OAuth Configuration
Before users can transfer points to your platform, they need to link their Bankroll account to their account on your platform. This is done via OAuth 2.0 with OpenID Connect.
How It Works
User initiates account linking
A Bankroll user chooses to connect to your platform. Bankroll redirects the user to your OAuth authorization endpoint.
User authenticates on your platform
The user logs in on your platform and authorizes the connection. Your OAuth server redirects back to Bankroll with an authorization code, echoing the state parameter it received unchanged.
Bankroll exchanges the code for tokens
Bankroll exchanges the authorization code for an access token and ID token at your token endpoint, sending the PKCE code_verifier that matches the code_challenge from the authorization request. The sub claim from the ID token becomes the user's externalId used in transfer webhooks.
Setup
Configure OAuth in the Partner Portal under Settings. You'll need to provide:
| Field | Description | Example |
|---|---|---|
| Client ID | Your OAuth application’s client ID | abc123 |
| Client Secret | Your OAuth application’s client secret | secret_xyz |
| Authorize URL | Your OAuth authorization endpoint | https://example.com/oauth/authorize |
| Token URL | Your OAuth token endpoint | https://example.com/oauth/token |
Requirements
Your OAuth server must support:
- Authorization Code flow with PKCE (S256 challenge method)
- OpenID Connect — the token response must include an id_token (JWT) with at least a sub claim
ID Token Claims
Bankroll reads the following claims from the id_token:
| Claim | Required | Description |
|---|---|---|
| sub | Yes | Unique user identifier on your platform. Becomes externalId in transfer webhooks. |
| preferred_username | No | User's display name. Falls back to name. Becomes externalName in transfer webhooks. |
| name | No | User's full name (fallback for display name) |
| email | No | User's email address (stored but not used in transfers) |
Security
Bankroll uses the following security measures during the OAuth flow:
- PKCE (S256) — prevents authorization code interception attacks. Your token endpoint must verify that SHA-256 of the presented code_verifier matches the code_challenge stored with the code, and must reject a code after its first use.
- State parameter — a random token verified on callback to prevent CSRF attacks. Expires after 10 minutes, so a callback that arrives later, or with an unknown or reused state, is rejected.
- HTTPS only — all token exchanges happen server-to-server over TLS, so the Authorize URL and Token URL you configure must be HTTPS endpoints.
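The whole linking flow, the ID token claim mapping and the security checks above, as an added, self-contained example that is not Bankroll's or any partner's code. Assumptions: the class and function names (PartnerOAuthServer, BankrollClient, link_user, s256, sign_jwt, verify_jwt) are hypothetical; the ID token is signed with HS256 keyed by the client secret (permitted by OpenID Connect, chosen here to avoid an RSA dependency; your server may use RS256 instead); stores are in-memory dicts; the users in SAMPLE_USERS are constructed; and there is no HTTP layer, so each endpoint is a method that takes the request parameters as a dict. The values abc123 and secret_xyz are the examples from the Setup table.

```python
import base64, hashlib, hmac, json, secrets, time

def b64url(data: bytes) -> str:
    # Base64url without padding, as used by both PKCE and JWT
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def s256(code_verifier: str) -> str:
    # PKCE S256: code_challenge = BASE64URL(SHA-256(code_verifier))
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())

def sign_jwt(claims: dict, secret: str) -> str:
    # HS256 JWT keyed with the client secret (assumption, see lead-in)
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_jwt(token: str, secret: str, audience: str) -> dict:
    # Check signature, audience and expiry before trusting any claim
    header, body, sig = token.split(".")
    expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        raise ValueError("bad id_token signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("aud") != audience or claims.get("exp", 0) < time.time():
        raise ValueError("id_token not for this client or expired")
    return claims

# Constructed sample users keyed by sub; the second has no preferred_username
SAMPLE_USERS = {
    "user-42": {"preferred_username": "alice", "name": "Alice Example", "email": "alice@example.com"},
    "user-77": {"name": "Bob Example"},
}

class PartnerOAuthServer:
    """Your side: the behaviour Bankroll expects from the Authorize URL and Token URL."""
    def __init__(self, client_id: str, client_secret: str, users: dict):
        self.client_id, self.client_secret, self.users = client_id, client_secret, users
        self.codes = {}  # code -> (sub, code_challenge); consumed on first use

    def authorize(self, params: dict, logged_in_sub: str) -> dict:
        # Called once the user has logged in and approved the link
        if params.get("client_id") != self.client_id or params.get("code_challenge_method") != "S256":
            raise ValueError("invalid_request")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (logged_in_sub, params["code_challenge"])
        return {"code": code, "state": params["state"]}  # redirect back to Bankroll, state unchanged

    def token(self, params: dict) -> dict:
        # Code-for-token exchange: client authentication, single-use code, PKCE check
        if params.get("client_id") != self.client_id or not hmac.compare_digest(
                params.get("client_secret", ""), self.client_secret):
            raise ValueError("invalid_client")
        entry = self.codes.pop(params.get("code"), None)  # revoked even if the PKCE check fails
        if entry is None:
            raise ValueError("invalid_grant")
        sub, challenge = entry
        if not hmac.compare_digest(s256(params.get("code_verifier", "")), challenge):
            raise ValueError("invalid_grant")
        now = int(time.time())
        claims = {"iss": "https://example.com", "aud": self.client_id, "sub": sub,
                  "iat": now, "exp": now + 300, **self.users[sub]}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "id_token": sign_jwt(claims, self.client_secret)}

class BankrollClient:
    """Bankroll's side: PKCE verifier, state with a 10-minute TTL, claim-to-webhook mapping."""
    STATE_TTL = 600
    def __init__(self, server: PartnerOAuthServer, client_id: str, client_secret: str):
        self.server, self.client_id, self.client_secret = server, client_id, client_secret
        self.pending = {}  # state -> (code_verifier, issued_at)

    def start_link(self, now=None) -> dict:
        verifier, state = secrets.token_urlsafe(64), secrets.token_urlsafe(32)
        self.pending[state] = (verifier, time.time() if now is None else now)
        return {"client_id": self.client_id, "response_type": "code", "state": state,
                "code_challenge": s256(verifier), "code_challenge_method": "S256"}

    def callback(self, params: dict, now=None) -> dict:
        now = time.time() if now is None else now
        entry = self.pending.pop(params.get("state"), None)  # unknown or replayed state fails
        if entry is None or now - entry[1] > self.STATE_TTL:
            raise ValueError("invalid or expired state")
        tokens = self.server.token({"grant_type": "authorization_code", "code": params["code"],
                                    "code_verifier": entry[0], "client_id": self.client_id,
                                    "client_secret": self.client_secret})
        claims = verify_jwt(tokens["id_token"], self.client_secret, self.client_id)
        return {"externalId": claims["sub"],
                "externalName": claims.get("preferred_username") or claims.get("name")}

def link_user(server: PartnerOAuthServer, client: BankrollClient, sub: str, now=None) -> dict:
    # Whole round trip: Bankroll -> your authorize endpoint -> Bankroll -> your token endpoint
    redirect = server.authorize(client.start_link(now), logged_in_sub=sub)
    return client.callback(redirect, now)
```

Running link_user for user-42 yields externalName "alice" from preferred_username, while user-77, who has no preferred_username, falls back to name. A callback older than STATE_TTL, a code_verifier that does not hash to the stored challenge, or a second use of the same code each raise ValueError; note that a failed exchange revokes the code, so a legitimate retry with that code also fails and the user must start the link again.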
Scopes
By default, Bankroll requests the scopes needed to obtain an id_token carrying the identity claims listed above.
User Identity in Transfers
Once a user links their accounts, the externalId and externalName from the OAuth connection are included in every transfer webhook sent to your platform. Use externalId to identify which user on your platform should receive the transferred value.