I’m currently trying to implement a P2P transaction model with the end users being able to initiate payments between themselves. I was wondering how Dwolla handles the authentication and authorization of a user who wants to initiate a transfer between two accounts. The request only needs a funding source and destination along with an access token, but that doesn’t necessarily check whether the end user making the request ‘owns’ the funding source they are trying to transfer from.
Hi @Stoovles, Dwolla offers a white-labeled platform that is powered by an API, which means that you would tailor your application’s user experience to your customers’ needs using your own branding. You would ultimately design the onboarding and payments experience for your end-users that would be set up as Customer records in Dwolla. You’d then communicate with Dwolla for all Customer interactions, by sending requests from your backend server.
Authentication and authorization (permissions) would be handled by your application as your end-users would solely be interacting with your app. As part of the onboarding process with the Dwolla platform, we’ll provide you with an integration guide that outlines additional requirements relating to Legal, compliance, and Information security. We do have requirements surrounding authentication, encryption, and overall application security which must be met prior to being approved to use the Dwolla APIs in production.
The customer record creation and bank account addition processes are separate from one another and you would need to make that connection on your end with regards to what bank accounts your end-users have access to debit funds from or credit funds to.
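The ownership check discussed in this thread, as an added example that is not part of the original posts and is not Dwolla's code: the backend resolves the client-supplied funding source against its own records and refuses the transfer unless the signed-in user owns it. All names here (`FundingSource`, `FUNDING_SOURCES`, `build_transfer`) are hypothetical, the dictionary stands in for the application's database, and the returned dictionary is an internal value, not the payment API's request format.

```python
from dataclasses import dataclass
from decimal import Decimal


class Forbidden(Exception):
    """Raised when the signed-in user may not use the requested funding source."""


@dataclass(frozen=True)
class FundingSource:
    source_id: str      # identifier stored when the bank account was added
    owner_user_id: str  # this application's user who added it
    verified: bool      # whether the application allows debits from it yet


# Constructed sample data standing in for the application's own database table.
FUNDING_SOURCES = {
    "fs-alice-1": FundingSource("fs-alice-1", "alice", True),
    "fs-alice-2": FundingSource("fs-alice-2", "alice", False),
    "fs-bob-1": FundingSource("fs-bob-1", "bob", True),
}


def build_transfer(session_user_id, source_id, destination_id, amount):
    """Return the transfer the backend may submit, or raise Forbidden.

    session_user_id must come from the server-side session, never from the
    request body; source_id and destination_id are client-supplied.
    """
    source = FUNDING_SOURCES.get(source_id)
    # Unknown and not-owned sources get the same error so IDs cannot be probed.
    if source is None or source.owner_user_id != session_user_id:
        raise Forbidden("funding source not available to this user")
    if not source.verified:
        raise Forbidden("funding source not verified for debits")
    destination = FUNDING_SOURCES.get(destination_id)
    if destination is None or destination.source_id == source.source_id:
        raise Forbidden("invalid destination")
    value = Decimal(str(amount))
    if value <= 0:
        raise ValueError("amount must be positive")
    return {"source": source.source_id,
            "destination": destination.source_id,
            "amount": f"{value:.2f}"}
```

Only after this check passes would the backend attach its own access token and send the transfer request; the token itself never reaches the end user's client.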