Using API Key on User's Behalf


#1

Hi there,

May a user of our site give us their Revolut PRODUCTION key to store in encrypted form in our DB, which they can decrypt in the browser and make calls to Revolut to perform transactions?

So, to describe in a bit more detail:

  1. User registers at our site
  2. Links their Revolut account by giving us their PRODUCTION key encrypted by their password, say, using AES
  3. Wants to pay another user; the key is decrypted by JS in the browser and the needed Revolut API calls are made to perform the needed transactions

Any legal issues one can think of?
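
Steps 2 and 3 above, as an added example that is not part of the original post or Revolut's code: password-based encryption of the key in the browser with WebCrypto, so the server only ever stores the sealed record. The post only says "AES"; PBKDF2-SHA-256, AES-256-GCM, the iteration count, the record layout and all function names are assumptions.

```javascript
// Added example; the require() fallback only lets it run under older Node too.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const PBKDF2_ITERATIONS = 600000; // assumed work factor

// Derive a non-extractable AES-256-GCM key from the password and a per-user salt.
async function deriveKey(password, salt) {
  const material = await wc.subtle.importKey(
    'raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: PBKDF2_ITERATIONS },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

const toB64 = (bytes) => btoa(String.fromCharCode(...bytes));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Step 2: encrypt in the browser; only the returned record goes to the server.
async function sealApiKey(apiKey, password) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh for every encryption
  const key = await deriveKey(password, salt);
  const ct = await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(apiKey));
  return { v: 1, salt: toB64(salt), iv: toB64(iv), ct: toB64(new Uint8Array(ct)) };
}

// Step 3: decrypt in the browser; null means wrong password or altered record.
async function openApiKey(record, password) {
  const key = await deriveKey(password, fromB64(record.salt));
  try {
    const pt = await wc.subtle.decrypt(
      { name: 'AES-GCM', iv: fromB64(record.iv) }, key, fromB64(record.ct));
    return new TextDecoder().decode(pt);
  } catch {
    return null; // GCM authentication tag did not verify
  }
}

// Constructed demo values, not real credentials.
async function demo() {
  const record = await sealApiKey('EXAMPLE-NOT-A-REAL-KEY', 'correct horse');
  const flipped = fromB64(record.ct).map((b, i) => (i === 0 ? b ^ 1 : b));
  return {
    ok: await openApiKey(record, 'correct horse'),
    wrongPassword: await openApiKey(record, 'wrong horse'),
    tampered: await openApiKey({ ...record, ct: toB64(flipped) }, 'correct horse'),
  };
}
```

The sealed record is only as strong as the password, and whatever script the site serves to the browser can read the key once it is decrypted there.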


#2

Read about OAuth2.



#3

Thanks for the answer. Surprisingly, I am aware of OAuth2. However, I don’t see any mention of it in https://revolutdev.github.io/business-api, which is why I asked the question above.

Do you have an idea how to use OAuth2 with the Revolut API?


#4

You are absolutely right! I couldn’t find how to get an application-specific token and do the application authorisation. There is only one token.

@rafael_revolut/@AndreasK/@olga_revolut, can you point us to the right documentation to allow a user to authorize an application to act on their behalf without actually sharing a token? Thank you!


#5

Thank you, @alejandro.mery!


#6

Hello!

API keys are meant for personal use only and sharing them with anyone is not advisable; they are strictly confidential.
At the same time, though, we are working on a developer portal and on implementing an OAuth2 authentication system to securely allow operations such as the above.

Best regards,
Rafael


#7

Hi @rafael_revolut, any guesstimate when the OAuth2 portal would be available?


#8

Hi @alejandro.mery!

I tried to gather some more information regarding that, and what I know at the moment is that work is in progress, but I have not been updated on exactly what stage we are at. I am sure we will let you guys know when all is ready.

Rafael