An access_token generated via the OAuth 2.0 Password grant type or Custom Client Token will be required for any components that create, or use, data specific to an end user (e.g. the Card Transactions or Card Balance Components). To properly authenticate the end user, you will need to create them as a username in our Admin service, and then use one of the following options for the password:
Use the OAuth Password Grant and store the password for the Nucleus Client in our Admin service. This is a good option if you don't already have an existing user base on your app. You can POST the plain text passwords to the admin (this password will be salted and hashed with BCrypt and stored by Hydrogen), and then update it when the user changes it on your app.
Use the Custom Client Token Auth and store the password for the client in your own KMS. This is the recommended option when you have an existing user base. You will create a public-private key pair, and then upload the public key to the "API Keys and Whitelists" page on your Hydrogen portal, as shown below. Once you authenticate the user on your site using your own auth mechanism, you can then sign the request with your key and submit only the username. The result will be the same JWT generated from our OAuth Password grant, and can be used to securely access only the user's data.
Use the OAuth Password Grant and create a separate Hydrogen password and store it in your application. This method is NOT RECOMMENDED. You will need to be able to retrieve this data in plain text, so it can be submitted to our service. If you need to use this option, we recommend encrypting the passwords with AES-128 or AES-256 encryption, a strong private key, and storing in a key vault such as AWS or Azure, for storage. When the user is authenticated to your app, you can decrypt the password, and then pass it to our OAuth 2.0 service, to authenticate it in Hydrogen.
Integrating with SSO Services
If your app supports Single Sign On (SSO) for users of Google, Twitter, Apple, Linkedin etc. you can use options #2 or #3 above but not #1, since you will not be storing the user's password.