When you sign up for finAPI, you receive two sets of client credentials, one for an "app client" and one for a "mandator admin" client. This article explains the difference between those two.
A mandator in finAPI defines the user base and all data that comes with it. Multiple finAPI app clients can access the data of one mandator.
- The app client can call all services allowed for the client role in finAPI, except for the services in the "Mandator Administration" section.
- You need this client for creating users, verifying users, or changing user passwords, as well as for calling other client-roled services like "Get banks", etc.
- Also, this client must be used to get/refresh/revoke user access_tokens.
- In short: This client is definitely required for your application and the one that your application will use for most of its API calls.
Mandator Admin Client:
- An admin client can call only the services in the "Mandator Administration" section of finAPI (aside of course from also being able to get or revoke an access token for itself).
- It cannot call any other client-roled services, and it cannot be used for anything that gives access to sensitive user data (including getting/refreshing/revoking user access_tokens).
- Depending on what your business logic is (i.e. whether you need the services from the Mandator Administration section), this client may be optional for your application.
Why is there even a Mandator Admin client?
The Mandator Administration Client exists for two reasons:
1. finAPI allows you as a customer (we use the term "Mandator") to have mutliple finAPI App clients, which - while all sharing the same user base - can have different configurations (See "Client Configuration" section of finAPI). The Mandator Administration section of finAPI is designed to provide cross-app / mandator services, it makes sense from a design point of view to have a unqiue, separate client for accessing these services.
2. The Mandator Administration section provides services which allow you to receive user-related data relevant for administration tasks without the need to have any user-specific information at hand (e.g. "Get user list" returns a list of user IDs without any required input parameters).
In the scenario that an intruder gets hold of your admin client's credentials, he will be able to get user IDs, but he won't be able to compromise a user's account and get hold of sensitive data, because the admin client cannot be used to receive any tokens for the user, nor for resetting the user's password.
Similarly, when an intruder gets hold of your regular client's credentials, he might technically be able to compromise individual user accounts, but he won't know which users even exist as he cannot get the user list with the regular client. Thus the concept of separating the Mandator Administration from all other services also adds to the security of finAPI.