Authentication overview

Yodlee (Envestnet) employs a robust authentication framework designed to secure access to its financial data aggregation APIs. The system primarily relies on a combination of API keys, client credentials, and the OAuth 2.0 authorization framework. This multi-layered approach ensures that both the application and the end-user are properly authenticated and authorized before any financial data can be accessed or processed. The authentication flow is critical for maintaining the security and privacy of sensitive financial information, aligning with compliance standards such as SOC 2 Type II, GDPR, and CCPA.

Developers integrating with Yodlee (Envestnet) must establish application identity and then manage user consent for data access. The process typically involves obtaining developer credentials, configuring an application within the Yodlee (Envestnet) developer portal, and then implementing the OAuth 2.0 flow to facilitate secure user consent and token exchange. This structure provides granular control over data access, allowing users to grant or revoke permissions for specific financial institutions and data types, as detailed in the Yodlee API documentation.

Supported authentication methods

Yodlee (Envestnet) supports several authentication mechanisms to accommodate various integration patterns and security requirements. The core of its authentication strategy is built around OAuth 2.0, supplemented by API keys and client credentials for application-level identification. Understanding when to use each method is crucial for a secure and efficient integration.

OAuth 2.0

OAuth 2.0 is the primary authorization framework used by Yodlee (Envestnet) to enable secure delegated access to user financial data without sharing user credentials directly with the application. This protocol facilitates a secure handshake between the user, the application, and the Yodlee (Envestnet) platform. The typical flow involves:

  1. Application Registration: Registering your application in the Yodlee (Envestnet) developer portal to obtain a clientId and clientSecret.
  2. User Authorization: Directing users to a Yodlee (Envestnet) hosted login page (FastLink) where they authenticate with their financial institution credentials and grant consent for data access.
  3. Authorization Code Exchange: Yodlee (Envestnet) redirects the user back to your application with an authorization code.
  4. Access Token Request: Your application exchanges the authorization code for an accessToken and refreshToken using your clientId and clientSecret.
  5. API Calls: Using the accessToken to make authenticated API requests on behalf of the user.

This flow aligns with the standard OAuth 2.0 authorization code grant type, which is recommended for web applications.

API Keys and Client Credentials

While OAuth 2.0 handles user-level authorization, API keys and client credentials are used for application-level authentication and to secure initial interactions with the Yodlee (Envestnet) platform. These credentials identify your application to Yodlee (Envestnet) and are essential for obtaining the necessary tokens to initiate the OAuth flow or perform administrative tasks.

  • API Key: Used for identifying the application in certain requests, typically for initial setup or specific utility APIs.
  • Client ID and Client Secret: These are paired credentials used to authenticate your application when requesting access tokens from the OAuth 2.0 token endpoint. The clientSecret must be kept confidential and never exposed client-side.

Authentication Methods Summary

Method When to Use Security Level
OAuth 2.0 (Authorization Code Grant) Accessing user-specific financial data with user consent (e.g., PFM apps, lending platforms). High (delegated access, no credential sharing)
API Key Application identification, initial setup, or specific administrative API calls. Moderate (identifies application, not user-specific)
Client ID & Client Secret Authenticating the application to obtain OAuth 2.0 tokens. High (identifies application for token exchange, secret must be protected)

Getting your credentials

To begin integrating with Yodlee (Envestnet), you must first obtain developer credentials. This process typically starts with creating a developer account and registering your application within the Yodlee (Envestnet) Developer Portal.

  1. Sign Up for a Developer Account: Navigate to the Yodlee Developer Portal and sign up for a free developer account. This provides access to the sandbox environment and essential tools.
  2. Create an Application: Once logged in, you will need to create a new application. During this process, you will define application-specific details such as its name, description, and redirect URIs. The redirect URIs are crucial for the OAuth 2.0 flow, as Yodlee (Envestnet) will redirect users back to these URLs after successful authentication.
  3. Retrieve API Key, Client ID, and Client Secret: Upon successful application creation, the Developer Portal will provide you with your unique API Key, Client ID, and Client Secret. These credentials are vital for authenticating your application. The Client Secret, in particular, should be treated as highly confidential and stored securely.
  4. Configure Redirect URIs: Ensure that your application's redirect URIs are correctly configured in the Developer Portal. These must exactly match the URIs your application uses to receive authorization codes during the OAuth flow.

The developer account also grants access to sandboxes for testing integrations before deploying to production. The Yodlee documentation provides detailed step-by-step guides for credential setup and application configuration.

Authenticated request example

After obtaining an OAuth 2.0 access token, subsequent API requests to Yodlee (Envestnet) resources must include this token in the Authorization header. The access token typically has a limited lifespan, and you will need to use the refresh token to obtain new access tokens periodically.

Here's a conceptual example of an authenticated request to retrieve account details using Node.js, assuming you have already completed the OAuth 2.0 flow and obtained an accessToken:


const axios = require('axios');

async function getAccounts(accessToken) {
  const apiUrl = 'https://api.yodlee.com/ysl/v1/accounts'; // Example API endpoint

  try {
    const response = await axios.get(apiUrl, {
      headers: {
        'Authorization': `Bearer ${accessToken}`,
        'Api-Version': '1.1',
        'Content-Type': 'application/json'
      }
    });
    console.log('Account Details:', response.data);
    return response.data;
  } catch (error) {
    console.error('Error fetching accounts:', error.response ? error.response.data : error.message);
    throw error;
  }
}

// Example usage (assuming accessToken is already available)
// const myAccessToken = 'YOUR_OBTAINED_ACCESS_TOKEN';
// getAccounts(myAccessToken);

This example demonstrates how the accessToken is included in the Authorization header with the Bearer scheme, which is a standard practice for OAuth 2.0 token usage, as described in RFC 6750 for Bearer Token Usage. The Api-Version header is also important for specifying the desired API version.

Security best practices

Securing your integration with Yodlee (Envestnet) is paramount due to the sensitive nature of financial data. Adhering to security best practices helps protect both your application and your users.

Credential Management

  • Protect Client Secret: Your Client Secret must be stored securely and never exposed in client-side code (e.g., JavaScript in a browser) or publicly accessible repositories. It should only be used by your backend server.
  • Rotate Credentials: Regularly rotate your API keys and client secrets according to your organization's security policies.
  • Environment Variables: Store credentials in environment variables or a secure vault system (e.g., AWS Secrets Manager, Azure Key Vault) rather than hardcoding them directly into your application code.

OAuth 2.0 Implementation

  • Validate Redirect URIs: Always use exact match redirect URIs configured in the Yodlee (Envestnet) Developer Portal. This prevents malicious actors from intercepting authorization codes.
  • Use HTTPS: All communication with Yodlee (Envestnet) APIs and your application's endpoints must occur over HTTPS to protect data in transit.
  • State Parameter: Implement the OAuth state parameter to prevent Cross-Site Request Forgery (CSRF) attacks. The state parameter should be a unique, unguessable value generated by your application before initiating the OAuth flow and validated upon callback.
  • Secure Token Storage: Store access and refresh tokens securely on your backend. Avoid storing them in local storage or session storage on the client side, as these are vulnerable to XSS attacks.
  • Token Expiration and Refresh: Implement proper handling for token expiration. Use refresh tokens to obtain new access tokens without requiring the user to re-authenticate, but ensure refresh tokens are also securely stored and managed.

API Security

  • Least Privilege: Request only the minimum necessary permissions (scopes) from users during the OAuth flow.
  • Input Validation: Implement robust input validation for all data sent to and received from Yodlee (Envestnet) APIs to prevent injection attacks and other vulnerabilities.
  • Error Handling: Implement secure error handling that avoids leaking sensitive information in error messages.
  • Logging and Monitoring: Implement comprehensive logging and monitoring for all API interactions and authentication events to detect and respond to suspicious activity promptly.

By adhering to these best practices, developers can create secure and resilient integrations with Yodlee (Envestnet), safeguarding sensitive financial data and maintaining user trust. For more detailed security guidelines, refer to the Yodlee (Envestnet) security documentation.