Authentication
All API requests are authenticated with a JWT bearer token obtained through the OAuth client credentials flow.
1. Obtain Client Credentials
Navigate to IAM → OAuth Clients in the Floodlight AML dashboard and create a new client application. You will receive a client_id and client_secret.
2. Get an Access Token
Use the client login endpoint to obtain a JWT access token:
cURL
curl -X 'POST' \
  'AUTH_URL/auth/api/v1/client-login' \
  -H 'accept: */*' \
  -H 'Content-Type: application/json' \
  -d '{
    "clientId": "YOUR_CLIENT_ID",
    "clientSecret": "YOUR_CLIENT_SECRET"
  }'

3. Use the Token
Include the returned token in the Authorization header of all API requests:
cURL
curl -X POST AML_CORE/amlcore/api/v1/screen-entity \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -H "Content-Type: application/json" \
  -d '{
    "entityType": "INDIVIDUAL",
    "name": "Jane Smith",
    "countryCode": "US"
  }'

Token Response
The token is returned inside the standard ApiResponse envelope:
JSON
{
  "timestamp": "2026-06-01T14:12:22.942Z",
  "status": 200,
  "message": "Client authenticated",
  "correlationId": "df6a9da7-156f-466f-845a-d888ca25885c",
  "data": {
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
    "token_type": "Bearer",
    "expire_in": 3600,
    "roles": ["ROLE_CLIENT"],
    "permissions": ["screen:read", "screen:write"]
  }
}

Security Best Practices
- Never hardcode credentials in source code
- Rotate client secrets regularly via the dashboard
- Use environment variables, for example: export FL_CLIENT_SECRET="..."
- Restrict client scopes to the minimum permissions required
Rate Limits
All authenticated requests count toward your rate limit. Using OAuth tokens with shorter lifetimes can help manage usage.
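The three steps above, written as a small client that reads credentials from the environment, parses the ApiResponse envelope and reuses one token until shortly before expire_in elapses so that login calls do not eat into the rate limit. This is an added example, not Floodlight's own SDK; the FL_AUTH_URL and FL_CLIENT_ID variable names and the 60-second refresh margin are assumptions.

```python
"""Added example (not Floodlight's SDK): client-login, envelope parsing, token reuse."""
import json
import os
import time
import urllib.request

# Assumption: the auth base URL is supplied via FL_AUTH_URL (name not from the docs page).
AUTH_URL = os.environ.get("FL_AUTH_URL", "https://auth.example.invalid")


def parse_token_envelope(envelope, now):
    """Return (access_token, absolute expiry) from the ApiResponse envelope."""
    if envelope.get("status") != 200 or "data" not in envelope:
        raise RuntimeError(f"client-login failed: {envelope.get('message')!r}")
    data = envelope["data"]
    if data.get("token_type") != "Bearer":
        raise RuntimeError("unexpected token_type in client-login response")
    # 'expire_in' is relative seconds; convert it to an absolute deadline.
    return data["access_token"], now + float(data["expire_in"])


def client_login(client_id, client_secret):
    """POST to /auth/api/v1/client-login and return the parsed JSON envelope."""
    body = json.dumps({"clientId": client_id, "clientSecret": client_secret}).encode()
    req = urllib.request.Request(
        f"{AUTH_URL}/auth/api/v1/client-login", data=body, method="POST",
        headers={"accept": "*/*", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Hands out the Authorization header, logging in again only when the
    cached token is within 'skew' seconds of expiry (the token is never printed)."""

    def __init__(self, fetch=client_login, skew=60):
        self._fetch, self._skew = fetch, skew  # fetch(client_id, client_secret) -> envelope
        self._token, self._expires_at = None, 0.0

    def auth_header(self, client_id, client_secret, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - self._skew:
            envelope = self._fetch(client_id, client_secret)
            self._token, self._expires_at = parse_token_envelope(envelope, now)
        return {"Authorization": f"Bearer {self._token}"}


# Usage: credentials come from the environment, never from source (FL_CLIENT_ID is assumed).
# headers = TokenCache().auth_header(os.environ["FL_CLIENT_ID"], os.environ["FL_CLIENT_SECRET"])
```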