Login as Sub-Account
Authenticate into a single sub-account context, choose when to use scoped tokens versus header-based scoping, and operate safely on one downstream customer at a time.
Login as Sub-Account
Authenticate into a specific sub-account context when you need a token that is limited to one downstream customer’s wallets, balances, transactions, and payout activity.
✅ Before you log in as a sub-account
Complete these steps first:
- Create the sub-account and store its ID.
- Authenticate successfully with your master credentials.
- Decide whether you need a scoped token or whether master auth +
X-Sub-Account-Idis enough for your use case. - Use scoped auth only when the session should be limited to a single customer context.
The Scoped Token Pattern
By passing a subAccountId during the login handshake, Verto returns a JWT that is limited strictly to that user's resources. This is the recommended pattern for building user-facing dashboards.
| Parameter | Type | Purpose |
|---|---|---|
clientId | String | Your master client identifier. |
apiKey | String | Your master API key (encrypted if using Certificates). |
subAccountId | String | The ID of the specific customer (e.g., sub_acc_123). |
When to use scoped auth vs header scoping
Use the approach that matches how your application is structured:
| Approach | Best for | How it works |
|---|---|---|
| Scoped token | User-facing dashboards and customer-specific sessions | Authenticate once with subAccountId and use the returned token for that customer's actions. |
Master token + X-Sub-Account-Id | Server-side orchestration across many sub-accounts | Keep one master session and scope each request with the correct sub-account header. |
🚀 Execution Workflow
Authenticate as the sub-account to receive a context-locked accessToken.
curl -X POST https://api.sandbox.vertofx.com/v2/auth/token \
-H "Content-Type: application/json" \
-d '{
"clientId": "YOUR_CLIENT_ID",
"apiKey": "YOUR_API_KEY",
"mode": "apiKey",
"subAccountId": "sub_acc_778899"
}'Store the returned scoped token separately from your master token. Use it only for operations that should be limited to that one downstream customer.
🏗️ Token Capabilities
Once you have the scoped token, you can perform the following actions without needing to pass the X-Sub-Account-Id header manually in every call, as the token already carries that identity.
| Capability | Scope |
|---|---|
| Wallet Management | Create wallets and fetch balances for this user only. |
| Transaction Logs | Query history scoped to this specific sub-account. |
| FX Conversion | Swap currencies using the sub-account's liquidity. |
| Payouts | Dispatch funds from sub-account wallets to external rails. |
Use this model when you want to reduce the risk of acting on the wrong downstream customer by mistake.
Troubleshooting
| Issue | What to check |
|---|---|
| Scoped login fails | Confirm the subAccountId exists and belongs to the platform context tied to your master credentials. |
| Requests still affect the wrong customer | Verify you are using the intended scoped token and not accidentally reusing the master token. |
| Customer cannot access balances or wallets | Confirm the sub-account is active and has the wallets or resources you expect in that context. |
🎯 Next Steps
| Wallets Guide → Manage the sub-account's ledgers. | Sub-Accounts Overview → Review the full sub-account lifecycle. |
Updated about 1 month ago