POST /v1/auth/token.
After your backend mints that token, your client or backend can send it on later Meridian Accounts requests by using:
Intended flow
JWT authentication is the second step in the Meridian Accounts authentication model:- Your backend authenticates to Meridian with partner HMAC credentials.
- Meridian returns an access token for the target user.
- Your client or backend uses that JWT on later user-scoped API requests.
What JWT-authenticated requests need
JWT-authenticated requests use the bearer token in theAuthorization header.
They do not need partner authentication headers such as:
X-Meridian-Api-KeyX-Meridian-Program-IdX-Meridian-TimestampX-Meridian-SignatureX-Meridian-User-Id
Typical JWT use cases
Use JWT bearer authentication for user-scoped operations such as:- checking the current enrollment with
GET /v1/enrollment - reading information requests and submitting onboarding data
- listing balances
- reading transaction history
Refreshing tokens
When the current access token expires, your backend can exchange a previously issued refresh token by callingPOST /v1/auth/token with the refresh_token grant.
Meridian derives the user from the refresh token in that flow, so the request does not depend on a new client-side HMAC signature. Keep the refresh-token exchange on the backend together with your other partner-authenticated token management logic.
Security notes
- never mint Meridian JWTs directly from a browser or mobile client
- keep the Meridian API Secret on the backend only
- issue or refresh access tokens from trusted server-side code, then pass the resulting bearer token to the component that needs to call Meridian