An access_token generated via the OAuth 2.0 Password grant type is required for any component that creates or uses data specific to an end user (e.g. the Card Transactions or Card Balance components). To authenticate the end user, you must first create that user (by username) in our Admin service, and then choose one of the following options for the password:
1. Store the password for the Nucleus Client in our Admin service. This is a good option if you don't already have an existing user base on your app. POST the user's plain-text password to the Admin service (Hydrogen salts and hashes it with BCrypt before storing it), and update it whenever the user changes it on your app.
2. Use our Custom Client Token Auth. This is the recommended option when you have an existing user base. Create a public-private key pair and upload the public key on the "API Keys and Whitelists" page of your Hydrogen portal, as shown below. Once you have authenticated the user on your site with your own auth mechanism, sign the request with your private key and submit only the username. The result is the same JWT that the OAuth Password grant produces, and it can be used to access only that user's data.
3. Create a separate Hydrogen password and store it in your application. This method is NOT RECOMMENDED, because you must be able to recover the password in plain text in order to submit it to our service. If you must use this option, encrypt the passwords with AES-128 or AES-256 under a strong key, and keep that key in a key vault such as the ones offered by AWS or Azure. When the user has authenticated to your app, decrypt the password and pass it to our OAuth 2.0 service to authenticate the user with Hydrogen.
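The following is an added example, not Hydrogen's own code, of the signing step in option 2 together with the check the receiving side would perform with the uploaded public key. Hydrogen's actual key type and request format are not documented above, so the Ed25519 key pair, the "username|unix-timestamp" message layout, and the replay window are assumptions of this example.

```go
package main

// Added example (not Hydrogen's code). Assumed: Ed25519 keys, a signed message
// of the form "username|unix-timestamp", and a receiver-side freshness window.

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// SignedRequest is what the app submits once it has authenticated the user
// itself: the username, a timestamp that bounds replay, and a signature over
// both. No password leaves the app.
type SignedRequest struct {
	Username  string
	Timestamp int64
	Signature string // base64 Ed25519 signature over canonical(Username, Timestamp)
}

// canonical fixes the exact bytes that are signed so both sides agree on them.
func canonical(username string, ts int64) []byte {
	return []byte(username + "|" + strconv.FormatInt(ts, 10))
}

// SignUsernameRequest signs with the private half of the key pair. The private
// key stays in the app's key store; only the public half is uploaded.
func SignUsernameRequest(priv ed25519.PrivateKey, username string, now time.Time) SignedRequest {
	ts := now.Unix()
	sig := ed25519.Sign(priv, canonical(username, ts))
	return SignedRequest{
		Username:  username,
		Timestamp: ts,
		Signature: base64.StdEncoding.EncodeToString(sig),
	}
}

// VerifyUsernameRequest is the receiver's check: the signature must verify
// under the uploaded public key, and the timestamp must lie within maxSkew of
// the receiver's clock so a captured request cannot be replayed indefinitely.
func VerifyUsernameRequest(pub ed25519.PublicKey, req SignedRequest, now time.Time, maxSkew time.Duration) error {
	sig, err := base64.StdEncoding.DecodeString(req.Signature)
	if err != nil {
		return fmt.Errorf("signature is not valid base64: %w", err)
	}
	if !ed25519.Verify(pub, canonical(req.Username, req.Timestamp), sig) {
		return errors.New("signature does not verify under the uploaded public key")
	}
	age := now.Sub(time.Unix(req.Timestamp, 0))
	if age > maxSkew || age < -maxSkew {
		return errors.New("timestamp outside the accepted window; treated as a replay")
	}
	return nil
}

func main() {
	// Key pair generated here for the demo only; in practice generate it once,
	// keep the private key in a key store and upload the public key to the portal.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	req := SignUsernameRequest(priv, "alice@example.com", now) // constructed sample user
	fmt.Println("valid request:", VerifyUsernameRequest(pub, req, now, 5*time.Minute))

	// A request whose username was altered in transit fails the signature check.
	tampered := req
	tampered.Username = "bob@example.com"
	fmt.Println("tampered request:", VerifyUsernameRequest(pub, tampered, now, 5*time.Minute))

	// A captured request replayed an hour later fails the freshness window.
	fmt.Println("stale request:", VerifyUsernameRequest(pub, req, now.Add(time.Hour), 5*time.Minute))
}
```

Binding a timestamp into the signed bytes is what turns "sign the request" into something safer than a bare signed username: without it, any captured request would remain valid for as long as the key pair does.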
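As an added example for option 3 (not Hydrogen's code), this keeps the separate Hydrogen password encrypted at rest with AES-256-GCM and decrypts it only at the moment it is handed to the OAuth 2.0 service. The KeyVault interface and its in-memory implementation are stand-ins for a real key management service such as those of AWS or Azure, and the record layout "keyID:base64(nonce||ciphertext)" is an assumption of this example.

```go
package main

// Added example (not Hydrogen's code). Assumed: a KeyVault abstraction standing
// in for AWS/Azure key management, and a "keyID:base64(nonce||ciphertext)" record.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// KeyVault returns a data key by id. The app never stores the key beside the
// ciphertext; it fetches it from the vault at runtime.
type KeyVault interface {
	DataKey(id string) ([]byte, error)
}

// memVault is an in-memory stand-in for the vault, for this demo only.
type memVault map[string][]byte

func (m memVault) DataKey(id string) ([]byte, error) {
	k, ok := m[id]
	if !ok {
		return nil, errors.New("vault: unknown key id " + id)
	}
	return k, nil
}

// gcmFor fetches the key and builds an AES-256-GCM AEAD for it.
func gcmFor(v KeyVault, keyID string) (cipher.AEAD, error) {
	key, err := v.DataKey(keyID)
	if err != nil {
		return nil, err
	}
	if len(key) != 32 {
		return nil, errors.New("data key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptStoredPassword seals the password under the named key with a fresh
// random nonce. The key id is bound as associated data, so a record cannot be
// re-pointed at a different key without failing the tag check.
func EncryptStoredPassword(v KeyVault, keyID, password string) (string, error) {
	gcm, err := gcmFor(v, keyID)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(password), []byte(keyID))
	return keyID + ":" + base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptStoredPassword reverses EncryptStoredPassword. Any modification of
// the record makes GCM's authentication fail rather than yield a wrong password.
func DecryptStoredPassword(v KeyVault, record string) (string, error) {
	keyID, b64, ok := strings.Cut(record, ":")
	if !ok {
		return "", errors.New("malformed record")
	}
	sealed, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	gcm, err := gcmFor(v, keyID)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, []byte(keyID))
	if err != nil {
		return "", fmt.Errorf("decrypt: %w", err)
	}
	return string(plain), nil
}

func main() {
	key := make([]byte, 32) // demo key; a real deployment creates it inside the vault
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	vault := memVault{"hydrogen-pw-key-v1": key}
	record, err := EncryptStoredPassword(vault, "hydrogen-pw-key-v1", "constructed-sample-password")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", record)
	pw, err := DecryptStoredPassword(vault, record)
	fmt.Println("recovered:", pw, err) // hand pw to the OAuth password grant, then discard it
}
```

Decrypt as late as possible and keep the plaintext only for the duration of the OAuth call; the record in your database, and any backup of it, is useless without the vault-held key.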
Integrating with SSO Services
If your app supports Single Sign On (SSO) for users of Google, Twitter, Apple, LinkedIn, etc., you can use option #2 or #3 above but not #1, since you will not be storing the user's password.