Skip to main content
Version: 2.0.0

Authentication

UCW includes a built-in authentication system that can be enabled via environment variables.

When AUTHENTICATION_ENABLE=true and the required variables are configured, all express endpoints defined after the useAuthentication call will require a Bearer token and optional scopes. This requires an external authorization system like Auth0.

info

If you need more control over authentication, you can fork the repository.

Widget Authentication

When AUTHENTICATION_ENABLE=true, you must pass the authorization header (Bearer token) in your POST request to the /widgetUrl endpoint. The server will append a token to the returned widgetUrl and handle widget authentication automatically.

See the authentication variables for configuration options.

Disabled Endpoints

By default, these endpoints are disabled:

  • UCW Data endpoints & VC endpoints that retrieve data from aggregators
  • The Delete User endpoint associated with connections

Enable UCW Data Endpoints

We recommend using our data endpoints to get data back from the aggregators in the FDX v5.3 format.

warning

A user must not have direct access to these endpoints because these endpoints have access to every other user's data.

You should create an endpoint that calls these endpoints using machine-to-machine authentication after ensuring that it only retrieves data the user should have access to.

To authenticate these endpoints, you'll need to set up the data endpoint variables in apps/server/env/(staging|production).env.

Delete Endpoints

There are endpoints for deleting users and connections. Just as with the data endpoints mentioned above, these delete endpoints are turned off by default. These endpoints should be well-protected with machine-to-machine authentication and should have authorization layers to ensure they are only called with IDs that the user should have access to.

Delete User

Make a DELETE request to /api/user with the userId as a query parameter:

DELETE /api/user?userId=user123

Delete Connection

Make a DELETE request to /api/connection with the connectionId passed via the secure UCW-Connection-Id HTTP header:

DELETE /api/connection
UCW-Connection-Id: access-sandbox-111111-22222-33333-44444-555555

For more info, see the Delete user endpoint variables.