Authentication

This API uses custom token-based authentication, where each request must include a valid token in the X-AUTH-TOKEN HTTP header.

How to get your own Tokens

As a HANSAINVEST client, feel free to contact us to get tokens for your funds that are managed by us. You can also create tokens on your own.

How to use Authentication

Every request to any API endpoint must include the following custom header:

X-AUTH-TOKEN: <your_token_here>

  • <your_token_here>: Replace with a valid token obtained through an external authentication process (not detailed in this documentation).
  • Token Format: A string of 32–64 alphanumeric characters (e.g., a1b2c3d4e5f6...).

Authentication Header required for

  • All API endpoints regarding fund data for secured funds.
  • Some endpoints provide basic data or data for all non-secured endpoints.
  • Endpoints that provide data for more than one fund need the authentication header, too, if you want to retrieve data of a secured fund.
    Note: no data is provided at all, even if the authentication is missing or incorrect for only one fund.

Security Best Practices

  • Never hard-code tokens in client-side code (e.g., JavaScript, React, Vue).
  • Use HTTPS always to prevent token interception over unsecured networks.
  • Rotate or regenerate tokens regularly if there is a suspicion of compromise.
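
One way to apply these practices on the server side, as an added example that is not part of the original documentation or HANSAINVEST's own code: the token is read from an environment variable, checked against the documented 32–64 alphanumeric format, and attached only to HTTPS requests for the API host. The variable name FONDSAPI_TOKEN and all function names are assumptions made for this example.

```python
import hashlib
import os
import re
from urllib.parse import urlsplit

# Documented format: 32-64 alphanumeric characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9]{32,64}")
ALLOWED_HOST = "fondsapi.hansainvest.com"  # host used in this page's examples
# Assumption: variable name chosen for this example.
TOKEN_ENV_VAR = "FONDSAPI_TOKEN"


def is_valid_token(token):
    """True if the token matches the documented format."""
    return bool(TOKEN_RE.fullmatch(token))


def is_allowed_url(url):
    """True only for HTTPS URLs on the API host (no clear text, no other server)."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname == ALLOWED_HOST


def fingerprint(token):
    """Short SHA-256 prefix that identifies a token in logs without revealing it."""
    return hashlib.sha256(token.encode()).hexdigest()[:8]


def load_token(environ=os.environ):
    """Read the token from the environment instead of the source code."""
    token = environ.get(TOKEN_ENV_VAR, "").strip()
    if not is_valid_token(token):
        # Never echo the value: a malformed secret is still a secret.
        raise ValueError(f"{TOKEN_ENV_VAR} is missing or not 32-64 alphanumeric characters")
    return token


def auth_headers(url, token):
    """Build the request headers, refusing unsafe destinations."""
    if not is_allowed_url(url):
        raise ValueError(f"refusing to send token to {url!r}")
    return {"Accept": "application/json", "X-AUTH-TOKEN": token}


if __name__ == "__main__":
    # Constructed 40-character sample value, not a real token.
    token = load_token({TOKEN_ENV_VAR: "a1b2c3d4e5" * 4})
    headers = auth_headers(f"https://{ALLOWED_HOST}/api/fund/DE0008479023", token)
    print("token fingerprint:", fingerprint(token), "headers:", sorted(headers))
```

The returned dictionary can be passed as the headers argument of any HTTP client; log the fingerprint, never the token itself.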

Notes for Developers

  • This documentation assumes that you already have access to a valid token. For information on how to obtain or generate tokens, consult us.
  • Tokens are not stored by this API; they are only validated against an internal secret or issued by another service (not detailed here).

<?php

// Replace this with your actual token
$token = 'abc123xyz456';

// ISIN of the fund and URL of the endpoint (you can change this to other endpoints)
$isin = 'DE0008479023';
$url  = "https://fondsapi.hansainvest.com/api/fund/$isin";

// Initialize cURL session
$ch = curl_init();

if (!$ch) {
    die("cURL initialization failed.");
}

// Set cURL options

curl_setopt_array($ch, [
    // Target URL
    CURLOPT_URL            => $url,

    // Accept JSON response
    CURLOPT_HTTPHEADER     => [
        'Accept: application/json',
        "X-AUTH-TOKEN: $token",
    ],

    // Return the response as a string instead of outputting it directly
    CURLOPT_RETURNTRANSFER => true,

    // Enable verbose output for debugging (optional)
    CURLOPT_VERBOSE        => false,
]);

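// Execute the request
$response = curl_exec($ch);

if ($response === false) {
    // Handle cURL errors
    $error = curl_error($ch);
    echo "cURL Error: {$error}";
} else {
    // Check the HTTP status before treating the body as fund data
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);

    if ($status === 401) {
        echo "Authentication failed. Check your X-AUTH-TOKEN.";
    } elseif ($status < 200 || $status >= 300) {
        echo "HTTP error! Status: {$status}";
    } else {
        // Process response (e.g., decode JSON)
        $data = json_decode($response, true);

        if (json_last_error() === JSON_ERROR_NONE) {
            // Data is valid JSON
            print_r($data);
        } else {
            // Invalid JSON format received
            echo "Invalid JSON response: {$response}";
        }
    }
}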

// Close the cURL session
curl_close($ch);

Basic JavaScript example using the Fetch-API:

// Replace with your actual token
const token = "abc123xyz456";

// Base URL for the API and specific resource path
const isin = 'DE000A3DCAW6';
const url = "https://fondsapi.hansainvest.com/api/fund/" + isin + "/key-figures";

// Fetch request to get the fund's key figures from the API
fetch(url, {
    method: 'GET',
    headers: {
        'Accept': 'application/json',
        'X-AUTH-TOKEN': token,
    },
})
.then(response => {
    // Check if response is OK (2xx status)
    if (!response.ok) {
        const error = new Error(`HTTP error! Status: ${response.status}`);
        error.status = response.status; // keep the numeric status for the handler below
        throw error;
    }

    return response.json(); // Parse JSON response
})
.then(data => {
    console.log("Data fetched successfully:");
    console.log(data);
})
.catch(error => {
    console.error("An error occurred:", error.message);

    // error.status is undefined for network failures, so neither branch runs then
    if (error.status === 401) {
        console.warn("Authentication failed. Check your X-AUTH-TOKEN.");
    } else if (error.status >= 500) {
        console.warn("Server error. Try again later or contact support.");
    }
});

Please note that this JavaScript code should not be used in client-side environments, because it makes your tokens visible.

import requests

# Replace with your actual token
token = "abc123xyz456"

# Base URL for the API and specific resource path
url = "https://fondsapi.hansainvest.com/api/fund/DE000A0RHG59/structure/asset_structure"

# Headers to include in the request
headers = {
    'Accept': 'application/json',
    'X-AUTH-TOKEN': token,
}

try:
    # Make a GET request with headers; the timeout keeps the call from hanging indefinitely
    response = requests.get(url, headers=headers, timeout=10)

    # Check if response is OK (2xx)
    response.raise_for_status()

    # Parse JSON data from the response
    data = response.json()
    print("Data fetched successfully:")
    print(data)

except requests.exceptions.HTTPError as e:
    # Handle HTTP errors
    print(f"HTTP error occurred: {e}")
    if response.status_code == 401:
        print("Authentication failed. Check your X-AUTH-TOKEN.")
    elif response.status_code >= 500:
        print("Server error. Try again later or contact support.")

except requests.exceptions.RequestException as e:
    # Handle other request-related errors (e.g., network issues)
    print(f"An error occurred during the request: {e}")