Auth v0.6.1

Scroll down for code samples, example requests and responses. Select a language for code samples from the tabs above or the mobile navigation menu.

Introduction

The Authentication API is an identity layer based on OpenID Connect (OIDC) and OAuth 2.0. Accessing resources in the Apiture Open platform requires registering an OAuth consumer before making authenticated API requests.

Supported authentication flows

OAuth 2.0 Authorization code: used with server-side Applications
OAuth 2.0 Implicit: used with Mobile Applications or Web Applications

Discovery

The OpenID Connect Discovery metadata can be retrieved by browsing to the /auth/openid/metadata URL. The metadata information is public.

Samples

For each endpoint in the API, sample requests and responses are provided.

Creating a consumer

Request an OAuth consumer key and secret by emailing api@apiture.com. The following information must be part of the consumer request:

Name: A name identifying the consumer.
Callback URL: A URL in the target application that can receive token responses.

After submitting the request, an email will be sent containing the generated key and secret for the consumer.

Flows

OpenID Connect Authorization Code Flow

This interactive flow involves browser redirection to the Apiture Identity Provider URL (the OAuth authorization server) for secure user login and consent. After the first redirection, the user is redirected back to the requesting application using the callback URL that was configured when the application was registered as a consumer.

Authenticate the user [browser redirection]
Receive user consent [browser redirection]
Authenticate the client
Exchange code for tokens

OpenID Connect Implicit Flow

This flow is similar to the code flow but allows to retrieve a token directly without the need of an intermediate code. Upon successful authentication the tokens are returned in the hash fragment of the redirection URL. No refresh tokens are returned using this type of grant.

Authenticate the user [browser redirection]
Receive user consent [browser redirection]

More information about triggering these flows can be found by reading about the /auth/oauth2 endpoints below.

Using the Tokens

Upon successful authentication the token endpoint will return an access token that can be used to call secured API endpoints, it will have an expiration time in milliseconds as indicated in the expires_in attribute.

Each request to a secured endpoint must include the bearer token as part of the Authorization header: Authorization: Bearer <TOKEN> The /oauth2/token#refreshToken endpoint can be used to refresh an expired token. To do this the grant_type must be set to refresh_token and the refresh_token parameter must be the refresh token obtained when the last token was issued.

Pasword reset flow

It is possible to reset the user's password from an unauthenticated space by sending the user's key identifying information.

Start the process by issuing a POST to /passwordResetRequests with the user's username, taxId and birthdate. A confirmation code is sent via the preconfigured delivery channel as a result of this operation.
Use the confirmation code as part of a POST request to /passwordResets along with the user's username and the new desired password. A successful password reset will be acknowledged with a 202 status code.

Download OpenAPI Definition (YAML)

Base URLs:

https://api.devbank.apiture.com/auth

Email: Apiture Web: Apiture

Authentication

API Key (apiKey)
- header parameter: API-Key
- API Key based authentication. Each client application must pass its private, unique API key, allocated in the developer portal, via the API-Key: {api-key} request header.

OAuth2 authentication (accessToken)
- OAuth2 client access token authentication. The client authenticates against the server at authorizationUrl, passing the client's private clientId (and optional clientSecret) as part of this flow. The client obtains an access token from the server at tokenUrl. It then passes the received access token via the Authorization: Bearer {access-token} header in subsequent API calls. The authorization process also returns a refresh token which the client should use to renew the access token before it expires.
- Flow: authorizationCode
- Authorization URL = https://auth.apiture.com/oauth2/authorize
- Token URL = http://auth.apiture.com/auth/oauth2/token

Scope	Scope Description
`profiles/read`	Read access to user and contact related resources.
`profiles/write`	Write (update) access to user and contact related resources.
`profiles/delete`	Delete access to user and contact related resources.
`profiles/readPii`	Read access to personally identifiable information such as tax ID numbers, phone numbers, email and postal addresses. This must be granted in addition to the `profiles/read` scope in order to read such data, but is included in the `profiles/full` scope.
`profiles/full`	Full access to user and contact related resources.

API

Endpoints which describe this API

getApi

Code samples

# You can also use wget
curl -X GET https://api.devbank.apiture.com/auth/ \
  -H 'Accept: application/hal+json'

GET https://api.devbank.apiture.com/auth/ HTTP/1.1
Host: api.devbank.apiture.com
Accept: application/hal+json

var headers = {
  'Accept':'application/hal+json'

};

$.ajax({
  url: 'https://api.devbank.apiture.com/auth/',
  method: 'get',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

const fetch = require('node-fetch');

const headers = {
  'Accept':'application/hal+json'

};

fetch('https://api.devbank.apiture.com/auth/',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/hal+json'
}

result = RestClient.get 'https://api.devbank.apiture.com/auth/',
  params: {
  }, headers: headers

p JSON.parse(result)

import requests
headers = {
  'Accept': 'application/hal+json'
}

r = requests.get('https://api.devbank.apiture.com/auth/', params={

}, headers = headers)

print r.json()

URL obj = new URL("https://api.devbank.apiture.com/auth/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

package main

import (
       "bytes"
       "net/http"
)

func main() {

    headers := map[string][]string{
        "Accept": []string{"application/hal+json"},
        
    }

    data := bytes.NewBuffer([]byte{jsonReq})
    req, err := http.NewRequest("GET", "https://api.devbank.apiture.com/auth/", data)
    req.Header = headers

    client := &http.Client{}
    resp, err := client.Do(req)
    // ...
}

Top-level resources and operations in this API

GET /

Return links to the top-level resources and operations in this API.

Example responses

OK

{
  "id": "auth",
  "name": "Authorization",
  "apiVersion": "0.1.0",
  "_profile": "https://api.apiture.com/schemas/common/api/v1.0.0/profile.json",
  "_links": {
    "apiture:authorize": {
      "href": "/authorization/oauth2/authorize"
    },
    "apiture:token": {
      "href": "/authorization/oauth2/token"
    },
    "apiture:metadata": {
      "href": "/authorization/openid/metadata"
    }
  }
}

200 Response

{
  "id": "apiName",
  "name": "API name",
  "apiVersion": "0.0.1-SNAPSHOT",
  "_profile": "https://api.apiture.com/schemas/common/root/v1.0.0/profile.json",
  "_links": null
}

Responses

Status	Description
200	OK
	OK
	Schema: `root`

getApiDoc

Code samples

# You can also use wget
curl -X GET https://api.devbank.apiture.com/auth/apiDoc \
  -H 'Accept: application/json'

GET https://api.devbank.apiture.com/auth/apiDoc HTTP/1.1
Host: api.devbank.apiture.com
Accept: application/json

var headers = {
  'Accept':'application/json'

};

$.ajax({
  url: 'https://api.devbank.apiture.com/auth/apiDoc',
  method: 'get',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

const fetch = require('node-fetch');

const headers = {
  'Accept':'application/json'

};

fetch('https://api.devbank.apiture.com/auth/apiDoc',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient.get 'https://api.devbank.apiture.com/auth/apiDoc',
  params: {
  }, headers: headers

p JSON.parse(result)

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get('https://api.devbank.apiture.com/auth/apiDoc', params={

}, headers = headers)

print r.json()

URL obj = new URL("https://api.devbank.apiture.com/auth/apiDoc");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

package main

import (
       "bytes"
       "net/http"
)

func main() {

    headers := map[string][]string{
        "Accept": []string{"application/json"},
        
    }

    data := bytes.NewBuffer([]byte{jsonReq})
    req, err := http.NewRequest("GET", "https://api.devbank.apiture.com/auth/apiDoc", data)
    req.Header = headers

    client := &http.Client{}
    resp, err := client.Do(req)
    // ...
}

Return API definition document

GET /apiDoc

Return the OpenAPI document that describes this API.

Example responses

200 Response

{}

Responses

Status	Description
200	OK
	OK
	Schema: `Inline`

Response Schema

Discovery

Endpoints for OpenID Connect Discovery

getMetadata

Code samples

# You can also use wget
curl -X GET https://api.devbank.apiture.com/auth/openid/metadata \
  -H 'Accept: application/json' \
  -H 'API-Key: API_KEY'

GET https://api.devbank.apiture.com/auth/openid/metadata HTTP/1.1
Host: api.devbank.apiture.com
Accept: application/json

var headers = {
  'Accept':'application/json',
  'API-Key':'API_KEY'

};

$.ajax({
  url: 'https://api.devbank.apiture.com/auth/openid/metadata',
  method: 'get',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

const fetch = require('node-fetch');

const headers = {
  'Accept':'application/json',
  'API-Key':'API_KEY'

};

fetch('https://api.devbank.apiture.com/auth/openid/metadata',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json',
  'API-Key' => 'API_KEY'
}

result = RestClient.get 'https://api.devbank.apiture.com/auth/openid/metadata',
  params: {
  }, headers: headers

p JSON.parse(result)

import requests
headers = {
  'Accept': 'application/json',
  'API-Key': 'API_KEY'
}

r = requests.get('https://api.devbank.apiture.com/auth/openid/metadata', params={

}, headers = headers)

print r.json()

URL obj = new URL("https://api.devbank.apiture.com/auth/openid/metadata");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

package main

import (
       "bytes"
       "net/http"
)

func main() {

    headers := map[string][]string{
        "Accept": []string{"application/json"},
        "API-Key": []string{"API_KEY"},
        
    }

    data := bytes.NewBuffer([]byte{jsonReq})
    req, err := http.NewRequest("GET", "https://api.devbank.apiture.com/auth/openid/metadata", data)
    req.Header = headers

    client := &http.Client{}
    resp, err := client.Do(req)
    // ...
}

Returns OpenID Connect Discovery metadata.

GET /openid/metadata

This request returns a JSON structure containing scopes.

Example responses

200 Response

{}

400 Response

Responses

Status	Description
200	OK
	The metadata was returned successfully.
	Schema: `authMetadata`
400	Bad Request
	Bad Request. The request body or one or more of the query parameters was not well formed. The `_error` field in the response will contain details about the request error.
	Schema: `errorResponse`
422	Unprocessable Entity
	Unprocessable Entity. One or more of the query parameters was well formed but otherwise invalid.
	Schema: `errorResponse`

Authorize

Endpoints for user authentication and authorization

authorize

Code samples

# You can also use wget
curl -X GET https://api.devbank.apiture.com/auth/oauth2/authorize?client_id=string \
  -H 'Accept: */*' \
  -H 'API-Key: API_KEY'

GET https://api.devbank.apiture.com/auth/oauth2/authorize?client_id=string HTTP/1.1
Host: api.devbank.apiture.com
Accept: */*

var headers = {
  'Accept':'*/*',
  'API-Key':'API_KEY'

};

$.ajax({
  url: 'https://api.devbank.apiture.com/auth/oauth2/authorize',
  method: 'get',
  data: '?client_id=string',
  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

const fetch = require('node-fetch');

const headers = {
  'Accept':'*/*',
  'API-Key':'API_KEY'

};

fetch('https://api.devbank.apiture.com/auth/oauth2/authorize?client_id=string',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

require 'rest-client'
require 'json'

headers = {
  'Accept' => '*/*',
  'API-Key' => 'API_KEY'
}

result = RestClient.get 'https://api.devbank.apiture.com/auth/oauth2/authorize',
  params: {
  'client_id' => 'string'
}, headers: headers

p JSON.parse(result)

import requests
headers = {
  'Accept': '*/*',
  'API-Key': 'API_KEY'
}

r = requests.get('https://api.devbank.apiture.com/auth/oauth2/authorize', params={
  'client_id': 'string'
}, headers = headers)

print r.json()

URL obj = new URL("https://api.devbank.apiture.com/auth/oauth2/authorize?client_id=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("GET");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

package main

import (
       "bytes"
       "net/http"
)

func main() {

    headers := map[string][]string{
        "Accept": []string{"*/*"},
        "API-Key": []string{"API_KEY"},
        
    }

    data := bytes.NewBuffer([]byte{jsonReq})
    req, err := http.NewRequest("GET", "https://api.devbank.apiture.com/auth/oauth2/authorize", data)
    req.Header = headers

    client := &http.Client{}
    resp, err := client.Do(req)
    // ...
}

Redirect to id.apiture.com for secure user login

GET /oauth2/authorize

This request redirects the user to the Apiture Identity Provider login page.

Parameters

Parameter	Description
`response_type` (query)	`string` Indicates the authentication flow to be used. Use `code` to specify the usage of the OAuth 2.0 Authorization code flow and `token` for the OAuth 2.0 implicit grant flow.
`scope` (query)	`string` This must be set to `openid` to indicate a request for OpenID authentication and ID token.
`client_id` (query)	`string` (required) This must be set to the key obtained after registration of the application as a consumer.
`state` (query)	`string` An arbitrary value set by the client to maintain state between the authorization request and the callback.
`redirect_uri` (query)	`string` The callback url that the user will be redirected to after successful login and consent with the Apiture Identity Provider. This value must match the value used during the consumer registration process. The callback url will be called with the authorization code provided as a parameter. Required if using the authorization_code flow.

Example responses

400 Response

Responses

Status	Description
302	Found
	Indicates a redirection url has been returned to the client.
400	Bad Request
	Bad Request. The request body or one or more of the query parameters was not well formed. The `_error` field in the response will contain details about the request error.
	Schema: `errorResponse`
422	Unprocessable Entity
	Unprocessable Entity. One or more of the query parameters was well formed but otherwise invalid.
	Schema: `errorResponse`

Response Headers

Status	Description
`302`	`Location` `string`
	The login and consent page of the Apiture Identity Provider.

Token

Endpoints for token exchange

getToken

Code samples

# You can also use wget
curl -X POST https://api.devbank.apiture.com/auth/oauth2/token \
  -H 'Accept: */*' \
  -H 'Authorization: string' \
  -H 'API-Key: API_KEY'

POST https://api.devbank.apiture.com/auth/oauth2/token HTTP/1.1
Host: api.devbank.apiture.com
Accept: */*
Authorization: string

var headers = {
  'Accept':'*/*',
  'Authorization':'string',
  'API-Key':'API_KEY'

};

$.ajax({
  url: 'https://api.devbank.apiture.com/auth/oauth2/token',
  method: 'post',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

const fetch = require('node-fetch');

const headers = {
  'Accept':'*/*',
  'Authorization':'string',
  'API-Key':'API_KEY'

};

fetch('https://api.devbank.apiture.com/auth/oauth2/token',
{
  method: 'POST',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

require 'rest-client'
require 'json'

headers = {
  'Accept' => '*/*',
  'Authorization' => 'string',
  'API-Key' => 'API_KEY'
}

result = RestClient.post 'https://api.devbank.apiture.com/auth/oauth2/token',
  params: {
  }, headers: headers

p JSON.parse(result)

import requests
headers = {
  'Accept': '*/*',
  'Authorization': 'string',
  'API-Key': 'API_KEY'
}

r = requests.post('https://api.devbank.apiture.com/auth/oauth2/token', params={

}, headers = headers)

print r.json()

URL obj = new URL("https://api.devbank.apiture.com/auth/oauth2/token");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("POST");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

package main

import (
       "bytes"
       "net/http"
)

func main() {

    headers := map[string][]string{
        "Accept": []string{"*/*"},
        "Authorization": []string{"string"},
        "API-Key": []string{"API_KEY"},
        
    }

    data := bytes.NewBuffer([]byte{jsonReq})
    req, err := http.NewRequest("POST", "https://api.devbank.apiture.com/auth/oauth2/token", data)
    req.Header = headers

    client := &http.Client{}
    resp, err := client.Do(req)
    // ...
}

Obtain a secure access token.

POST /oauth2/token

Create an access token for client use. The authorization code received from the callback redirection is an intermediate credential. The code must then be exchanged with a token by making a request to this endpoint.

Parameters

Parameter Description

Parameter	Description
`Authorization` (header)	`string` (required) Authorization credentials in the form of `Basic <ENCODED-CREDENTIALS>` where `<ENCODED-CREDENTIALS>` is a base 64 encoding of the text `key:secret` for the registered client. If these client credentials are supplied when using the `client_credentials` grant, the OpenID Connect handshake is shortened and no interactive redirect is used. This form of authentication is less secure since it requires transmitting credentials. This should only be used with trusted clients.
`grant_type` (query)	`string` This must be set to one of the following:

Authorization
(header)

string (required)
Authorization credentials in the form of

Basic <ENCODED-CREDENTIALS>

where <ENCODED-CREDENTIALS> is a base 64 encoding of the text key:secret for the registered client. If these client credentials are supplied when using the client_credentials grant, the OpenID Connect handshake is shortened and no interactive redirect is used. This form of authentication is less secure since it requires transmitting credentials. This should only be used with trusted clients.

grant_type
(query) string
This must be set to one of the following:

authorization_code if using the OAuth 2.0 Authorization code flow
client_credentials when using client-supplied credentials (key and secret)
refresh_token when refreshing an expired token. | |code
(query) | string
This must be set to the authorization code returned via a callback redirect after calling the /auth/oauth2/authorize endpoint if using the OAuth 2.0 Authorization code flow. | |redirect_uri
(query) | string
The callback url that the user will be redirected to after successful login and consent with the Apiture Identity Provider. This value must match the value used during the consumer registration process. The callback url will be called with the authorization code provided as a parameter. Required if using the authorization_code flow. |

Example responses

400 Response

Responses

Status	Description
200	OK
	Return a response containing the access token, refresh token, etc. schema: $ref: '#/definitions/oauthTokens'
302	Found
	Indicates a redirection url has been returned to the client.
400	Bad Request
	Bad Request. The request body or one or more of the query parameters was not well formed. The `_error` field in the response will contain details about the request error.
	Schema: `errorResponse`
401	Unauthorized
	The client did not include credentials or the credentials are not valid, or the `access_token` has expired and should be refreshed.
	Schema: `errorResponse`
403	Forbidden
	The client is not authorized to generate a new token.
	Schema: `errorResponse`
422	Unprocessable Entity
	Unprocessable Entity. One or more of the query parameters was well formed but otherwise invalid.
	Schema: `errorResponse`

Response Headers

Status	Description
`302`	`Location` `string`
	The login and consent page of the Apiture Identity Provider.

refreshToken

Code samples

# You can also use wget
curl -X POST https://api.devbank.apiture.com/auth/oauth2/token#refreshToken?refresh_token=string \
  -H 'Accept: */*' \
  -H 'Authorization: string' \
  -H 'API-Key: API_KEY'

POST https://api.devbank.apiture.com/auth/oauth2/token#refreshToken?refresh_token=string HTTP/1.1
Host: api.devbank.apiture.com
Accept: */*
Authorization: string

var headers = {
  'Accept':'*/*',
  'Authorization':'string',
  'API-Key':'API_KEY'

};

$.ajax({
  url: 'https://api.devbank.apiture.com/auth/oauth2/token#refreshToken',
  method: 'post',
  data: '?refresh_token=string',
  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

const fetch = require('node-fetch');

const headers = {
  'Accept':'*/*',
  'Authorization':'string',
  'API-Key':'API_KEY'

};

fetch('https://api.devbank.apiture.com/auth/oauth2/token#refreshToken?refresh_token=string',
{
  method: 'POST',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

require 'rest-client'
require 'json'

headers = {
  'Accept' => '*/*',
  'Authorization' => 'string',
  'API-Key' => 'API_KEY'
}

result = RestClient.post 'https://api.devbank.apiture.com/auth/oauth2/token#refreshToken',
  params: {
  'refresh_token' => 'string'
}, headers: headers

p JSON.parse(result)

import requests
headers = {
  'Accept': '*/*',
  'Authorization': 'string',
  'API-Key': 'API_KEY'
}

r = requests.post('https://api.devbank.apiture.com/auth/oauth2/token#refreshToken', params={
  'refresh_token': 'string'
}, headers = headers)

print r.json()

URL obj = new URL("https://api.devbank.apiture.com/auth/oauth2/token#refreshToken?refresh_token=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("POST");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

package main

import (
       "bytes"
       "net/http"
)

func main() {

    headers := map[string][]string{
        "Accept": []string{"*/*"},
        "Authorization": []string{"string"},
        "API-Key": []string{"API_KEY"},
        
    }

    data := bytes.NewBuffer([]byte{jsonReq})
    req, err := http.NewRequest("POST", "https://api.devbank.apiture.com/auth/oauth2/token#refreshToken", data)
    req.Header = headers

    client := &http.Client{}
    resp, err := client.Do(req)
    // ...
}

Obtain new tokens after an access token has expired.

POST /oauth2/token#refreshToken

Create a new access token for client use after an access_token has expired.

Parameters

Parameter Description

Parameter	Description
`Authorization` (header)	`string` (required) Authorization credentials in the form of `Basic <ENCODED-CREDENTIALS>` where `<ENCODED-CREDENTIALS>` is a base 64 encoding of the text `key:secret` for the registered client. If these client credentials are supplied when using the `client_credentials` grant, the OpenID Connect handshake is shortened and no interactive redirect is used. This form of authentication is less secure since it requires transmitting credentials. This should only be used with trusted clients.
`grant_type` (query)	`string` This must be set to one of the following:

Authorization
(header)

string (required)
Authorization credentials in the form of

Basic <ENCODED-CREDENTIALS>

grant_type
(query) string
This must be set to one of the following:

authorization_code if using the OAuth 2.0 Authorization code flow
client_credentials when using client-supplied credentials (key and secret)
refresh_token when refreshing an expired token. | |refresh_token
(query) | string (required)
The value of the refresh_token obtained with the original expired access token. |

Example responses

400 Response

Responses

Status	Description
200	OK
	Return a response containing the new access token, refresh token, etc. schema: $ref: '#/definitions/oauthTokens'
400	Bad Request
	Bad Request. The request body or one or more of the query parameters was not well formed. The `_error` field in the response will contain details about the request error.
	Schema: `errorResponse`
401	Unauthorized
	The client did not include credentials or the credentials are not valid, or the `access_token` has expired and should be refreshed.
	Schema: `errorResponse`
403	Forbidden
	The client is not authorized to generate a new token.
	Schema: `errorResponse`
422	Unprocessable Entity
	Unprocessable Entity. One or more of the query parameters was well formed but otherwise invalid.
	Schema: `errorResponse`

Password

User authentication passwords

passwordResetRequest

Code samples

# You can also use wget
curl -X POST https://api.devbank.apiture.com/auth/passwordResetRequests \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -H 'API-Key: API_KEY'

POST https://api.devbank.apiture.com/auth/passwordResetRequests HTTP/1.1
Host: api.devbank.apiture.com
Content-Type: application/json
Accept: application/json

var headers = {
  'Content-Type':'application/json',
  'Accept':'application/json',
  'API-Key':'API_KEY'

};

$.ajax({
  url: 'https://api.devbank.apiture.com/auth/passwordResetRequests',
  method: 'post',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

const fetch = require('node-fetch');
const inputBody = '{
  "username": "john0224",
  "taxId": "XXXX",
  "birthdate": "1974-10-27"
}';
const headers = {
  'Content-Type':'application/json',
  'Accept':'application/json',
  'API-Key':'API_KEY'

};

fetch('https://api.devbank.apiture.com/auth/passwordResetRequests',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json',
  'API-Key' => 'API_KEY'
}

result = RestClient.post 'https://api.devbank.apiture.com/auth/passwordResetRequests',
  params: {
  }, headers: headers

p JSON.parse(result)

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json',
  'API-Key': 'API_KEY'
}

r = requests.post('https://api.devbank.apiture.com/auth/passwordResetRequests', params={

}, headers = headers)

print r.json()

URL obj = new URL("https://api.devbank.apiture.com/auth/passwordResetRequests");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("POST");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

package main

import (
       "bytes"
       "net/http"
)

func main() {

    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},
        "API-Key": []string{"API_KEY"},
        
    }

    data := bytes.NewBuffer([]byte{jsonReq})
    req, err := http.NewRequest("POST", "https://api.devbank.apiture.com/auth/passwordResetRequests", data)
    req.Header = headers

    client := &http.Client{}
    resp, err := client.Do(req)
    // ...
}

Initiate a password reset flow.

POST /passwordResetRequests

Initiate a password reset flow by sending the user's key identifying information. (This operation does not create a resource). A confirmation code is sent to the user via text message or email as a result of this operation. In order to complete the flow, a POST request to /passwordResets must contain the confirmation code as well as the username and the desired new password. This operation does not create a new persisent resource; the password reset is transient and returned in the response body only.

Body parameter

{
  "username": "john0224",
  "taxId": "XXXX",
  "birthdate": "1974-10-27"
}

Parameters

Parameter	Description
`body` (body)	`passwordResetRequest` (required) The data necessary to create a password reset resource.

Example responses

202 Response

{
  "codeDeliveryMethod": "email",
  "codeDestination": "b***@m***.com"
}

400 Response

Responses

Status	Description
202	Accepted
	Accepted
	Schema: `passwordReset`
400	Bad Request
	Bad Request. The request body or one or more of the query parameters was not well formed. The `_error` field in the response will contain details about the request error.
	Schema: `errorResponse`
409	Conflict
	There was a conflict with the state of the user.
	Schema: `errorResponse`
422	Unprocessable Entity
	Password reset is invalid.
	Schema: `errorResponse`
500	Internal Server Error
	Server Error. Fatal error has occurred.
	Schema: `errorResponse`

passwordReset

Code samples

# You can also use wget
curl -X POST https://api.devbank.apiture.com/auth/passwordResets \
  -H 'Content-Type: application/json' \
  -H 'Accept: */*' \
  -H 'API-Key: API_KEY'

POST https://api.devbank.apiture.com/auth/passwordResets HTTP/1.1
Host: api.devbank.apiture.com
Content-Type: application/json
Accept: */*

var headers = {
  'Content-Type':'application/json',
  'Accept':'*/*',
  'API-Key':'API_KEY'

};

$.ajax({
  url: 'https://api.devbank.apiture.com/auth/passwordResets',
  method: 'post',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

const fetch = require('node-fetch');
const inputBody = '{
  "username": "john0224",
  "newPassword": "newPassword",
  "confirmationCode": "12345"
}';
const headers = {
  'Content-Type':'application/json',
  'Accept':'*/*',
  'API-Key':'API_KEY'

};

fetch('https://api.devbank.apiture.com/auth/passwordResets',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => '*/*',
  'API-Key' => 'API_KEY'
}

result = RestClient.post 'https://api.devbank.apiture.com/auth/passwordResets',
  params: {
  }, headers: headers

p JSON.parse(result)

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': '*/*',
  'API-Key': 'API_KEY'
}

r = requests.post('https://api.devbank.apiture.com/auth/passwordResets', params={

}, headers = headers)

print r.json()

URL obj = new URL("https://api.devbank.apiture.com/auth/passwordResets");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("POST");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

package main

import (
       "bytes"
       "net/http"
)

func main() {

    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"*/*"},
        "API-Key": []string{"API_KEY"},
        
    }

    data := bytes.NewBuffer([]byte{jsonReq})
    req, err := http.NewRequest("POST", "https://api.devbank.apiture.com/auth/passwordResets", data)
    req.Header = headers

    client := &http.Client{}
    resp, err := client.Do(req)
    // ...
}

Complete a password reset flow.

POST /passwordResets

Complete an unauthenticated password reset flow by passing username,confirmationCode, and newPassword in the request. This operation will return 202 Accepted if the request is valid.

Body parameter

{
  "username": "john0224",
  "newPassword": "newPassword",
  "confirmationCode": "12345"
}

Parameters

Parameter	Description
`body` (body)	`confirmPasswordReset` (required) The data necessary to confirm a password reset

Example responses

400 Response

Responses

Status	Description
202	Accepted
	Accepted
400	Bad Request
	Bad Request. The request body or one or more of the query parameters was not well formed. The `_error` field in the response will contain details about the request error.
	Schema: `errorResponse`
401	Unauthorized
	The client did not include credentials or the credentials are not valid, or the `access_token` has expired and should be refreshed.
	Schema: `errorResponse`
422	Unprocessable Entity
	Current password does not match or invalid new password.
	Schema: `errorResponse`

changeUserPassword

Code samples

# You can also use wget
curl -X PUT https://api.devbank.apiture.com/auth/my/password \
  -H 'Content-Type: application/json' \
  -H 'Accept: */*' \
  -H 'API-Key: API_KEY' \
  -H 'Authorization: Bearer {access-token}'

PUT https://api.devbank.apiture.com/auth/my/password HTTP/1.1
Host: api.devbank.apiture.com
Content-Type: application/json
Accept: */*

var headers = {
  'Content-Type':'application/json',
  'Accept':'*/*',
  'API-Key':'API_KEY',
  'Authorization':'Bearer {access-token}'

};

$.ajax({
  url: 'https://api.devbank.apiture.com/auth/my/password',
  method: 'put',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

const fetch = require('node-fetch');
const inputBody = '{
  "currentPassword": "currentPassword",
  "newPassword": "newPassword"
}';
const headers = {
  'Content-Type':'application/json',
  'Accept':'*/*',
  'API-Key':'API_KEY',
  'Authorization':'Bearer {access-token}'

};

fetch('https://api.devbank.apiture.com/auth/my/password',
{
  method: 'PUT',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => '*/*',
  'API-Key' => 'API_KEY',
  'Authorization' => 'Bearer {access-token}'
}

result = RestClient.put 'https://api.devbank.apiture.com/auth/my/password',
  params: {
  }, headers: headers

p JSON.parse(result)

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': '*/*',
  'API-Key': 'API_KEY',
  'Authorization': 'Bearer {access-token}'
}

r = requests.put('https://api.devbank.apiture.com/auth/my/password', params={

}, headers = headers)

print r.json()

URL obj = new URL("https://api.devbank.apiture.com/auth/my/password");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("PUT");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

package main

import (
       "bytes"
       "net/http"
)

func main() {

    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"*/*"},
        "API-Key": []string{"API_KEY"},
        "Authorization": []string{"Bearer {access-token}"},
        
    }

    data := bytes.NewBuffer([]byte{jsonReq})
    req, err := http.NewRequest("PUT", "https://api.devbank.apiture.com/auth/my/password", data)
    req.Header = headers

    client := &http.Client{}
    resp, err := client.Do(req)
    // ...
}

Change the user password

PUT /my/password

An authenticated user must pass currentPassword and newPassword in the request body to change its password. This operation requires both apiKey and accessToken security. This operation will return 202 Accepted if the request is valid. If the request fails, and the user does not know the current password, they can request a password reset by using /passwordResetRequests. This operation supports pre-flight validation. If invoked with the preFlightValidate=true query parameter, the operation only validates the newPassword against the password policies and returns an _error in the response with details of any password policy violations.

Body parameter

{
  "currentPassword": "currentPassword",
  "newPassword": "newPassword"
}

Parameters

Parameter	Description
`preFlightValidate` (query)	`boolean` If `true`, the operation performs pre-flight validation only of the `newPassword` and it does not attempt to update the user's password.
`body` (body)	`passwordChange` (required)

Example responses

200 Response

Responses

Status	Description
200	OK
	OK. It uses for pre-flight validation response. The `_error` object in the response, if it exists, contains error messages and other detail about the validation (and may contain nested errors).
	Schema: `passwordChange`
202	Accepted
	Accepted
400	Bad Request
	Bad Request. The request body or one or more of the query parameters was not well formed. The `_error` field in the response will contain details about the request error.
	Schema: `errorResponse`
401	Unauthorized
	The client did not include credentials or the credentials are not valid, or the `access_token` has expired and should be refreshed.
	Schema: `errorResponse`
422	Unprocessable Entity
	Current password does not match or invalid new password.
	Schema: `errorResponse`

Schemas

passwordResetRequest

{
  "username": "john0224",
  "taxId": "XXXX",
  "birthdate": "1974-10-27"
}

Password Reset Request

Create a new password reset.

Properties

Name	Description
`username`	`string` (required) The user's username.
`taxId`	`string` (required) Last 4 digits of the user tax ID.
`birthdate`	`string(date)` (required) The user's birth date in RFC 3339 `YYYY-MM-DD` date format.

passwordReset

{
  "codeDeliveryMethod": "email",
  "codeDestination": "b***@m***.com"
}

Password Reset

Password reset resource.

Properties

Name	Description
`codeDeliveryMethod`	`string` Confirmation code delivery method. Enumerated values: `sms` `email`
`codeDestination`	`string` Masked email address or phone number the confirmation code is sent to.

authMetadata

{}

Authentication metadata

A map of (name, value) pairs which describe then the OpenID Provider metadata.

Properties

oauthToken

{
  "access_token": "string",
  "token_type": "string",
  "expires_in": 0,
  "refresh_token": "string"
}

OAuth Tokens

A response from a credentialed request for tokens.

Properties

Name	Description
`access_token`	`string` An opaque string which should be passed (along with the `token_type`) to subsequent API calls which require authentication. Normally this is done via the the `Authorization` header of the request: from this response: `Authorization:` `token_type` `access_token`
`token_type`	`string` The form of token returned. This is typically the string `Bearer` and is the key which subsequent calls should use (along with the `access_token` above) in the `Authorization` header when making authenticated API requests.
`expires_in`	`integer(int64)` The number of seconds until the `access_token` expires. When it expires, use the `refresh_token` to request a new access token.
`refresh_token`	`string` A token to use when the `access_token` expires. The client should retain this securely so it can obtain a new `access_token` later when the access token expires.

abstractResource

{
  "_profile": "https://api.apiture.com/schema/example/v1.0.0/profile.json",
  "_links": {
    "self": {
      "href": "{uri of current resource}"
    }
  }
}

Abstract Resource

An augmented HAL resource representation. This model contains hypermedia _links, and either optional domain object data with _profile and optional _embedded objects, or an _error object. In responses, if the operation was successful, this object will not include the _error, but if the operation was a 4xx or 5xx error, this object will not include _embedded or any data fields, only _error and optionally _links.

Properties

Name	Description
`_links`	`links` An optional map of links, mapping each link relation to a link object. This model defines the `_links` object of HAL representations.
`_embedded`	`object` An optional map of nested resources, mapping each nested resource name to a nested resource representation.
`_profile`	`string(uri)` The URI of a resource profile which describes the representation.
`_error`	`error` An object which describes an error. This value is omitted if the operation succeeded without error.

root

{
  "id": "apiName",
  "name": "API name",
  "apiVersion": "0.0.1-SNAPSHOT",
  "_profile": "https://api.apiture.com/schemas/common/root/v1.0.0/profile.json",
  "_links": null
}

The root of this API

A HAL response, with hypermedia _links for the top-level resources and operations in API.

Properties

Name	Description
`_links`	`links` An optional map of links, mapping each link relation to a link object. This model defines the `_links` object of HAL representations.
`_embedded`	`object` An optional map of nested resources, mapping each nested resource name to a nested resource representation.
`_profile`	`string(uri)` The URI of a resource profile which describes the representation.
`_error`	`error` An object which describes an error. This value is omitted if the operation succeeded without error.
`_id`	`string` This API's unique ID.
`name`	`string` This API's name.
`apiVersion`	`string` This API's version.

links

{
  "property1": {
    "href": "http://example.com",
    "type": "string",
    "templated": true,
    "title": "string",
    "deprecation": "http://example.com",
    "profile": "http://example.com"
  },
  "property2": {
    "href": "http://example.com",
    "type": "string",
    "templated": true,
    "title": "string",
    "deprecation": "http://example.com",
    "profile": "http://example.com"
  }
}

Links

An optional map of links, mapping each link relation to a link object. This model defines the _links object of HAL representations.

Properties

Name	Description
`additionalProperties`	`link` Describes a hypermedia link within a `_links` object in HAL representations. In Apiture APIs, links are HAL links, but Apiture APIs do not use the `name` or `hreflang` properties of HAL. Apiture links may include a `method` property.

link

{
  "href": "http://example.com",
  "type": "string",
  "templated": true,
  "title": "string",
  "deprecation": "http://example.com",
  "profile": "http://example.com"
}

Link

Describes a hypermedia link within a _links object in HAL representations. In Apiture APIs, links are HAL links, but Apiture APIs do not use the name or hreflang properties of HAL. Apiture links may include a method property.

Properties

Name	Description
`href`	`string(uri)` (required) The URI or URI template for the resource/operation this link refers to.
`type`	`string` The media type for the resource.
`templated`	`boolean` If true, the link's href is a URI template.
`title`	`string` An optional human-readable localized title for the link.
`deprecation`	`string(uri)` If present, the containing link is deprecated and the value is a URI which provides human-readable text information about the deprecation.
`profile`	`string(uri)` The URI of a profile document, a JSON document which describes the target resource/operation.

errorResponse

{
  "_profile": "https://api.apiture.com/schemas/common/errorResponse/v1.0.0/profile.json",
  "_error": {
    "_id": "2eae46e1-575c-4d69-8a8f-0a7b0115a4b3",
    "_profile": "https://api.apiture.com/schemas/common/errorResponse/v1.0.0/profile.json",
    "message": "The value for deposit must be greater than 0.",
    "statusCode": 422,
    "type": "positiveNumberRequired",
    "attributes": {
      "value": -125.5
    },
    "remediation": "Provide a value which is greater than 0",
    "occurredAt": {},
    "_links": {
      "describedby": {
        "href": "http://doc.apiture.com/errors/positiveNumberRequired"
      }
    },
    "_embedded": {
      "errors": []
    }
  }
}

Error Response

Describes an error response, typically returned on 4xx or 5xx errors from API operations. The _error object contains the error details.

Properties

Name	Description
`_links`	`links` An optional map of links, mapping each link relation to a link object. This model defines the `_links` object of HAL representations.
`_embedded`	`object` An optional map of nested resources, mapping each nested resource name to a nested resource representation.
`_profile`	`string(uri)` The URI of a resource profile which describes the representation.
`_error`	`error` An object which describes an error. This value is omitted if the operation succeeded without error.

error

{
  "_id": "2eae46e1-575c-4d69-8a8f-0a7b0115a4b3",
  "_profile": "https://api.apiture.com/schemas/common/errorResponse/v1.0.0/profile.json",
  "message": "The value for deposit must be greater than 0.",
  "statusCode": 422,
  "type": "positiveNumberRequired",
  "attributes": {
    "value": -125.5
  },
  "remediation": "Provide a value which is greater than 0",
  "occurredAt": "2018-01-25T05:50:52.375Z",
  "_links": {
    "describedby": {
      "href": "http://doc.apiture.com/errors/positiveNumberRequired"
    }
  },
  "_embedded": {
    "errors": []
  }
}

Error

An error description. Nested source errors are contained in the _embedded object with the key "errors"; this is an array of nested error objects. For example, an API which validates its request body may find multiple errors in the request, which may be detailed here. The _links may contain a describedby link which refers to a web page with details about the error. The attributes field An optional map of name/value pairs which provide structured data about the error. For example, if the error is a value out of range, the attributes may specify the range values min and max. This allows clients to present error messages as they see fit (the API does not assume the client/presentation tier).

Properties

Name	Description
`message`	`string` (required) A localized message string describing the error condition.
`_id`	`string` A unique identifier for this error instance. This may be used as a correlation ID with the root cause error (i.e. this ID may be logged at the source of the error). This is is an opaque string.
`statusCode`	`integer` The HTTP status code associate with this error. `minimum: 100` `maximum: 599`
`type`	`string` An error identifier which indicates the category of error and associate it with API support documentation or which the UI tier can use to render an appropriate message or hint. This provides a finer level of granularity than the `statusCode`. For example, instead of just 400 Bad Request, the `type` may be much more specific. such as `integerValueNotInAllowedRange` or `numericValueExceedsMaximum` or `stringValueNotInAllowedSet`.
`occurredAt`	`string(date-time)` An ISO 8601 UTC time stamp indicating when the error occurred.
`attributes`	`attributes` Data attribute associated with the error, such as values or constraints.
`remediation`	`string` An optional localized string which provides hints for how the user or client can resolve the error.
`_embedded`	`object` Optional embedded array of errors. This field may not exist if the error does not have nested errors.
`» items`	`[errorResponse]` An array of error objects.

attributes

{}

Attributes

An optional map of name/value pairs which contains additional dynamic data about the resource.

Properties

passwordChange

{
  "currentPassword": "currentPassword",
  "newPassword": "newPassword"
}

Password change

Representation used to change a user password. The request must contain the newPassword and the currentPassword.

Properties

Name	Description
`_links`	`links` An optional map of links, mapping each link relation to a link object. This model defines the `_links` object of HAL representations.
`_embedded`	`object` An optional map of nested resources, mapping each nested resource name to a nested resource representation.
`_profile`	`string(uri)` The URI of a resource profile which describes the representation.
`_error`	`error` An object which describes an error. This value is omitted if the operation succeeded without error.
`newPassword`	`string(password)` A new user password
`currentPassword`	`string(password)` A current user password. This field is used for performing the change password flow.

confirmPasswordReset

{
  "username": "john0224",
  "newPassword": "newPassword",
  "confirmationCode": "12345"
}

Confirm Password Reset

Representation used to confirm a password reset flow.

Properties

Name	Description
`newPassword`	`string(password)` A new user password
`confirmationCode`	`string` A confirmation code send when the user initiated password reset.
`username`	`string` The username.