Authentication and access
To use the GraphQL endpoint, you need an access token for all API requests:
To get an access token and verify your authentication, follow the steps in Authenticate in GraphQL to get an access token.
To use the access token, see the example in Make a GraphQL request using the access token.
The GraphQL API takes into account the permissions of the user. If you need to restrict access to the client data via GraphQL API, see Apply limited visibility in GraphQL.
Notice
If you get a CORS (Cross-Origin Resource Sharing) error when using FA APIs, contact FA and tell us the domain from which you are making the request. FA will then add your domain to the valid web origins list of your FA environment.
Authenticate in GraphQL to get an access token
Before sending requests, you need to authenticate in FA via the OpenID Connect protocol with your username and password to receive an access token. Then, send the access token in the Authorization header of all GraphQL API requests. The access token is short-lived, so do not cache it indefinitely: once it expires, request a new one (or use the refresh token returned with it).
Use the following command to verify your GraphQL authentication:
curl -d "client_id=external-api" -d "username=<username>" -d "password=<password>" -d "grant_type=password" "https://<instance>.fasolutions.com/auth/realms/fa/protocol/openid-connect/token"
Notice
For system-to-system integration, you should use your technical user to authenticate.
Use the following values in the request parameters:
Parameter | Value | Description
client_id | external-api | 'external-api' is the default public client ID from FA.
username | <username> | Your username.
password | <password> | Your password.
<instance> | <instance> | FA platform environment used by your organization.
You will get a JSON response that contains an access token if the authentication is successful. By default, the access token is valid for 1 minute (expires_in is given in seconds); the refresh token in the same response is valid for 30 minutes (refresh_expires_in). Treat both tokens as secrets: do not write them to logs or store them in the browser's local storage.
{ "access_token":"eyJhbGciOiJSUzI1NiIs...", "expires_in":60, "refresh_expires_in":1800, "refresh_token":"eyJhbGciOiJIUzI1NiIsI...", "token_type":"bearer", "not-before-policy":0, "session_state":"270c5fdb...", "scope":"email profile" }
Make a GraphQL request using the access token
You can use your access token, for example, with a GraphQL API call to fetch a portfolio name:
Choose a portfolio in FA Back that you want to fetch through GraphQL API and note down its ID. You can find the ID in the last part of the portfolio URL, for example:
https://<instance>.fasolutions.com/app/main/Overview/Overview/portfolio-<portfolio_ID>
Query the portfolio using cURL. Apply the previously fetched parameters to the following query:
curl -X POST -i -H "Content-Type: application/json" --header "Authorization: bearer <access_token>" -d "{\"query\": \"{ portfolio(id:<portfolio_ID>) { name } }\"}" "https://<instance>.fasolutions.com/graphql"
You will get the portfolio name in the response, for example:
{ "data": { "portfolio": { "name": "Investment portfolio" } } }
Apply limited visibility in GraphQL
If you need to limit access to the client and portfolio data, follow the steps:
Set up the limited visibility feature for the user in FA Back. For instructions, see Set up limited visibility for one user and Set up limited visibility for many users in FA Admin Guide.
Authenticate the user's GraphQL requests with that user's own credentials, not with the technical user's: visibility is enforced per authenticated user, so a token issued to an unrestricted user bypasses the restriction.
Verify the user's access restriction by requesting all active contacts. The response should contain only the contacts the user has access to:
curl -X POST -i -H "Content-Type: application/json" --header "Authorization: bearer <access_token>" -d "{\"query\": \"{ contacts(status:\\\"A\\\") { name } }\"}" "https://<instance>.fasolutions.com/graphql"
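The authentication, request and limited-visibility steps above, as an added example (not FA's own code). It wraps the same token endpoint and /graphql endpoint shown on this page, caches the access token, renews it shortly before the 60-second expiry, and exposes a helper that lists the active contacts the authenticated user can see. The refresh_token grant, the REFRESH_MARGIN value and the FakeFa class (an offline stand-in for the FA endpoints so the example runs without network access) are assumptions and constructed test doubles, not documented FA behaviour.

```python
"""Token-caching FA GraphQL client. Added example; not FA's own code.
Uses only what this page shows (Keycloak-style token endpoint, the external-api
public client, /graphql). The refresh_token grant, REFRESH_MARGIN and the FakeFa
transport are assumptions / constructed test doubles."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/auth/realms/fa/protocol/openid-connect/token"
GRAPHQL_PATH = "/graphql"
CLIENT_ID = "external-api"  # FA's default public client ID (from the page)
REFRESH_MARGIN = 10         # renew when fewer seconds than this remain (assumption)

def http_post(url, headers, body):
    """Real transport: returns (HTTP status, decoded JSON). Needs network access."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read().decode() or "{}")

class FaGraphQLClient:
    """Keeps the bearer token fresh so callers never send an expired one."""

    def __init__(self, instance, username, password, post=http_post, clock=time.monotonic):
        self.base = f"https://{instance}.fasolutions.com"
        self.username, self.password = username, password
        self.post, self.clock = post, clock  # injectable for offline testing
        self.access_token = self.refresh_token = None
        self.expires_at = self.refresh_expires_at = 0.0

    def _token_request(self, fields):
        body = urllib.parse.urlencode({"client_id": CLIENT_ID, **fields}).encode()
        status, data = self.post(self.base + TOKEN_PATH,
                                 {"Content-Type": "application/x-www-form-urlencoded"}, body)
        if status != 200 or "access_token" not in data:
            # Report the status only; never log the credentials or the raw response.
            raise RuntimeError(f"token request failed: HTTP {status} {data.get('error')}")
        now = self.clock()
        self.access_token = data["access_token"]
        self.refresh_token = data.get("refresh_token")
        self.expires_at = now + data["expires_in"]  # 60 s by default
        self.refresh_expires_at = now + data.get("refresh_expires_in", 0)

    def login(self):
        """Resource Owner Password grant: the same call as the curl example above."""
        self._token_request({"grant_type": "password",
                             "username": self.username, "password": self.password})

    def token(self):
        """Return an access token with at least REFRESH_MARGIN seconds of life left."""
        now = self.clock()
        if self.access_token and now < self.expires_at - REFRESH_MARGIN:
            return self.access_token
        if self.refresh_token and now < self.refresh_expires_at - REFRESH_MARGIN:
            # Assumption: the endpoint supports the standard OAuth 2.0 refresh_token grant.
            self._token_request({"grant_type": "refresh_token",
                                 "refresh_token": self.refresh_token})
        else:
            self.login()  # refresh token expired too: full re-authentication
        return self.access_token

    def query(self, gql):
        """POST a GraphQL document; raises on HTTP or GraphQL-level errors."""
        body = json.dumps({"query": gql}).encode()
        status, data = self.post(self.base + GRAPHQL_PATH,
                                 {"Content-Type": "application/json",
                                  "Authorization": "bearer " + self.token()}, body)
        if status != 200 or data.get("errors"):
            raise RuntimeError(f"GraphQL request failed: HTTP {status} {data.get('errors')}")
        return data["data"]

def active_contact_names(client):
    """Limited-visibility check: the active contacts this user is allowed to see."""
    return sorted(c["name"] for c in client.query('{ contacts(status:"A") { name } }')["contacts"])

class FakeFa:
    """Constructed offline stand-in for the token and GraphQL endpoints (not FA)."""

    def __init__(self, visible_contacts, password="correct horse"):
        self.visible, self.password = visible_contacts, password
        self.issued = self.logins = self.refreshes = 0

    def post(self, url, headers, body):
        if url.endswith(TOKEN_PATH):
            f = {k: v[0] for k, v in urllib.parse.parse_qs(body.decode()).items()}
            if f.get("grant_type") == "password" and f.get("password") == self.password:
                self.logins += 1
            elif (f.get("grant_type") == "refresh_token"
                  and f.get("refresh_token") == f"refresh-{self.issued}"):
                self.refreshes += 1
            else:
                return 401, {"error": "invalid_grant"}
            self.issued += 1  # every grant rotates both tokens
            return 200, {"access_token": f"access-{self.issued}", "expires_in": 60,
                         "refresh_token": f"refresh-{self.issued}", "refresh_expires_in": 1800}
        if headers.get("Authorization") != f"bearer access-{self.issued}":
            return 401, {"errors": [{"message": "expired or invalid token"}]}
        if "contacts" in json.loads(body)["query"]:  # only what limited visibility exposes
            return 200, {"data": {"contacts": [{"name": n} for n in self.visible]}}
        return 200, {"data": {"portfolio": {"name": "Investment portfolio"}}}
```

Against a real environment, construct the client with the default transport (`FaGraphQLClient("<instance>", "<username>", "<password>")`) and call `query(...)`; the first call logs in, later calls reuse the cached token and only renew it when it is about to expire. To verify limited visibility, build the client with the restricted user's credentials and compare `active_contact_names(client)` with the contacts that user is entitled to see.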