- Partner HMAC authentication proves that your backend is an entitled Meridian integrator
- JWT bearer authentication carries Meridian user context after a token has already been minted
Which authentication method to use
Use this decision tree for each request:- If your backend is calling Meridian directly with your partner API Key and Secret, use server-to-server authentication with HMAC
- If you already have a Meridian access token and are making a user-scoped API call, use client-server authentication with JWT
Authentication matrix
| Scenario | Caller | Credential type | Required auth fields | Typical endpoints |
|---|---|---|---|---|
| Backend proves partner identity | Your server | Meridian API Key + HMAC signature | X-Meridian-Api-Key, X-Meridian-Program-Id, X-Meridian-Timestamp, X-Meridian-Signature, and X-Meridian-User-Id for MULTI_USER | POST /v1/auth/token, partner-key endpoints supported by the API |
| User-scoped API access | Your client or server | Meridian bearer token | Authorization: Bearer {token} | GET /v1/enrollment, GET /v1/virtual-accounts, GET /v1/transactions |
How the flow fits together
- Your backend sends a partner-authenticated request signed with HMAC.
- Meridian issues a JWT access token for the target user.
- Your client or backend uses
Authorization: Bearer {token}on later API requests.