API ReferenceStable v1

Authentication

OAuth 2.0 bearer authentication and webhook-signature conventions for AMLOK.

Last updated Mar 8, 2026

Authentication Model

All API requests require a bearer token in the Authorization header.

Obtain Access Token

POST/auth/tokenPublic client credentials

Obtain an OAuth 2.0 bearer token.

{
  "client_id": "amlok_client_xxxxxxxxx",
  "client_secret": "sk_live_xxxxxxxxxxxxxxxxx",
  "grant_type": "client_credentials",
  "scope": "verify dealcards funders routing deploy govern"
}

Refresh Token

POST/auth/refreshRefresh token

Refresh a bearer token.

Usage

Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

Webhook Signing

Webhook payloads are signed with HMAC-SHA256:

X-AMLOK-Signature: sha256=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
X-AMLOK-Timestamp: 1709913000

Permission Scopes

Scope	Access
`verify`	KYB verification, revenue verification, fraud checks
`dealcards`	Create, read, and update Deal Cards
`funders`	Funder management and policy configuration
`routing`	Capital routing and matching
`deploy`	Funding execution and disbursement
`collections`	Payment collection and PAD management
`govern`	Audit logs, exports, and reporting
`investors`	Investor portfolio and distribution access
`admin`	Full platform access

Key Point

Use OAuth bearer tokens for API requests and HMAC verification for webhook deliveries.