Prosper takes the security and integrity of user accounts and personal information seriously. Before your app can access Prosper member data or act on a member's behalf, it must be authorized. To ensure data integrity, our services and APIs require OAuth 2.0 authorization over SSL.
There are three OAuth 2.0 flows supported by Prosper. The OAuth flow you use to access Prosper APIs depends on the type of client you need to develop.
The flows are listed briefly here. The sections below explain which flow to use, with direct links to instructions for each flow.
- Password Flow – for personal investment clients
- Authorization Key Flow – for third party agent investment clients that act on behalf of a registered Prosper user
- Client Flow – for trusted clients passing information to Prosper Borrower Services
Which flow should I use?
Investor client developers
There are two types of client apps you can develop for Prosper investing. Each client type requires a different security flow. It is important that you know which client type you have developed when you register your app.
Institutional or Personal investment clients – If you are developing an institutional investment client or a client to invest on your own behalf, the authorization process is simple: you will use your client id and client secret and your Prosper account username and password to authenticate your client and obtain an access token for making calls to Prosper APIs for account resources.
If you are creating an Institutional or Personal investment client, use the OAuth 2.0 Password Flow described here.
Third party investment clients – A third party investment client makes Prosper API calls on behalf of a registered Prosper user.
If you are developing a third party investment client, we require that 1) you apply and get approved as a third party agent, and 2) Prosper users grant access to your application through a Prosper login process.
When a user wants to grant account access to your client, you will direct them to our site for permission. Once access is granted, you will receive an authorization key that uniquely identifies your client and the user when making calls to the Prosper APIs. You will use this authorization key to obtain an access token for making calls to Prosper APIs for account resources.
If you are creating a third party investment client, use the OAuth 2.0 Authorization Key Flow described here.
Borrower Services client developers
There are two types of clients you can develop to use Prosper Borrower Services.
- Website client – If you are creating a website client to pass loan applicant information to Prosper, you will use your client id and client secret to authenticate your client and obtain an access token for making calls to Prosper APIs for account resources.
If you are creating a website client to access Prosper Borrower Services, use the OAuth 2.0 Client Flow described here.
- Mobile apps – If you are integrating one of our mobile SDKs into your iOS or Android app, you’ll set the client id and client secret in the SDK’s initialization method. Our SDKs will take care of the OAuth client flow on your app’s behalf.