An access_token generated via the OAuth 2.0 Password grant type is required for any component that creates or uses data specific to an end user (e.g. the Card Issuance Component). To properly authenticate the end user, you will need to create a username for them in our Admin service, and then use one of the following options for the password:
Store the password for the Nucleus Client in our Admin service. This is a good option if you don't already have an existing userbase on your app. You can POST the plain text password to the Admin service (it will be salted and hashed with BCrypt and stored by Hydrogen), and then update it when the user changes it on your app.
Use our Custom Client Token Auth. This is the recommended option when you have an existing userbase. You will create a public-private key pair, and then upload the public key to the "API Keys and Whitelists" page on your Hydrogen portal. Once you authenticate the user on your site using your own auth mechanism, you can then sign the request with your key and submit only the username. The result will be the same JWT generated from our OAuth Password grant, and it can be used to securely access only that user's data.
Create a separate Hydrogen password and store it in your application. This method is NOT RECOMMENDED. You will need to be able to retrieve this password in plain text, so that it can be submitted to our service. If you need to use this option, we recommend encrypting the passwords with AES-128 or AES-256 under a strong private key, and using a key vault such as AWS or Azure for storage. When the user is authenticated to your app, you can decrypt the password and then pass it to our OAuth 2.0 service to authenticate the user in Hydrogen.
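
For the separate-password option above, the following added example (not Hydrogen's code) shows one way to encrypt the stored password with AES-256 so it can be decrypted just before the OAuth 2.0 call. It assumes GCM as the AES mode and that the key lives in your key vault; the function names, the record layout and the random stand-in key are hypothetical.

```javascript
// Added example: AES-256-GCM protection for a separately stored Hydrogen password.
const crypto = require('node:crypto');

// Assumption: in production this 32-byte key is fetched from your key vault at
// runtime and never stored beside the ciphertext. A random key stands in here.
const vaultKey = crypto.randomBytes(32);

// Encrypt one user's password. The username is bound in as associated data,
// so a ciphertext copied onto another user's record fails to decrypt.
function sealPassword(key, username, password) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(username, 'utf8'));
  const ct = Buffer.concat([cipher.update(password, 'utf8'), cipher.final()]);
  // Stored record layout (constructed for this example): iv | tag | ciphertext
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypt just before calling the OAuth 2.0 password grant. Returns null when
// the record is truncated, tampered with, or belongs to a different username.
function openPassword(key, username, record) {
  const raw = Buffer.from(record, 'base64');
  if (raw.length < 28) return null; // 12-byte iv + 16-byte tag is the minimum
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  decipher.setAAD(Buffer.from(username, 'utf8'));
  try {
    const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return pt.toString('utf8');
  } catch (err) {
    return null; // authentication failed: discard the output
  }
}

// Constructed sample data: the round trip succeeds only for the owning username.
const record = sealPassword(vaultKey, 'alice@example.com', 'S3parate-Hydrogen-pw');
console.log(openPassword(vaultKey, 'alice@example.com', record));
console.log(openPassword(vaultKey, 'mallory@example.com', record));
```

Treat a null result as a failed login rather than retrying with other records, and keep the decrypted password in memory only for the duration of the token request.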