Akoya uses the OAuth 2.0 framework to enable fintech applications to obtain access via http to end-user data at participating financial institutions.

OAuth 2 puts the end-user in control of the authentication workflow. Users must grant permission via Akoya directly to their banks' authorization servers before any data is sent back to the application. No user credentials are ever exposed to either Akoya or the application.

After the authentication process is complete, the financial institution needs to send the protected financial data somewhere so the application can consume it.

This “somewhere” is a redirect URI, also referred to as a callback or a redirection endpoint. See the “Website/Webapp” section of our OAuth implementation guide for more details.

Why registration is important

Because the user’s financial institution is returning sensitive data, you must register at least one redirect URI for your application in the Data Recipient Hub (the Hub). This is a security measure which prevents malicious redirects to rogue servers. Only authorization requests with Akoya-registered redirect URIs are accepted.

After you register your redirect URI(s) in the Hub, you’ll receive a client ID and client secret, which are used for authentication purposes when requesting tokens. The client ID is public information; however it should be protected. The client secret is effectively the password for your application and must be protected.


You may use a localhost address only when testing in our sandbox environment. Otherwise, you should use an externally-accessible address.

You must provide an absolute path for your redirect URI, both when you register it in the Hub and when you include it in your application code.


The redirect URI in your code must be identical to the one registered in the Hub.

See our OAuth guide for more details on implementing OAuth for web, mobile, and desktop.


Change log