Dwolla OAuth 2.0
Dwolla utilizes the OAuth 2 protocol to facilitate authorization. OAuth is an authorization framework that enables a third-party application to obtain access to protected resources (Transfers, Funding Sources, etc.) in the Dwolla API. Access to the Dwolla API can be granted to an application either on behalf of a user or on behalf of the application itself. The following guide will walk through Dwolla’s implementation of OAuth 2 and the various flows that can be leveraged by your application depending on your use case.
- Resource Server (Dwolla): The Dwolla server hosting protected resources (Transfers, Funding Sources, etc.) and responding to requests from an authorized application.
- Authorization Server (Dwolla): The Dwolla server issuing access tokens to an authorized application.
- Client (application): The application making requests to access protected resources after it has obtained authorization.
- Resource Owner (user/application): A user with an existing Dwolla account who grants permission to an application to act on their behalf or an application acting on its own behalf.
Creating an application
Before you can get started with making OAuth requests, you’ll need to first register an application with Dwolla by logging in and navigating to the applications page. Once an application is registered you will obtain your
client_secret (aka client credentials), which will be used to identify your application when calling the Dwolla API. The Sandbox environment provides you with a created application once you have signed up for an account. Learn more in our getting started guide. Remember: Your client_secret should be kept a secret! Be sure to store your client credentials securely.
Dwolla’s authorization flows
The OAuth 2 protocol defines four main authorization grant types, more commonly referred to as OAuth flows. Dwolla implements two of the four grant types depending on how your application accesses data within the API.
- Flow 1 (Co-branded): - Using the authorization code grant flow, your application will redirect the user to Dwolla (typically via a web browser) to authenticate and authorize your application. If the user grants permission, your application will be issued an access token that is used to make requests to the API on the user’s behalf. This is a browser-based flow with interaction between an end-user, a third-party application, and the Dwolla API; also known as 3-legged OAuth.
- Flow 2 (Access API and/or Webhooks): - Using the client credentials grant flow, your application will obtain authorization to interact with the API on its own behalf. This is a server-to-server flow with interaction between an application and the Dwolla API; also known as 2-legged OAuth.
Financial institutions play an important role in the Dwolla network.
Dwolla, Inc. is an agent of Veridian Credit Union and Compass Bank and all funds associated with your account in the Dwolla network are held in pooled accounts at Veridian Credit Union and Compass Bank. These funds are not eligible for individual insurance, including FDIC insurance and may not be eligible for share insurance by the National Credit Union Share Insurance Fund. Dwolla, Inc. is the operator of a software platform that communicates user instructions for funds transfers to Veridian Credit Union and Compass Bank.