Skip to main content
The Meridian JWT is the access token returned by POST /v1/auth/token. After your backend mints that token, your client or backend can send it on later Meridian Accounts requests by using:
Authorization: Bearer {token}

Intended flow

JWT authentication is the second step in the Meridian Accounts authentication model:
  1. Your backend authenticates to Meridian with partner HMAC credentials.
  2. Meridian returns an access token for the target user.
  3. Your client or backend uses that JWT on later user-scoped API requests.
Use this flow when you need to call Meridian on behalf of a specific user after you have already established that user context.

What JWT-authenticated requests need

JWT-authenticated requests use the bearer token in the Authorization header. They do not need partner authentication headers such as:
  • X-Meridian-Api-Key
  • X-Meridian-Program-Id
  • X-Meridian-Timestamp
  • X-Meridian-Signature
  • X-Meridian-User-Id
The access token already carries the user context for the request.

Typical JWT use cases

Use JWT bearer authentication for user-scoped operations such as:
  • checking the current enrollment with GET /v1/enrollment
  • reading information requests and submitting onboarding data
  • listing balances
  • reading transaction history
For frontend-facing account experiences, JWT bearer authentication is the recommended model because it avoids exposing partner HMAC credentials to the client.

Refreshing tokens

When the current access token expires, your backend can exchange a previously issued refresh token by calling POST /v1/auth/token with the refresh_token grant. Meridian derives the user from the refresh token in that flow, so the request does not depend on a new client-side HMAC signature. Keep the refresh-token exchange on the backend together with your other partner-authenticated token management logic.

Security notes

  • never mint Meridian JWTs directly from a browser or mobile client
  • keep the Meridian API Secret on the backend only
  • issue or refresh access tokens from trusted server-side code, then pass the resulting bearer token to the component that needs to call Meridian