- 18 May 2022
Making Requests with Mambu Apps
- Updated On 18 May 2022
The application that communicates with a Mambu App may need to be able to do the following to complete requests:
- Authenticate requests that come from the Mambu App.
- If the application needs data from the Mambu Banking Engine, make API calls to the Mambu API.
When these actions are possible, Mambu App requests are submitted as a web form, and the results returned by the application are rendered in the App’s iframe window in the Mambu UI.
We recommend always using HTTPS for all endpoints. This ensures that the signed request is secure in transit.
Authenticating requests
To ensure that communication between the Mambu App and the application is secure, an App Key is used to sign requests. Both the Mambu App and your application need to have the same secret App Key to be able to hash and authenticate requests.
How requests are authenticated
When an App communicates with an application, a signed request is sent to the URL listed as an endpoint. This request has two parts separated by a period using the following template:
<PART1>.<PART2>
Both parts are derived from a JSON object of the request parameters, which are contextual information about where the Mambu App sent the request from. This information may include which client the Mambu App is in, which tenant sent the request for multi-tenant Apps, and other contextual information to help complete the request on the application end. The parts differ in how they are encoded or hashed:
- PART1 of the request contains the JSON in an HMACSHA256 hashed signature, created using the App Key.
- PART2 contains the Base64-encoded JSON of the request parameters.
To check that PART1 and PART2 match, you need to hash PART2 using HMACSHA256 with the App Key and compare the result to PART1. If the result matches PART1, the application can be sure the request was made by an authenticated Mambu App. PART2 can then be decoded using Base64 to get extra parameters from it.
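The check described above, as an added Python example (not Mambu's own code). It assumes PART1 is the hex-encoded HMACSHA256 digest computed over PART2 exactly as received, which this page does not specify; `verify_signed_request`, `sign_sample`, the key and the parameter names are hypothetical.

```python
import base64
import hashlib
import hmac
import json


class InvalidSignedRequest(Exception):
    """The signed request is malformed or its signature does not verify."""


def verify_signed_request(signed_request: str, app_key: bytes) -> dict:
    """Return the request parameters only if PART1 authenticates PART2."""
    try:
        raw = signed_request.encode("ascii")  # hex and Base64 are ASCII-only
    except UnicodeEncodeError as exc:
        raise InvalidSignedRequest("non-ASCII input") from exc
    part1, sep, part2 = raw.partition(b".")
    if not (sep and part1 and part2) or b"." in part2:
        raise InvalidSignedRequest("expected <PART1>.<PART2>")
    # HMAC-SHA256 over PART2 as received (still Base64 text), keyed with the App Key.
    # Assumption: PART1 is the hex digest; the page does not state its encoding.
    expected = hmac.new(app_key, part2, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison, so timing does not reveal how much of PART1 matched.
    if not hmac.compare_digest(expected, part1.lower()):
        raise InvalidSignedRequest("signature mismatch")
    # Decode and parse PART2 only after it has been authenticated.
    try:
        padded = part2 + b"=" * (-len(part2) % 4)
        params = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:  # Base64, UTF-8 and JSON errors all derive from it
        raise InvalidSignedRequest("PART2 is not Base64-encoded JSON") from exc
    if not isinstance(params, dict):
        raise InvalidSignedRequest("PART2 is not a JSON object")
    return params


def sign_sample(params: dict, app_key: bytes) -> str:
    """Build a constructed signed request for testing (stands in for the Mambu App)."""
    part2 = base64.b64encode(json.dumps(params).encode()).decode()
    part1 = hmac.new(app_key, part2.encode(), hashlib.sha256).hexdigest()
    return f"{part1}.{part2}"


if __name__ == "__main__":
    key = b"constructed-app-key"  # placeholder, not a real App Key
    request = sign_sample({"tenant": "demo-tenant"}, key)
    print(verify_signed_request(request, key))
```

Reject the request on any `InvalidSignedRequest` and act only on the parameters the function returns, never on a separately decoded PART2.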
Getting Mambu data using the Mambu API
Some applications may require data from the Mambu Banking Engine. For example, an application that returns credit scoring information from third-party providers would need to know the name of the client and their details to return their credit score to the Mambu App window. In this case, the application should fetch the information from the Mambu API. For more information, see our API Reference.
To access the Mambu API, we recommend using API consumers to generate API keys. Your application can then store the API key details and use them in its logic to complete the request.