oAuth Token

Documents

Access Token (v2-v3)

Download OpenAPI specification:Download

SEI uses OAuth 2.0, the authorization and authentication mechanism preferred in the industry. OAuth 2.0 ensures security by granting deliberate and verified permissions through API Keys. In order to be able to access API product endpoints, you must first authenticate by calling for an OAuth token.


Servers

SEI's API products have various environments available depending on your stage of integration. The server URL should correspond with the environment of your application.

Note For all Client applications, the Two-way TLS URL must be used. This is essential in order for the client server making API calls to establish a successful Two-Way SSL communication with SEI.


Access Token

An application making Investment Manager Services (IMS) API Requests from a Client/Server or Server/Server type of infrastructure will leverage the grant_type client_credentials while minting an oAuth from the Token API. The oAuth has a 60 minutes active TTL and 30 minutes inactive TTL. The OAuth obtained from client_credentials cannot be refreshed.

header Parameters
Authorization
required
string
Example: aD5hypOjp9YYMxYBEix8Rluatan7bY0w4vWLjfqOT4cHrLAFthQGEJj1W820fPL92e==

The Base64 encoded form of the AppKey:AppSecret provided during application registration.

Content-Type
required
string
Example: application/x-www-form-urlencoded

Request content type. The valid value is application/xxx-form-urlencoded.

Request Body schema: application/x-www-form-urlencoded
username
string

The Siteminder service account userid that is used to mint the OAuth Token.

password
string

The Siteminder service account password that is used to mint the OAuth Token.

grant_type
string
Enum: "client_credentials" "password" "refresh_token" "sessionToken" "invalidate_token"

OAuth 2.0 grant types available depending on the characteristics of the authorization required. client_credentials For use for a Client/Server or Server/Server application. password For use for an internal, user-defined application. refresh_token The Apigee refresh token. The OAuth obtained from client_credentials cannot be refreshed. sessionToken The IDP Siteminder session token. invalidate_token

Responses

Request samples

curl --location --request POST \
'https://test.mtls.api.seic.com/v2/oauthtoken' \
--header 'Authorization: aD5hypOjp9YYMxYBEix8Rluatan7bY0w4vWLjfqOT4cHrLAFthQGEJj1W820fPL92e==' \
--header 'Content-Type: application/x-www-form-urlencoded'
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'username=jsmith' \
--data-urlencode 'password=mypassword123!'

Response samples

Content type
application/json
{
  • "refresh_token_expires_in": "0",
  • "api_product_list": "[Investors]",
  • "api_product_list_json": [
    ],
  • "organization_name": "sei",
  • "developer.email": "jsmith@seic.com",
  • "token_type": "BearerToken",
  • "issued_at": "1529525648451",
  • "client_id": "ADsgdnnkjnfdIKJN",
  • "access_token": "QxHKdx0nk2i",
  • "application_name": "21c2fcd4-03ed-48815cf168",
  • "scope": "",
  • "expires_in": "3599",
  • "refresh_count": "0",
  • "status": "approved"
}

An application making SEI API Requests from a Client/Server or Server/Server type of infrastructure will leverage the grant_type client_credentials while minting an oAuth from the Token API. The oAuth has a 60 minutes active TTL and 30 minutes inactive TTL. The oAuth obtained from client_credentials cannot be refreshed.

header Parameters
Authorization
required
string
Example: aD5hypOjp9YYMxYBEix8Rluatan7bY0w4vWLjfqOT4cHrLAFthQGEJj1W820fPL92e==

The Base64 encoded form of the AppKey:AppSecret provided during application registration.

Content-Type
required
string
Example: application/x-www-form-urlencoded

Request content type. The valid value is application/xxx-form-urlencoded.

Request Body schema: application/x-www-form-urlencoded
username
string

The Siteminder service account userid that is used to mint the OAuth Token.

password
string

The Siteminder service account password that is used to mint the OAuth Token.

grant_type
string
Enum: "client_credentials" "password" "refresh_token" "sessionToken" "invalidate_token"

OAuth 2.0 grant types available depending on the characteristics of the authorization required. client_credentials For use for a Client/Server or Server/Server application. password For use for an internal, user-defined application. refresh_token The Apigee refresh token. The OAuth obtained from client_credentials cannot be refreshed. sessionToken The IDP Siteminder session token. invalidate_token

Responses

Request samples

curl --location --request POST \
'https://test.mtls.api.seic.com/v2/oauthtoken' \
--header 'Authorization: aD5hypOjp9YYMxYBEix8Rluatan7bY0w4vWLjfqOT4cHrLAFthQGEJj1W820fPL92e==' \
--header 'Content-Type: application/x-www-form-urlencoded'
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'username=jsmith' \
--data-urlencode 'password=mypassword123!'

Response samples

Content type
application/json
{
  • "refresh_token_expires_in": "0",
  • "api_product_list": "[Investors]",
  • "api_product_list_json": [
    ],
  • "organization_name": "sei",
  • "developer.email": "jsmith@seic.com",
  • "token_type": "BearerToken",
  • "issued_at": "1529525648451",
  • "client_id": "ADsgdnnkjnfdIKJN",
  • "access_token": "QxHKdx0nk2i",
  • "application_name": "21c2fcd4-03ed-48815cf168",
  • "scope": "",
  • "expires_in": "3599",
  • "refresh_count": "0",
  • "status": "approved"
}

Authorization Code

Authorization Code Flow with Proof Key for Code Exchange (PKCE) uses the Authorization Code grant type. And it is used by confidential and public clients to exchange an authorization code for an access token. After the user returns to the client via the redirect URL, the application will get the authorization code from the URL and use it to request an access token.

query Parameters
client_id
required
string

The App Key or Consumer Key provided during Application Registration.

response_type
required
string

The format in which Auth code is required.

redirect_uri
required
string

The url to which the code needs to be re-directed.

code_challenge
required
string

The value for code challenge encrypted in the format provided in 'code_challenge_method'.

code_challenge_method
required
string

The encoding used to convert the 'code_challenge'.

header Parameters
Content-Type
required
string

Request content type. The valid values are application/xxx-form-urlencoded.

Responses

Authorization Code Flow with Proof Key for Code Exchange (PKCE) uses the Authorization Code grant type. And it is used by confidential and public clients to exchange an authorization code for an access token. After the user returns to the client via the redirect URL, the application will get the authorization code from the URL and use it to request an access token.

query Parameters
client_id
required
string

The App Key or Consumer Key provided during Application Registration.

response_type
required
string

The format in which Auth code is required.

redirect_uri
required
string

The url to which the code needs to be re-directed.

code_challenge
required
string

The value for code challenge encrypted in the format provided in 'code_challenge_method'.

code_challenge_method
required
string

The encoding used to convert the 'code_challenge'.

header Parameters
Content-Type
required
string

Request content type. The valid values are application/xxx-form-urlencoded.

Responses