When you sign up for finAPI, you receive two sets of client credentials: one for an "app client" and one for a "mandator admin client". This article explains the difference between the two.
A mandator in finAPI defines the user base and all data that comes with it. Multiple finAPI app clients can access the data of one mandator.
App Client
The app client can call all services allowed for the client role in finAPI, except for the services in the Mandator Administration section.
You need this client for creating users, verifying users, or changing user passwords, as well as for calling other client-based services like "Get banks", etc.
Also, this client must be used to get/refresh/revoke user access_tokens.
In short: this client is required for your application, and it is the one your application will use for most API calls that relate to user management.
Mandator Admin Client
The mandator admin client is the counterpart of the app client: it is used for the services in the Mandator Administration section. It cannot call any other client-based services, and it cannot be used for any user-related services (including getting/refreshing/revoking user access_tokens).
Depending on what your business logic is (i.e. whether you need the services from the Mandator Administration section), this client may be optional for your application.
Why is there even a Mandator Admin client?
The Mandator Administration Client exists for two reasons:
finAPI allows you as a customer (we use the term "Mandator") to have multiple finAPI app clients which, while all sharing the same user base, can have different configurations (see Client Configuration services). The Mandator Administration section of finAPI is designed to provide cross-app/mandator services, so from a design point of view it makes sense to have a unique, separate client for accessing these services.
The Mandator Administration section provides services that allow you to receive user-related data relevant for administration tasks without the need to have any user-specific information at hand (e.g. "Get user list" returns a list of user IDs without any required input parameters).
If an intruder gets hold of your admin client's credentials, they will be able to obtain user IDs, but they won't be able to compromise a user's account and get hold of sensitive data, because the admin client cannot be used to receive any tokens for the user, nor to reset the user's password.
Similarly, if an intruder gets hold of your regular client's credentials, they might technically be able to compromise individual user accounts, but they won't know which users even exist, as the user list cannot be retrieved with the regular client. Thus the concept of separating the Mandator Administration from all other services also adds to the security of finAPI.
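The following is an added, in-memory model of the separation described above, not finAPI's own code; the token grants, the grouping of services into sets, and the `leak_impact` helper are assumptions made for illustration, while the service names are those mentioned in this article.

```python
from dataclasses import dataclass

# Services from the article, grouped by which client may call them (assumed layout).
MANDATOR_ADMIN_SERVICES = {"Get user list"}
CLIENT_SERVICES = {"Get banks", "Create user", "Change user password"}
# OAuth-style grants that yield a user access_token (assumed names).
USER_TOKEN_GRANTS = {"password", "refresh_token"}


@dataclass(frozen=True)
class Client:
    client_id: str
    role: str  # "app" or "mandator_admin"


def issue_token(client: Client, grant_type: str) -> dict:
    """Model of the token endpoint: client tokens for both clients,
    user tokens only for the app client (the admin client gets none)."""
    if grant_type == "client_credentials":
        return {"token_type": "client", "role": client.role}
    if grant_type in USER_TOKEN_GRANTS and client.role == "app":
        return {"token_type": "user", "role": client.role}
    raise PermissionError(f"{client.role} client may not use grant {grant_type}")


def call_service(token: dict, service: str) -> bool:
    """Model of the service gateway: Mandator Administration services require an
    admin client token; every other client-based service requires an app client token."""
    if service in MANDATOR_ADMIN_SERVICES:
        return token["token_type"] == "client" and token["role"] == "mandator_admin"
    if service in CLIENT_SERVICES:
        return token["token_type"] == "client" and token["role"] == "app"
    return False


def leak_impact(leaked: Client) -> dict:
    """What a single leaked credential set reaches: enumerating users, reaching user
    accounts, or neither. With the split, no single set yields both."""
    client_tok = issue_token(leaked, "client_credentials")
    can_enumerate = call_service(client_tok, "Get user list")
    try:
        issue_token(leaked, "password")  # user token via the app client
        can_reach_accounts = True
    except PermissionError:
        # No user token; a password change would be the other route to an account.
        can_reach_accounts = call_service(client_tok, "Change user password")
    return {"enumerate_users": can_enumerate, "access_user_accounts": can_reach_accounts}
```

Running `leak_impact` on an app client and on a mandator admin client shows the two halves of the argument above: one set can reach accounts but cannot list users, the other can list users but cannot reach any account.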