Using Access Manager

This guide walks you through how to use the Access Manager plugin in your application. It covers setup, configuration, and how the Auth and Identity plugins work together to handle authentication and identity management.


Typical Usage


Access Manager is built to make authentication straightforward — whether you’re managing real people or system-to-system integrations. Here’s how it typically fits into your workflow.

Human Access

When you’re creating the credentials for a person, you’ll usually follow these steps:

Step 1 - Check the group permissions

First, figure out what roles or permissions you want the person to have. To do so, you can list all groups available using the List Groups endpoint.


Step 2 - Create the user

Once you’ve got the right groups in mind, it’s time to create the user. To do so, use the Create a User endpoint.

  • Add them to the correct groups during creation so they get the permissions they need from day one.

Managing Users

The following endpoints are also available for you to manage the users and their access:


Step 3 - Request a token using password

The user can now authenticate using their credentials. To do so, use the Request an Access Token endpoint with password as the grantType. This will return an access token they can use to access your protected APIs.


M2M Access

For system-to-system (machine-to-machine) scenarios, the flow is a little different — but just as simple.

Step 1 - Create an application

Each system or service that needs to authenticate should have its own application. To do so, use the Create an Application endpoint.

Managing Applications

The following endpoints are also available for you to manage the applications:

  • List Applications - List all applications with M2M credentials generated by the client, based on the configurations defined during the identity provider setup.
  • Retrieve an Application - Retrieves detailed information about an Application.
  • Delete an Application - Remove an application and its associated credentials from the system.

Step 2 - Request a token using client credentials

Once your application is set up, it can authenticate itself without a user. To do so, use the Request an Access Token endpoint with client_credentials as the grantType. This returns a token the system can use to call APIs securely.


Ending User Session

If you need to end a user's session and revoke their active tokens, ensuring a complete logout from the application, use the End User Session endpoint.


Best Practices for Access Manager


Access Manager is powerful — it handles identity, authorization, and credentials at the heart of your Midaz stack. That power comes with responsibility. Here’s how to use it securely and efficiently.

Credentials

Create credentials on both ends

If two plugins need to talk to each other, both must have the necessary M2M credentials created. Don’t assume symmetry — define explicitly on both sides.

Lock down the physical environment

Access Manager stores credentials locally. That means anyone with access to the hardware could potentially extract them. Make sure the physical or virtual machine hosting the plugin is tightly secured — this is your first line of defense.

Avoid exposing endpoints that retrieve the credentials

Admins in Access Manager (via Identity) can retrieve credentials — which is exactly why these endpoints should not be integrated into any back-office system. Keep sensitive operations isolated to reduce the chance of accidental exposure.


Security Recommendations

Use Application-to-Application flows for sensitive endpoints

For access to critical components like the Ledger, we recommend interacting through Applications. This gives you full control over each individual credential: if one leaks, you can revoke or delete that Application without bringing down your entire system.

Manual actions? Use user-based credentials

When a human needs to act (for debugging, operations, etc.), create user credentials with the password grant — not client_credentials. That way, if access needs to be revoked, you can easily block the user and force logout using the End User Session endpoint.
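The two flows from Typical Usage (password grant for people, client_credentials for applications) and the revocation choices made in these Security Recommendations, as an added example in Python. This is a constructed in-memory model, not the plugin's own code or API: the endpoint names map onto methods, the secret hashing, opaque tokens and group names are assumptions, and the walkthrough data is made up. It exists to show why deleting an Application cuts exactly one credential while leaving everything else running, and why a person's access is handled by ending their session and blocking the user.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


def hash_secret(secret: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC: an assumption standing in for however the real plugin stores secrets.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Principal:
    kind: str              # "user" (password grant) or "application" (client_credentials)
    salt: bytes
    secret_hash: bytes
    groups: frozenset      # group names attached at creation (human flow step 2)
    blocked: bool = False


@dataclass
class AccessManagerModel:
    groups: dict = field(default_factory=dict)      # group name -> set of permissions
    principals: dict = field(default_factory=dict)  # identifier -> Principal
    tokens: dict = field(default_factory=dict)      # opaque access token -> identifier

    def list_groups(self):  # human flow step 1: which groups, and so which permissions, exist
        return {name: set(perms) for name, perms in self.groups.items()}

    def create_user(self, username, password, groups):  # human flow step 2
        self._create("user", username, password, groups)

    def create_application(self, client_id, groups):  # M2M flow step 1; secret shown once
        client_secret = secrets.token_urlsafe(32)
        self._create("application", client_id, client_secret, groups)
        return client_secret

    def _create(self, kind, ident, secret, groups):
        unknown = set(groups) - set(self.groups)
        if unknown:
            raise ValueError(f"unknown groups: {sorted(unknown)}")
        salt = os.urandom(16)
        self.principals[ident] = Principal(kind, salt, hash_secret(secret, salt), frozenset(groups))

    def request_token(self, grant_type, ident, secret):
        # Request an Access Token: the grantType decides which kind of principal may use it.
        kind = {"password": "user", "client_credentials": "application"}.get(grant_type)
        if kind is None:
            raise ValueError(f"unsupported grantType {grant_type!r}")
        p = self.principals.get(ident)
        if p is None or p.kind != kind or p.blocked:
            return None  # one uniform failure for unknown, wrong-kind and blocked principals
        if not hmac.compare_digest(hash_secret(secret, p.salt), p.secret_hash):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = ident
        return token

    def permissions(self, token):
        # What a bearer of this token may do right now; empty once revoked or blocked.
        ident = self.tokens.get(token)
        if ident is None or self.principals[ident].blocked:
            return frozenset()
        return frozenset(perm for g in self.principals[ident].groups for perm in self.groups[g])

    def end_user_session(self, username):
        # End User Session: revoke every active token of one user; returns how many went.
        revoked = [t for t, who in self.tokens.items() if who == username]
        for t in revoked:
            del self.tokens[t]
        return len(revoked)

    def block_user(self, username):  # stop new password-grant logins for one person
        self.principals[username].blocked = True

    def delete_application(self, client_id):
        # Delete an Application: its credential and tokens go; nothing else is touched.
        if self.principals[client_id].kind != "application":
            raise ValueError(f"{client_id!r} is not an application")
        del self.principals[client_id]
        for t in [t for t, who in self.tokens.items() if who == client_id]:
            del self.tokens[t]


def walkthrough():
    am = AccessManagerModel(groups={"ledger-readers": {"ledger:read"},
                                    "operators": {"ledger:read", "ledger:write"}})
    am.create_user("alice", "correct horse battery staple", ["operators"])
    secret = am.create_application("reporting-svc", ["ledger-readers"])
    user_tok = am.request_token("password", "alice", "correct horse battery staple")
    app_tok = am.request_token("client_credentials", "reporting-svc", secret)
    cross = am.request_token("client_credentials", "alice", "correct horse battery staple")
    before = (am.permissions(user_tok), am.permissions(app_tok))
    am.delete_application("reporting-svc")  # leaked application secret: cut only that one
    after_delete = (am.permissions(user_tok), am.permissions(app_tok))
    revoked = am.end_user_session("alice")  # manual operator: force logout, then block
    am.block_user("alice")
    relogin = am.request_token("password", "alice", "correct horse battery staple")
    return {"groups": sorted(am.list_groups()), "cross_grant": cross, "before": before,
            "after_delete": after_delete, "revoked": revoked, "relogin": relogin,
            "after_logout": am.permissions(user_tok)}
```

Calling walkthrough() exercises the whole sequence: the user's credentials are refused by the client_credentials grant (cross_grant is None), deleting the application empties only the application's permissions while the person keeps working, and End User Session followed by a block both revokes the existing token and stops a new password-grant login. The uniform None on unknown, wrong-kind and blocked principals is deliberate, so that the token endpoint does not reveal which identifiers exist.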