# Part 5: Authorized Access Model

{% hint style="warning" %}
**The Authorized Access Model is now in <mark style="color:red;">beta</mark>!**

To access it, your business must hold a 2-digit NFT and be onboarded with Fiat24 as a verified corporate client. Eligible NFTs are in the range **10** – **89**.
{% endhint %}

## Introduction

The Authorized Access Model is an enhanced integration model for <mark style="color:blue;">**platforms**</mark> such as centralised crypto exchanges (CEXs) or payment applications.

Technically, the Authorized Access Model enables two things:

* Fiat24 end users can authorise (approve) the <mark style="color:blue;">**platforms**</mark> to move their USD, EUR, CHF and RMB balances directly from their wallet address
* Fiat24 end users can authorise (approve) the <mark style="color:blue;">**platforms**</mark> to access their identity information

## Part 1: UX Integration

### Connect a Fiat24 account

The <mark style="color:blue;">**platform**</mark> can either mint a new Fiat24 NFT and then run the verification, or link the user's existing NFT.

<figure><img src="https://4057351399-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsqgWpfPyvX1NUaH2pRHp%2Fuploads%2FtsJn3IwBNtzHd4PXExSo%2Fimage.png?alt=media&#x26;token=4f6dddee-4ecb-40c9-b4b0-17480ec3190c" alt=""><figcaption></figcaption></figure>

#### Option 1: Mint a new account

The platform can mint a new NFT for its user and get it verified. The instructions are the same as illustrated in [**Part 1**](https://docs.fiat24.com/developer/part-1-smart-contracts#id-1.-mint-an-nft).

#### Option 2: Link an existing account

If the end user of the <mark style="color:blue;">**platform**</mark> has a verified Fiat24 account already, it's easy to link inside the <mark style="color:blue;">**platform**</mark>.

The <mark style="color:blue;">**platform**</mark> must store the Fiat24 NFT id together with its client profile, and should include UI components that allow users to connect their Fiat24 NFT id. This NFT id will then be sent to the Fiat24 Connect API to confirm the validity of the associated account. The following [connect](#id-1.-connect) function is used to verify whether the account is ready to link.

### Showing balances

<div align="left"><figure><img src="https://4057351399-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsqgWpfPyvX1NUaH2pRHp%2Fuploads%2Fh8ytZXpY9WQ3eK7UfLk4%2Fimage.png?alt=media&#x26;token=cb878e61-4f56-40aa-8eb5-eb17c233a3c0" alt=""><figcaption></figcaption></figure></div>

The <mark style="color:blue;">**platform**</mark> can retrieve the following information from Fiat24 and display it across different UI components.

#### Account Balances

* Showing the NFT id from <mark style="color:blue;">**platform**</mark>'s database
* Showing the Avatar from `api.fiat24.com/avatar?nftId=[nftId]`
* Showing the client profile and masked card info from API `api.fiat24.com/br`
* Showing the USD, EUR, CHF and CNH balance from ERC20 contracts

#### Transaction History

* Showing the transactions from a specific currency from `api.fiat24.com/transaction`

#### Account Info

* Showing the Swiss IBAN from API `api.fiat24.com/br`

{% hint style="warning" %}
All API data retrieved is **read-only**.

The following **write** actions must still be performed directly on [id.fiat24.com](https://id.fiat24.com):

* Updating the email address
* Completing compliance (KYC) actions
* Viewing sensitive Mastercard details (e.g., full card number, expiry date, CVV)
* Blocking/unblocking the Mastercard or managing card limits
* Managing authorizations to other systems
{% endhint %}

### Cash Deposit

Each cash (fiat) deposit from the end-user's Fiat24 account to the <mark style="color:blue;">**platform**</mark> account is a P2P transfer. It's free and real-time.

```javascript
// Transfer 256.00 USD from client #123456 to platform #80
usd24.transferFrom(123456, 80, 25600);

// Transfer 1000.00 EUR from client #123456 to platform #80
eur24.transferFrom(123456, 80, 100000);

// Transfer 155.20 CHF from client #123456 to platform #80
chf24.transferFrom(123456, 80, 15520);

// Transfer 5000.00 RMB from client #123456 to platform #80
cnh24.transferFrom(123456, 80, 500000);
```

### Cash Withdrawal

Each cash (fiat) withdrawal from the <mark style="color:blue;">**platform**</mark> account to the end-user's account is a P2P transfer. It's free and real-time.

```javascript
// Transfer 500.50 USD to client #123456
usd24.transferByAccountId(123456, 50050);

// Transfer 999.88 EUR to client #123456
eur24.transferByAccountId(123456, 99988);

// Transfer 125.60 CHF to client #123456
chf24.transferByAccountId(123456, 12560);

// Transfer 2500.15 RMB to client #123456
cnh24.transferByAccountId(123456, 250015);
```

## Part 2: API Integration

### Authentication & Access

In the section [RESTful APIs](https://docs.fiat24.com/developer/integration-guide/part-2-api-reference), we illustrated two important APIs for accessing the client profile: `/br` and `/transaction`. Both require a signature produced by the address holding the client NFT.

In this section, we introduce how the <mark style="color:blue;">**platform**</mark> can call those two APIs from the address holding the <mark style="color:blue;">**platform NFT**</mark>, as long as the client has authorised the <mark style="color:blue;">**platform**</mark> to access their identity.

Fiat24 does NOT use a standard authentication or authorization protocol. Every request must carry headers containing information signed by the NFT holder's wallet, which guarantees that only the end-user (or a platform the end-user has authorised) can access the end-user's data.

```javascript
const headers = {
    tokenid: tokenId,        // NFT (token) id of the user whose data is accessed
    network: 42161,          // chain id (Arbitrum One)
    sign: sign,              // the wallet signature over the message built below
    hash: hash,              // the original text that was hashed
    deadline: deadline,      // the deadline (unix seconds) used for signing
    "Content-Type": "application/json"
};
```

where:

```javascript
// We only allow the signature to be valid for 20 minutes max.
// Use a shorter window if you want more security.
const SIGNATURE_DEADLINE_IN_SECONDS = 1200;

async function buildAuthFields(address) {
    // Alternative to Date.now(): device clocks are sometimes out of sync and
    // would give a wrong timestamp, so take the server's time instead.
    // The response body is parsed as JSON and its "timestamp" is in milliseconds.
    const serverTimestamp = await (await fetch("https://api.fiat24.com/timestamp")).json();
    const now = serverTimestamp.timestamp;

    const deadline = Math.round(now / 1000) + SIGNATURE_DEADLINE_IN_SECONDS;

    const hash = "Hello world"; // Could be any text
    const deadlineHash = web3.utils.sha3(hash + deadline);
    const messageToSign = `I agree to access my profile. ${deadlineHash}`;

    // web3.js
    const sign = await web3.eth.personal.sign(messageToSign, address);

    // ethers (equivalent; signMessage takes the plain string, not an object)
    // const sign = await signer.signMessage(messageToSign);

    return { hash, deadline, sign };
}
```

where:

* **address** is the address of the <mark style="color:blue;">**platform**</mark>'s wallet.
* **signer.signMessage** signs the message with the <mark style="color:blue;">**platform**</mark>'s wallet, producing the signature.
* Please note that in some programming languages the SHA3 function may behave differently from `web3.utils.sha3()` (which computes Keccak-256). The SHA3 of a simple text such as **SHA3("Fiat24")** should give **0x1cf688cdaa53bf4605bfbb1ab56565651179978e63d41cf2df557d5bb5f1bd90**.

### 1. Connect

The <mark style="color:blue;">**platform**</mark> can verify whether the client exists from the following user information:

* NFT id
* Last name and first name
* Date of birth

This data, along with the provided User id (or UID) of the platform, will be sent to the **Connect API** to verify the user's Fiat24 account.

POST `api.fiat24.com/verify` with the following JSON body:

```json
{
    "nftId"     : 123456,
    "uid"       : 80526632,
    "firstName" : "James",
    "lastName"  : "Bond",
    "birthday"  : "1975-02-25"
}
```

The response code is either 200 or 401.

{% tabs %}
{% tab title="200 OK" %}
The connect API returns <mark style="color:green;">**200**</mark> response code to indicate the account information matches and the account is in normal status. It's ready to be connected.
{% endtab %}

{% tab title="401 NOK" %}
The connect API returns a <mark style="color:red;">**401**</mark> response code to indicate the account is NOT ready to be connected. Possible reasons:

* Account is closed
* Account is blocked
* Account is in the middle of a compliance investigation
{% endtab %}
{% endtabs %}

### 2. Get Client Profile

The platform can retrieve client profile when the client NFT has been authorised to it. The calling method is the same as [Part 2](https://docs.fiat24.com/developer/part-2-api-reference#id-1.-get-client-profile).

### 3. Get Transactions

The platform can retrieve client transaction details when the client NFT has been authorised to it. The calling method is the same as [Part 2](https://docs.fiat24.com/developer/part-2-api-reference#id-3.-get-transactions).
