization relationships and established connections.
Not all endpoints require authorization - only those that operate on organization-related data.

Examples

  1. Host request: get data of a connected Guest organization
    org_id
    uuid
    required
    Guest’s organization ID
    token
    string
    required
    Your API client access token
    requester-organization-id
    uuid
    required
    Your organization ID
    target-organization-id
    uuid
    required
    Guest’s organization ID
        curl --request GET \
      --url https://api.mycreditapp.ai/v1/organizations/{org_id} \
      --header 'Authorization: Bearer <token>' \
      --header 'Requester-Organization-ID: <requester-organization-id>' \
      --header 'Target-Organization-ID: <target-organization-id>'
  2. Self request: upload a financial file of your organization
    org_id
    uuid
    required
    Your organization ID
    token
    string
    required
    Your API client access token
    requester-organization-id
    uuid
    required
    Your organization ID
    target-organization-id
    uuid
    required
    Your organization ID
    currency
    string
    required
    ISO 4217 currency
    file
    file
    required
    Financial File
        curl --request POST \
      --url https://api.mycreditapp.ai/v1/organizations/{org_id}/financial-files \
      --header 'Authorization: Bearer <token>' \
      --header 'Content-Type: multipart/form-data' \
      --header 'Requester-Organization-ID: <requester-organization-id>' \
      --header 'Target-Organization-ID: <target-organization-id>' \
      --form 'currency=<string>' \
      --form file='@example-file'

Errors

During authorization, the following errors may occur:
  • organization_being_deleted – The Requester-Organization-ID or Target-Organization-ID refers to an organization that is currently being deleted. 
        {
      "loc": [],
      "msg": "The organization is in the process of being deleted! The removal process may take up to 24 hours.",
      "type": "request",
      "code": "organization_being_deleted"
    }
  • unsupported_crud_operation – This error occurs when the HTTP method used is not valid for the requested endpoint. It is not a common error but may appear in such cases. 
        {
      "loc": [],
      "msg": "Unsupported CRUD operation!",
      "type": "request",
      "code": "unsupported_crud_operation"
    }
  • access_denied – This indicates that the API client does not have permission to perform the requested action. Possible reasons include:
    • Invalid API client credentials.
    • No active connection exists between the organizations.
    • The API client does not have access to the requested resource or operation. 
      {
  "loc": [],
  "msg": "Access denied!",
  "type": "request",
  "code": "access_denied"
}