How do I get credentials for the app?
No credentials will be provided in this public program. Please use your own credentials, but note that no refunds will be issued for transactions made while testing the Monzo assets.
I found an OAuth secret! Is it meant to be exposed?
We get a lot of submissions for "exposed" OAuth 2.0 client secrets. At Monzo, the majority of our APIs require the caller to present an access token. To achieve this we use public OAuth 2.0 credentials which grant limited access to resources (scopes).
To understand this pattern, have a look at the excellent page by Auth0 at https://auth0.com/docs/get-started/applications/confidential-and-public-applications.
We've tried to include as many public client IDs as possible in the out-of-scope section (which you should always check first!), but there is a way to check whether a client is confidential or public yourself.
The request and response below show how. They use the public credentials that the Monzo Me (https://monzo.me) app will return (from /oauth2/token).
GET /oauth2/clients/oauthclient_000094PvINDGzT3k6tz8jp HTTP/2
Host: internal-api.monzo.com
--snipped--
__auth_v2: true
Authorization: Bearer eyJhbGciO[REDACTED]SecMtg
--snipped--
HTTP/2 200 OK
--snipped--
{
"id": "oauthclient_000094PvINDGzT3k6tz8jp",
"name": "Monzo Developer Portal",
"description": "https://developers.monzo.com",
--snipped--
"confidential": false,
--snipped--
}
In the response is the property confidential. If it's false, the client is a public one and the secret is meant to be exposed. If it's true, and you have the secret, we'd like to know about it to see why that's the case!
Note the published property controls who the client can authenticate; it doesn't mean it's public/exposed.
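As an added example (not Monzo's own tooling), the check above written as a small triage helper: it performs the same GET /oauth2/clients/{id} request with your own bearer token, and classifies the returned record on the confidential flag alone, treating published as a separate attribute. The response body used for the offline demonstration is constructed from the snippet above and the value of published in it is assumed.

```python
import json
import urllib.request

# Host and path taken from the request shown above; the bearer token must
# be one obtained with your own credentials.
CLIENTS_URL = "https://internal-api.monzo.com/oauth2/clients/"


def classify_client(client: dict) -> str:
    """Return a triage verdict for one OAuth client record.

    Only `confidential` decides whether a leaked secret is a finding;
    `published` merely controls who may authenticate with the client.
    """
    if "confidential" not in client:
        return "unknown: response has no 'confidential' property"
    if client["confidential"] is True:
        return "confidential: an exposed secret is a finding, report it"
    # Public client: the secret is designed to ship inside end-user apps.
    note = "published" if client.get("published") else "unpublished"
    return f"public ({note}): secret is expected to be exposed, not a finding"


def fetch_client(client_id: str, bearer_token: str) -> dict:
    """Fetch a client record with the headers the page shows (network call)."""
    req = urllib.request.Request(
        CLIENTS_URL + client_id,
        headers={"__auth_v2": "true",
                 "Authorization": f"Bearer {bearer_token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample based on the response above; snipped fields are
# omitted and the `published` value is assumed, not captured from the API.
SAMPLE_RESPONSE = json.loads("""{
  "id": "oauthclient_000094PvINDGzT3k6tz8jp",
  "name": "Monzo Developer Portal",
  "description": "https://developers.monzo.com",
  "confidential": false,
  "published": true
}""")

if __name__ == "__main__":
    print(classify_client(SAMPLE_RESPONSE))
```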