Skip to main content
Meridian Accounts uses two authentication layers that serve different purposes:
  • Partner HMAC authentication proves that your backend is an entitled Meridian integrator
  • JWT bearer authentication carries Meridian user context after a token has already been minted
These are not competing end-user options. In a typical integration, your backend first authenticates with partner credentials and HMAC, then receives a Meridian access token, and later uses that JWT on behalf of the target user.

Which authentication method to use

Use this decision tree for each request:

Authentication matrix

ScenarioCallerCredential typeRequired auth fieldsTypical endpoints
Backend proves partner identityYour serverMeridian API Key + HMAC signatureX-Meridian-Api-Key, X-Meridian-Program-Id, X-Meridian-Timestamp, X-Meridian-Signature, and X-Meridian-User-Id for MULTI_USERPOST /v1/auth/token, partner-key endpoints supported by the API
User-scoped API accessYour client or serverMeridian bearer tokenAuthorization: Bearer {token}GET /v1/enrollment, GET /v1/virtual-accounts, GET /v1/transactions

How the flow fits together

  1. Your backend sends a partner-authenticated request signed with HMAC.
  2. Meridian issues a JWT access token for the target user.
  3. Your client or backend uses Authorization: Bearer {token} on later API requests.
Keep your Meridian API Secret on the server only. Do not try to generate HMAC signatures from a browser or mobile client.