Skip to main content

SSO

SSO APIs are exposed as a transparent passthrough to the MX SSO APIs via the Candescent APIs Gateway. After OAuth V2 token validation and routing, the gateway forwards request headers, paths, query parameters, and payloads to MX and returns responses unchanged.

The MX SSO APIs are a RESTful interface for authenticating users on the MX platform. They provide endpoints to obtain widget URLs (for Personal Finance Management and Financial Insights experiences) and an api_token for initiating a Nexus API session.

For complete schemas and the full set of supported operations, see the MX SSO APIs documentation.

End-user benefits

  • Launch MX widgets (for example, Mini Budgets and other PFM experiences) within a webview or iframe without exposing long-lived MX credentials.
  • Authenticate users on the MX platform using SSO-based sessions and short-lived redirect URLs.
  • Access Financial Insights and MoneyMap-style experiences through a consistent single sign-on authentication process.

Integration capabilities

  • Transparent passthrough ensures that SSO headers, paths, query parameters, and payloads are forwarded to MX, and that HTTP status codes and responses are returned unchanged.
  • Gateway controls are applied by Candescent, including OAuth V2 Bearer token validation, spike arrest, and quota enforcement, before requests are forwarded to MX.
  • MX routing is configured by setting ext_host to the MX SSO host such as sso.moneydesktop.com (production) or int-sso.moneydesktop.com (sandbox).
  • Content negotiation is supported through MX vendor-specific Accept headers, such as application/vnd.moneydesktop.sso.v3+xml or application/vnd.moneydesktop.sso.v3+json and include institution-scoped path segments as documented for each endpoint.

Required headers

HeaderDescription
AuthorizationBearer {token} (OAuth V2)
correlationIdUUID used to trace and correlate requests across services for debugging and logging.
ext_hostMX SSO upstream host (for example, sso.moneydesktop.com (production) or int-sso.moneydesktop.com (sandbox)). Required for gateway routing; stripped before forwarding to MX.
AcceptMX vendor media type (for example, application/vnd.moneydesktop.sso.v3+xml or application/vnd.moneydesktop.sso.v3+json). Required by MX; forwarded unchanged.
Content-TypeMX vendor media type (for example, application/vnd.moneydesktop.sso.v3+xml or application/vnd.moneydesktop.sso.v3+json). Required by MX for POST request; forwarded unchanged.

Error codes

Candescent API Gateway

CodeMessageHTTP Status Code
CMN_90000Internal server error500
CMN_90001Client not authorized to access this resource401
CMN_90001Quota limit violation500
CMN_90002Spike limit violation500
CMN_90008Header correlationId is invalid400
CMN_90010Header correlationId is required400
CMN_90010Header ext_host is required400
CMN_90011Invalid or unsupported ext_host400
CMN_90018Invalid token400

MX SSO APIs

For detailed descriptions and error semantics, refer to the MX SSO APIs documentation.

Endpoints