TS Report & Marketdata API Authentication

Created by Pontus Klämfeldt, Modified on Thu, 26 Sep at 5:04 PM by Pontus Klämfeldt

API Authentication

To use the Treasury Systems API you need to authenticate using JWT Bearer tokens

You first need to obtain a JWT token from the Identity Provider you use to log in to the system, using OAuth2/OpenId 

Accessing the API from Excel

Please see Use Excel for TS Report and Marketdata API


Accessing the API from scripts and integration Platforms

General steps to access the API

The steps to acquire a JWT token might depend on the IdentityProvider used and the integration platform of choice. Below you will find the general steps required:

  1. Preparations (One time)
    Setup credentials to use for accessing the API.
    The exact step depends on your IdentityProvider. Please see API authentication: Register Application in Microsoft Entra Id for more info. This is commonly called an application, service identity or similar.
  1. Use the client id, client secret to obtain an JWT token using OAuth “client credentials” flow using your IdentityProvider’s token endpoint.
  2. Make a call to the API with the JWT token
    1. Set the HTTP Header “"Authorization” to “Bearer {JWT TOKEN}" (where you replace “{JWT TOKEN}“ with the token acquired from step 1.)
    2. NOTE: The first attempt will fail with error code (403) since the user has not been assigned access to the API.
  3. Grant the client permission to access the API (One time setup)
    1. Login to Treasury Systems as a user with “user manager” permission and open Roles and Permissions.
    2. Find the Treasury Systems user corresponding to the application/credentials used to call the API and grant it access (when using Microsoft Entra Id the login and name will be equal to the application’s “Object Id”).
       Once granted go back to step 2 and call the API again, this time it should succeed.

En bild som visar text, skärmbild, programvara, Webbsida

Automatiskt genererad beskrivning

En bild som visar text, skärmbild, Teckensnitt

Automatiskt genererad beskrivning 

 

Examples

 

PowerShell code to download file using Microsoft Entra Id authentication

This sample requires that you have first registered a new “Application” in the Entra Id  See  API authentication: Register Application in Microsoft Entra Id. You will need your tenant Id, client Id, and secret from the registration.

   

# Define the OAuth2 endpoint and the form data

# TODO: replace your_client_id with current tenant id (or replace with your own token endpoint if using another IdentityProvider)

$tokenEndpoint = "https://login.microsoftonline.com/your_client_id/oauth2/v2.0/token" 

$body = @{

    # TODO: Enter client id from app registration

    client_id     = "your_client_id"

    # TODO: Enter client secret from app registration

    client_secret = "your_client_secret" 

    grant_type    = "client_credentials"

    # Use below scope for when using Microsoft Entra Id for login, if you use another IdentityProvider you might need to change it

    scope         = "https://app.treasurysystems.com/.default" 

}

 

# Authenticate using to the OAuth2 endpoint using client_credentials

$response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -ContentType "application/x-www-form-urlencoded" -Body $body

 

# Set headers to use when calling the API

$Aheaders = @{ Authorization = "Bearer $($response.access_token)"}

 

# Download the file

# TODO: Change TENANT the API call AND destination file name

$loginUri = "TENANT.treasurysystems.com" 

$apiCall ="api/marketdata/ir/v1?dateCode=20240312"

$destinationFile = "%TEMP%\ir.json"

Invoke-RestMethod -Method GET -Uri "https://$($loginUri)/$($apiCall)" -Headers $headers -OutFile $destinationFile


 

 

Logic Apps – using Microsoft Entra Id authentication

This sample requires that you have first registered a new “Application” in the Entra Id, see API authentication: Register Application in Microsoft Entra Id.

  You will need your tenant Id, client Id, and secret from the registration. 

  1. Create a new logic app in Microsoft Azure
  2. Add a new “HTTP” step
    1. Enter the Uri for the API call
    2. Click “Show all" at advanced parameters at the bottom and 
    3. Enter the following settings under Authentication
      1. Authentication Type: “Active Directory OAuth”
      2. Tenant: your tenant id
      3. Audience: https://app.treasurysystems.com 
      4. Client ID: your client id
      5. Credential Type: Secret
      6. Secret: your client secret

         

 

For more details you can look at How to use Oauth 2.0 Authorization in Logic App's HTTP connector? - Microsoft Q&A or he Logic apps documentation

 


Use CURL

The following example show how CURL can be used to get an access token from Microsoft Entra Id and call the API.


 This assumes you have followed the steps to setup an application.

Get the access token 

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id={UseYourClientId}&scope=https://app.treasurysystems.com/.default&client_secret={UseYourSecret}&grant_type=client_credentials' 'https://login.microsoftonline.com/{UseYourTenantId}/oauth2/v2.0/token'

Replace {UseYourClientId},{UseYourSecret} and {UseYourTenantId} with your own values.

Get data using the accesstoken

curl -X GET -H "Authorization: Bearer {UseYourToken}" 'https://{CustumerName}.treasurysystems.com/api/marketdata/ir/v1?dateCode=20240312 '

Replace {UseYourToken} & {CustumerName} with your own values.

This will fail the first time.

If you get this message then somebody has to login to the TS application and add the permission ”Public API Access” to the newly created user. The name consists of numbers (matching the Object Id  from the application registration), please see step 4 above General steps to access the API for instructions on how to grant access.


Troubleshooting

When acquiring the token you might get an error

“AADSTS501051 _invalid_client: AADSTS501051: Application \<application name\> isn't assigned to a role for the \<web API\>”.

This happens in case you have chosen to limit access to Treasury Systems SaaS under “Enterprise Applications” in Entra.
If this happens you need to either remove assignment required or explicitly grant the registered application access to Treasury Systems SaaS.
The later cannot requires scripting since it is not, at the time of writing, available in the UI. For instructions see https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/assign-user-or-group-access-portal?pivots=aad-powershell 

 

En bild som visar text, skärmbild, programvara, Datorikon

Automatiskt genererad beskrivning


 

 



Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article