Making Requests with Mambu Apps
  • 18 May 2022


Article summary

The application communicating with a Mambu App must authenticate requests and make API calls to the Mambu API for data. Authentication involves using an App Key to sign requests. Requests are sent as a signed request to an endpoint URL, with two parts containing JSON of request parameters. The application hashes and compares the parts to authenticate the request. To access Mambu data, applications can use the Mambu API by storing API key details. This allows applications to fetch information from the Mambu Banking Engine, such as credit scoring information, and return it to the Mambu App window.

The application that communicates with a Mambu App may need to be able to do the following to complete requests:

  • Authenticate requests that come from the Mambu App.
  • If the application needs data from the Mambu Banking Engine, make API calls to the Mambu API.

When these actions are possible, Mambu App requests are submitted as a web form and the results returned by the application are rendered in the App’s iframe window in the Mambu UI.

Please Note

We recommend always using HTTPS for all endpoints. This ensures that the signed request is secure in transit.

Authenticating requests

To ensure that communication between the Mambu App and the application is secure, an App Key is used to sign requests. Both the Mambu App and your application need to have the same secret App Key to be able to hash and authenticate requests.

The input field where you add the App Key

How requests are authenticated

When an App communicates with an application, a signed request is sent to the URL listed as an endpoint. This request has two parts separated by a period using the following template:

<PART1>.<PART2>

Both parts contain a JSON of the request parameters, which are contextual information about where the Mambu App sent the request from. This information may include which client the Mambu App is in, which tenant sent the request for multi-tenant Apps, and other contextual information to help complete the request on the application end. The difference in the parts is in how they are encoded or hashed:

  • PART1 contains an HMACSHA256 signature of the JSON of the request parameters, created using the App Key.
  • PART2 contains the Base64-encoded JSON of the request parameters.

To check that PART1 and PART2 match, hash PART2 using HMACSHA256 with the App Key and compare the result to PART1. If the result matches PART1, the application can be sure the request was made by an authenticated Mambu App. PART2 can then be decoded using Base64 to get the extra parameters from it.
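One way to implement the check described above on the application side, as an added example rather than Mambu's own code. It assumes PART1 is the hex-encoded HMAC-SHA256 of the PART2 text exactly as received and that PART2 uses standard Base64; the function names, the sample key and the sample parameters are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json


class InvalidSignedRequest(Exception):
    """The signed request is malformed or fails verification."""


def _sign(part2: str, app_key: str) -> str:
    # Assumption: HMAC-SHA256 over PART2 exactly as received, hex-encoded.
    return hmac.new(app_key.encode(), part2.encode(), hashlib.sha256).hexdigest()


def verify_signed_request(signed_request: str, app_key: str) -> dict:
    """Return the request parameters only if PART1 authenticates PART2."""
    part1, sep, part2 = signed_request.partition(".")
    if not sep or not part1 or not part2:
        raise InvalidSignedRequest("expected <PART1>.<PART2>")

    # Constant-time comparison, so response timing does not reveal how much
    # of a guessed signature was correct.
    expected = _sign(part2, app_key).encode()
    if not hmac.compare_digest(expected, part1.lower().encode()):
        raise InvalidSignedRequest("PART1 does not match the hash of PART2")

    # Decode PART2 only after it has been authenticated.
    try:
        padded = part2 + "=" * (-len(part2) % 4)  # tolerate stripped padding
        params = json.loads(base64.b64decode(padded))
    except ValueError as exc:  # bad Base64, bad UTF-8 or bad JSON
        raise InvalidSignedRequest("PART2 is not Base64-encoded JSON") from exc
    if not isinstance(params, dict):
        raise InvalidSignedRequest("request parameters must be a JSON object")
    return params


def make_sample_request(params: dict, app_key: str) -> str:
    """Constructed sender, used only to exercise the verifier offline."""
    part2 = base64.b64encode(json.dumps(params).encode()).decode()
    return f"{_sign(part2, app_key)}.{part2}"


if __name__ == "__main__":
    key = "constructed-app-key"  # constructed value, not a real App Key
    request = make_sample_request({"tenant": "constructed-tenant"}, key)
    print(verify_signed_request(request, key))
```

Nothing in PART2 is trusted until the signature check has passed, so tenant or client values from an unauthenticated request never reach the application's logic.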

Getting Mambu data using the Mambu API

Some applications may require data from the Mambu Banking Engine. For example, an application that returns credit scoring information from third-party providers would need to know the name of the client and their details to return their credit score to the Mambu App window. In this case, they should fetch information from the Mambu API - for more information, see our API Reference.

To access the Mambu API, we recommend using API consumers to generate API keys. Your application can then store the API key details and use them in its logic to complete the request.

