Authorised Users

Corporate and Consumer identities can invite authorised users to access their account. Once on-boarded, authorised users can create and manage instruments and transactions on behalf of the identity they are on-boarded with.

In case of Corporate Identities, authorised users are typically employees who have access to company's banking products such as cards and bank accounts.

In case of Consumer Identities, authorised users are typically children/teens whose parents want them to have access to banking products such as cards and bank accounts.

Note that /users endpoints are to be used only for performing operations related to authorised users - getting or updating the details of root users is to be done via the respective /consumers or /corporates endpoints.

Create a user

Creates a user linked to the logged-in corporate or consumer identity.

Once on-boarded, users have access to all instruments (cards and accounts) of the identity.

Application-specific permissions to limit what each user can view and do need to be implemented in your application.

In order to Create an Authorised User you would need a stepped-up token. After calling /multi/users you need to step-up ( issue a challenge multi/stepup/challenges/otp/{channel} )

More details on how to step-up a token can be found here Step-Up

Securityauth_token and api_key
Request
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
required
name
required
string <= 20 characters

The first name of the user.

surname
required
string <= 20 characters

The last name of the user.

email
required
string <email> (Email)

E-mail Address of the user

object (Mobile)
object (Date)

Date of birth of the authorised user.

tag
string (Tag) <= 50 characters ^[a-zA-Z0-9_-]+$

The tag field is a custom field that can be used to search and filter.

Responses
200

Success

400

Bad Request Error - Your request is invalid.

401

Unauthorized - Your credentials or access token are invalid.

403

Forbidden - Access to the requested resource or action is forbidden.

404

Not found - The requested resource couldn't be found.

409

Conflict

429

Too many requests.

500

Internal Server Error - There is a problem with the server. Please try again later.

503

Service Unavailable - We're temporarily offline for maintenance. Please try again later.

default

Error

post/users
Request samples
application/json
{
  • "name": "string",
  • "surname": "string",
  • "email": "user@example.com",
  • "mobile": {
    },
  • "dateOfBirth": {
    },
  • "tag": "string"
}
Response samples
application/json
{
  • "id": "string",
  • "identity": {
    },
  • "name": "string",
  • "surname": "string",
  • "email": "user@example.com",
  • "mobile": {
    },
  • "active": true,
  • "dateOfBirth": {
    },
  • "tag": "string"
}

Get all users

Fetches all authorised users associated with the corporate or consumer identity the logged-in user belongs to.

Securityauth_token and api_key
Request
query Parameters
offset
integer <int32> >= 0

The offset value for paging, indicating the initial item number to be returned from the data set satisfying the given criteria. Leave out to fetch the first page of results.

limit
integer <int32> [ 1 .. 100 ]

The limit of the results for paging, starting at the offset. Limit is always capped at 100.

active
boolean

Filter for active or deactivated users. Leave out to fetch all users.

email
string <email> (Email)

Filter by the email address of the user.

tag
string

Filter by the managed account/card tag. The exact tag must be provided, as wildcards are not supported. Leave out to fetch all managed accounts/card.

Responses
200

Success

400

Bad Request Error - Your request is invalid.

401

Unauthorized - Your credentials or access token are invalid.

403

Forbidden - Access to the requested resource or action is forbidden.

404

Not found - The requested resource couldn't be found.

429

Too many requests.

500

Internal Server Error - There is a problem with the server. Please try again later.

503

Service Unavailable - We're temporarily offline for maintenance. Please try again later.

default

Error

get/users
Request samples
Response samples
application/json
{
  • "users": [
    ],
  • "count": 0,
  • "responseCount": 0
}

Get a user

Retrieves the user identified by the user_id path parameter.

Securityauth_token and api_key
Request
path Parameters
user_id
required
string (UserId) ^[0-9]+$

The user id for which this password is created.

Responses
200

Success

400

Bad Request Error - Your request is invalid.

401

Unauthorized - Your credentials or access token are invalid.

403

Forbidden - Access to the requested resource or action is forbidden.

404

Not found - The requested resource couldn't be found.

429

Too many requests.

500

Internal Server Error - There is a problem with the server. Please try again later.

503

Service Unavailable - We're temporarily offline for maintenance. Please try again later.

default

Error

get/users/{user_id}
Request samples
Response samples
application/json
{
  • "id": "string",
  • "identity": {
    },
  • "name": "string",
  • "surname": "string",
  • "email": "user@example.com",
  • "mobile": {
    },
  • "active": true,
  • "dateOfBirth": {
    },
  • "tag": "string"
}

Update a user

Update the details of a user identified by the user_id in the the path parameter.

Only the fields that are specified in the request body will be updated. All other fields will remain unchanged.

When patching a mobile number, the new mobile number should be enrolled for Additional Factors.

Securityauth_token and api_key
Request
path Parameters
user_id
required
string (UserId) ^[0-9]+$

The user id for which this password is created.

header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
required
name
string <= 20 characters

The first name of the user.

surname
string <= 20 characters

The last name of the user.

email
string <email> (Email)

E-mail Address of the user

object (Mobile)
object (Date)

Date of birth of the authorised user.

tag
string (Tag) <= 50 characters ^[a-zA-Z0-9_-]+$

The tag field is a custom field that can be used to search and filter.

Responses
200

Success

400

Bad Request Error - Your request is invalid.

401

Unauthorized - Your credentials or access token are invalid.

403

Forbidden - Access to the requested resource or action is forbidden.

404

Not found - The requested resource couldn't be found.

409

Conflict

429

Too many requests.

500

Internal Server Error - There is a problem with the server. Please try again later.

503

Service Unavailable - We're temporarily offline for maintenance. Please try again later.

default

Error

patch/users/{user_id}
Request samples
application/json
{
  • "name": "string",
  • "surname": "string",
  • "email": "user@example.com",
  • "mobile": {
    },
  • "dateOfBirth": {
    },
  • "tag": "string"
}
Response samples
application/json
{
  • "id": "string",
  • "identity": {
    },
  • "name": "string",
  • "surname": "string",
  • "email": "user@example.com",
  • "mobile": {
    },
  • "active": true,
  • "dateOfBirth": {
    },
  • "tag": "string"
}

Activate a user

Activate the user identified by the user_id path parameter.

By default, any new users created will be automatically activated. This operation needs to be used only if the user was previously de-activated using the userDeactivate operation, or if the user was de-activated automatically after multiple incorrect login attempts.

Securityauth_token and api_key
Request
path Parameters
user_id
required
string (UserId) ^[0-9]+$

The user id for which this password is created.

Responses
204

Success - No Content.

400

Bad Request Error - Your request is invalid.

401

Unauthorized - Your credentials or access token are invalid.

403

Forbidden - Access to the requested resource or action is forbidden.

404

Not found - The requested resource couldn't be found.

429

Too many requests.

500

Internal Server Error - There is a problem with the server. Please try again later.

503

Service Unavailable - We're temporarily offline for maintenance. Please try again later.

default

Error

post/users/{user_id}/activate
Request samples
Response samples
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Deactivate a user

De-activate the user identified by the user_id path parameter.

Deactivated users cannot log in or execute any operations with their credentials.

This operations is not final and a user can be re-activated using the userActivate operation. Note that another active user would need to log in so as to re-activate the de-activated user.

Securityauth_token and api_key
Request
path Parameters
user_id
required
string (UserId) ^[0-9]+$

The user id for which this password is created.

Responses
204

Success - No Content.

400

Bad Request Error - Your request is invalid.

401

Unauthorized - Your credentials or access token are invalid.

403

Forbidden - Access to the requested resource or action is forbidden.

404

Not found - The requested resource couldn't be found.

429

Too many requests.

500

Internal Server Error - There is a problem with the server. Please try again later.

503

Service Unavailable - We're temporarily offline for maintenance. Please try again later.

default

Error

post/users/{user_id}/deactivate
Request samples
Response samples
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Send a user invite

Once a user is created using the userCreate operation, the user needs to setup his/her password.

An invitation needs to be sent to the user in order to be able to set up the password for the first time. The invitation email, which remains valid for 1 month, will contain a URL having all information required to setup the password via the userInviteConsume.

Securityauth_token and api_key
Request
path Parameters
user_id
required
string (UserId) ^[0-9]+$

The unique identifier for the user.

header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses
204

Success - No Content.

400

Bad Request Error - Your request is invalid.

401

Unauthorized - Your credentials or access token are invalid.

403

Forbidden - Access to the requested resource or action is forbidden.

404

Not found - The requested resource couldn't be found.

409

Conflict

429

Too many requests.

500

Internal Server Error - There is a problem with the server. Please try again later.

503

Service Unavailable - We're temporarily offline for maintenance. Please try again later.

default

Error

post/users/{user_id}/invite
Request samples
Response samples
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Validate a user invite

Check if a user's invite is still valid. This operation is useful to avoid having the user fill in a form only to be held by a validation issue (eg. expired invite).

Securityapi_key
Request
path Parameters
user_id
required
string (UserId) ^[0-9]+$

The unique identifier for the user.

Request Body schema: application/json
required
inviteCode
required
string (Nonce) = 6 characters ^[0-9]*$

A randomly generated one-time use code.

Responses
204

Success - No Content.

400

Bad Request Error - Your request is invalid.

401

Unauthorized - Your credentials or access token are invalid.

403

Forbidden - Access to the requested resource or action is forbidden.

404

Not found - The requested resource couldn't be found.

409

Conflict

429

Too many requests.

500

Internal Server Error - There is a problem with the server. Please try again later.

503

Service Unavailable - We're temporarily offline for maintenance. Please try again later.

default

Error

post/users/{user_id}/invite/validate
Request samples
application/json
{
  • "inviteCode": "string"
}
Response samples
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Consume a user invite

Consumes an invitation perviously sent to the user via userInviteSend. This is needed so that the invited user sets up the password.

Note that on the Sandbox Environment, the inviteCode is always set to "123456".

Securityapi_key
Request
path Parameters
user_id
required
string (UserId) ^[0-9]+$

The unique identifier for the user.

header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
required
inviteCode
required
string (Nonce) = 6 characters ^[0-9]*$

A randomly generated one-time use code.

required
object (SensitivePassword)

The user's password or passcode used to log in a user. Passwords must be:

  • between 8 and 30 characters
  • include a lowercase character
  • include an uppercase character
  • include a digit and a special character
  • different from any of the 5 last such passwords used.

For non-PCI compliant integrations, the password submitted must be tokenised.

Responses
200

Success

400

Bad Request Error - Your request is invalid.

401

Unauthorized - Your credentials or access token are invalid.

403

Forbidden - Access to the requested resource or action is forbidden.

404

Not found - The requested token couldn't be found.

409

Conflict

410

Gone - The requested token is expired.

429

Too many requests.

500

Internal Server Error - There is a problem with the server. Please try again later.

503

Service Unavailable - We're temporarily offline for maintenance. Please try again later.

default

Error

post/users/{user_id}/invite/consume
Request samples
application/json
{
  • "inviteCode": "string",
  • "password": {
    }
}
Response samples
application/json
{
  • "token": "string"
}

Send an email verification code to the authorised user

The first step in verifying an authorised user's email. The authorised user whose email address is to be verified is sent an email containing a randomly generated code.

This code must then be provided in the authorisedUserEmailVerify operation to verify the authorised user's email address.

Note that on the Sandbox Environment, the verificationCode is always set to "123456".

Securityapi_key
Request
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
required
email
required
string <email> (Email)

E-mail Address of the user

Responses
204

Success - No Content.

400

Bad Request Error - Your request is invalid.

401

Unauthorized - Your credentials or access token are invalid.

404

Not found - The requested resource couldn't be found.

409

Conflict

429

Too many requests.

500

Internal Server Error - There is a problem with the server. Please try again later.

503

Service Unavailable - We're temporarily offline for maintenance. Please try again later.

default

Error

post/users/verification/email/send
Request samples
application/json
{
  • "email": "user@example.com"
}
Response samples
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Verify email of the authorised user

The second step in verifying the authorised user's email. The randomly generated code sent to the authorised user via email, using the authorisedUserEmailVerificationCodeSend operation, is submitted here to verify the authorised user's email.

This is needed as part of the verification process for basic due diligence.

Note that on the Sandbox Environment, the verificationCode is always set to "123456".

Securityapi_key
Request
Request Body schema: application/json
required
email
required
string <email> (Email)

E-mail Address of the user

verificationCode
required
string (VerificationCode) = 6 characters ^[0-9]+$

A randomly generated one-time use code used to verify the user's email address or mobile number.

Responses
204

Success - No Content.

400

Bad Request Error - Your request is invalid.

401

Unauthorized - Your credentials or access token are invalid.

403

Forbidden - Access to the requested resource or action is forbidden.

409

Conflict

429

Too many requests.

500

Internal Server Error - There is a problem with the server. Please try again later.

503

Service Unavailable - We're temporarily offline for maintenance. Please try again later.

default

Error

post/users/verification/email/verify
Request samples
application/json
{
  • "email": "user@example.com",
  • "verificationCode": "string"
}
Response samples
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Start KYC for the user

Perform the kyc for a corporate user.

Securityapi_key
Responses
200

Success

400

Bad Request Error - Your request is invalid.

401

Unauthorized - Your credentials or access token are invalid.

403

Forbidden - Access to the requested resource or action is forbidden.

404

Not found - The requested resource couldn't be found.

409

Conflict

500

Internal Server Error - There is a problem with the server. Please try again later.

503

Service Unavailable - We're temporarily offline for maintenance. Please try again later.

default

Error

post/users/kyc
Request samples
Response samples
application/json
{
  • "reference": "string"
}