User Management

Second Use Case - Ongoing Access

Create A User

To create a new user you need to take some preliminary authentication steps first. The /user endpoint wants to see an client-credentials token with the scope of user:create.

Obtaining A Token

To get your new client-credentials token we will need to POST /oidc/token to our identity endpoint:

The token endpoint is very versatile and offers lots of functionality, information on this can be found here: token

For your purposes you want to send this information:

client_assertion=<JWT Explained Below>

If you are following along with the guide you should have your token_endpoint_auth_method set to private_key_jwt and so this next part will apply. If you haven't chosen this method then you will need to explore our authentication docs found here: Authentication

For client_assertion above you will need to generate a JWT signed by your private JWKS. As mentioned in creating a client guide, your JWT library should allow all this functionality. Your JWT needs to have these properties:

  "iss": "your client id",
  "sub": "your client id",
  "jti": "A unique identifier for the token, which can be used to prevent reuse",
  "aud": "our token endpoint, i.e.(",
  "iat": "the time at which the token was issued",
  "exp": "the time at which the token will expire"

You may find that your JWT library handles values like jti, iat, exp for you automatically.

Put this all together and you have this request:

curl --location --request POST '' \
--header 'Content-T: application/x-www-form-urlencoded' \
--form 'scope="user:create"' \
--form 'grant_type="client_credentials"' \
--form 'client_assertion_type="urn:ietf:params:oauth:client-assertion-type:jwt-bearer"' \
--form 'client_assertion="eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ5b3VyIGNsaWVudCBpZCIsInN1YiI6InlvdXIgY2xpZW50IGlkIiwianRpIjoiaGVsbG8gd29ybGQiLCJhdWQiOiJodHRwczovL2lkZW50aXR5Lm1vbmV5aHViLmNvLnVrL29pZGMvdG9rZW4iLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTUxNjIzOTA1Mn0.TGKAnFafnSoiCCP5Wt_ZSAU0I3d7c9nplqPR-iECrbcj67pytz902H_NyM1KwpGTl0GoKhm43jMBfE-GgjcMTWqdNuOGL84EnE0iuZpn_qtucuw3wBzhPo0dXjA-F6HWjcqcfe__sca7SwxihLRQsyfv_Vz-zyULWXorruT5rCTKsp03Y5eR_f0rVet5AIxovc-N1jtXrNTC3MbzGpTUY8WZgO0e7rwSP3Trs4aT557k07XzAPPiZX58gXIIppwp7ambwpZ70J7lk53LXOwqLAHlX0L-tiRVYOovYeGC_fDoIsiJWmh59eUMulQxMxLh-gRgKl9J-sufCDouii29Jw"'

Once successful, you should receive this response:

  "access_token": "The client credentials access token",
  "expires_in": "The expiry of this token",
  "token_type": "The type of token this is (client credentials)"

Now you have a token, with the ability to create a new user! Let's do this now.

Posting A User

Creating a user is very simple, using the same identity url you will make this request: POST /usersand you can optionally include a clientUserIdin the body to specify our own unique id for this user. The request will look something like this:

curl --location --request POST '' \
--header 'Authorization: Bearer <client_credentials_access_token>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "clientUserId": "my-id"

You will then get back your new user in a response like this:

  "userId": "The Moneyhub user id",
  "clientUserId": "Your optionally specified id",
  "clientId": "Your client id",
  "createdAt": "Date of creation",
  "updatedAt": "Last date of any updates",
  "scopes": "The scopes specified",
  "managedBy": "Who this user is managed by (client in this case)",
  "lastAccessed": "When the user was last accessed",
  "deletedAt": "If the user was deleted, this would be the date",
  "userType": "The type of user",
  "clientName": "Name of your client",
  "connectionIds": "An array of any connections the user has"

If you need specifics for this endpoint the documentation can be found here: Post Users

Manage Users

API users are an important resource for the ongoing access use case and as such we also have GET, GET ALL and DELETE endpoints for these. The documentation for these can be found here: Users endpoints

What’s Next

You have a new API user and are ready to take the next step - consent.