To use the Treasury Systems API via tools, scripting/code, and/or integration platforms, you must authenticate using JWT Bearer tokens.
General steps to access the API
The steps to acquire a JSON Web Token (JWT) might depend on the Identity Provider used and the integration platform of choice. Below, you will find the general steps required:
Preparations (One-time)
1. Set up credentials to access the API.
   The exact steps depend on your Identity Provider. For a guideline on how to set up credentials in Entra ID, see Register an Application in Microsoft Entra ID to enable TS API Authentication. The Entra ID "Application" may be called service identity or similar if you use another Identity Provider.
2. After step 1, you will know:
   - the client id and client secret for the application.
   - the identity provider token endpoint (e.g. https://login.microsoftonline.com/[YOUR_TENANT_ID]/oauth2/v2.0/token for Microsoft Entra ID login)
API call
1. Use the client id and client secret to obtain a JWT token using the OAuth “client credentials” flow, which uses your Identity Provider’s token endpoint.
2. Make a call to the API with the JWT token.
   - Set the HTTP header “Authorization” to “Bearer [YOUR_TOKEN]” (replacing “[YOUR_TOKEN]” with the token acquired in step 1).
   - NOTE: The first attempt will fail with error code 403, since the user has not been assigned access to the API.
3. Grant the client permission to access the API (One-time setup).
   - Log in to Treasury Systems as a user with “user manager” permission and open Roles and Permissions.
   - Find the Treasury Systems user corresponding to the application/credentials used to call the API and grant it "Public API Access" (choose the user with the highest ID if you have registered more than one application).
   Once granted, return to step 2 and call the API again; this time, it should succeed.
Examples using Tools, Scripting or Integration Platforms
The examples assume you have followed the steps above to set up an application. You will need your tenant Id, client Id, and secret from the registration.
The endpoint https://ts.treasurysystems.com/tenants/[CUSTOMERNAME]/api/marketdata/ir/v1?dateCode=20240312 is used in the below examples. For information about more endpoints, see Overview of Using the TS Report and Market Data API.
cURL tool using Microsoft Entra ID authentication
The following example shows how to use cURL to get an access token from Microsoft Entra ID and call the API.
Get the access token
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=[YOUR_CLIENT_ID]&scope=https://ts.treasurysystems.com/.default&client_secret=[YOUR_CLIENT_SECRET]&grant_type=client_credentials' 'https://login.microsoftonline.com/[YOUR_TENANT_ID]/oauth2/v2.0/token'
Replace [YOUR_CLIENT_ID], [YOUR_CLIENT_SECRET] and [YOUR_TENANT_ID] with your own values.
Get data using the access token
curl -X GET -H "Authorization: Bearer [YOUR_TOKEN]" 'https://ts.treasurysystems.com/tenants/[CUSTOMERNAME]/api/marketdata/ir/v1?dateCode=20240312'
Replace [YOUR_TOKEN] and [CUSTOMERNAME] with your own values.
The request will fail the first time.
If you get this message, somebody must log in to the TS application and add the permission “Public API Access” to the newly created user. The user name consists of numbers; see step 3 under General steps to access the API above for instructions on how to grant access.
PowerShell scripting to download files using Microsoft Entra ID authentication
The following example shows how to use PowerShell to get an access token from Microsoft Entra ID and call the API.
# Define the OAuth2 endpoint and the form data
# TODO: replace [YOUR_TENANT_ID] with your tenant ID (or replace the URL with your own token endpoint if using another Identity Provider than Entra ID)
$tokenEndpoint = "https://login.microsoftonline.com/[YOUR_TENANT_ID]/oauth2/v2.0/token"
$body = @{
# TODO: Enter client ID from app registration
client_id = "[YOUR_CLIENT_ID]"
# TODO: Enter client secret from app registration
client_secret = "[YOUR_CLIENT_SECRET]"
grant_type = "client_credentials"
# Use the scope below when using Microsoft Entra ID for login.
# If you use another Identity Provider you might need to change it
scope = "https://ts.treasurysystems.com/.default"
}
# Authenticate using the OAuth2 token endpoint above
$response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -ContentType "application/x-www-form-urlencoded" -Body $body
# Set headers to use when calling the API
$headers = @{ Authorization = "Bearer $($response.access_token)"}
# Download the file
# TODO: Change [CUSTOMERNAME] in the API call AND choose the destination file path and name
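$loginUri = "ts.treasurysystems.com"
$apiCall = "/tenants/[CUSTOMERNAME]/api/marketdata/ir/v1?dateCode=20240312"
# PowerShell does not expand cmd-style %TEMP%; use $env:TEMP instead
$destinationFile = Join-Path $env:TEMP "ir.json"
# $apiCall already starts with "/", so no extra slash is added between host and path
Invoke-RestMethod -Method GET -Uri "https://$($loginUri)$($apiCall)" -Headers $headers -OutFile $destinationFile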
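The same client credentials flow as a Python script, added here as an example (it is not part of the original article and not Treasury Systems' own code). It reads the credentials from environment variables instead of embedding them in the script, reuses the token until shortly before it expires, and turns the expected first-call 403 into a message pointing at the "Public API Access" grant. The TS_* variable names, the 60-second refresh margin and the function names are this example's assumptions.

```python
import json, os, time, urllib.error, urllib.parse, urllib.request

SCOPE = "https://ts.treasurysystems.com/.default"  # scope this page gives for Entra ID

def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials POST for the Entra ID v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"client_id": client_id, "client_secret": client_secret,
            "grant_type": "client_credentials", "scope": SCOPE}
    return urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")

def http_send(req):
    """Default transport: return (status, body) instead of raising on 4xx/5xx."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

class TokenSource:
    """Fetches a token on first use and reuses it until shortly before expiry."""
    def __init__(self, tenant_id, client_id, client_secret, send=http_send, clock=time.time):
        self._args, self._send, self._clock = (tenant_id, client_id, client_secret), send, clock
        self._token, self._expires_at = None, 0.0

    def get(self, skew=60):
        if self._token is None or self._clock() >= self._expires_at - skew:
            status, body = self._send(token_request(*self._args))
            if status != 200:  # e.g. the AADSTS error described under Troubleshooting
                raise RuntimeError(f"token endpoint returned HTTP {status}: {body[:200]!r}")
            data = json.loads(body)
            self._token = data["access_token"]
            self._expires_at = self._clock() + int(data["expires_in"])
        return self._token

def call_api(url, tokens, send=http_send):
    """GET url with the Bearer header; map the 403 case to an actionable error."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {tokens.get()}"})
    status, body = send(req)
    if status == 403:
        raise PermissionError("HTTP 403: grant 'Public API Access' to the application's user in Roles and Permissions")
    if status != 200:
        raise RuntimeError(f"API returned HTTP {status}")
    return body

if __name__ == "__main__":
    # Environment variable names are this example's choice; replace [CUSTOMERNAME] before running.
    src = TokenSource(os.environ["TS_TENANT_ID"], os.environ["TS_CLIENT_ID"], os.environ["TS_CLIENT_SECRET"])
    print(call_api("https://ts.treasurysystems.com/tenants/[CUSTOMERNAME]/api/marketdata/ir/v1?dateCode=20240312", src).decode())
```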
Logic Apps integration platform using Microsoft Entra ID authentication
The following example shows how to integrate a Logic App with the TS Data API using Microsoft Entra ID.
- Create a new logic app in Microsoft Azure
- Add a new “HTTP” step
- Enter the Uri for the API call
- Click “Show all” at advanced parameters at the bottom and enter the following settings under Authentication:
- Authentication Type: “Active Directory OAuth”
- Tenant: your tenant id
- Audience: https://ts.treasurysystems.com
- Client ID: your client ID
- Credential Type: Secret
- Secret: your client's secret
For more details, see How to use Oauth 2.0 Authorization in Logic App's HTTP connector? - Microsoft Q&A or the Logic Apps documentation.
Troubleshooting
When acquiring the token, you might get the error:
“AADSTS501051 _invalid_client: AADSTS501051: Application <application name> isn't assigned to a role for the <web API>”.
This happens if you have chosen to limit access to Treasury Systems SaaS under “Enterprise Applications” in Entra.
If this happens, you need to either remove the assignment requirement or explicitly grant the registered application access to Treasury Systems SaaS.
The latter requires scripting since it is not, at the time of writing, available in the UI. For instructions, see https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/assign-user-or-group-access-portal?pivots=aad-powershell