Security
This document outlines the security mechanisms employed by Moneyhub widgets to ensure secure initialization, data access, and request handling.
Moneyhub widgets utilise OpenID Connect Dynamic Client Registration to create a separate API client for each instance of a widget. This client is restricted to a specific set of scopes and can only access data directly associated with it. Following the authentication flow, the client can only redirect to an address within the domain that was specified when the widget was created.
When a widget is initialised, it creates a new JSON Web Key (JWK) stored locally in the browser. This JWK is associated with the client and is used to sign each request. Since no user credentials are required for registration, the JWK is deleted when the browser session ends, making it impossible to use the client for subsequent requests.
For widgets such as the Affordability widget, which allows users to link their accounts, we provide enterprise customers with access to the shared data via a separate API client.
If you are unsure how to access your data via the API, please get in touch with your customer success manager.