Developer Programs
Vendor Integration Program (VIP)
Direct access to Jack Henry's technical integration resources.
Technical Account Manager (TAM)
Get technical integration help from a single point of contact.
Developer Account
Create a developer acccount to access resources that help you integrate with Jack Henry.
Learn
Shared Responsibility
Learn about shared roles and responsibilities of customers and Jack Henry in open banking.
Developer Use Cases
Find a use case that fits your development needs.
Developer Video Gallery
Watch the latest demos, webinars, and more.
Developer Conference
Connect with industry leaders, gain insights from expert speakers, and explore our latest innovations.
Docs
Admin API
Create solutions for an institution's back office support tools.
Authentication Framework
Map customer identities to your existing system IDs.
Consumer API
Access financial data for user accounts, transactions, and more.
Data Hub
Get deeper access to financial institution data.
Enterprise Event System
Respond to events in real-time using this powerful pub/sub-based solution.
jXchange - REST API
Translate business information between Jack Henry and 3rd-party apps using a REST-based API.
jXchange - SOAP API
Translate business information between Jack Henry and 3rd-party apps using a SOAP-based API.
Operational Data Integration (ODI)
Get customized queries for bulk data needs.
Payments
Embed check deposits, ACH, bill pay, cards, and real-time payments.
Plugin Framework
Embed the best of the fintech world directly into your user's dashboard.
SymXchange
Query Symitar core member accounts, post transactions, run PowerOn scripts, and more.
Xperience
Modern UI that provides consistent visual integration across Jack Henry products.
Full List of APIs
Begin working with Jack Henry's public APIs to build financial applications today.
The security model enhancement for jXchange SOAP APIs begins on May 1st, 2025.
More info

SOAP Authentication Update

SOAP Authentication Update
jXchange Service Gateway is upgrading to support OAuth 2.0 authentication and deprecating the usage of WS-Security headers

Overview

jXchange (JX), our Enterprise Integration gateway since 2004, has focused on secure, reliable performance. We’re now enhancing JX SOAP security by transitioning to OAuth 2.0 (RFC 6749: The OAuth 2.0 Authorization Framework), ensuring alignment with modern cloud security standards. This improvement reflects our dedication to maintaining the highest security standards and proactively safeguarding our systems.

Why are we making this change?

OAuth 2.0 offers a more robust, secure, and modern solution with features such as:

  • Token-based authentication: Short-lived access tokens that can be easily revoked, minimizing the impact of compromised credentials.
  • Delegated authorization: Securely grant access to third-party applications without sharing sensitive user credentials.
  • Improved observability: Institutions can self-manage and review API clients in an administrative portal.

What are the benefits?

This upgrade will significantly enhance the security posture of our APIs, protecting sensitive data. Additionally, it will:

  • Standardize the authentication model across SOAP and REST services
  • Reduce the risk of credential theft and unauthorized access.
  • Ensure compliance with industry best practices and regulatory requirements.
  • Eliminates the need for Internet Protocol (IP) address filtering.

When are these changes taking place?

Recognizing the development effort required, we’ve established a timeline with the following key dates to provide you with an expected implementation timeframe:

  • April 30, 2025: New Gateway and Authentication made available for use. The old authentication model will continue to be available in tandem with the new OAuth model. New vendors joining the VIP after this date will be required to adopt the OAuth security model to pass the Vendor Readiness Test.
  • April 30, 2026: If you’re setting up a new customer implementation, you must use OAuth 2.0. For implementations already configured before this date, there’s no change needed.
  • April 30, 2028: The old username/password authentication model will be officially terminated. Please note that this change solely impacts the security authentication method. The existing SOAP services, API structure, and behavior will remain unchanged. All previous implementations must migrate to the OAuth security model by this date.

What are the changes?

This security model will require changes for all current JX consumers and FIs. At a high level, consumers will need to migrate from the old SOAP WS-Security Model to the new OAuth 2.0 confidential client credential. That means:

  • Username and password are no longer required in the SOAP security headers and must not be included.
  • To establish an OAuth client, the API consumer must create a private and public key pair (Public Key + Private Key | Digital Toolkit | Jack Henry Docs).
  • Initial Configuration:
    • Institutions will have administrative oversight to manage the consumers who access their data.
    • Consumers will provide the public key in PEM format or a JWKS URL to the institution to create their API client.
    • Institutions will provide the client id to the consumer.
    • Consumers will follow the OAuth 2.0 client credential flow with signed JWTto access API resources
      • Scopes required in the token request include: openid profile https://jackhenry.com/jx/service-gateway.write
  • New jConnect egress IP addresses: 10.27.69.0/25 and 10.27.69.128/25
  • New jXchange endpoint: jx.jackhenry.com

First Steps

The expectation is for consumers to understand the OAuth 2.0 process before consuming our APIs.

We recommend that you review the Getting Started Development using SOAP page for more detailed information about this change. Please read the information and any referenced sites thoroughly before beginning development.

To aid with start up testing, we have a public Postman workspace with sample APIs using the new OAuth security. We also offer a tutorial on using and copying the Postman workspace to a consumer’s local environment.

Postman Support
While we provide Postman samples for OAuth and our APIs, we do not offer direct support for Postman or the methods it uses to utilize OAuth security.

Contacting Jack Henry

  • Vendor Integration Program Members: Please open a support case through the Vendor Portal and provide your newly created public key and a listing of all APIs that your solution is consuming.
  • Financial Institutions: Contact Vendor QA for assistance.
  • For community support and general questions, visit Stack Overflow.

Topics in this section

Have a Question?
Have a how-to question? Seeing a weird error? Get help on StackOverflow.
Register for the Digital Toolkit Meetup where we answer technical Q&A from the audience.
Last updated Wed Apr 30 2025