Authentication
OAuth 2.0 client credentials for the Bre-B Participant API.
The Bre-B Participant API uses OAuth 2.0 client credentials for authentication. Unlike Banking and Core, which use static API keys, Bre-B requires you to exchange a client ID and secret for a short-lived access token, and then attach that token to every API call. The token expires; your code refreshes it automatically before it does.
If you have read api-standards/authentication, this page only adds the Bre-B specifics: the token-exchange endpoint, the token lifetime, and the rotation procedure.
This page is an authentication scaffold. The full version will document the token-exchange request and response, scopes, error handling, and recommended client patterns.
Before you start
You need:
- A Bre-B participant agreement with Mono.
- Client credentials (client ID and client secret) issued by Mono for your tenant.
- The participant base URL for your environment (sandbox or production).
Token exchange
The full token-exchange request, response, and refresh strategy will be documented here. See Bre-B Participant authentication API reference for the endpoint contract.
Sending the token
Authorization: Bearer <your_access_token>
Failures
| Status | Meaning |
|---|---|
| 401 Unauthorized | Token missing, expired, or revoked — refresh it. |
| 403 Forbidden | Token valid but lacks the scope for this endpoint. |
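The refresh-before-expiry behaviour and the 401/403 handling described on this page, as an added example (not Mono's code). The token-exchange contract is not documented here, so the exchange is an injected hypothetical `fetch_token` callable assumed to return the RFC 6749 fields `access_token` and `expires_in`; `TokenCache`, `call_api`, the 30-second skew and all demo values are assumptions.

```python
import time

class TokenCache:
    """Holds one access token and refreshes it shortly before it expires."""

    def __init__(self, fetch_token, skew_seconds=30, clock=time.monotonic):
        self._fetch_token = fetch_token  # hypothetical: performs the token exchange
        self._skew = skew_seconds        # assumed safety margin, not a Bre-B value
        self._clock = clock
        self._token, self._expires_at = None, 0.0

    def get(self):
        # Refresh when nothing is cached or expiry is inside the skew window.
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            body = self._fetch_token()   # assumed RFC 6749 response fields
            self._token = body["access_token"]
            self._expires_at = self._clock() + float(body["expires_in"])
        return self._token

    def invalidate(self):
        self._token = None

def call_api(cache, send):
    """send(headers) -> (status, body). Refresh and retry once on 401 only."""
    status, body = send({"Authorization": f"Bearer {cache.get()}"})
    if status == 401:                    # missing, expired or revoked token
        cache.invalidate()
        status, body = send({"Authorization": f"Bearer {cache.get()}"})
    return status, body                  # 403 is a scope problem: no retry

def demo():
    """Constructed scenario: fake clock, fake token issuer, fake API."""
    now, issued, revoked = [0.0], [], {"tok-2"}

    def fetch_token():
        issued.append(f"tok-{len(issued) + 1}")
        return {"access_token": issued[-1], "expires_in": 300}

    def send(headers):
        token = headers["Authorization"].split(" ", 1)[1]
        return (401, None) if token in revoked else (200, token)

    cache = TokenCache(fetch_token, clock=lambda: now[0])
    first = cache.get()                  # issued at t=0, expires at t=300
    now[0] = 269.0
    cached = cache.get()                 # still outside the 30 s window
    now[0] = 270.0
    refreshed = cache.get()              # inside the window: new token
    status, used = call_api(cache, send) # tok-2 is revoked: one retry
    return first, cached, refreshed, status, used, len(issued)
```

Retrying only once on 401 keeps a revoked or rotated client secret from turning into a loop of token requests, and the token value is never written to logs or exceptions.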
Rotating credentials
Tokens expire automatically; rotation in the operational sense means rotating the client secret used to obtain them. Rotate the client secret at least every 90 days and immediately after any suspected exposure.