Testing Authentication

As described in the Authentication section, all MoneyMoov API calls (except for the /metadata/version endpoint) are authenticated using JWT access tokens.

You can verify successful authentication of your user access token using the /metadata/whoami GET action:

curl <<SANDBOX_URL>>metadata/whoami -H "Authorization: Bearer eyJhbGciOiJSUzI1N...."
using System.Net.Http.Json;

const string url = "<<SANDBOX_URL>>metadata/whoami";

var jwtToken = Environment.GetEnvironmentVariable("NOFRIXION_USER_TOKEN");

var client = new HttpClient();
client.DefaultRequestHeaders.Add("Accept", "application/json");
client.DefaultRequestHeaders.Add("Authorization", $"Bearer {jwtToken}");
    var response = await client.GetAsync(url);
    if (response.IsSuccessStatusCode)
        // returns user profile object
        var user = await response.Content.ReadFromJsonAsync<UserProfile>();
        if (user != null)
        // HTTP error codes will return a MoneyMoov API problem object
        Console.WriteLine(await response.Content.ReadFromJsonAsync<ApiProblem>());
catch (Exception e)
    Console.WriteLine($"Error: {e.Message}");

// Type definitions for returned data
record UserProfile(string id, string firstName, string lastName, string emailAddress);
record ApiProblem(string type, string title, int status, string detail);
// These packages allow the script to run on node.js, they are not required for browser use.
const fetch = require('cross-fetch');

// Remember, the JWT access token must be securely store - this example uses an environment variable
const jwtToken = process.env.NOFRIXION_USER_TOKEN;

const options = { method: 'GET', headers: { Accept: 'application/json', Authorization: 'Bearer ' + jwtToken } };

fetch('<<SANDBOX_URL>>metadata/whoami', options)
    .then(response => response.json())
    // The UserID (in UUID form) should appear in console.
    .then(responseJson => console.log(responseJson))
    .catch(err => console.error(err));
# The 'requests' library for Python can be used to make calls to the MoneyMoov API in
# popular python frameworks such as Django and Flask.

import requests
import os

# Remember, the JWT access token must be securely stored ('os' module above allows storage in environment variable)
jwtToken = os.environ['NOFRIXION_USER_TOKEN']

baseUrl = "<<SANDBOX_URL>>metadata/whoami"

headers = {
    "Accept": "application/json",
    "Authorization": f"Bearer {jwtToken}"

response = requests.request("GET", baseUrl, headers=headers)

# Response object contains details of currently authenticated user.


Merchant tokens don't have a user

The /metadata/whoami endpoint can only be used with User access tokens. merchant access tokens do not have a user associated and will always get an authentication failed response from it.

See Authentication for an explanation of the different token types used by the API.

If your token was valid, your profile information will be returned in JSON format. For example:

   "emailAddress":"[email protected]"

If your token could not be authenticated, including if it has expired, an unauthorised JSON response will be returned. For example:

   "detail":"Authentication failed.",

The recommended steps for troubleshooting an authentication failure are:

  1. Verify the access token. JWT tokens can be long and it's easy to miss a character from the end when copy and pasting.

  2. Create a new access token through the NoFrixion Portal.