LMS and Secure Payments authentication
This article explains the differences between the LMS and Secure Payments API authentication.
Key Differences in API Authentication
The primary differences are the type of credentials used and how tokens are rotated:
Feature | Loan Management System (LMS) API | Secure Payments API |
---|---|---|
Credential Type | API Bearer Token and Tenant ID | Token and Secret pair |
Expiration/Lifecycle | Tokens are subject to rotation policies and can be automatically rotated. | The Token and Secret do not expire. |
Management Location | Managed in the LMS UI: Settings > Company > API > Overview. | Managed on the ‘Profile’ tab in Secure Payments, but password changes (which affect API access) must be done via LMS. |
Secure Payments Token Rotation Requirement
While the Secure Payments token and secret do not expire, rotation is indirectly required due to linked security protocols:
- The Secure Payments account password expires after 90 days (PCI compliance standard).
- If this password expires, API requests using the valid token/secret will fail with a 401 Unauthorized response.
- To maintain access, the password must be reset, ideally through LMS to preserve the linked connection.
Step-by-Step Guide for Automatic Token Rotation (LMS API)
For the LMS API, automatic rotation is a built-in feature managed in the UI, enhancing security:
- Navigate to Settings > Company > API > Overview.
- Identify the desired API key.
- Click the "rotate icon" next to the key entry to automatically generate a new key, replacing the old one.
For Secure Payments, rotation involves generating a completely new pair via the API if the existing credentials are lost or compromised, by sending a POST request to the /api/authenticate endpoint with the current username and password in the payload.
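The following is an added example, not code from LMS or Secure Payments: it tracks the 90-day password age described above, tells a 401 caused by an expired password apart from one that points at the token/secret, and builds the POST to /api/authenticate. The JSON body with "username" and "password" keys, the base URL, the 14-day warning window and all function names are assumptions.

```python
import json
from datetime import date, timedelta
from urllib import request

PASSWORD_MAX_AGE_DAYS = 90  # from the article: password expires after 90 days
WARN_WINDOW_DAYS = 14       # assumption: how early to raise an alert


def password_status(last_changed: date, today: date):
    """Return (state, days_left); age >= 90 days is treated as expired."""
    days_left = PASSWORD_MAX_AGE_DAYS - (today - last_changed).days
    if days_left <= 0:
        return "expired", days_left
    if days_left <= WARN_WINDOW_DAYS:
        return "expiring", days_left
    return "ok", days_left


def diagnose(http_status: int, last_changed: date, today: date) -> str:
    """Map an API response code plus password age to an operator action."""
    state, days_left = password_status(last_changed, today)
    if http_status == 401 and state == "expired":
        return "reset-password-via-lms"   # token/secret may still be valid
    if http_status == 401:
        return "check-token-and-secret"   # password is current; look at credentials
    if state == "expiring":
        return f"schedule-password-reset:{days_left}d"
    return "none"


def build_authenticate_request(base_url: str, username: str, password: str):
    """Build (not send) the POST to /api/authenticate that issues a new pair.

    Assumed: JSON body with 'username' and 'password' keys.
    """
    body = json.dumps({"username": username, "password": password}).encode()
    return request.Request(
        base_url.rstrip("/") + "/api/authenticate",
        data=body,
        method="POST",
        headers={"Content-Type": "application/json"},
    )


if __name__ == "__main__":
    changed = date(2024, 1, 1)  # constructed sample date
    print(diagnose(401, changed, changed + timedelta(days=95)))
    print(diagnose(200, changed, changed + timedelta(days=80)))
```

Record the password change date whenever the password is reset through LMS so the age check stays accurate, and keep the password out of logs when the request is sent.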