Getting started

Introduction

The Spiko investor API supports two authentication methods:

  • API key: This is suitable for internal tools and direct integrations. Best for server-side applications and automated processes where you have complete control over the integration.
  • OAuth 2.0: This is the preferred method for third-party integrations with Spiko (fintechs, SaaS companies, automation providers, etc.). Recommended for scenarios where end-users need to grant access to their data.

Both authentication methods provide full access to all investor API endpoints, but OAuth 2.0 offers additional security benefits for third-party integrations through scoped access and revocable tokens.

API Key

Create an API client

Go to the integrations page of the investor App (you need to sign in). There you can create API keys and get your client_id and client_secret. Make sure to store them securely: you won't be able to see the client_secret again after it is generated.

Send API Calls

Our API uses Basic authentication with client_id as username and client_secret as password.

Here is an example using curl:

curl -X GET https://investor-api.spiko.finance/v1/investors/ \
-u "client_id:client_secret"

Third Party App via OAuth2

Create an API client

The Spiko Investor API uses the OAuth 2.0 protocol for authentication and authorization, with the authorization code method for third-party applications.

Info: Don't have Investor API client credentials? Get in touch with us.

Send API calls with OAuth2 authentication flow

You can launch the OAuth2 authentication flow by redirecting the user to the following URL:

https://investor-auth.spiko.finance/oauth2/auth?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&response_type=code&scope=offline&state=STATE

STATE should be a random string of more than 8 characters.

With the code you have retrieved, you can get an accessToken and a refreshToken with a POST request to the token URL:

curl -X POST \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "Authorization: Basic ENCODE_BASE_64(CLIENT_ID:CLIENT_SECRET)" \
-d "grant_type=authorization_code&code=CODE&redirect_uri=REDIRECT_URI" \
https://investor-auth.spiko.finance/oauth2/token

With the refreshToken you have retrieved, you can refresh the accessToken with a POST request to the same token URL:

curl -X POST \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "Authorization: Basic ENCODE_BASE_64(CLIENT_ID:CLIENT_SECRET)" \
-d "grant_type=refresh_token&refresh_token=REFRESH_TOKEN&redirect_uri=REDIRECT_URI" \
https://investor-auth.spiko.finance/oauth2/token

All the API routes should be called with the appropriate bearer authorization header. Here is an example using curl:

curl -X GET \
-H 'Authorization: Bearer ACCESS_TOKEN' \
https://investor-api.spiko.finance/v1/investors/
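
The redirect and code exchange steps above, sketched for a server-side integration as an added example (not Spiko's own code). The function names are hypothetical, and it assumes the callback returns `code` and `state` as query parameters, as in the standard OAuth 2.0 authorization code flow. It builds the token request without sending it.

```python
import base64
import hmac
import secrets
import urllib.parse
import urllib.request

AUTH_URL = "https://investor-auth.spiko.finance/oauth2/auth"
TOKEN_URL = "https://investor-auth.spiko.finance/oauth2/token"


def start_flow(client_id, redirect_uri):
    """Return (state, url); keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # CSPRNG output, 43 URL-safe characters
    query = urllib.parse.urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "offline",
        "state": state,
    })
    return state, f"{AUTH_URL}?{query}"


def code_from_callback(callback_url, expected_state):
    """Return the authorization code, or raise if state is missing or wrong."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    returned = params.get("state", [""])[0]
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this callback")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]


def token_request(client_id, client_secret, code, redirect_uri):
    """Build (not send) the code-for-token POST shown in the curl example."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }).encode()
    return urllib.request.Request(TOKEN_URL, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    })
```

Rejecting a callback whose state does not match the value stored for that session is what ties the returned code to the user who started the flow.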