For partners developing clients that get personalized loan offers
Step 1: Register as a partner for your client id and secret
Before you can make any calls into Prosper Borrower Services endpoints, you must register as a partner for access to Prosper APIs. To register, contact the Prosper Business Development team at [email protected].
Once registered, you’ll receive a Client ID and Client Secret, which your client will use to make an OAuth 2.0 client authorization flow request. If successful, this OAuth request results in Prosper issuing your client an access token, good for one hour.
Once you have an access token, you can pass the token with each API call you make, ensuring a secure authorized transaction with Prosper.
Note: When you register with Prosper, you will also receive a Partner Source Code. This code is a unique id that identifies your partnership with Prosper when you pass information to Prosper. We’ll show you where to pass the Partner Source Code in the API documentation for the offers API.
Token validity and expiration
Prosper-issued access tokens must be used to access Prosper REST API endpoints.
The access token expires in one hour (3599 seconds). You must write your client code to detect when an access token will expire. You can do this by making note of the “expires_in” value returned in the response from the token request. The “expires_in” value is expressed in seconds. You can also handle the error response (400, expired_token, or 400, invalid_token) from the API endpoint when an expired token is detected.
Once the access token expires, you’ll make a new OAuth 2.0 client authorization flow request, using your Client ID and Client Secret to obtain a new access token.
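The following is an added example, not Prosper's code, of a small token cache that combines both approaches described above: it renews the token shortly before the "expires_in" time runs out, and retries once with a fresh token if an endpoint still reports invalid_token or expired_token. The hooks `fetch_token` and `send`, and the 60-second safety margin, are assumptions made for illustration. Both 400 and 401 are accepted because this page lists both status codes for token errors.

```python
import time

# Error codes this page lists for a rejected or expired access token.
TOKEN_ERRORS = {"invalid_token", "expired_token"}


class TokenCache:
    """Caches one access token and renews it shortly before it expires."""

    def __init__(self, fetch_token, clock=time.monotonic, skew=60):
        # fetch_token() is a hypothetical hook: it performs the token POST and
        # returns the parsed JSON reply (access_token, token_type, expires_in).
        self._fetch = fetch_token
        self._clock = clock
        self._skew = skew  # assumed margin: renew this many seconds early
        self._token = None
        self._deadline = 0.0

    def get(self):
        # Read the clock before the request so network latency can only
        # shorten, never lengthen, the locally computed lifetime.
        now = self._clock()
        if self._token is None or now >= self._deadline:
            reply = self._fetch()
            self._token = reply["access_token"]
            # expires_in is relative, so anchor it to the local clock.
            self._deadline = now + max(0, int(reply["expires_in"]) - self._skew)
        return self._token

    def invalidate(self):
        self._token = None


def call_api(cache, send):
    """send(token) -> (status, error_code, body); hypothetical transport hook.

    Retries exactly once with a fresh token when the endpoint reports the
    token as invalid or expired, so a persistent failure cannot loop.
    """
    for attempt in range(2):
        status, error, body = send(cache.get())
        if attempt == 0 and status in (400, 401) and error in TOKEN_ERRORS:
            cache.invalidate()
            continue
        return status, error, body
```

Use a monotonic clock, as the default here does, so that wall-clock adjustments on the host cannot extend a token's apparent lifetime.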
Step 2: Request an access token
You will authorize your app using the OAuth 2.0 client credentials flow. The client credentials flow results in Prosper issuing an access token for making API calls.
Example: Make a token request
You will make an HTTP urlencoded POST request to Prosper’s OAuth security token endpoint, passing the following parameters:
Parameter name | Value |
grant_type | client_credentials |
client_id | The id Prosper provided to you when you registered your app |
client_secret | The secret Prosper provided to you when you registered your app |
Request (Sandbox environment for testing):
    POST https://api.uat.circleone.com/v1/security/oauth/token
    Accept: application/json
    Content-type: application/x-www-form-urlencoded

    grant_type=client_credentials&client_id=<your_client_id>&client_secret=<your_client_secret>
Request (Production environment):
    POST https://api.prosper.com/v1/security/oauth/token
    Accept: application/json
    Content-type: application/x-www-form-urlencoded

    grant_type=client_credentials&client_id=<your_client_id>&client_secret=<your_client_secret>
Response:
{ "access_token": "22a5aaaf-bb7b-4278", "token_type": "bearer", "expires_in": 3599 }
The following parameters are passed back in the response:
Parameter name | Value |
access_token | The new access token you will use when requesting resources from Prosper. |
token_type | The token type to set in the HTTP header when making resource requests from Prosper. |
expires_in | The amount of time left, expressed in seconds, before the access token expires. You will need to refresh the token when this time has passed. |
Errors
Access Token Errors
Error Code | Error Reason(s) | HTTP Status code |
invalid_token | The access token is invalid (expired, not provided, etc.) | 401 |
invalid_request | Unsupported response types; Missing response type | 400 |
All Client Authority Errors below |
Client Authority Errors
Error Code | Error Reason(s) | HTTP Status code |
unauthorized | Invalid/Missing client Id; No Authorization (header) information provided | 401 |
invalid_client | Invalid/Missing credentials; Unauthorized grants | 401 |
invalid_request | Generic “Bad request”; Invalid/Missing grant type | 400 |
unsupported_grant_type | The grant type given is unsupported | 400 |
Client flow token requests: curl and python examples
curl client flow access token request – Sandbox environment
curl -X POST -H "Accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=client_credentials&client_id=<your_client_id>&client_secret=<your_client_secret>' 'https://api.uat.circleone.com/v1/security/oauth/token'
curl client flow access token request – Production environment
curl -X POST -H "Accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=client_credentials&client_id=<your_client_id>&client_secret=<your_client_secret>' 'https://api.prosper.com/v1/security/oauth/token'
python client flow access token request – Sandbox environment
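    import requests

    url = "https://api.uat.circleone.com/v1/security/oauth/token"
    # Passing a dict lets requests URL-encode each value, so a secret that
    # contains characters such as & or + is sent intact.
    payload = {
        "grant_type": "client_credentials",
        "client_id": "<your_client_id>",
        "client_secret": "<your_client_secret>",
    }
    headers = {
        "accept": "application/json",
        "content-type": "application/x-www-form-urlencoded",
    }
    # A timeout keeps the client from hanging if the endpoint is unreachable.
    response = requests.post(url, data=payload, headers=headers, timeout=10)
    print(response.text)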
python client flow access token request – Production environment
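    import requests

    url = "https://api.prosper.com/v1/security/oauth/token"
    # Passing a dict lets requests URL-encode each value, so a secret that
    # contains characters such as & or + is sent intact.
    payload = {
        "grant_type": "client_credentials",
        "client_id": "<your_client_id>",
        "client_secret": "<your_client_secret>",
    }
    headers = {
        "accept": "application/json",
        "content-type": "application/x-www-form-urlencoded",
    }
    # A timeout keeps the client from hanging if the endpoint is unreachable.
    response = requests.post(url, data=payload, headers=headers, timeout=10)
    print(response.text)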