Basic API Authentication

TxB APIs are authenticated with mutual TLS and IP allowlisting.

In this example, we assume you are a client of TxB's and want to create an API connection to perform operations on your own account(s). We also support the ability to securely perform operations on other clients' accounts where express permission is granted.

Step by Step Guide

Step 1 - IP Allowlisting

First, we need to allowlist IPs. Clients (or partner connecting on behalf of a Client) should provide TxB all of their CIDR blocks for inbound connectivity for both test and production servers. This is essential for you to execute the cURL command in Step 4

Step 2 - User creation & entitlements

TxB will then create for you a Client identifier (gseid) and an API User identifier (gsuid). Each API User will also be granted entitlements to perform one or more of the following activities: - Entity and account creation - Payments execution - Payments execution for internal transfers - Payments execution to predefined set of beneficiaries - Read only reporting data

These identifiers will be used in the CSR generation process in Step 3

Step 3 - Certification creation & exchange

You can now generate a CSR request using a preset template file provided by TxB. The CSR request template looks like the below and the Client is asked to fill out the section titled [ dn ].

default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ] #Client to modify this section with appropriate details
ST=New York
L=New York
CN =

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
URI.1 = gseid://0EAA62456B3426NU962A296BC4C5F9C9 #replace 0EAA62456B3426NU962A296BC4C5F9C9 with gseid from Step 2
URI.2 = gsuid://001df87sdfd7f8f999s9ded60126a299 #replace 001df87sdfd7f8f999s9ded60126a299 with gsuid from Step 2

Save the above as text file(e.g., template.txt) and execute the openSSL command as below:

openssl req -new -sha256 -nodes -out public_key.csr -newkey rsa:2048 -keyout private_key.key -config template.txt

This script produces two files:

  1. public_key.csr - send this file to TxB. We will use it to generate X.509 file (e.g.,certificate.pem)
  2. private_key.key - DO NOT SHARE THIS FILE WITH TXB

Step 4 - Use X509 + private key to test connection

Take the two outputs of Step 3 (1. certificate.pem and 2. private_key.key) and use them as inputs to run the below cURL command:

curl -s -X GET "" -v --cacert ./certificate.pem --key private_key.key

Some versions of cURL may work with the below arguments:

curl -s -X GET "" -v --cert certificate.pem --key private_key.key

Run this cURL command if you are using a proxy:

curl -s --proxy <proxy-url>:<proxy-port> -X GET "" -v --cacert ./ certificate.pem --key private_key.key

Success will result in the below response:

HTTP/1.1 200 Connection established

HTTP/1.1 200
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Date: Wed, 23 Sep 2020 12:19:27 GMT
    "connection”: “OK”,
    "additionalAuth": "OK"

Step 5 - Add a JWT (optional)

In some cases, Clients and Partners may need to provide step up authentication. Every TxB API allows you to include a JWT in the Authentication input parameter. Step up authentication may be required on certain end points or in cases where you perform an operation on a 3rd party account.

See here for step by step instructions on using our Step Up Authentication.

This site is for informational purposes only and does not constitute an offer to sell, or the solicitation of an offer to buy, any security. The Goldman Sachs Marquee® platform is for institutional and professional clients only. Some of the services and products described on this site may not be available in certain jurisdictions or to certain types of client. Please contact your Goldman Sachs sales representative with any questions. Nothing on this site constitutes an offer, or an invitation to make an offer from Goldman Sachs to purchase or sell a product. This site is given for purely indicative purposes and does not create any contractual relationship between you and Goldman Sachs. Any market information contained on the site (including but not limited to pricing levels) is based on data available to Goldman Sachs at a given moment and may change from time to time. There is no representation that any transaction can or could have been effected on such terms or at such prices. Please see for additional information. © 2023 Goldman Sachs. All rights reserved.
Transaction Banking services are offered by Goldman Sachs Bank USA (“GS Bank”). GS Bank is a New York State chartered bank, a member of the Federal Reserve System and a Member FDIC. © 2023 Goldman Sachs. All rights reserved.
Not all products and functionality mentioned on this website are currently available through our API platform.
All loans and deposit products are provided by Goldman Sachs Bank USA, Salt Lake City Branch. Member FDIC.
Brokerage and investment advisory services offered by our investment products are provided by Goldman Sachs & Co. LLC (`‘GS&CO.`’), which is an SEC registered broker-dealer and investment adviser, and member FINRA/SIPC. Research our firm at FINRA's BrokerCheck. Custody and clearing services are provided by Apex Clearing Corporation, a registered broker-dealer and member FINRA/SIPC. Please consider your objectives before investing. A diversified portfolio does not ensure a profit or protect against a loss. Past performance does not guarantee future results. Investment outcomes and projections are forward-looking statements and hypothetical in nature. Neither this website nor any of its contents shall constitute an offer, solicitation, or advice to buy or sell securities in any jurisdictions where GS&Co. is not registered. Any information provided prior to opening an investment account is on the basis that it will not constitute investment advice and that GS&Co. is not a fiduciary to any person by reason of providing such information. For more information about our investment offerings, visit our Full Disclosures.