Getting started
Introduction
The Spiko investor API supports two authentication methods:
- API key: This is suitable for internal tools and direct integrations. Best for server-side applications and automated processes where you have complete control over the integration.
- OAuth 2.0: This is the preferred method for third-party integrations with Spiko for fintechs, SaaS companies, automation providers, etc. Recommended for scenarios where end-users need to grant access to their data.
Both authentication methods provide full access to all investor API endpoints, but OAuth 2.0 offers additional security benefits for third-party integrations through scoped access and revocable tokens.
API Key
Create an API client
Go to the integrations page of the investor app (you need to sign in).
You will be able to create API keys and get your client_id and client_secret.
Make sure to store them securely: you won't be able to see the client_secret after it's generated.
Send API Calls
Our API uses Basic authentication with client_id as username and client_secret as password.
Here is an example using curl:
curl -X GET https://investor-api.spiko.finance/v1/investors/ \
-u "client_id:client_secret"
Third Party App via OAuth2
Create an API client
The Spiko investor API uses the OAuth 2.0 protocol for authentication and authorization, with the authorization code method for third-party applications.
Don't have Investor API client credentials? Get in touch with us.
Send API calls with OAuth2 authentication flow
You can launch the OAuth2 authentication flow by redirecting to the given URL:
https://investor-auth.spiko.finance/oauth2/auth?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&response_type=code&scope=offline&state=STATE
STATE should be a random string of more than 8 characters.
With the code you have retrieved, you can get an accessToken and a refreshToken with a POST request to this URL:
curl -X POST \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "Authorization: Basic ENCODE_BASE_64(CLIENT_ID:CLIENT_SECRET)" \
-d "grant_type=authorization_code&code=CODE&redirect_uri=REDIRECT_URI" \
https://investor-auth.spiko.finance/oauth2/token
With the refreshToken you have retrieved, you can refresh the accessToken with a POST request to this URL:
curl -X POST \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "Authorization: Basic ENCODE_BASE_64(CLIENT_ID:CLIENT_SECRET)" \
-d "grant_type=refresh_token&refresh_token=REFRESH_TOKEN&redirect_uri=REDIRECT_URI" \
https://investor-auth.spiko.finance/oauth2/token
All the API routes should be called with the appropriate bearer authorization header. Here is an example using curl:
curl -X GET \
-H 'Authorization: Bearer ACCESS_TOKEN' \
https://investor-api.spiko.finance/v1/investors/