# Authentication and environments

Fondo's API is designed for secure, efficient integration by both technical and business teams. It follows standard REST conventions and provides predictable, resource-oriented URLs, JSON-encoded requests and responses, and well-defined authentication.

All requests use **server-to-server OAuth 2.0 client credentials**: every request must carry a valid access token, obtained via `POST https://api.fondo.se/v2/partner/auth/token`.

Separate sandbox and production environments let you test thoroughly before going live. Every call is made over HTTPS. Requests can be sent to:

- **Sandbox** – safe testing with no impact on live data.
- **NPC** – use test-bankid for authentication in web-onboarding user journeys.
- **Production** – the live environment.

## Request & Response Conventions

- **Content type**: `application/json`
- **HTTP methods**:
  - `GET` fetches data
  - `POST` creates resources
  - `PATCH` updates
  - `DELETE` removes
- **Idempotency**: `GET` and `DELETE` are idempotent.

All endpoints are served over HTTPS and return JSON in UTF-8. Dates and times follow ISO-8601 in UTC (`YYYY-MM-DDTHH:MM:SS.sssZ`).

## Error Handling

Standard HTTP status codes are used:

- 2xx – success
- 4xx – client errors such as validation issues or unauthorized requests
- 5xx – unexpected server errors

Error responses include a JSON body with details about the issue.

## Webhooks & Streaming

For near real-time updates, use:

- **WebSocket subscriptions** – keep a persistent connection to receive live events such as new orders or settlements.
- **Webhooks** (web journey statuses only) – Fondo sends POST callbacks to your system when objects are created, updated or deleted.
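The token flow under Authentication and the 4xx/5xx JSON error bodies under Error Handling, combined in an added Python example (not Fondo's SDK or reference code). It assumes the token endpoint accepts a JSON body with `grant_type`, `client_id` and `client_secret` and returns `access_token` plus `expires_in` seconds; both shapes are assumptions to confirm against Fondo's reference documentation, and `post`/`clock` are injectable so the class can be exercised offline.

```python
import json
import time
import urllib.error
import urllib.request

TOKEN_URL = "https://api.fondo.se/v2/partner/auth/token"  # token endpoint from the docs

class FondoApiError(Exception):
    """4xx/5xx response; .status and .body carry the JSON error details."""
    def __init__(self, status, body):
        super().__init__(f"HTTP {status}: {body}")
        self.status, self.body = status, body

def https_post_json(url, body, headers):
    """POST a JSON body, return (status, parsed JSON). Refuses non-HTTPS URLs."""
    if not url.startswith("https://"):
        raise ValueError("client credentials must only travel over HTTPS")
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # error responses carry a JSON body too
        raw = err.read().decode("utf-8", "replace")
        return err.code, json.loads(raw or "{}")

class TokenClient:
    """Caches the bearer token and refreshes it `skew` seconds before expiry."""
    def __init__(self, client_id, client_secret, post=https_post_json,
                 clock=time.monotonic, skew=30):
        self._creds = {"client_id": client_id, "client_secret": client_secret}
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def token(self):
        if self._token and self._clock() < self._expires_at - self._skew:
            return self._token  # cached and still comfortably valid
        # Assumed JSON request/response shape; take the real one from Fondo's reference.
        status, body = self._post(TOKEN_URL, {"grant_type": "client_credentials", **self._creds},
                                  {"Content-Type": "application/json"})
        if status >= 400:
            raise FondoApiError(status, body)  # 4xx: bad credentials etc.; 5xx: retry later
        self._token = body["access_token"]
        self._expires_at = self._clock() + float(body.get("expires_in", 3600))
        return self._token

    def auth_headers(self):
        """Headers to attach to every subsequent API call."""
        return {"Authorization": f"Bearer {self.token()}", "Content-Type": "application/json"}
```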