Security
Quovo Data
API Access Tokens Best Practices
/tokens
endpoint. All other endpoints are authenticated with access tokens, with the exception of the /me
endpoint, which is used to fetch information on the API user and update their API password.
Quovo recommends generating a new API access token every hour, and as such this is the default expiration time for tokens unless otherwise specified. We strongly discourage creating API access tokens that last longer than a day.
We recognize that tokens with longer expiration times can be useful during development and testing periods, and the practice of sharing development tokens among developers is common; however, if multiple environments are required we urge clients to contact us to create a dedicate API user (and associated end user group) limited to test institution data.
API access tokens should be stored carefully. Therefore, we strongly discourage hardcoding API access tokens in your codebase for any purpose.
Rate Limiting
/sync
endpoint, which can be numerous when polling for sync status.
Quovo believes that this rate limit is sufficient for the majority of use cases and reduces the damage that bad actors can potentially cause. If you find that you require more than 10,000 API per hour, please contact us. Our implementation team can work with you to determine whether an increased rate limit is appropriate for your account volume and use case.
Account Data Retention
End User Sync Lockouts
Quovo Object Creation
Connectivity