Weavr Multi Product API (3.8.0)

Download OpenAPI specification:Download

Weavr Multi API provides a simple and flexible way to issue cards and accounts to your customers.

By integrating Weavr Multi API in your application you can embed banking capabilities within your app and provide a seamless experience for your customers.

Authentication

Each request to the Multi API must include an api_key that represents your account. You can obtain an API Key by registering for a Multi account here.

Almost all endpoints require a secondary authentication token auth_token that represents the user for whom the request is being executed.

api_key

The API Key representing your Multi account. You can find your API Key in your Multi Portal in the API Credentials page.

Security Scheme Type API Key
Header parameter name: api-key

auth_token

The authentication token representing the user. This will be included in the login response object.

Security Scheme Type HTTP
HTTP Authorization Scheme bearer
Bearer format "JWT"

Access

Manage authentication for your users.

Login with password

Authenticate a user with the email and password that they provided when registering.

Given that the user credentials are correct, this returns a token that can then be used to authorise other secured operations. In case the password is expired, a temporary token is returned, which can be used solely for updating the password.

The token returned is valid for 15 minutes from last activity.

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
email
required
string (Email) [ 6 .. 255 ] characters ^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{...

E-mail Address of the user

required
object (SensitivePassword)

The user's password or passcode used to log in a user. Passwords must be:

  • between 8 and 30 characters
  • include a lowercase character
  • include an uppercase character
  • include a digit and a special character
  • different from any of the 5 last such passwords used.

For non-PCI compliant integrations, the password submitted must be tokenised.

Responses

Request samples

Content type
application/json
{
  • "email": "string",
  • "password": {
    }
}

Response samples

Content type
application/json
{
  • "token": "string",
  • "identity": {
    },
  • "credentials": {
    }
}

Logout

Logs out the user and terminates the session identified by the auth_token in the Authorization Header.

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses

Request samples

curl -i -X POST \
  https://sandbox.weavr.io/multi/logout \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'api-key: YOUR_API_KEY_HERE' \
  -H 'idempotency-ref: string'

Response samples

Content type
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Passwords

Manage your users' passwords.

Create a password

Create a new password for the user identified by the user_id path parameter.

Authorizations:
path Parameters
user_id
required
string (UserId) ^[0-9]+$

The user id for which this password is created.

header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
required
object (SensitivePassword)

The user's password or passcode used to log in a user. Passwords must be:

  • between 8 and 30 characters
  • include a lowercase character
  • include an uppercase character
  • include a digit and a special character
  • different from any of the 5 last such passwords used.

For non-PCI compliant integrations, the password submitted must be tokenised.

Responses

Request samples

Content type
application/json
{
  • "password": {
    }
}

Response samples

Content type
application/json
{
  • "passwordInfo": {
    },
  • "token": "string"
}

Update a password

Update the password for the logged-in user.

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
required
object (SensitivePassword)

The user's password or passcode used to log in a user. Passwords must be:

  • between 8 and 30 characters
  • include a lowercase character
  • include an uppercase character
  • include a digit and a special character
  • different from any of the 5 last such passwords used.

For non-PCI compliant integrations, the password submitted must be tokenised.

required
object (SensitivePassword)

The user's password or passcode used to log in a user. Passwords must be:

  • between 8 and 30 characters
  • include a lowercase character
  • include an uppercase character
  • include a digit and a special character
  • different from any of the 5 last such passwords used.

For non-PCI compliant integrations, the password submitted must be tokenised.

Responses

Request samples

Content type
application/json
{
  • "oldPassword": {
    },
  • "newPassword": {
    }
}

Response samples

Content type
application/json
{
  • "token": "string",
  • "passwordInfo": {
    }
}

Validate a password

Check that a password adheres to all complexity checks.

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
required
object (SensitivePassword)

The user's password or passcode used to log in a user. Passwords must be:

  • between 8 and 30 characters
  • include a lowercase character
  • include an uppercase character
  • include a digit and a special character
  • different from any of the 5 last such passwords used.

For non-PCI compliant integrations, the password submitted must be tokenised.

Responses

Request samples

Content type
application/json
{
  • "password": {
    }
}

Response samples

Content type
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Initiate lost password process

Initiate the lost password process.

If the email address provided is associated with an active user, an email will be sent, containing a URL that redirects the user to change their password. The URL contains request parameters for all of the parameters required to change the password for the user via the /passwords/lost_password/resume POST endpoint.

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
email
required
string (Email) [ 6 .. 255 ] characters ^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{...

E-mail Address of the user

Responses

Request samples

Content type
application/json
{
  • "email": "string"
}

Response samples

Content type
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Resume lost password process

This is the second and final step in updating the password of a user who forgot their password.

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
nonce
required
string (Nonce) <= 50 characters ^[a-zA-Z0-9_.*@-]*$|^[a-zA-Z0-9.!#$%&*+\\/=?^...

A randomly generated one-time use code.

email
required
string (Email) [ 6 .. 255 ] characters ^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{...

E-mail Address of the user

required
object (SensitivePassword)

The user's password or passcode used to log in a user. Passwords must be:

  • between 8 and 30 characters
  • include a lowercase character
  • include an uppercase character
  • include a digit and a special character
  • different from any of the 5 last such passwords used.

For non-PCI compliant integrations, the password submitted must be tokenised.

Responses

Request samples

Content type
application/json
{
  • "nonce": "string",
  • "email": "string",
  • "newPassword": {
    }
}

Response samples

Content type
application/json
{
  • "token": "string"
}

Additional Factors

Manage additional strong customer authentication factors for your users.

Get user authentication factors

Retrieves the list of authentication factors that can be used to verify the logged-in user.

Authorizations:

Responses

Request samples

curl -i -X GET \
  https://sandbox.weavr.io/multi/authentication_factors \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'api-key: YOUR_API_KEY_HERE'

Response samples

Content type
application/json
{
  • "factors": [
    ]
}

Enrol a user device for authentication using one-time passwords

This is the first step in enrolling the logged-in user's mobile device, where a one-time password is sent to the device.

Note that on the Sandbox Environment, text messages are not sent and the one-time-password is always "123456".

Authorizations:
path Parameters
channel
required
string (SCAOtpChannel)

The unique identifier for the user.

Value: "SMS"

Responses

Request samples

curl -i -X POST \
  https://sandbox.weavr.io/multi/authentication_factors/otp/:channel \
  -H 'api-key: YOUR_API_KEY_HERE'

Response samples

Content type
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Verify enrolment of a user device for authentication using one-time passwords

The second step in enrolling the logged-in user (root or authorised user) to use one-time-passwords to enable verification of transactions.

Note that on the Sandbox Environment, text messages are not sent and the verificationCode is always set to "123456".

Authorizations:
path Parameters
channel
required
string (SCAOtpChannel)

The unique identifier for the user.

Value: "SMS"
Request Body schema: application/json
verificationCode
required
string (Nonce) <= 50 characters ^[a-zA-Z0-9_.*@-]*$|^[a-zA-Z0-9.!#$%&*+\\/=?^...

A randomly generated one-time use code.

Responses

Request samples

Content type
application/json
{
  • "verificationCode": "string"
}

Response samples

Content type
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Corporates

Corporates are identities representing companies. Once on-boarded, Corporates can create and manage their own instruments via your application.

Create a corporate

Create a corporate identity for a business customer. The information provided must be accurate and will be passed on for KYB verification with our partner.

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
profileId
required
string (ProfileId) ^[0-9]+$

The profile Id which a specific identity, instrument or transaction type is linked to.

Profiles contain configuration and determine behavioral aspects of the newly created transaction, for example, fees that may apply.

You can have one or more profiles linked to your application, and these can be used to drive different behaviors according to your product's needs.

Profile Ids can be found in the Multi Portal, in the API Credentials page.

tag
string (Tag) <= 50 characters ^[a-zA-Z0-9_-]+$

The tag field is a custom field that can be used to search and filter.

required
object

The root user needs to be a director or a legal representative of the corporate that is being onboarded - this user cannot be deactivated.

Root users need to verify their email address and mobile number, as well as complete KYC as part of the Corporate's due diligence process.

required
object

The details associated with the company being on-boarded. The details provided need to match exactly with the details provided during KYB.

industry
required
string (Industry)

The industry of the identity.

Enum: "ACCOUNTING" "AUDIT" "FINANCE" "PUBLIC_SECTOR_ADMINISTRATION" "ART_ENTERTAINMENT" "AUTO_AVIATION" "BANKING_LENDING" "BUSINESS_CONSULTANCY_LEGAL" "CONSTRUCTION_REPAIR" "EDUCATION_PROFESSIONAL_SERVICES" "INFORMATIONAL_TECHNOLOGIES" "TOBACCO_ALCOHOL" "GAMING_GAMBLING" "MEDICAL_SERVICES" "MANUFACTURING" "PR_MARKETING" "PRECIOUS_GOODS_JEWELRY" "NON_GOVERNMENTAL_ORGANIZATION" "INSURANCE_SECURITY" "RETAIL_WHOLESALE" "TRAVEL_TOURISM" "FREELANCER"
sourceOfFunds
required
string (CorporateSourceOfFunds)

The corporate's source of funds.

Enum: "LABOUR_CONTRACT" "CIVIL_CONTRACT" "RENT" "FUNDS_FROM_OTHER_AUXILIARY_SOURCES" "SALE_OF_MOVABLE_ASSETS" "SALE_OF_REAL_ESTATE" "ORDINARY_BUSINESS_ACTIVITY" "DIVIDENDS" "LOAN_FROM_FINANCIAL_INSTITUTIONS_CREDIT_UNIONS" "LOAN_FROM_THIRD_PARTIES" "SALE_OF_COMPANY_SHARES_BUSINESS" "OTHER"
sourceOfFundsOther
string

Description of source of funds in case OTHER was chosen.

acceptedTerms
required
boolean

Must be set to true to indicate that the corporate root user has accepted the terms and conditions.

ipAddress
required
string [ 5 .. 45 ] characters

The IP address of the corporate user doing the registration.

baseCurrency
required
string (Currency) 3 characters ^[A-Z]*$

The currency expressed in ISO-4217 code. Example: GBP, EUR, USD.

feeGroup
string

Fee groups allow the possibility to charge different fees to users under the same profile. If fee groups are not required, ignore this field.

Responses

Request samples

Content type
application/json
{
  • "profileId": "string",
  • "tag": "string",
  • "rootUser": {
    },
  • "company": {
    },
  • "industry": "ACCOUNTING",
  • "sourceOfFunds": "LABOUR_CONTRACT",
  • "sourceOfFundsOther": "string",
  • "acceptedTerms": true,
  • "ipAddress": "string",
  • "baseCurrency": "str",
  • "feeGroup": "string"
}

Response samples

Content type
application/json
{
  • "id": {
    },
  • "profileId": "string",
  • "tag": "string",
  • "rootUser": {
    },
  • "company": {
    },
  • "industry": "ACCOUNTING",
  • "sourceOfFunds": "LABOUR_CONTRACT",
  • "sourceOfFundsOther": "string",
  • "acceptedTerms": true,
  • "ipAddress": "string",
  • "baseCurrency": "str",
  • "feeGroup": "string",
  • "creationTimestamp": 0
}

Get a corporate

Retrieve the details of the logged-in corporate.

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses

Request samples

curl -i -X GET \
  https://sandbox.weavr.io/multi/corporates \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'api-key: YOUR_API_KEY_HERE' \
  -H 'idempotency-ref: string'

Response samples

Content type
application/json
{
  • "id": {
    },
  • "profileId": "string",
  • "tag": "string",
  • "rootUser": {
    },
  • "company": {
    },
  • "industry": "ACCOUNTING",
  • "sourceOfFunds": "LABOUR_CONTRACT",
  • "sourceOfFundsOther": "string",
  • "acceptedTerms": true,
  • "ipAddress": "string",
  • "baseCurrency": "str",
  • "feeGroup": "string",
  • "creationTimestamp": 0
}

Update a corporate

Update the details of the logged-in corporate identity.

The following Corporate details are verified during due diligence (KYB) and cannot be updated via the API once the Corporate has been verified:

  • Root User Name
  • Root User Surname
  • Root User Email
  • Root User Mobile Country Code
  • Root User Mobile Number

If these details need to be changed after due diligence is completed, please contact Customer Support to restart the Due Diligence process.

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
tag
string (Tag) <= 50 characters ^[a-zA-Z0-9_-]+$

The tag field is a custom field that can be used to search and filter.

industry
string (Industry)

The industry of the identity.

Enum: "ACCOUNTING" "AUDIT" "FINANCE" "PUBLIC_SECTOR_ADMINISTRATION" "ART_ENTERTAINMENT" "AUTO_AVIATION" "BANKING_LENDING" "BUSINESS_CONSULTANCY_LEGAL" "CONSTRUCTION_REPAIR" "EDUCATION_PROFESSIONAL_SERVICES" "INFORMATIONAL_TECHNOLOGIES" "TOBACCO_ALCOHOL" "GAMING_GAMBLING" "MEDICAL_SERVICES" "MANUFACTURING" "PR_MARKETING" "PRECIOUS_GOODS_JEWELRY" "NON_GOVERNMENTAL_ORGANIZATION" "INSURANCE_SECURITY" "RETAIL_WHOLESALE" "TRAVEL_TOURISM" "FREELANCER"
sourceOfFunds
string (CorporateSourceOfFunds)

The corporate's source of funds.

Enum: "LABOUR_CONTRACT" "CIVIL_CONTRACT" "RENT" "FUNDS_FROM_OTHER_AUXILIARY_SOURCES" "SALE_OF_MOVABLE_ASSETS" "SALE_OF_REAL_ESTATE" "ORDINARY_BUSINESS_ACTIVITY" "DIVIDENDS" "LOAN_FROM_FINANCIAL_INSTITUTIONS_CREDIT_UNIONS" "LOAN_FROM_THIRD_PARTIES" "SALE_OF_COMPANY_SHARES_BUSINESS" "OTHER"
sourceOfFundsOther
string

Description of source of funds in case OTHER was chosen.

object (Address)
feeGroup
string

The fee group which the Corporate will be bound to. Do not specify this if you are not using fee groups.

baseCurrency
string (Currency) 3 characters ^[A-Z]*$

The currency expressed in ISO-4217 code. Example: GBP, EUR, USD.

name
string <= 20 characters ^[^0-9~!@#$%^*()_+={}\\|:;,<>/?]*$

The first name of the Corporate root user.

surname
string <= 20 characters ^[^0-9~!@#$%^*()_+={}\\|:;,<>/?]*$

The last name of the Corporate root user.

email
string (Email) [ 6 .. 255 ] characters ^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{...

E-mail Address of the user

object (Mobile)
object (Date)

Responses

Request samples

Content type
application/json
{
  • "tag": "string",
  • "industry": "ACCOUNTING",
  • "sourceOfFunds": "LABOUR_CONTRACT",
  • "sourceOfFundsOther": "string",
  • "companyBusinessAddress": {
    },
  • "feeGroup": "string",
  • "baseCurrency": "str",
  • "name": "string",
  • "surname": "string",
  • "email": "string",
  • "mobile": {
    },
  • "dateOfBirth": {
    }
}

Response samples

Content type
application/json
{
  • "id": {
    },
  • "profileId": "string",
  • "tag": "string",
  • "rootUser": {
    },
  • "company": {
    },
  • "industry": "ACCOUNTING",
  • "sourceOfFunds": "LABOUR_CONTRACT",
  • "sourceOfFundsOther": "string",
  • "acceptedTerms": true,
  • "ipAddress": "string",
  • "baseCurrency": "str",
  • "feeGroup": "string",
  • "creationTimestamp": 0
}

Send an email verification code to the root user

The first step in verifying a root user's email. The root user whose email address is to be verified is sent an email containing a randomly generated code.

This code must then be provided in the corporateRootUserEmailVerify operation to verify the root user's email address.

Note that on the Sandbox Environment, the verificationCode is always set to "123456".

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
email
required
string (Email) [ 6 .. 255 ] characters ^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{...

E-mail Address of the user

Responses

Request samples

Content type
application/json
{
  • "email": "string"
}

Response samples

Content type
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Verify email of the root user

The second step in verifying the root user's email. The randomly generated code sent to the root user via email, using the corporateRootUserEmailVerificationCodeSend operation, is submitted here to verify the root user's email.

This is needed as part of the verification process for basic due diligence.

Note that on the Sandbox Environment, the verificationCode is always set to "123456".

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
email
required
string (Email) [ 6 .. 255 ] characters ^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{...

E-mail Address of the user

verificationCode
required
string (VerificationCode) 6 characters ^[0-9]+$

A randomly generated one-time use code used to verify the user's email address or mobile number.

Responses

Request samples

Content type
application/json
{
  • "email": "string",
  • "verificationCode": "string"
}

Response samples

Content type
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Send root user mobile verification code Deprecated

For new development, we encourage you to use the /authentication_factors/otp/{channel} API endpoint.

The first step in verifying a root user's mobile number. The root user whose mobile number is to be verified is sent a text message containing a randomly generated code.

This code must then be provided in the corporateRootUserMobileVerify operation to verify the root user's mobile number.

Note that on the Sandbox Environment, text messages are not sent and the verification code is always set to "123456".

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses

Request samples

curl -i -X POST \
  https://sandbox.weavr.io/multi/corporates/verification/mobile/send \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'api-key: YOUR_API_KEY_HERE' \
  -H 'idempotency-ref: string'

Response samples

Content type
application/json
{
  • "timeLeftForRetry": 0,
  • "retriesLeft": 0
}

Verify root user mobile Deprecated

For new development, we encourage you to use the /authentication_factors/otp/{channel} API endpoint.

The second step in verifying the root user's mobile number. The randomly generated code sent to the root user via text message, using the corporateRootUserVerificationCodeSend operation, is to be submitted here to verify the root user's mobile number.

This is needed as part of the verification process for basic due diligence.

Note that on the Sandbox Environment, text messages are not sent and the verification code is always set to "123456".

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
verificationCode
required
string (VerificationCode) 6 characters ^[0-9]+$

A randomly generated one-time use code used to verify the user's email address or mobile number.

Responses

Request samples

Content type
application/json
{
  • "verificationCode": "string"
}

Response samples

Content type
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Start KYB for a corporate

Corporates need to complete due diligence (KYB) before they can create instruments and perform transactions.

This operation initiates the due diligence process for the logged-in corporate.

Due Diligence is handled by a KYB provider - you will need to embed the KYB UI Component in your application so that the Corporate will be able to perform the KYB process.

To initialise the KYB UI Component, you need a reference that is given you in the response of this operation.

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses

Request samples

curl -i -X POST \
  https://sandbox.weavr.io/multi/corporates/kyb \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'api-key: YOUR_API_KEY_HERE' \
  -H 'idempotency-ref: string'

Response samples

Content type
application/json
{
  • "reference": "string"
}

Get KYB for a corporate

Returns the KYB status for the logged-in corporate.

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses

Request samples

curl -i -X GET \
  https://sandbox.weavr.io/multi/corporates/kyb \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'api-key: YOUR_API_KEY_HERE' \
  -H 'idempotency-ref: string'

Response samples

Content type
application/json
{
  • "kybStatus": "NOT_STARTED"
}

Charge fee to a corporate

Charge a fee to the corporate identified by the auth token, based on a pre-defined custom fee. Custom fees can be configured in the Multi Portal.

The fees collected will be deposited into your Revenue Account. The balance and transaction history of your revenue account can be viewed in the Multi Portal.

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
feeType
required
string

The fee type as defined in the Multi Portal.

required
object (InstrumentId)

Responses

Request samples

Content type
application/json
{
  • "feeType": "string",
  • "source": {
    }
}

Response samples

Content type
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Consumers

Consumers are identities representing individuals. Once on-boarded, Consumers can create and manage their own instruments via your application.

Create a consumer

Create a Consumer Identity to represent an Individual.

The information provided must be accurate as it will be passed on for KYC verification with our partner.

Incorrect information may incur a re-processing fee.

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
profileId
required
string (ProfileId) ^[0-9]+$

The profile Id which a specific identity, instrument or transaction type is linked to.

Profiles contain configuration and determine behavioral aspects of the newly created transaction, for example, fees that may apply.

You can have one or more profiles linked to your application, and these can be used to drive different behaviors according to your product's needs.

Profile Ids can be found in the Multi Portal, in the API Credentials page.

tag
string (Tag) <= 50 characters ^[a-zA-Z0-9_-]+$

The tag field is a custom field that can be used to search and filter.

required
object

The root user represents the identity.

Root users need to verify their email address and mobile number, as well as complete KYC, as part of the Consumer's due diligence process.

ipAddress
required
string [ 5 .. 45 ] characters

The IP address of the user doing the registration.

acceptedTerms
required
boolean

Must be set to true to indicate that the consumer has accepted the terms and conditions.

baseCurrency
string (Currency) 3 characters ^[A-Z]*$

The currency expressed in ISO-4217 code. Example: GBP, EUR, USD.

feeGroup
string

The fee group which the consumer is bound to. Fee groups provide the possibility of different fees to users under the same profile. If fee groups are not required, ignore this field.

sourceOfFunds
required
string (ConsumerSourceOfFunds)

The consumer's source of funds.

Enum: "PERSONAL_SAVINGS" "FAMILY_SAVINGS" "LABOUR_CONTRACT" "CIVIL_CONTRACT" "RENT" "FUNDS_FROM_OTHER_AUXILIARY_SOURCES" "SALE_OF_MOVABLE_ASSETS" "SALE_OF_REAL_ESTATE" "ORDINARY_BUSINESS_ACTIVITY" "DIVIDENDS" "LOAN_FROM_FINANCIAL_INSTITUTIONS_CREDIT_UNIONS" "LOAN_FROM_THIRD_PARTIES" "INHERITANCE" "SALE_OF_COMPANY_SHARES_BUSINESS" "OTHER"
sourceOfFundsOther
string

Description of source of funds in case OTHER was chosen.

Responses

Request samples

Content type
application/json
{
  • "profileId": "string",
  • "tag": "string",
  • "rootUser": {
    },
  • "ipAddress": "string",
  • "acceptedTerms": true,
  • "baseCurrency": "str",
  • "feeGroup": "string",
  • "sourceOfFunds": "PERSONAL_SAVINGS",
  • "sourceOfFundsOther": "string"
}

Response samples

Content type
application/json
{
  • "id": {
    },
  • "profileId": "string",
  • "tag": "string",
  • "rootUser": {
    },
  • "creationTimestamp": 0,
  • "ipAddress": "string",
  • "acceptedTerms": true,
  • "baseCurrency": "str",
  • "feeGroup": "string",
  • "sourceOfFunds": "PERSONAL_SAVINGS",
  • "sourceOfFundsOther": "string"
}

Get a consumer

Retrieve the details of the logged-in Consumer.

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses

Request samples

curl -i -X GET \
  https://sandbox.weavr.io/multi/consumers \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'api-key: YOUR_API_KEY_HERE' \
  -H 'idempotency-ref: string'

Response samples

Content type
application/json
{
  • "id": {
    },
  • "profileId": "string",
  • "tag": "string",
  • "rootUser": {
    },
  • "creationTimestamp": 0,
  • "ipAddress": "string",
  • "acceptedTerms": true,
  • "baseCurrency": "str",
  • "feeGroup": "string",
  • "sourceOfFunds": "PERSONAL_SAVINGS",
  • "sourceOfFundsOther": "string"
}

Update a consumer

Update the details of the logged-in consumer identity.

If the Consumer root user has already completed KYC, the following details cannot be updated:

  • name
  • surname
  • email
  • mobile Country Code
  • mobile Number
  • date of Birth
  • address
Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
tag
string (Tag) <= 50 characters ^[a-zA-Z0-9_-]+$

The tag field is a custom field that can be used to search and filter.

name
string <= 20 characters ^[^0-9~!@#$%^*()_+={}\\|:;,<>/?]*$

The first name of the Consumer root user.

surname
string <= 20 characters ^[^0-9~!@#$%^*()_+={}\\|:;,<>/?]*$

The last name of the Consumer root user.

email
string (Email) [ 6 .. 255 ] characters ^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{...

E-mail Address of the user

object (Mobile)
object (Date)
object (Address)
feeGroup
string

The fee group which the consumer will be bound to. Do not specify this if you are not using fee groups.

baseCurrency
string (Currency) 3 characters ^[A-Z]*$

The currency expressed in ISO-4217 code. Example: GBP, EUR, USD.

occupation
string (Occupation)

The industry of the identity.

Enum: "ACCOUNTING" "AUDIT" "FINANCE" "PUBLIC_SECTOR_ADMINISTRATION" "ART_ENTERTAINMENT" "AUTO_AVIATION" "BANKING_LENDING" "BUSINESS_CONSULTANCY_LEGAL" "CONSTRUCTION_REPAIR" "EDUCATION_PROFESSIONAL_SERVICES" "INFORMATIONAL_TECHNOLOGIES" "TOBACCO_ALCOHOL" "GAMING_GAMBLING" "MEDICAL_SERVICES" "MANUFACTURING" "PR_MARKETING" "PRECIOUS_GOODS_JEWELRY" "NON_GOVERNMENTAL_ORGANIZATION" "INSURANCE_SECURITY" "RETAIL_WHOLESALE" "TRAVEL_TOURISM" "FREELANCER" "STUDENT" "UNEMPLOYED" "RETIRED" "OTHER"
sourceOfFunds
string (ConsumerSourceOfFunds)

The consumer's source of funds.

Enum: "PERSONAL_SAVINGS" "FAMILY_SAVINGS" "LABOUR_CONTRACT" "CIVIL_CONTRACT" "RENT" "FUNDS_FROM_OTHER_AUXILIARY_SOURCES" "SALE_OF_MOVABLE_ASSETS" "SALE_OF_REAL_ESTATE" "ORDINARY_BUSINESS_ACTIVITY" "DIVIDENDS" "LOAN_FROM_FINANCIAL_INSTITUTIONS_CREDIT_UNIONS" "LOAN_FROM_THIRD_PARTIES" "INHERITANCE" "SALE_OF_COMPANY_SHARES_BUSINESS" "OTHER"
sourceOfFundsOther
string

Description of source of funds in case OTHER was chosen.

Responses

Request samples

Content type
application/json
{
  • "tag": "string",
  • "name": "string",
  • "surname": "string",
  • "email": "string",
  • "mobile": {
    },
  • "dateOfBirth": {
    },
  • "address": {
    },
  • "feeGroup": "string",
  • "baseCurrency": "str",
  • "occupation": "ACCOUNTING",
  • "sourceOfFunds": "PERSONAL_SAVINGS",
  • "sourceOfFundsOther": "string"
}

Response samples

Content type
application/json
{
  • "id": {
    },
  • "profileId": "string",
  • "tag": "string",
  • "rootUser": {
    },
  • "creationTimestamp": 0,
  • "ipAddress": "string",
  • "acceptedTerms": true,
  • "baseCurrency": "str",
  • "feeGroup": "string",
  • "sourceOfFunds": "PERSONAL_SAVINGS",
  • "sourceOfFundsOther": "string"
}

Send an email verification code to the root user

The first step in verifying a root user's email. The root user whose email address is to be verified is sent an email containing a randomly generated code.

This code must then be provided in the consumerRootUserEmailVerify operation to verify the root user's email address.

Note that on the Sandbox Environment, the verificationCode is always set to "123456".

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
email
required
string (Email) [ 6 .. 255 ] characters ^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{...

E-mail Address of the user

Responses

Request samples

Content type
application/json
{
  • "email": "string"
}

Response samples

Content type
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Verify email of the root user

The second step in verifying the root user's email. The randomly generated code sent to the root user via email, using the consumerRootUserEmailVerificationCodeSend operation, is submitted here to verify the root user's email.

This is needed as part of the verification process for basic due diligence.

Note that on the Sandbox Environment, emails are not sent and the verification code is always set to "123456".

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
email
required
string (Email) [ 6 .. 255 ] characters ^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{...

E-mail Address of the user

verificationCode
required
string (VerificationCode) 6 characters ^[0-9]+$

A randomly generated one-time use code used to verify the user's email address or mobile number.

Responses

Request samples

Content type
application/json
{
  • "email": "string",
  • "verificationCode": "string"
}

Response samples

Content type
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Send root user mobile verification code Deprecated

For new development, we encourage you to use the /authentication_factors/otp/{channel} API endpoint.

The first step in verifying a root user's mobile number. The root user whose mobile number is to be verified is sent a text message containing a randomly generated code.

This code must then be provided in the consumerRootUserMobileVerify operation to verify the root user's mobile number.

Note that on the Sandbox Environment, text messages are not sent and the verification code is always set to "123456".

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses

Request samples

curl -i -X POST \
  https://sandbox.weavr.io/multi/consumers/verification/mobile/send \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'api-key: YOUR_API_KEY_HERE' \
  -H 'idempotency-ref: string'

Response samples

Content type
application/json
{
  • "timeLeftForRetry": 0,
  • "retriesLeft": 0
}

Verify root user mobile Deprecated

For new development, we encourage you to use the /authentication_factors/otp/{channel}/verify API endpoint.

The second step in verifying the root user's mobile number. The randomly generated code sent to the root user via text message, using the consumerRootUserMobileVerificationCodeSend operation, is to be submitted here to verify the root user's mobile number.

This is needed as part of the verification process for basic due diligence.

Note that on the Sandbox Environment, text messages are not sent and the verification code is always set to "123456"

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
verificationCode
required
string (VerificationCode) 6 characters ^[0-9]+$

A randomly generated one-time use code used to verify the user's email address or mobile number.

Responses

Request samples

Content type
application/json
{
  • "verificationCode": "string"
}

Response samples

Content type
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Start KYC for a consumer

Consumers need to complete due diligence (KYC) before they can create instruments and fund transaction.

This operation initiates the due diligence process for the logged-in consumer.

Due Diligence is handled by a KYB provider, you will need to embed the KYC UI Component in your application to show the KYC screens to your users.

To initialise the KYC UI Component, you need a reference that is given you in the response of this operation.

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses

Request samples

curl -i -X POST \
  https://sandbox.weavr.io/multi/consumers/kyc \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'api-key: YOUR_API_KEY_HERE' \
  -H 'idempotency-ref: string'

Response samples

Content type
application/json
{
  • "reference": "string"
}

Get KYC for a consumer

Returns the KYC status for the logged-in consumer.

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses

Request samples

curl -i -X GET \
  https://sandbox.weavr.io/multi/consumers/kyc \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'api-key: YOUR_API_KEY_HERE' \
  -H 'idempotency-ref: string'

Response samples

Content type
application/json
{
  • "fullDueDiligence": "NOT_STARTED"
}

Start consumer KYC on mobile

Consumers need to complete due diligence (KYC) before they can create instruments and perform transactions. Use this call instead of /consumers/kyc only in case where the KYC is to be performed using a mobile device. The information returned in the response is to be used to integrate directly with Sumsub Mobile SDK.

Authorizations:

Responses

Request samples

curl -i -X POST \
  https://sandbox.weavr.io/multi/consumers/kyc_mobile_sumsub \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'api-key: YOUR_API_KEY_HERE'

Response samples

Content type
application/json
{
  • "verificationFlow": "string",
  • "accessToken": "string",
  • "identityType": "string",
  • "externalUserId": "string",
  • "kycProviderKey": "string"
}

Charge fee to a consumer

Charge a fee to the logged-in consumer based on a pre-defined custom fee. Custom fees can be configured in the Multi Portal.

The fees collected will be deposited into your Revenue Account. The balance and transaction history of your revenue account can be viewed in the Multi Portal.

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
feeType
required
string

The fee type as defined in the Multi Portal.

required
object (InstrumentId)

Responses

Request samples

Content type
application/json
{
  • "feeType": "string",
  • "source": {
    }
}

Response samples

Content type
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Authorised Users

Corporate and Consumer identities can invite authorised users to access their account. Once on-boarded, authorised users can create and manage instruments and transactions on behalf of the identity they are on-boarded with.

In case of Corporate Identities, authorised users are typically employees who have access to company's banking products such as cards and bank accounts.

In case of Consumer Identities, authorised users are typically children/teens whose parents want them to have access to banking products such as cards and bank accounts.

Note that /users endpoints are to be used only for performing operations related to authorised users - getting or updating the details of root users is to be done via the respective /consumers or /corporates endpoints.

Create a user

Creates a user linked to the logged-in corporate or consumer identity.

Once on-boarded, users have access to all instruments (cards and accounts) of the identity.

Application-specific permissions to limit what each user can view and do need to be implemented in your application.

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
name
required
string <= 20 characters

The first name of the user.

surname
required
string <= 20 characters

The last name of the user.

email
required
string (Email) [ 6 .. 255 ] characters ^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{...

E-mail Address of the user

object (Mobile)
object (Date)

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "surname": "string",
  • "email": "string",
  • "mobile": {
    },
  • "dateOfBirth": {
    }
}

Response samples

Content type
application/json
{
  • "id": "string",
  • "identity": {
    },
  • "name": "string",
  • "surname": "string",
  • "email": "string",
  • "mobile": {
    },
  • "active": true,
  • "dateOfBirth": {
    }
}

Get all users

Fetches all authorised users associated with the corporate or consumer identity the logged-in user belongs to.

Authorizations:
query Parameters
offset
integer <int32> >= 0

The offset value for paging, indicating the initial item number to be returned from the data set satisfying the given criteria. Leave out to fetch the first page of results.

limit
integer <int32> [ 1 .. 100 ]

The limit of the results for paging, starting at the offset. Limit is always capped at 100.

active
boolean

Filter for active or deactivated users. Leave out to fetch all users.

email
string (Email) [ 6 .. 255 ] characters ^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{...

Filter by the email address of the user.

header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses

Request samples

curl -i -X GET \
  'https://sandbox.weavr.io/multi/users?offset=0&limit=1&active=true&email=string' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'api-key: YOUR_API_KEY_HERE' \
  -H 'idempotency-ref: string'

Response samples

Content type
application/json
{
  • "users": [
    ],
  • "count": 0,
  • "responseCount": 0
}

Get a user

Retrieves the user identified by the user_id path parameter.

Authorizations:
path Parameters
user_id
required
string (UserId) ^[0-9]+$

The unique identifier for the user.

header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses

Request samples

curl -i -X GET \
  https://sandbox.weavr.io/multi/users/:user_id \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'api-key: YOUR_API_KEY_HERE' \
  -H 'idempotency-ref: string'

Response samples

Content type
application/json
{
  • "id": "string",
  • "identity": {
    },
  • "name": "string",
  • "surname": "string",
  • "email": "string",
  • "mobile": {
    },
  • "active": true,
  • "dateOfBirth": {
    }
}

Update a user

Update the details of a user identified by the user_id in the the path parameter.

Only the fields that are specified in the request body will be updated. All other fields will remain unchanged.

Authorizations:
path Parameters
user_id
required
string (UserId) ^[0-9]+$

The unique identifier for the user.

header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
name
string <= 20 characters

The first name of the user.

surname
string <= 20 characters

The last name of the user.

email
string (Email) [ 6 .. 255 ] characters ^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{...

E-mail Address of the user

object (Mobile)
object (Date)

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "surname": "string",
  • "email": "string",
  • "mobile": {
    },
  • "dateOfBirth": {
    }
}

Response samples

Content type
application/json
{
  • "id": "string",
  • "identity": {
    },
  • "name": "string",
  • "surname": "string",
  • "email": "string",
  • "mobile": {
    },
  • "active": true,
  • "dateOfBirth": {
    }
}

Activate a user

Activate the user identified by the user_id path parameter.

By default, any new users created will be automatically activated. This operation needs to be used only if the user was previously de-activated using the userDeactivate operation, or if the user was de-activated automatically after multiple incorrect login attempts.

Authorizations:
path Parameters
user_id
required
string (UserId) ^[0-9]+$

The unique identifier for the user.

header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses

Request samples

curl -i -X POST \
  https://sandbox.weavr.io/multi/users/:user_id/activate \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'api-key: YOUR_API_KEY_HERE' \
  -H 'idempotency-ref: string'

Response samples

Content type
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Deactivate a user

De-activate the user identified by the user_id path parameter.

Deactivated users cannot log in or execute any operations with their credentials.

This operations is not final and a user can be re-activated using the userActivate operation. Note that another active user would need to log in so as to re-activate the de-activated user.

Authorizations:
path Parameters
user_id
required
string (UserId) ^[0-9]+$

The unique identifier for the user.

header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses

Request samples

curl -i -X POST \
  https://sandbox.weavr.io/multi/users/:user_id/deactivate \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'api-key: YOUR_API_KEY_HERE' \
  -H 'idempotency-ref: string'

Response samples

Content type
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Send a user invite

Once a user is created using the userCreate operation, the user needs to setup his/her password.

An invitation needs to be sent to the user in order to be able to set up the password for the first time. The invitation email, which remains valid for 1 month, will contain a URL having all information required to setup the password via the userInviteConsume.

Authorizations:
path Parameters
user_id
required
string (UserId) ^[0-9]+$

The unique identifier for the user.

header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses

Request samples

curl -i -X POST \
  https://sandbox.weavr.io/multi/users/:user_id/invite \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'api-key: YOUR_API_KEY_HERE' \
  -H 'idempotency-ref: string'

Response samples

Content type
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Validate a user invite

Check if a user's invite is still valid. This operation is useful to avoid having the user fill in a form only to be held by a validation issue (eg. expired invite).

Authorizations:
path Parameters
user_id
required
string (UserId) ^[0-9]+$

The unique identifier for the user.

header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
inviteCode
required
string (Nonce) <= 50 characters ^[a-zA-Z0-9_.*@-]*$|^[a-zA-Z0-9.!#$%&*+\\/=?^...

A randomly generated one-time use code.

Responses

Request samples

Content type
application/json
{
  • "inviteCode": "string"
}

Response samples

Content type
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Consume a user invite

Consumes an invitation perviously sent to the user via userInviteSend. This is needed so that the invited user sets up the password.

Note that on the Sandbox Environment, the inviteCode is always set to "123456".

Authorizations:
path Parameters
user_id
required
string (UserId) ^[0-9]+$

The unique identifier for the user.

header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
inviteCode
required
string (Nonce) <= 50 characters ^[a-zA-Z0-9_.*@-]*$|^[a-zA-Z0-9.!#$%&*+\\/=?^...

A randomly generated one-time use code.

required
object (SensitivePassword)

The user's password or passcode used to log in a user. Passwords must be:

  • between 8 and 30 characters
  • include a lowercase character
  • include an uppercase character
  • include a digit and a special character
  • different from any of the 5 last such passwords used.

For non-PCI compliant integrations, the password submitted must be tokenised.

Responses

Request samples

Content type
application/json
{
  • "inviteCode": "string",
  • "password": {
    }
}

Response samples

Content type
application/json
{
  • "token": "string"
}

Managed Accounts

Managed Accounts are a type of financial instrument offered by Weavr.

They hold funds for their owner, and can be upgraded to IBANs so as to receive and send funds to instruments outside of the Weavr Platform, via Wire Transfers.

Managed accounts can also be used as source and destination instruments in the transfer and send transactions.

Get all managed accounts

Retrieves all managed accounts belonging to the logged-in identity.

Authorizations:
query Parameters
offset
integer <int32> >= 0

The offset value for paging, indicating the initial item number to be returned from the data set satisfying the given criteria. Leave out to fetch the first page of results.

limit
integer <int32> [ 1 .. 100 ]

The limit of the results for paging, starting at the offset. Limit is always capped at 100.

profileId
string (ProfileId) ^[0-9]+$

Filter by the managed account profile. Leave out to fetch all managed accounts.

friendlyName
string [ 1 .. 50 ] characters

Filter by the managed account friendly name. Leave out to fetch all managed accounts.

The exact name must be provided, as wildcards are not supported.

state
Array of strings (InstrumentState) unique
Items Enum: "ACTIVE" "BLOCKED" "DESTROYED"
state.blockedReason
Array of strings (BlockedReason) unique
Items Enum: "USER" "SYSTEM" "LOST"
state.destroyedReason
Array of strings (DestroyedReason) unique
Items Enum: "SYSTEM" "USER" "LOST" "STOLEN" "EXPIRED"
currency
string (Currency) 3 characters ^[A-Z]*$

Filter by the managed account currency.

Currencies are expressed as an ISO 4217 code. Leave out to fetch all managed accounts.

createdFrom
integer <int64>

Filter by the managed account creation date. Leave out to fetch all managed accounts.

createdTo
integer <int64>

Filter by the managed account created date. Leave out to fetch all managed accounts.

tag
string

Filter by the managed account tag. The exact tag must be provided, as wildcards are not supported. Leave out to fetch all managed accounts.

header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses

Request samples

curl -i -X GET \
  'https://sandbox.weavr.io/multi/managed_accounts?offset=0&limit=1&profileId=string&friendlyName=string&state=ACTIVE&state.blockedReason=USER&state.destroyedReason=SYSTEM&currency=str&createdFrom=0&createdTo=0&tag=string' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'api-key: YOUR_API_KEY_HERE' \
  -H 'idempotency-ref: string'

Response samples

Content type
application/json
{
  • "accounts": [
    ],
  • "count": 0,
  • "responseCount": 0
}

Create a managed account

Creates a managed account for the consumer or corporate identity. The Managed Account Profile (configured in the Multi Portal) specified determines the behavior and restrictions that the managed account will have."

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
profileId
required
string (ProfileId) ^[0-9]+$

The profile Id which a specific identity, instrument or transaction type is linked to.

Profiles contain configuration and determine behavioral aspects of the newly created transaction, for example, fees that may apply.

You can have one or more profiles linked to your application, and these can be used to drive different behaviors according to your product's needs.

Profile Ids can be found in the Multi Portal, in the API Credentials page.

friendlyName
required
string [ 1 .. 50 ] characters

The friendly name to be given to the managed account.

currency
required
string (Currency) 3 characters ^[A-Z]*$

The currency expressed in ISO-4217 code. Example: GBP, EUR, USD.

tag
string (Tag) <= 50 characters ^[a-zA-Z0-9_-]+$

The tag field is a custom field that can be used to search and filter.

Responses

Request samples

Content type
application/json
{
  • "profileId": "string",
  • "friendlyName": "string",
  • "currency": "str",
  • "tag": "string"
}

Response samples

Content type
application/json
{
  • "id": "string",
  • "profileId": "string",
  • "tag": "string",
  • "friendlyName": "string",
  • "currency": "str",
  • "balances": {
    },
  • "state": {
    },
  • "creationTimestamp": 0
}

Get a managed account

Fetch the managed account identified by the id in path.

Authorizations:
path Parameters
id
required
string^[0-9]+$

The unique identifier of the Managed Account.

header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses

Request samples

curl -i -X GET \
  https://sandbox.weavr.io/multi/managed_accounts/:id \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'api-key: YOUR_API_KEY_HERE' \
  -H 'idempotency-ref: string'

Response samples

Content type
application/json
{
  • "id": "string",
  • "profileId": "string",
  • "tag": "string",
  • "friendlyName": "string",
  • "currency": "str",
  • "balances": {
    },
  • "state": {
    },
  • "creationTimestamp": 0
}

Update a managed account

Update the details for the managed account identified by the id in the path.

Authorizations:
path Parameters
id
required
string^[0-9]+$

The unique identifier of the managed account.

header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
tag
string (Tag) <= 50 characters ^[a-zA-Z0-9_-]+$

The tag field is a custom field that can be used to search and filter.

friendlyName
string [ 1 .. 50 ] characters

Updates the friendly name of the managed account. Leave blank if no change is needed.

Responses

Request samples

Content type
application/json
{
  • "tag": "string",
  • "friendlyName": "string"
}

Response samples

Content type
application/json
{
  • "id": "string",
  • "profileId": "string",
  • "tag": "string",
  • "friendlyName": "string",
  • "currency": "str",
  • "balances": {
    },
  • "state": {
    },
  • "creationTimestamp": 0
}

Upgrade a managed account with IBAN

Assign an IBAN to a Managed Account.

IBANs enable managed accounts to receive and send funds via wire transfers.

Assigning an IBAN to a Managed Account may be done asynchronously, in which case the ManagedAccountIBAN.state will be set to PENDING_ALLOCATION until bank details are ready to use.

Authorizations:
path Parameters
id
required
string^[0-9]+$

The unique identifier of the Managed Account.

header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses

Request samples

curl -i -X POST \
  https://sandbox.weavr.io/multi/managed_accounts/:id/iban \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'api-key: YOUR_API_KEY_HERE' \
  -H 'idempotency-ref: string'

Response samples

Content type
application/json
{
  • "state": "UNALLOCATED",
  • "bankAccountDetails": [
    ]
}

Get a managed account IBAN

Fetch the IBAN details associated with the Managed Account identified by the id in the path.

Authorizations:
path Parameters
id
required
string^[0-9]+$
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses

Request samples

curl -i -X GET \
  https://sandbox.weavr.io/multi/managed_accounts/:id/iban \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'api-key: YOUR_API_KEY_HERE' \
  -H 'idempotency-ref: string'

Response samples

Content type
application/json
{
  • "state": "UNALLOCATED",
  • "bankAccountDetails": [
    ]
}

Block a managed account

Temporarily blocks a managed account.

Authorizations:
path Parameters
id
required
string^[0-9]+$

The unique identifier of the managed account.

header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses

Request samples

curl -i -X POST \
  https://sandbox.weavr.io/multi/managed_accounts/:id/block \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'api-key: YOUR_API_KEY_HERE' \
  -H 'idempotency-ref: string'

Response samples

Content type
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Unblock a managed account

Unblocks the managed account identified by the id path parameter. The managed account must have state.blockedReason as USER so that it can be unblocked. If the managed account was blocked by SYSTEM, users cannot unblock it.

Authorizations:
path Parameters
id
required
string^[0-9]+$

The unique identifier of the managed account.

header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses

Request samples

curl -i -X POST \
  https://sandbox.weavr.io/multi/managed_accounts/:id/unblock \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'api-key: YOUR_API_KEY_HERE' \
  -H 'idempotency-ref: string'

Response samples

Content type
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Get a managed account statement

Returns a list of transactions against the managed account identified by the id path parameter, matching the criteria provided in the request.

Authorizations:
path Parameters
id
required
string^[0-9]+$

The unique identifier of the managed account.

query Parameters
offset
integer <int32> >= 0

The offset value for paging, indicating the initial item number to be returned from the data set satisfying the given criteria. Leave out to fetch the first page of results.

limit
integer <int32> [ 1 .. 100 ]

The limit of the results for paging, starting at the offset. Limit is always capped at 100.

orderByTimestamp
string

Orders the result in ascending or descending order.

  • ASC: Ascending order, oldest transactions first.
  • DESC: Descending order, most recent transactions first.

If not specified, the transactions will be returned in descending order.

Enum: "ASC" "DESC"
fromTimestamp
integer <int64>

Filter for transactions having transaction timestamp after fromTimestamp. Timestamp is expressed in Epoch timestamp using millisecond precision. Leave out to fetch all managed accounts.

toTimestamp
integer <int64>

Filter for transactions having transaction timestamp before toTimestamp. Timestamp is expressed in Epoch timestamp using millisecond precision. Leave out to fetch all managed accounts.

showFundMovementsOnly
boolean

Returns only the entries which contain fund movements.

header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

accept
string

A request parameter specifying the type of response the client would like. Must be one of application/json or text/csv.

The default response type (application/json) will be returned if specified incorrectly or not specified.

Responses

Request samples

curl -i -X GET \
  'https://sandbox.weavr.io/multi/managed_accounts/:id/statement?offset=0&limit=1&orderByTimestamp=ASC&fromTimestamp=0&toTimestamp=0&showFundMovementsOnly=true' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'accept: string' \
  -H 'api-key: YOUR_API_KEY_HERE' \
  -H 'idempotency-ref: string'

Response samples

Content type
{
  • "entry": [
    ],
  • "count": 0,
  • "responseCount": 0
}

Remove a managed account

Destroys the managed account identified by the id path parameter. Unlike block, this action is not reversible.

A managed account must be emptied from any remaining funds before it can be destroyed.

Authorizations:
path Parameters
id
required
string^[0-9]+$

The unique identifier of the managed account.

header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses

Request samples

curl -i -X POST \
  https://sandbox.weavr.io/multi/managed_accounts/:id/remove \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'api-key: YOUR_API_KEY_HERE' \
  -H 'idempotency-ref: string'

Response samples

Content type
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Managed Cards

Managed Cards are a type of financial instrument offered by Weavr.

You can create virtual or physical cards that are issued to the consumer or corporate identity.

A card created in prepaid mode has its own balance, whereas a card created in debit mode does not have its own balance but taps into the balance of its parent managed account.

Create a managed card

Creates a managed card for the consumer or corporate identity. The Managed Card Profile (configured in the Multi Portal) specified determines the behaviour and restrictions that the managed card will have.

Authorizations:
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
profileId
required
string (ProfileId) ^[0-9]+$

The profile Id which a specific identity, instrument or transaction type is linked to.

Profiles contain configuration and determine behavioral aspects of the newly created transaction, for example, fees that may apply.

You can have one or more profiles linked to your application, and these can be used to drive different behaviors according to your product's needs.

Profile Ids can be found in the Multi Portal, in the API Credentials page.

tag
string (Tag) <= 50 characters ^[a-zA-Z0-9_-]+$

The tag field is a custom field that can be used to search and filter.

friendlyName
required
string [ 1 .. 50 ] characters

The friendly name for the card.

nameOnCard
required
string [ 1 .. 27 ] characters ^[a-zA-Z0-9äöüÄÖÜ\\-^. ']*$

The card holder's name for the card.

This may be verified by merchants when the card is used online. For Physical cards, this field will be printed on the card.

cardholderMobileNumber
required
string [ 5 .. 20 ] characters ^\\+[0-9]+$

The mobile number including country code of the card holder.

For transactions that require a 3DS challenge, an SMS with a code will be sent on this number, to be entered during an online purchase.

required
object (Address)
mode
required
string

The card can be created in prepaid mode or debit mode.

  • A prepaid mode card has its own balance and can have funds transferred to or from it.
  • A debit mode card does not have its own balance but will be able to spend funds belonging to its parent managed account, subject to a configurable spend limit.
currency
required
string (Currency) 3 characters ^[A-Z]*$

The currency expressed in ISO-4217 code. Example: GBP, EUR, USD.

Responses

Request samples

Content type
application/json
Example
{
  • "profileId": "string",
  • "tag": "string",
  • "friendlyName": "string",
  • "nameOnCard": "string",
  • "cardholderMobileNumber": "string",
  • "billingAddress": {
    },
  • "mode": "PREPAID_MODE",
  • "currency": "str"
}

Response samples

Content type
application/json
Example
{
  • "id": "string",
  • "profileId": "string",
  • "externalHandle": "string",
  • "tag": "string",
  • "friendlyName": "string",
  • "currency": "str",
  • "state": {
    },
  • "type": "VIRTUAL",
  • "cardBrand": "MASTERCARD",
  • "cardNumber": {
    },
  • "cvv": {
    },
  • "cardNumberFirstSix": "string",
  • "cardNumberLastFour": "stri",
  • "nameOnCard": "string",
  • "startMmyy": "stri",
  • "expiryMmyy": "stri",
  • "cardLevelClassification": "CONSUMER",
  • "expiryPeriodMonths": 1,
  • "renewalType": "AUTO_RENEW",
  • "creationTimestamp": 0,
  • "cardholderMobileNumber": "string",
  • "billingAddress": {
    },
  • "physicalCardDetails": {
    },
  • "mode": "PREPAID_MODE",
  • "balances": {
    }
}

Get all managed cards

Fetch cards matching the search criteria provided.

Authorizations:
query Parameters
offset
integer <int32> >= 0

The offset value for paging, indicating the initial item number to be returned from the data set satisfying the given criteria. Leave out to fetch the first page of results.

limit
integer <int32> [ 1 .. 100 ]

The limit of the results for paging, starting at the offset. Limit is always capped at 100.

profileId
string (ProfileId) ^[0-9]+$

Filter by the managed card profile. Leave out to fetch all managed cards.

friendlyName
string [ 1 .. 50 ] characters

Filter by the managed card friendly name. Leave out to fetch all managed cards. The exact name must be provided, as wildcards are not supported.

state
Array of strings (InstrumentState) unique
Items Enum: "ACTIVE" "BLOCKED" "DESTROYED"
state.blockedReason
Array of strings (BlockedReason) unique
Items Enum: "USER" "SYSTEM" "LOST"
state.destroyedReason
Array of strings (DestroyedReason) unique
Items Enum: "SYSTEM" "USER" "LOST" "STOLEN" "EXPIRED"
currency
string (Currency) 3 characters ^[A-Z]*$

Filter by the managed card currency. Currencies are expressed as an ISO 4217 code. Leave out to fetch all managed cards.

type
string

Filter by the type of the card.

Enum: "VIRTUAL" "PHYSICAL"
externalHandle
string

Search by the card's externalHandle.

cardNumberFirstSix
string 6 characters ^[0-9]*$

Filter by first six digits of the card.

cardNumberLastFour
string 4 characters ^[0-9]*$

Filter by last four digits of the card.

createdFrom
integer <int64>

Filter for managed cards created after createdFrom timestamp. Timestamp is expressed in Epoch timestamp using millisecond precision. Leave out to fetch all managed cards.

createdTo
integer <int64>

Filter for managed cards created before createdTo timestamp. Timestamp is expressed in Epoch timestamp using millisecond precision. Leave out to fetch all managed cards.

mode
string

Filter by card mode (prepaid mode or debit mode).

Enum: "DEBIT_MODE" "PREPAID_MODE"
tag
string

Filter by the managed card tag. The exact tag must be provided, as wildcards are not supported. Leave out to fetch all managed cards.

parentManagedAccountId
string^[0-9]+$

Filter by the Id of the parent managed account associated with the card. This is applicable only for debit mode cards.

manufacturingState
Array of strings (ManufacturingState) unique
Items Enum: "REQUESTED" "SENT_FOR_FULFILLMENT" "DISPATCHED" "DELIVERED"
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses

Request samples

curl -i -X GET \
  'https://sandbox.weavr.io/multi/managed_cards?offset=0&limit=1&profileId=string&friendlyName=string&state=ACTIVE&state.blockedReason=USER&state.destroyedReason=SYSTEM&currency=str&type=VIRTUAL&externalHandle=string&cardNumberFirstSix=string&cardNumberLastFour=stri&createdFrom=0&createdTo=0&mode=DEBIT_MODE&tag=string&parentManagedAccountId=string&manufacturingState=REQUESTED' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'api-key: YOUR_API_KEY_HERE' \
  -H 'idempotency-ref: string'

Response samples

Content type
application/json
{
  • "cards": [
    ],
  • "count": 0,
  • "responseCount": 0
}

Get a managed card

Returns all details of the managed card identified by the id path parameter.

Authorizations:
path Parameters
id
required
string^[0-9]+$

The unique identifier of a card.

header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses

Request samples

curl -i -X GET \
  https://sandbox.weavr.io/multi/managed_cards/:id \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'api-key: YOUR_API_KEY_HERE' \
  -H 'idempotency-ref: string'

Response samples

Content type
application/json
Example
{
  • "id": "string",
  • "profileId": "string",
  • "externalHandle": "string",
  • "tag": "string",
  • "friendlyName": "string",
  • "currency": "str",
  • "state": {
    },
  • "type": "VIRTUAL",
  • "cardBrand": "MASTERCARD",
  • "cardNumber": {
    },
  • "cvv": {
    },
  • "cardNumberFirstSix": "string",
  • "cardNumberLastFour": "stri",
  • "nameOnCard": "string",
  • "startMmyy": "stri",
  • "expiryMmyy": "stri",
  • "cardLevelClassification": "CONSUMER",
  • "expiryPeriodMonths": 1,
  • "renewalType": "AUTO_RENEW",
  • "creationTimestamp": 0,
  • "cardholderMobileNumber": "string",
  • "billingAddress": {
    },
  • "physicalCardDetails": {
    },
  • "mode": "PREPAID_MODE",
  • "balances": {
    }
}

Update a managed card

Update the details of the managed card identified by the id path parameter.

Authorizations:
path Parameters
id
required
string^[0-9]+$

The unique identifier of a card.

header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
tag
string (Tag) <= 50 characters ^[a-zA-Z0-9_-]+$

The tag field is a custom field that can be used to search and filter.

friendlyName
string [ 1 .. 50 ] characters

Updates the friendly name of the card. Leave blank if no change is needed.

cardholderMobileNumber
string [ 5 .. 20 ] characters ^\\+[0-9]+$

The mobile number including country code of the card holder, needed in case a 3DS challenge is required.

object (Address)
object (DeliveryAddress)

The delivery address where the physical card is delivered.

deliveryMethod
string (DeliveryMethod)

The delivery methods supported for delivering printed physical cards. If not specified, the STANDARD_DELIVERY method will be used.

Enum: "STANDARD_DELIVERY" "REGISTERED_MAIL" "COURIER" "FIRST_CLASS_MAIL"

Responses

Request samples

Content type
application/json
{
  • "tag": "string",
  • "friendlyName": "string",
  • "cardholderMobileNumber": "string",
  • "billingAddress": {
    },
  • "deliveryAddress": {
    },
  • "deliveryMethod": "STANDARD_DELIVERY"
}

Response samples

Content type
application/json
Example
{
  • "id": "string",
  • "profileId": "string",
  • "externalHandle": "string",
  • "tag": "string",
  • "friendlyName": "string"