Challenges v0.6.0

Scroll down for code samples, example requests and responses. Select a language for code samples from the tabs above or the mobile navigation menu.

The Challenges API supports challenging banking users to verify their identity when performing other API operations.

This API supports challenges when the financial institution requires the user to prove their identity though a secondary challenge factor, such as entering a code sent to them via SMS (text message), email, voice call, or by answering security questions. User may have has one or more channels associated with each factor, such as a multiple phone numbers or e-mail addresses. The financial institution may require a challenge before certain actions that warrant extra validation, such as making transfers to an external institution, updating the customer's mailing address, or ordering replacement debit cards.

An API operation may return a 403 response with a challengeRequired problem type name to indicate a challenge is required for that operation. (The problem response's type is the URI https://production.api.apiture.com/errors/challengeRequired/v1.0.0/. The actual version number v1.0.0 may change, although the problem type URL always starts with https://production.api.apiture.com/errors/challengeRequired/.) For challengeRequired, the attributes in the apiProblem response lists the challenges that the client may choose from as described in the requiredIdentityChallenge schema. The user must complete one of the offered challenges.

Each challenge contains a challengeFactor which identifies how the user receives and completes the challenge. This object has a type which describes the factor used to complete the challenge and optional string labels which describe the channel(s) through which the user can complete the challenge. For sms and voice factors, the label is the last four digits of a phone number. For email challenges, the label is a masked email address. For securityQuestions, the challengeFactor includes a prompt for each of the user's security questions, and does not use the labels.

The user selects their preferred channel from those available, and the client then starts that challenge flow via the startIdentityChallenge operation. In response to that operation, the service will send an one-time passcode of several digits to the user via the corresponding channel for the sms, email, voice, authenticatorToken challenge factors. The start operation is required to activate the challenge, even if the service does not have to send information to the user, such as with securityQuestions.

The user enters the challenge response, such as the one-time passcode that was sent to them or the answers to their security questions, in the client. Then the client completes the challenge by verifying the user's challenge response.

The system verifies the submitted challenge response(s) and, if valid, returns a token that the client must pass via the Challenge request header (in conjunction with the existing Authorization header) when it retries the operation.

For example, if the user chose to complete the following sms challenge factor: { "type": "sms", "id": "15488eb31d2aef258d59", "labels": [ "3774" ] }

The client will start that challenge.
The system sends the one-time passcode such as 987303 via SMS text message to their phone ending in 3774.
The user enters that one-time passcode 987303 in the client application.
The client application submits the one-time passcode response and the corresponding challenge id (15488eb31d2aef258d59) and factor (sms) and responses using the verifyIdentityChallenge operation.

The verifyIdentityChallenge response includes a result. A result of failed means the verification failed. A result of locked means the user has failed too many verification attempts and the system has locked them out. The response also include an allows object which indicate if the user can submit new response, restart the factor (i.e. resend the one-time passcode), or try the operation again to get a new challenge.

A result of verified means the user's response matched the expected response. A response with a verified result also includes a challengeToken value. The client must send this in the Challenge request header in addition to the Authorization header when retrying the operation.

For example, if the result from verifying the response contains { ... "result": "verified", "challengeToken": "91a2a7724d6e82f5cd73", ... } and their existing bearer token is eyJraWQi...VVb1pH9bcBbg, then the client should send the request headers:

Authentication: Bearer eyJraWQi...VVb1pH9bcBbg
Challenge: 91a2a7724d6e82f5cd73

when retrying the operation.

Download OpenAPI Definition (YAML)

Base URLs:

https://api.apiture.com/banking/challenges

Email: Apiture Web: Apiture

License: Apiture API License

Authentication

OpenID Connect authentication (accessToken)
- OpenId Connect (OIDC) authentication/authorization. The client uses the authorization_endpoint and token_endpoint to obtain an access token to pass in the Authorization header. Those endpoints are available via the OIDC Configuration URL. The actual URL may vary with each financial institution. See details at Secure Access.
- OIDC Configuration URL = https://auth.apiture.com/oidc/.well-known/openid-configuration

Challenges

startIdentityChallenge

Code samples

# You can also use wget
curl -X POST https://api.apiture.com/banking/challenges/startedChallenges \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -H 'Authorization: Bearer {access-token}'

POST https://api.apiture.com/banking/challenges/startedChallenges HTTP/1.1
Host: api.apiture.com
Content-Type: application/json
Accept: application/json

const fetch = require('node-fetch');
const inputBody = '{
  "operationId": "createTransfer",
  "challengeId": "b8cae0901002bba4e2a7",
  "factor": "sms",
  "factorId": "mobile-1"
}';
const headers = {
  'Content-Type':'application/json',
  'Accept':'application/json',
  'Authorization':'Bearer {access-token}'

};

fetch('https://api.apiture.com/banking/challenges/startedChallenges',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

var headers = {
  'Content-Type':'application/json',
  'Accept':'application/json',
  'Authorization':'Bearer {access-token}'

};

$.ajax({
  url: 'https://api.apiture.com/banking/challenges/startedChallenges',
  method: 'post',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json',
  'Authorization' => 'Bearer {access-token}'
}

result = RestClient.post 'https://api.apiture.com/banking/challenges/startedChallenges',
  params: {
  }, headers: headers

p JSON.parse(result)

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json',
  'Authorization': 'Bearer {access-token}'
}

r = requests.post('https://api.apiture.com/banking/challenges/startedChallenges', params={

}, headers = headers)

print r.json()

URL obj = new URL("https://api.apiture.com/banking/challenges/startedChallenges");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("POST");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

package main

import (
       "bytes"
       "net/http"
)

func main() {

    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},
        "Authorization": []string{"Bearer {access-token}"},
        
    }

    data := bytes.NewBuffer([]byte{jsonReq})
    req, err := http.NewRequest("POST", "https://api.apiture.com/banking/challenges/startedChallenges", data)
    req.Header = headers

    client := &http.Client{}
    resp, err := client.Do(req)
    // ...
}

Start an identity challenge

POST https://api.apiture.com/banking/challenges/startedChallenges

Start the identity challenge flow for the user's chosen factor. For sms, voice, and email challenges, this causes the system to send a four to six digit code to the user via SMS, automated voice phone call, or email. The factor passed in the request is marked as active and eligible to be verified. The user should complete the challenge by submitting their response(s) to the challenge via the verifyIdentityChallenge operation.

Body parameter

{
  "operationId": "createTransfer",
  "challengeId": "b8cae0901002bba4e2a7",
  "factor": "sms",
  "factorId": "mobile-1"
}

Parameters

Parameter	Description
`body`	`identityChallenge` (required) The data necessary to initiate an identity challenge flow.

Example responses

200 Response

{
  "operationId": "createTransfer",
  "challengeId": "b8cae0901002bba4e2a7",
  "factor": "sms",
  "factorId": "mobile-1",
  "expiresAt": "2023-01-05T08:50:33.375Z",
  "minimumResponseLength": 8,
  "maximumResponseLength": 8
}

Responses

Status	Description
200	OK
	OK. The identity challenge flow was started successfully.
	Schema: `startedIdentityChallenge`

Status Description

400 Bad Request

Status	Description
400	Bad Request
	Bad Request. The request body, request headers, and/or query parameters are not well-formed. This error response may have one of the following `type` values: `https://production.api.apiture.com/errors/badRequest/v1.0.0` The request body and/or parameters was not well-formed. Remediation: Correct any syntax or schema errors in the request body or parameters.
	Schema: `Inline`

Bad Request. The request body, request headers, and/or query parameters are not well-formed.

This error response may have one of the following type values:

https://production.api.apiture.com/errors/badRequest/v1.0.0
The request body and/or parameters was not well-formed. Remediation: Correct any syntax or schema errors in the request body or parameters.

Schema: Inline

Status Description

401 Unauthorized

Status	Description
401	Unauthorized
	Unauthorized. The operation requires authentication but no authentication or insufficient authentication was given. This error response may have one of the following `type` values: `https://production.api.apiture.com/errors/unauthorized/v1.0.0` The request lacks valid authentication credentials for the target resource or operation. Remediation: Authenticate the user and pass the required authorization with the request.
	Schema: `Inline`

Unauthorized. The operation requires authentication but no authentication or insufficient authentication was given.

This error response may have one of the following type values:

https://production.api.apiture.com/errors/unauthorized/v1.0.0
The request lacks valid authentication credentials for the target resource or operation. Remediation: Authenticate the user and pass the required authorization with the request.

Schema: Inline

Status Description

403 Forbidden

Status	Description
403	Forbidden
	Forbidden. The authenticated caller is not authorized to perform the requested operation. This error response may have one of the following `type` values: `https://production.api.apiture.com/errors/forbidden/v1.0.0` The user or agent is not allowed to perform this operation; authentication credentials were provided in the request, but the server considers them insufficient to grant access. Remediation: Check the user's permissions and entitlements before attempting the operation. `https://production.api.apiture.com/errors/customerDisabled/v1.0.0` The customer is disabled. Remediation: Have the customer contact the financial institution for support. `https://production.api.apiture.com/errors/antiMalwareRequired/v1.0.0` The financial institution requires the customer to have anti-malware software installed. Remediation: Direct the user to the software requirements guide to install the correct anti-malware software. `https://production.api.apiture.com/errors/modificationForbidden/v1.0.0` The customer is properly authenticated but not authorized to create, modify, or delete resources. Remediation: Avoid modification operation for customers with read-only authorization. `https://production.api.apiture.com/errors/challengeRequired/v1.0.0` The operation requires the customer to complete an identity challenge. Remediation: Complete the challenge as per the problem response, and add an additional `Challenge` header to the call. The `attributes` object in the error may have the properties defined by the `requiredIdentityChallenge` schema. `https://production.api.apiture.com/errors/challengeBlocked/v1.0.0` The user has failed challenges too many times and is blocked from attempting more or performing operations which require additional authentication. Remediation: Have the user end their login session and login again. `https://production.api.apiture.com/errors/noIdentityChallengeFactors/v1.0.0` This operation requires an identity challenge, but the user does not have the necessary registered authentication factors. Remediation: Have the user register one or more challenge security code delivery factors. `https://production.api.apiture.com/errors/invalidIdentityChallengeHeader/v1.0.0` The additional on-time `Challenge` header in this request is expired, already used, or otherwise invalid. Remediation: Supply a valid, unexpired, unclaimed `Challenge` header in the request.
	Schema: `Inline`

Forbidden. The authenticated caller is not authorized to perform the requested operation.

This error response may have one of the following type values:

https://production.api.apiture.com/errors/forbidden/v1.0.0
The user or agent is not allowed to perform this operation; authentication credentials were provided in the request, but the server considers them insufficient to grant access. Remediation: Check the user's permissions and entitlements before attempting the operation.
https://production.api.apiture.com/errors/customerDisabled/v1.0.0
The customer is disabled. Remediation: Have the customer contact the financial institution for support.
https://production.api.apiture.com/errors/antiMalwareRequired/v1.0.0
The financial institution requires the customer to have anti-malware software installed. Remediation: Direct the user to the software requirements guide to install the correct anti-malware software.
https://production.api.apiture.com/errors/modificationForbidden/v1.0.0
The customer is properly authenticated but not authorized to create, modify, or delete resources. Remediation: Avoid modification operation for customers with read-only authorization.
https://production.api.apiture.com/errors/challengeRequired/v1.0.0
The operation requires the customer to complete an identity challenge. Remediation: Complete the challenge as per the problem response, and add an additional Challenge header to the call. The attributes object in the error may have the properties defined by the requiredIdentityChallenge schema.
https://production.api.apiture.com/errors/challengeBlocked/v1.0.0
The user has failed challenges too many times and is blocked from attempting more or performing operations which require additional authentication. Remediation: Have the user end their login session and login again.
https://production.api.apiture.com/errors/noIdentityChallengeFactors/v1.0.0
This operation requires an identity challenge, but the user does not have the necessary registered authentication factors. Remediation: Have the user register one or more challenge security code delivery factors.
https://production.api.apiture.com/errors/invalidIdentityChallengeHeader/v1.0.0
The additional on-time Challenge header in this request is expired, already used, or otherwise invalid. Remediation: Supply a valid, unexpired, unclaimed Challenge header in the request.

Schema: Inline

Status Description

422 Unprocessable Entity

Status	Description
422	Unprocessable Entity
	Unprocessable Entity. This error response may have one of the following `type` values: `https://production.api.apiture.com/errors/invalidChallengeId/v1.0.0` The provided `challengeId` is invalid, expired, already claimed, or does not match the `factor` or context. Remediation: Provide the corresponding `operationId`, `factor` and `id` from the challenge. `https://production.api.apiture.com/errors/invalidChallengeFactor/v1.0.0` The `factor` in the request does not match available factors. Remediation: Use a `factor` that corresponds to the `challengeId` from the corresponding challenge. `https://production.api.apiture.com/errors/invalidChallengeOperationId/v1.0.0` The `operationId` is invalid. Remediation: Use the `operationId` from the corresponding challenge. `https://production.api.apiture.com/errors/challengeBlocked/v1.0.0` The user has failed challenges too many times and is blocked from attempting more or performing operations which require additional authentication. Remediation: Have the user end their login session and login again.
	Schema: `problemResponse`

Unprocessable Entity.

This error response may have one of the following type values:

https://production.api.apiture.com/errors/invalidChallengeId/v1.0.0
The provided challengeId is invalid, expired, already claimed, or does not match the factor or context. Remediation: Provide the corresponding operationId, factor and id from the challenge.
https://production.api.apiture.com/errors/invalidChallengeFactor/v1.0.0
The factor in the request does not match available factors. Remediation: Use a factor that corresponds to the challengeId from the corresponding challenge.
https://production.api.apiture.com/errors/invalidChallengeOperationId/v1.0.0
The operationId is invalid. Remediation: Use the operationId from the corresponding challenge.
https://production.api.apiture.com/errors/challengeBlocked/v1.0.0
The user has failed challenges too many times and is blocked from attempting more or performing operations which require additional authentication. Remediation: Have the user end their login session and login again.

Schema: problemResponse

Status Description

429 Too Many Requests

Status	Description
429	Too Many Requests
	Too Many Requests. The client has sent too many requests in a given amount of time. This error response may have one of the following `type` values: `https://production.api.apiture.com/errors/tooManyRequests/v1.0.0` The client has sent too many requests in a given amount of time, exceeding rate limiting. Remediation: Slow down the rate of API calls.
	Schema: `Inline`

Too Many Requests. The client has sent too many requests in a given amount of time.

This error response may have one of the following type values:

https://production.api.apiture.com/errors/tooManyRequests/v1.0.0
The client has sent too many requests in a given amount of time, exceeding rate limiting. Remediation: Slow down the rate of API calls.

Schema: Inline

Status	Description
4XX	Unknown
	Client Request Problem. The client request had a problem not listed under another specific 400-level HTTP response code. View the `detail` in the problem response for additional details.
	Schema: `Inline`

Status	Description
5XX	Unknown
	Server Problem. The server encountered a problem not listed under another specific 500-level HTTP response code. View the `detail` in the problem response for additional details.
	Schema: `Inline`

Response Schema

Status Code 400

Property Name	Description
Problem Response (v0.4.1)	`object` API problem or error response, as per RFC 9457 application/problem+json.
» type	`string(uri-reference)` A URI reference (RFC3986) that identifies the problem type. If present, this is the URL of human-readable HTML documentation for the problem type. When this member is not present, its value is assumed to be `"about:blank"`. `maxLength: 2048`
» title	`string(text)` A short, human-readable summary of the problem type. The title is usually the same for all problem with the same `type`. `maxLength: 120`
» status	`integer(int32)` The HTTP status code for this occurrence of the problem. `minimum: 100` `maximum: 599`
» detail	`string(text)` A human-readable explanation specific to this occurrence of the problem. `maxLength: 256`
» instance	`string(uri-reference)` A URI reference that identifies the specific occurrence of the problem. This is the URI of an API resource that the problem is related to, with a unique error correlation ID URI fragment `maxLength: 2048`
» id	`readOnlyResourceId` The unique identifier for this problem. This is an immutable opaque string. `minLength: 6` `maxLength: 48` `pattern: ^[-_:.~$a-zA-Z0-9]{6,48}$`
» occurredAt	`readOnlyTimestamp(date-time)` The timestamp when the problem occurred, in RFC 3339 date-time `YYYY-MM-DDThh:mm:ss.sssZ` format, UTC. `minLength: 20` `maxLength: 30`
» problems	`array: [apiProblem]` Optional root-causes if there are multiple problems in the request or API call processing. `maxItems: 128`
» attributes	`object` Additional optional attributes related to the problem. This data conforms to the schema associated with the error type.

Status Code 401

Property Name	Description
Problem Response (v0.4.1)	`object` API problem or error response, as per RFC 9457 application/problem+json.
» type	`string(uri-reference)` A URI reference (RFC3986) that identifies the problem type. If present, this is the URL of human-readable HTML documentation for the problem type. When this member is not present, its value is assumed to be `"about:blank"`. `maxLength: 2048`
» title	`string(text)` A short, human-readable summary of the problem type. The title is usually the same for all problem with the same `type`. `maxLength: 120`
» status	`integer(int32)` The HTTP status code for this occurrence of the problem. `minimum: 100` `maximum: 599`
» detail	`string(text)` A human-readable explanation specific to this occurrence of the problem. `maxLength: 256`
» instance	`string(uri-reference)` A URI reference that identifies the specific occurrence of the problem. This is the URI of an API resource that the problem is related to, with a unique error correlation ID URI fragment `maxLength: 2048`
» id	`readOnlyResourceId` The unique identifier for this problem. This is an immutable opaque string. `minLength: 6` `maxLength: 48` `pattern: ^[-_:.~$a-zA-Z0-9]{6,48}$`
» occurredAt	`readOnlyTimestamp(date-time)` The timestamp when the problem occurred, in RFC 3339 date-time `YYYY-MM-DDThh:mm:ss.sssZ` format, UTC. `minLength: 20` `maxLength: 30`
» problems	`array: [apiProblem]` Optional root-causes if there are multiple problems in the request or API call processing. `maxItems: 128`
» attributes	`object` Additional optional attributes related to the problem. This data conforms to the schema associated with the error type.

Status Code 403

Property Name	Description
Problem Response (v0.4.1)	`object` API problem or error response, as per RFC 9457 application/problem+json.
» type	`string(uri-reference)` A URI reference (RFC3986) that identifies the problem type. If present, this is the URL of human-readable HTML documentation for the problem type. When this member is not present, its value is assumed to be `"about:blank"`. `maxLength: 2048`
» title	`string(text)` A short, human-readable summary of the problem type. The title is usually the same for all problem with the same `type`. `maxLength: 120`
» status	`integer(int32)` The HTTP status code for this occurrence of the problem. `minimum: 100` `maximum: 599`
» detail	`string(text)` A human-readable explanation specific to this occurrence of the problem. `maxLength: 256`
» instance	`string(uri-reference)` A URI reference that identifies the specific occurrence of the problem. This is the URI of an API resource that the problem is related to, with a unique error correlation ID URI fragment `maxLength: 2048`
» id	`readOnlyResourceId` The unique identifier for this problem. This is an immutable opaque string. `minLength: 6` `maxLength: 48` `pattern: ^[-_:.~$a-zA-Z0-9]{6,48}$`
» occurredAt	`readOnlyTimestamp(date-time)` The timestamp when the problem occurred, in RFC 3339 date-time `YYYY-MM-DDThh:mm:ss.sssZ` format, UTC. `minLength: 20` `maxLength: 30`
» problems	`array: [apiProblem]` Optional root-causes if there are multiple problems in the request or API call processing. `maxItems: 128`
» attributes	`object` Additional optional attributes related to the problem. This data conforms to the schema associated with the error type.

Status Code 429

Property Name	Description
Problem Response (v0.4.1)	`object` API problem or error response, as per RFC 9457 application/problem+json.
» type	`string(uri-reference)` A URI reference (RFC3986) that identifies the problem type. If present, this is the URL of human-readable HTML documentation for the problem type. When this member is not present, its value is assumed to be `"about:blank"`. `maxLength: 2048`
» title	`string(text)` A short, human-readable summary of the problem type. The title is usually the same for all problem with the same `type`. `maxLength: 120`
» status	`integer(int32)` The HTTP status code for this occurrence of the problem. `minimum: 100` `maximum: 599`
» detail	`string(text)` A human-readable explanation specific to this occurrence of the problem. `maxLength: 256`
» instance	`string(uri-reference)` A URI reference that identifies the specific occurrence of the problem. This is the URI of an API resource that the problem is related to, with a unique error correlation ID URI fragment `maxLength: 2048`
» id	`readOnlyResourceId` The unique identifier for this problem. This is an immutable opaque string. `minLength: 6` `maxLength: 48` `pattern: ^[-_:.~$a-zA-Z0-9]{6,48}$`
» occurredAt	`readOnlyTimestamp(date-time)` The timestamp when the problem occurred, in RFC 3339 date-time `YYYY-MM-DDThh:mm:ss.sssZ` format, UTC. `minLength: 20` `maxLength: 30`
» problems	`array: [apiProblem]` Optional root-causes if there are multiple problems in the request or API call processing. `maxItems: 128`
» attributes	`object` Additional optional attributes related to the problem. This data conforms to the schema associated with the error type.

Status Code 4XX

Property Name	Description
Problem Response (v0.4.1)	`object` API problem or error response, as per RFC 9457 application/problem+json.
» type	`string(uri-reference)` A URI reference (RFC3986) that identifies the problem type. If present, this is the URL of human-readable HTML documentation for the problem type. When this member is not present, its value is assumed to be `"about:blank"`. `maxLength: 2048`
» title	`string(text)` A short, human-readable summary of the problem type. The title is usually the same for all problem with the same `type`. `maxLength: 120`
» status	`integer(int32)` The HTTP status code for this occurrence of the problem. `minimum: 100` `maximum: 599`
» detail	`string(text)` A human-readable explanation specific to this occurrence of the problem. `maxLength: 256`
» instance	`string(uri-reference)` A URI reference that identifies the specific occurrence of the problem. This is the URI of an API resource that the problem is related to, with a unique error correlation ID URI fragment `maxLength: 2048`
» id	`readOnlyResourceId` The unique identifier for this problem. This is an immutable opaque string. `minLength: 6` `maxLength: 48` `pattern: ^[-_:.~$a-zA-Z0-9]{6,48}$`
» occurredAt	`readOnlyTimestamp(date-time)` The timestamp when the problem occurred, in RFC 3339 date-time `YYYY-MM-DDThh:mm:ss.sssZ` format, UTC. `minLength: 20` `maxLength: 30`
» problems	`array: [apiProblem]` Optional root-causes if there are multiple problems in the request or API call processing. `maxItems: 128`
» attributes	`object` Additional optional attributes related to the problem. This data conforms to the schema associated with the error type.

Status Code 5XX

Property Name	Description
Problem Response (v0.4.1)	`object` API problem or error response, as per RFC 9457 application/problem+json.
» type	`string(uri-reference)` A URI reference (RFC3986) that identifies the problem type. If present, this is the URL of human-readable HTML documentation for the problem type. When this member is not present, its value is assumed to be `"about:blank"`. `maxLength: 2048`
» title	`string(text)` A short, human-readable summary of the problem type. The title is usually the same for all problem with the same `type`. `maxLength: 120`
» status	`integer(int32)` The HTTP status code for this occurrence of the problem. `minimum: 100` `maximum: 599`
» detail	`string(text)` A human-readable explanation specific to this occurrence of the problem. `maxLength: 256`
» instance	`string(uri-reference)` A URI reference that identifies the specific occurrence of the problem. This is the URI of an API resource that the problem is related to, with a unique error correlation ID URI fragment `maxLength: 2048`
» id	`readOnlyResourceId` The unique identifier for this problem. This is an immutable opaque string. `minLength: 6` `maxLength: 48` `pattern: ^[-_:.~$a-zA-Z0-9]{6,48}$`
» occurredAt	`readOnlyTimestamp(date-time)` The timestamp when the problem occurred, in RFC 3339 date-time `YYYY-MM-DDThh:mm:ss.sssZ` format, UTC. `minLength: 20` `maxLength: 30`
» problems	`array: [apiProblem]` Optional root-causes if there are multiple problems in the request or API call processing. `maxItems: 128`
» attributes	`object` Additional optional attributes related to the problem. This data conforms to the schema associated with the error type.

verifyIdentityChallenge

Code samples

# You can also use wget
curl -X POST https://api.apiture.com/banking/challenges/verifiedChallenges \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -H 'Authorization: Bearer {access-token}'

POST https://api.apiture.com/banking/challenges/verifiedChallenges HTTP/1.1
Host: api.apiture.com
Content-Type: application/json
Accept: application/json

const fetch = require('node-fetch');
const inputBody = '{
  "factor": "securityQuestions",
  "operationId": "createTransfer",
  "factorId": "be6177eff07649128e40",
  "challengeId": "dec42c64402319a59ec7",
  "responses": [
    {
      "promptId": "q1",
      "response": "Smith"
    },
    {
      "promptId": "q4",
      "response": "Kinston High School"
    },
    {
      "promptId": "q9",
      "response": "Walter"
    }
  ]
}';
const headers = {
  'Content-Type':'application/json',
  'Accept':'application/json',
  'Authorization':'Bearer {access-token}'

};

fetch('https://api.apiture.com/banking/challenges/verifiedChallenges',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

var headers = {
  'Content-Type':'application/json',
  'Accept':'application/json',
  'Authorization':'Bearer {access-token}'

};

$.ajax({
  url: 'https://api.apiture.com/banking/challenges/verifiedChallenges',
  method: 'post',

  headers: headers,
  success: function(data) {
    console.log(JSON.stringify(data));
  }
})

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json',
  'Authorization' => 'Bearer {access-token}'
}

result = RestClient.post 'https://api.apiture.com/banking/challenges/verifiedChallenges',
  params: {
  }, headers: headers

p JSON.parse(result)

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json',
  'Authorization': 'Bearer {access-token}'
}

r = requests.post('https://api.apiture.com/banking/challenges/verifiedChallenges', params={

}, headers = headers)

print r.json()

URL obj = new URL("https://api.apiture.com/banking/challenges/verifiedChallenges");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
con.setRequestMethod("POST");
int responseCode = con.getResponseCode();
BufferedReader in = new BufferedReader(
    new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
    response.append(inputLine);
}
in.close();
System.out.println(response.toString());

package main

import (
       "bytes"
       "net/http"
)

func main() {

    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},
        "Authorization": []string{"Bearer {access-token}"},
        
    }

    data := bytes.NewBuffer([]byte{jsonReq})
    req, err := http.NewRequest("POST", "https://api.apiture.com/banking/challenges/verifiedChallenges", data)
    req.Header = headers

    client := &http.Client{}
    resp, err := client.Do(req)
    // ...
}

Verify an identity challenge

POST https://api.apiture.com/banking/challenges/verifiedChallenges

Verify an active identity challenge for a specific factor. This verifies that the submitted data matches the expected response(s) for the chosen challenge factor. The factor must be active; that is, it must be the most recent factor used to start the identity challenge.

Body parameter

{
  "factor": "securityQuestions",
  "operationId": "createTransfer",
  "factorId": "be6177eff07649128e40",
  "challengeId": "dec42c64402319a59ec7",
  "responses": [
    {
      "promptId": "q1",
      "response": "Smith"
    },
    {
      "promptId": "q4",
      "response": "Kinston High School"
    },
    {
      "promptId": "q9",
      "response": "Walter"
    }
  ]
}

Parameters

Parameter	Description
`body`	`identityChallengeResponse` (required) The data necessary to initiate the challenge flow.

Example responses

200 Response

{
  "challengeId": "b8cae0901002bba4e2a7",
  "operationId": "createTransfer",
  "factor": "sms",
  "result": "verified",
  "challengeToken": "91a2a7724d6e82f5cd73"
}

Responses

Status	Description
200	OK
	OK. The challenge verification completed successfully. The response indicates if the request matched or not.
	Schema: `verifiedIdentityChallenge`

Status Description

400 Bad Request

Status	Description
400	Bad Request
	Bad Request. The request body, request headers, and/or query parameters are not well-formed. This error response may have one of the following `type` values: `https://production.api.apiture.com/errors/badRequest/v1.0.0` The request body and/or parameters was not well-formed. Remediation: Correct any syntax or schema errors in the request body or parameters.
	Schema: `Inline`

Bad Request. The request body, request headers, and/or query parameters are not well-formed.

This error response may have one of the following type values:

https://production.api.apiture.com/errors/badRequest/v1.0.0
The request body and/or parameters was not well-formed. Remediation: Correct any syntax or schema errors in the request body or parameters.

Schema: Inline

Status Description

401 Unauthorized

Status	Description
401	Unauthorized
	Unauthorized. The operation requires authentication but no authentication or insufficient authentication was given. This error response may have one of the following `type` values: `https://production.api.apiture.com/errors/unauthorized/v1.0.0` The request lacks valid authentication credentials for the target resource or operation. Remediation: Authenticate the user and pass the required authorization with the request.
	Schema: `Inline`

Unauthorized. The operation requires authentication but no authentication or insufficient authentication was given.

This error response may have one of the following type values:

https://production.api.apiture.com/errors/unauthorized/v1.0.0
The request lacks valid authentication credentials for the target resource or operation. Remediation: Authenticate the user and pass the required authorization with the request.

Schema: Inline

Status Description

403 Forbidden

Status	Description
403	Forbidden
	Forbidden. The authenticated caller is not authorized to perform the requested operation. This error response may have one of the following `type` values: `https://production.api.apiture.com/errors/forbidden/v1.0.0` The user or agent is not allowed to perform this operation; authentication credentials were provided in the request, but the server considers them insufficient to grant access. Remediation: Check the user's permissions and entitlements before attempting the operation. `https://production.api.apiture.com/errors/customerDisabled/v1.0.0` The customer is disabled. Remediation: Have the customer contact the financial institution for support. `https://production.api.apiture.com/errors/antiMalwareRequired/v1.0.0` The financial institution requires the customer to have anti-malware software installed. Remediation: Direct the user to the software requirements guide to install the correct anti-malware software. `https://production.api.apiture.com/errors/modificationForbidden/v1.0.0` The customer is properly authenticated but not authorized to create, modify, or delete resources. Remediation: Avoid modification operation for customers with read-only authorization. `https://production.api.apiture.com/errors/challengeRequired/v1.0.0` The operation requires the customer to complete an identity challenge. Remediation: Complete the challenge as per the problem response, and add an additional `Challenge` header to the call. The `attributes` object in the error may have the properties defined by the `requiredIdentityChallenge` schema. `https://production.api.apiture.com/errors/challengeBlocked/v1.0.0` The user has failed challenges too many times and is blocked from attempting more or performing operations which require additional authentication. Remediation: Have the user end their login session and login again. `https://production.api.apiture.com/errors/noIdentityChallengeFactors/v1.0.0` This operation requires an identity challenge, but the user does not have the necessary registered authentication factors. Remediation: Have the user register one or more challenge security code delivery factors. `https://production.api.apiture.com/errors/invalidIdentityChallengeHeader/v1.0.0` The additional on-time `Challenge` header in this request is expired, already used, or otherwise invalid. Remediation: Supply a valid, unexpired, unclaimed `Challenge` header in the request.
	Schema: `Inline`

Forbidden. The authenticated caller is not authorized to perform the requested operation.

This error response may have one of the following type values:

https://production.api.apiture.com/errors/forbidden/v1.0.0
The user or agent is not allowed to perform this operation; authentication credentials were provided in the request, but the server considers them insufficient to grant access. Remediation: Check the user's permissions and entitlements before attempting the operation.
https://production.api.apiture.com/errors/customerDisabled/v1.0.0
The customer is disabled. Remediation: Have the customer contact the financial institution for support.
https://production.api.apiture.com/errors/antiMalwareRequired/v1.0.0
The financial institution requires the customer to have anti-malware software installed. Remediation: Direct the user to the software requirements guide to install the correct anti-malware software.
https://production.api.apiture.com/errors/modificationForbidden/v1.0.0
The customer is properly authenticated but not authorized to create, modify, or delete resources. Remediation: Avoid modification operation for customers with read-only authorization.
https://production.api.apiture.com/errors/challengeRequired/v1.0.0
The operation requires the customer to complete an identity challenge. Remediation: Complete the challenge as per the problem response, and add an additional Challenge header to the call. The attributes object in the error may have the properties defined by the requiredIdentityChallenge schema.
https://production.api.apiture.com/errors/challengeBlocked/v1.0.0
The user has failed challenges too many times and is blocked from attempting more or performing operations which require additional authentication. Remediation: Have the user end their login session and login again.
https://production.api.apiture.com/errors/noIdentityChallengeFactors/v1.0.0
This operation requires an identity challenge, but the user does not have the necessary registered authentication factors. Remediation: Have the user register one or more challenge security code delivery factors.
https://production.api.apiture.com/errors/invalidIdentityChallengeHeader/v1.0.0
The additional on-time Challenge header in this request is expired, already used, or otherwise invalid. Remediation: Supply a valid, unexpired, unclaimed Challenge header in the request.

Schema: Inline

Status Description

409 Conflict

Status	Description
409	Conflict
	Unprocessable Entity. The request was well formed but contains invalid data. This error response may have one of the following `type` values: `https://production.api.apiture.com/errors/invalidChallengeFactorState/v1.0.0` The selected challenge factor is not active. Remediation: Start the challenge factor to set it as active before verifying a user response.
	Schema: `problemResponse`

Unprocessable Entity. The request was well formed but contains invalid data.

This error response may have one of the following type values:

https://production.api.apiture.com/errors/invalidChallengeFactorState/v1.0.0
The selected challenge factor is not active. Remediation: Start the challenge factor to set it as active before verifying a user response.

Schema: problemResponse

Status Description

422 Unprocessable Entity

Status	Description
422	Unprocessable Entity
	Unprocessable Entity. The request was well formed but contains invalid data. This error response may have one of the following `type` values: `https://production.api.apiture.com/errors/invalidChallengeId/v1.0.0` The provided `challengeId` is invalid, expired, already claimed, or does not match the `factor` or context. Remediation: Provide the corresponding `operationId`, `factor` and `id` from the challenge. `https://production.api.apiture.com/errors/invalidChallengeFactor/v1.0.0` The `factor` in the request does not match available factors. Remediation: Use a `factor` that corresponds to the `challengeId` from the corresponding challenge. `https://production.api.apiture.com/errors/invalidChallengeOperationId/v1.0.0` The `operationId` is invalid. Remediation: Use the `operationId` from the corresponding challenge. `https://production.api.apiture.com/errors/wrongNumberOfResponses/v1.0.0` The challenge verification sent the wrong number of response strings. Remediation: Send only one response for one-time passcode challenges, or send exactly one response for each security question. `https://production.api.apiture.com/errors/challengeBlocked/v1.0.0` The user has failed challenges too many times and is blocked from attempting more or performing operations which require additional authentication. Remediation: Have the user end their login session and login again.
	Schema: `problemResponse`

Unprocessable Entity. The request was well formed but contains invalid data.

This error response may have one of the following type values:

https://production.api.apiture.com/errors/invalidChallengeId/v1.0.0
The provided challengeId is invalid, expired, already claimed, or does not match the factor or context. Remediation: Provide the corresponding operationId, factor and id from the challenge.
https://production.api.apiture.com/errors/invalidChallengeFactor/v1.0.0
The factor in the request does not match available factors. Remediation: Use a factor that corresponds to the challengeId from the corresponding challenge.
https://production.api.apiture.com/errors/invalidChallengeOperationId/v1.0.0
The operationId is invalid. Remediation: Use the operationId from the corresponding challenge.
https://production.api.apiture.com/errors/wrongNumberOfResponses/v1.0.0
The challenge verification sent the wrong number of response strings. Remediation: Send only one response for one-time passcode challenges, or send exactly one response for each security question.
https://production.api.apiture.com/errors/challengeBlocked/v1.0.0
The user has failed challenges too many times and is blocked from attempting more or performing operations which require additional authentication. Remediation: Have the user end their login session and login again.

Schema: problemResponse

Status Description

429 Too Many Requests

Status	Description
429	Too Many Requests
	Too Many Requests. The client has sent too many requests in a given amount of time. This error response may have one of the following `type` values: `https://production.api.apiture.com/errors/tooManyRequests/v1.0.0` The client has sent too many requests in a given amount of time, exceeding rate limiting. Remediation: Slow down the rate of API calls.
	Schema: `Inline`

Too Many Requests. The client has sent too many requests in a given amount of time.

This error response may have one of the following type values:

https://production.api.apiture.com/errors/tooManyRequests/v1.0.0
The client has sent too many requests in a given amount of time, exceeding rate limiting. Remediation: Slow down the rate of API calls.

Schema: Inline

Status	Description
4XX	Unknown
	Client Request Problem. The client request had a problem not listed under another specific 400-level HTTP response code. View the `detail` in the problem response for additional details.
	Schema: `Inline`

Status	Description
5XX	Unknown
	Server Problem. The server encountered a problem not listed under another specific 500-level HTTP response code. View the `detail` in the problem response for additional details.
	Schema: `Inline`

Response Schema

Status Code 400

Property Name	Description
Problem Response (v0.4.1)	`object` API problem or error response, as per RFC 9457 application/problem+json.
» type	`string(uri-reference)` A URI reference (RFC3986) that identifies the problem type. If present, this is the URL of human-readable HTML documentation for the problem type. When this member is not present, its value is assumed to be `"about:blank"`. `maxLength: 2048`
» title	`string(text)` A short, human-readable summary of the problem type. The title is usually the same for all problem with the same `type`. `maxLength: 120`
» status	`integer(int32)` The HTTP status code for this occurrence of the problem. `minimum: 100` `maximum: 599`
» detail	`string(text)` A human-readable explanation specific to this occurrence of the problem. `maxLength: 256`
» instance	`string(uri-reference)` A URI reference that identifies the specific occurrence of the problem. This is the URI of an API resource that the problem is related to, with a unique error correlation ID URI fragment `maxLength: 2048`
» id	`readOnlyResourceId` The unique identifier for this problem. This is an immutable opaque string. `minLength: 6` `maxLength: 48` `pattern: ^[-_:.~$a-zA-Z0-9]{6,48}$`
» occurredAt	`readOnlyTimestamp(date-time)` The timestamp when the problem occurred, in RFC 3339 date-time `YYYY-MM-DDThh:mm:ss.sssZ` format, UTC. `minLength: 20` `maxLength: 30`
» problems	`array: [apiProblem]` Optional root-causes if there are multiple problems in the request or API call processing. `maxItems: 128`
» attributes	`object` Additional optional attributes related to the problem. This data conforms to the schema associated with the error type.

Status Code 401

Property Name	Description
Problem Response (v0.4.1)	`object` API problem or error response, as per RFC 9457 application/problem+json.
» type	`string(uri-reference)` A URI reference (RFC3986) that identifies the problem type. If present, this is the URL of human-readable HTML documentation for the problem type. When this member is not present, its value is assumed to be `"about:blank"`. `maxLength: 2048`
» title	`string(text)` A short, human-readable summary of the problem type. The title is usually the same for all problem with the same `type`. `maxLength: 120`
» status	`integer(int32)` The HTTP status code for this occurrence of the problem. `minimum: 100` `maximum: 599`
» detail	`string(text)` A human-readable explanation specific to this occurrence of the problem. `maxLength: 256`
» instance	`string(uri-reference)` A URI reference that identifies the specific occurrence of the problem. This is the URI of an API resource that the problem is related to, with a unique error correlation ID URI fragment `maxLength: 2048`
» id	`readOnlyResourceId` The unique identifier for this problem. This is an immutable opaque string. `minLength: 6` `maxLength: 48` `pattern: ^[-_:.~$a-zA-Z0-9]{6,48}$`
» occurredAt	`readOnlyTimestamp(date-time)` The timestamp when the problem occurred, in RFC 3339 date-time `YYYY-MM-DDThh:mm:ss.sssZ` format, UTC. `minLength: 20` `maxLength: 30`
» problems	`array: [apiProblem]` Optional root-causes if there are multiple problems in the request or API call processing. `maxItems: 128`
» attributes	`object` Additional optional attributes related to the problem. This data conforms to the schema associated with the error type.

Status Code 403

Property Name	Description
Problem Response (v0.4.1)	`object` API problem or error response, as per RFC 9457 application/problem+json.
» type	`string(uri-reference)` A URI reference (RFC3986) that identifies the problem type. If present, this is the URL of human-readable HTML documentation for the problem type. When this member is not present, its value is assumed to be `"about:blank"`. `maxLength: 2048`
» title	`string(text)` A short, human-readable summary of the problem type. The title is usually the same for all problem with the same `type`. `maxLength: 120`
» status	`integer(int32)` The HTTP status code for this occurrence of the problem. `minimum: 100` `maximum: 599`
» detail	`string(text)` A human-readable explanation specific to this occurrence of the problem. `maxLength: 256`
» instance	`string(uri-reference)` A URI reference that identifies the specific occurrence of the problem. This is the URI of an API resource that the problem is related to, with a unique error correlation ID URI fragment `maxLength: 2048`
» id	`readOnlyResourceId` The unique identifier for this problem. This is an immutable opaque string. `minLength: 6` `maxLength: 48` `pattern: ^[-_:.~$a-zA-Z0-9]{6,48}$`
» occurredAt	`readOnlyTimestamp(date-time)` The timestamp when the problem occurred, in RFC 3339 date-time `YYYY-MM-DDThh:mm:ss.sssZ` format, UTC. `minLength: 20` `maxLength: 30`
» problems	`array: [apiProblem]` Optional root-causes if there are multiple problems in the request or API call processing. `maxItems: 128`
» attributes	`object` Additional optional attributes related to the problem. This data conforms to the schema associated with the error type.

Status Code 429

Property Name	Description
Problem Response (v0.4.1)	`object` API problem or error response, as per RFC 9457 application/problem+json.
» type	`string(uri-reference)` A URI reference (RFC3986) that identifies the problem type. If present, this is the URL of human-readable HTML documentation for the problem type. When this member is not present, its value is assumed to be `"about:blank"`. `maxLength: 2048`
» title	`string(text)` A short, human-readable summary of the problem type. The title is usually the same for all problem with the same `type`. `maxLength: 120`
» status	`integer(int32)` The HTTP status code for this occurrence of the problem. `minimum: 100` `maximum: 599`
» detail	`string(text)` A human-readable explanation specific to this occurrence of the problem. `maxLength: 256`
» instance	`string(uri-reference)` A URI reference that identifies the specific occurrence of the problem. This is the URI of an API resource that the problem is related to, with a unique error correlation ID URI fragment `maxLength: 2048`
» id	`readOnlyResourceId` The unique identifier for this problem. This is an immutable opaque string. `minLength: 6` `maxLength: 48` `pattern: ^[-_:.~$a-zA-Z0-9]{6,48}$`
» occurredAt	`readOnlyTimestamp(date-time)` The timestamp when the problem occurred, in RFC 3339 date-time `YYYY-MM-DDThh:mm:ss.sssZ` format, UTC. `minLength: 20` `maxLength: 30`
» problems	`array: [apiProblem]` Optional root-causes if there are multiple problems in the request or API call processing. `maxItems: 128`
» attributes	`object` Additional optional attributes related to the problem. This data conforms to the schema associated with the error type.

Status Code 4XX

Property Name	Description
Problem Response (v0.4.1)	`object` API problem or error response, as per RFC 9457 application/problem+json.
» type	`string(uri-reference)` A URI reference (RFC3986) that identifies the problem type. If present, this is the URL of human-readable HTML documentation for the problem type. When this member is not present, its value is assumed to be `"about:blank"`. `maxLength: 2048`
» title	`string(text)` A short, human-readable summary of the problem type. The title is usually the same for all problem with the same `type`. `maxLength: 120`
» status	`integer(int32)` The HTTP status code for this occurrence of the problem. `minimum: 100` `maximum: 599`
» detail	`string(text)` A human-readable explanation specific to this occurrence of the problem. `maxLength: 256`
» instance	`string(uri-reference)` A URI reference that identifies the specific occurrence of the problem. This is the URI of an API resource that the problem is related to, with a unique error correlation ID URI fragment `maxLength: 2048`
» id	`readOnlyResourceId` The unique identifier for this problem. This is an immutable opaque string. `minLength: 6` `maxLength: 48` `pattern: ^[-_:.~$a-zA-Z0-9]{6,48}$`
» occurredAt	`readOnlyTimestamp(date-time)` The timestamp when the problem occurred, in RFC 3339 date-time `YYYY-MM-DDThh:mm:ss.sssZ` format, UTC. `minLength: 20` `maxLength: 30`
» problems	`array: [apiProblem]` Optional root-causes if there are multiple problems in the request or API call processing. `maxItems: 128`
» attributes	`object` Additional optional attributes related to the problem. This data conforms to the schema associated with the error type.

Status Code 5XX

Property Name	Description
Problem Response (v0.4.1)	`object` API problem or error response, as per RFC 9457 application/problem+json.
» type	`string(uri-reference)` A URI reference (RFC3986) that identifies the problem type. If present, this is the URL of human-readable HTML documentation for the problem type. When this member is not present, its value is assumed to be `"about:blank"`. `maxLength: 2048`
» title	`string(text)` A short, human-readable summary of the problem type. The title is usually the same for all problem with the same `type`. `maxLength: 120`
» status	`integer(int32)` The HTTP status code for this occurrence of the problem. `minimum: 100` `maximum: 599`
» detail	`string(text)` A human-readable explanation specific to this occurrence of the problem. `maxLength: 256`
» instance	`string(uri-reference)` A URI reference that identifies the specific occurrence of the problem. This is the URI of an API resource that the problem is related to, with a unique error correlation ID URI fragment `maxLength: 2048`
» id	`readOnlyResourceId` The unique identifier for this problem. This is an immutable opaque string. `minLength: 6` `maxLength: 48` `pattern: ^[-_:.~$a-zA-Z0-9]{6,48}$`
» occurredAt	`readOnlyTimestamp(date-time)` The timestamp when the problem occurred, in RFC 3339 date-time `YYYY-MM-DDThh:mm:ss.sssZ` format, UTC. `minLength: 20` `maxLength: 30`
» problems	`array: [apiProblem]` Optional root-causes if there are multiple problems in the request or API call processing. `maxItems: 128`
» attributes	`object` Additional optional attributes related to the problem. This data conforms to the schema associated with the error type.

Schemas

apiProblem

{
  "id": "3fbad566-be86-4b22-9ba6-3ca99fdc0799",
  "type": "https://production.api.apiture.com/errors/accountNotFound/v1.0.0",
  "title": "Account Not Found",
  "status": 422,
  "occurredAt": "2022-04-25T12:42:21.375Z",
  "detail": "No account exists at the given account_url",
  "instance": "https://production.api.apiture.com/banking/transfers/bb709151-575041fcd617"
}

API Problem (v1.2.1)

API problem or error, as per RFC 7807 application/problem+json.

Properties

Name	Description
`API Problem (v1.2.1)`	`object` API problem or error, as per RFC 7807 application/problem+json.
`type`	`string(uri-reference)` A URI reference (RFC3986) that identifies the problem type. If present, this is the URL of human-readable HTML documentation for the problem type. When this member is not present, its value is assumed to be `"about:blank"`. `format: uri-reference` `maxLength: 2048`
`title`	`string(text)` A short, human-readable summary of the problem type. The title is usually the same for all problem with the same `type`. `format: text` `maxLength: 120`
`status`	`integer(int32)` The HTTP status code for this occurrence of the problem. `format: int32` `minimum: 100` `maximum: 599`
`detail`	`string(text)` A human-readable explanation specific to this occurrence of the problem. `format: text` `maxLength: 256`
`instance`	`string(uri-reference)` A URI reference that identifies the specific occurrence of the problem. This is the URI of an API resource that the problem is related to, with a unique error correlation ID URI fragment `format: uri-reference` `maxLength: 2048`
`id`	`readOnlyResourceId` The unique identifier for this problem. This is an immutable opaque string. `read-only` `minLength: 6` `maxLength: 48` `pattern: "^[-_:.~$a-zA-Z0-9]{6,48}$"`
`occurredAt`	`readOnlyTimestamp(date-time)` The timestamp when the problem occurred, in RFC 3339 date-time `YYYY-MM-DDThh:mm:ss.sssZ` format, UTC. `read-only` `format: date-time` `minLength: 20` `maxLength: 30`
`problems`	`array: [apiProblem]` Optional root-causes if there are multiple problems in the request or API call processing. `maxItems: 128` items: `object`

challengeAllows

{
  "retry": true,
  "restart": true,
  "reverify": true
}

Challenge Allows (v1.0.0)

Indicates what features of the challenge are allowed after verification has failed. Note: If a retry, restart, or reverify flag is omitted, the client can call those those operations, but they may fail with a challengeBlocked error.

Properties

Name	Description
`Challenge Allows (v1.0.0)`	`object` Indicates what features of the challenge are allowed after verification has failed. Note: If a `retry`, `restart`, or `reverify` flag is omitted, the client can call those those operations, but they may fail with a `challengeBlocked` error.
`retry`	`boolean` If `true`, the user may retry the challenge by selecting any of the original challenge factors and starting/verifying that factor. If `false`, the client should not allow the user to retry identity verification by selecting one of the original challenge factors and starting/verifying it.
`restart`	`boolean` If `true`, the client may restart this challenge factor. If `false`, the client should not restart the challenge.
`reverify`	`boolean` If `true`, the user may enter a new response to the same challenge factor and the client invoke the `verifyIdentityChallenge` after failing verification. For example, if the user typed a one-time passcode incorrectly, the user can enter and verify a new code. If `false`, the client should not allow the user to enter and validate a new response to the same challenge factor after failing verification.

challengeFactor

{
  "type": "sms",
  "labels": [
    "9876"
  ]
}

Challenge Factor (v1.2.1)

An challenge factor. See requiredIdentityChallenge for multiple examples.

Properties

Name Description

Challenge Factor (v1.2.1) object
An challenge factor. See requiredIdentityChallenge for multiple examples.

id

challengeFactorId
The ID of an a challenge factor. This ID is unique within the challenge factors associated with a challenge. The client should pass this id value as the factorId when starting or verifying a challenge factor.

Note: The id will become required in a future update to this schema.
minLength: 3
maxLength: 48
pattern: "^[-a-zA-Z0-9$_]{3,48}$"

type

challengeFactorType (required)

The name of challenge factor.

challengeFactorType strings may have one of the following enumerated values:

Value	Description
`sms`	SMS: One-time passcode sent to the primary mobile phone number
`email`	Email: One-time passcode sent to the primary email address
`voice`	Voice: One-time passcode communicated via automated voice phone call
`authenticatorToken`	authenticator Token: One-time passcode issued by a pre-registered hardware device, such as a token key fob, or an authenticator app
`securityQuestions`	Security Questions: Prompt with the user's security questions registered with their security profile

enum values: sms, email, voice, securityQuestions, authenticatorToken

labels array: [string]
A list of text label which identifies the channel(s) through which the user completes the challenge. For an sms or voice challenge, the only label item is the last four digits of the corresponding phone number. For an email challenge, each label is the masked email address.
minItems: 1
maxItems: 4
items: string(text)
» format: text
» maxLength: 300

securityQuestions challengeSecurityQuestions
Describes a securityQuestions challenge. This is omitted if the challenge type is not securityQuestions.

challengeFactorId

"string"

Challenge Factor ID (v1.0.0)

The ID of an a challenge factor. This ID is unique within the factors offered with a challenge.

type: string

minLength: 3
maxLength: 48
pattern: "^[-a-zA-Z0-9$_]{3,48}$"

challengeFactorType

"sms"

Challenge Factor Type (v1.0.0)

The name of challenge factor.

challengeFactorType strings may have one of the following enumerated values:

Value	Description
`sms`	SMS: One-time passcode sent to the primary mobile phone number
`email`	Email: One-time passcode sent to the primary email address
`voice`	Voice: One-time passcode communicated via automated voice phone call
`authenticatorToken`	authenticator Token: One-time passcode issued by a pre-registered hardware device, such as a token key fob, or an authenticator app
`securityQuestions`	Security Questions: Prompt with the user's security questions registered with their security profile

type: string

enum values: sms, email, voice, securityQuestions, authenticatorToken

challengeOperationId

"string"

Challenge Operation ID (v1.0.1)

The ID of an operation/action for which the user must verify their identity via an identity challenge. This is passed when starting a challenge factor or when validating the identity challenge responses.

type: string

minLength: 6
maxLength: 48
pattern: "^[-a-zA-Z0-9$_]{6,48}$"

challengePromptId

"string"

Challenge Prompt ID (v1.0.0)

The unique ID of a prompt (such as a security question) in a challenge factor.

type: string

minLength: 1
maxLength: 48
pattern: "^[-_:.~$a-zA-Z0-9]+$"

challengeResponseItem

{
  "response": "939733"
}

Challenge Response Item (v1.1.0)

A user's response to challenge.

Properties

Name	Description
`Challenge Response Item (v1.1.0)`	`object` A user's response to challenge.
`promptId`	`challengePromptId` The unique ID of the prompt corresponding to this response. This property is only used if the challenge factor is `securityQuestions`. `minLength: 1` `maxLength: 48` `pattern: "^[-_:.~$a-zA-Z0-9]+$"`
`response`	`string(text)` (required) The response to the challenge, as entered by the user. The system ignores leading/trailing whitespace and ignores case when verifying the response. The actual minimum and maximum characters for the response are set by the `minimumResponseLength` and `maximumResponseLength` properties of the `startedIdentityChallenge`. `format: text` `maxLength: 255`

challengeResult

"verified"

Challenge Result (v1.1.0)

The result from verifying a user's response(s) to challenge.

challengeResult strings may have one of the following enumerated values:

Value	Description
`verified`	Verified: The user's response was successfully verified
`synchronizationRequired`	Synchronization Required: The user should re-submit two recent, consecutive one-time passcodes from the authenticator token application or device to allow the system to synchronize with it
`failed`	Failed: The user's response failed validation
`locked`	Locked: The user failed the identity challenge too many times and has been locked out
`expired`	Expired: The corresponding identity challenge has expired

type: string

enum values: verified, synchronizationRequired, failed, expired, locked

challengeSecurityQuestion

{
  "id": "74699fa628911e762ea5",
  "prompt": "What is your mother's maiden name?"
}

Challenge Security Question (v1.0.1)

A single security question within the questions array of the challengeSecurityQuestions

Properties

Name	Description
`Challenge Security Question (v1.0.1)`	`object` A single security question within the `questions` array of the `challengeSecurityQuestions`
`id`	`challengePromptId` (required) The unique ID of security question prompt. This should be included in the `challengeVerification` response as the `promptId`. `minLength: 1` `maxLength: 48` `pattern: "^[-_:.~$a-zA-Z0-9]+$"`
`prompt`	`string(text)` (required) The text prompt of this security question. `format: text` `maxLength: 80`

challengeSecurityQuestions

{
  "questions": [
    {
      "id": "q1",
      "prompt": "What is your mother's maiden name?"
    },
    {
      "id": "q4",
      "prompt": "What is your high school's name?"
    },
    {
      "id": "q9",
      "prompt": "What is the name of your first pet?"
    }
  ]
}

Challenge Security Questions (v1.0.1)

Describes a securityQuestions challenge. This is omitted if the challenge type is not securityQuestions.

Properties

Name	Description
`Challenge Security Questions (v1.0.1)`	`object` Describes a `securityQuestions` challenge. This is omitted if the challenge `type` is not `securityQuestions`.
`questions`	`array: [challengeSecurityQuestion]` (required) The array of security questions. `minItems: 1` `maxItems: 8` items: `object`

challengeToken

"string"

Challenge Token (v1.1.0)

The value of the identity Challenge request header that the client must send when retrying an operation which required a challenge.

type: string

minLength: 6
maxLength: 255
pattern: "^[-_:.~%$a-zA-Z0-9]{6,255}$"

identityChallenge

{
  "operationId": "createTransfer",
  "challengeId": "b8cae0901002bba4e2a7",
  "factor": "sms",
  "factorId": "mobile-1"
}

Identity Challenge (v1.3.0)

An identity challenge to verify the banking customer is who they claim.

Properties

Name	Description
`Identity Challenge (v1.3.0)`	`object` An identity challenge to verify the banking customer is who they claim.
`challengeId`	`resourceId` (required) The ID of the selected challenge. This is the `challengeId` from the corresponding challenge in the 403 problem response. `minLength: 6` `maxLength: 48` `pattern: "^[-_:.~$a-zA-Z0-9]{6,48}$"`
`factor`	`challengeFactorType` (required) The type of challenge. enum values: `sms`, `email`, `voice`, `securityQuestions`, `authenticatorToken`
`factorId`	`challengeFactorId` The ID of the user-selected factor from the challenge. Note: The `factorId` will become `required` in a future update to this schema. `minLength: 3` `maxLength: 48` `pattern: "^[-a-zA-Z0-9$_]{3,48}$"`
`operationId`	`challengeOperationId` (required) The context in which the user must complete the challenge. `minLength: 6` `maxLength: 48` `pattern: "^[-a-zA-Z0-9$_]{6,48}$"`

identityChallengeResponse

{
  "factor": "securityQuestions",
  "operationId": "createTransfer",
  "factorId": "be6177eff07649128e40",
  "challengeId": "dec42c64402319a59ec7",
  "responses": [
    {
      "promptId": "q1",
      "response": "Smith"
    },
    {
      "promptId": "q4",
      "response": "Kinston High School"
    },
    {
      "promptId": "q9",
      "response": "Walter"
    }
  ]
}

Identity Challenge Response (v1.4.0)

A banking customer response(s) to an identity challenge.

Properties

Name	Description
`Identity Challenge Response (v1.4.0)`	`object` A banking customer response(s) to an identity challenge.
`challengeId`	`resourceId` (required) The ID of the challenge. This is the `challengeId` from the corresponding challenge in the 403 problem response. `minLength: 6` `maxLength: 48` `pattern: "^[-_:.~$a-zA-Z0-9]{6,48}$"`
`factor`	`challengeFactorType` (required) The type of challenge delivery factor, chosen from the `requiredIdentityChallenge` problem response. enum values: `sms`, `email`, `voice`, `securityQuestions`, `authenticatorToken`
`factorId`	`challengeFactorId` The ID of the user-selected factor from the challenge. Note: The `factorId` will become `required` in a future update to this schema. `minLength: 3` `maxLength: 48` `pattern: "^[-a-zA-Z0-9$_]{3,48}$"`
`operationId`	`challengeOperationId` (required) The ID of an operation/action for which the user must verify their identity via an identity challenge. This is passed when starting a challenge factor or when validating the identity challenge responses. `minLength: 6` `maxLength: 48` `pattern: "^[-a-zA-Z0-9$_]{6,48}$"`
`responses`	`array: [challengeResponseItem]` (required) The text entered by the user in response to the challenge. This may be the code sent via SMS, email, or voice, or it may be the answers to the security questions. `unique items` `minItems: 1` `maxItems: 8` items: `object`

problemResponse

{
  "id": "3fbad566-be86-4b22-9ba6-3ca99fdc0799",
  "type": "https://production.api.apiture.com/errors/noSuchAccount/v1.0.0",
  "title": "Account Not Found",
  "status": 422,
  "occurredAt": "2022-04-25T12:42:21.375Z",
  "detail": "No account exists for the given account reference",
  "instance": "https://production.api.apiture.com/banking/transfers/bb709151-575041fcd617"
}

Problem Response (v0.4.1)

API problem or error response, as per RFC 9457 application/problem+json.

Properties

Name	Description
`Problem Response (v0.4.1)`	`object` API problem or error response, as per RFC 9457 application/problem+json.
`type`	`string(uri-reference)` A URI reference (RFC3986) that identifies the problem type. If present, this is the URL of human-readable HTML documentation for the problem type. When this member is not present, its value is assumed to be `"about:blank"`. `format: uri-reference` `maxLength: 2048`
`title`	`string(text)` A short, human-readable summary of the problem type. The title is usually the same for all problem with the same `type`. `format: text` `maxLength: 120`
`status`	`integer(int32)` The HTTP status code for this occurrence of the problem. `format: int32` `minimum: 100` `maximum: 599`
`detail`	`string(text)` A human-readable explanation specific to this occurrence of the problem. `format: text` `maxLength: 256`
`instance`	`string(uri-reference)` A URI reference that identifies the specific occurrence of the problem. This is the URI of an API resource that the problem is related to, with a unique error correlation ID URI fragment `format: uri-reference` `maxLength: 2048`
`id`	`readOnlyResourceId` The unique identifier for this problem. This is an immutable opaque string. `read-only` `minLength: 6` `maxLength: 48` `pattern: "^[-_:.~$a-zA-Z0-9]{6,48}$"`
`occurredAt`	`readOnlyTimestamp(date-time)` The timestamp when the problem occurred, in RFC 3339 date-time `YYYY-MM-DDThh:mm:ss.sssZ` format, UTC. `read-only` `format: date-time` `minLength: 20` `maxLength: 30`
`problems`	`array: [apiProblem]` Optional root-causes if there are multiple problems in the request or API call processing. `maxItems: 128` items: `object`
`attributes`	`object` Additional optional attributes related to the problem. This data conforms to the schema associated with the error type.

readOnlyResourceId

"string"

Read-only Resource Identifier (v1.0.1)

The unique, opaque system-assigned identifier for a resource. This case-sensitive ID is also used in URLs as path parameters or in other properties or parameters that reference a resource by ID rather than URL. Resource IDs are immutable.

type: string

read-only
minLength: 6
maxLength: 48
pattern: "^[-_:.~$a-zA-Z0-9]{6,48}$"

readOnlyTimestamp

"2021-10-30T19:06:04.250Z"

Read-Only Timestamp (v1.0.0)

A readonly or derived timestamp (an instant in time) formatted in RFC 3339 date-time UTC format: YYYY-MM-DDThh:mm:ss.sssZ.

type: string(date-time)

read-only
format: date-time
minLength: 20
maxLength: 30

requiredIdentityChallenge

{
  "operationId": "createTransfer",
  "challengeId": "0504076c566a3cf7009c",
  "factors": [
    {
      "type": "sms",
      "labels": [
        "9876"
      ],
      "id": "85c0ee5753fcd0b0953f"
    },
    {
      "type": "voice",
      "labels": [
        "9876"
      ],
      "id": "d089e10a80a8627df37b"
    },
    {
      "type": "voice",
      "labels": [
        "6754"
      ],
      "id": "10506ecf9d1c2ee00403"
    },
    {
      "type": "email",
      "labels": [
        "an****nk@example.com",
        "an****98@example.com"
      ],
      "id": "e917d671cb2f030b56f1"
    },
    {
      "type": "authenticatorToken",
      "labels": [
        "Acme fob"
      ],
      "id": "fe6c452d7da0bbb4e407"
    },
    {
      "type": "securityQuestions",
      "securityQuestions": {
        "questions": [
          {
            "id": "q1",
            "prompt": "What is your mother's maiden name?"
          },
          {
            "id": "q4",
            "prompt": "What is your high school's name?"
          },
          {
            "id": "q9",
            "prompt": "What is the name of your first pet?"
          }
        ]
      },
      "id": "df33c6f88a37d6b3f0a6"
    }
  ]
}

Required Challenge (v1.2.3)

A request from the service for the user to verify their identity. This contains a challenge ID, the corresponding operation ID, and a list of challenge factors for identity verification. The user must complete one of these challenge factors to satisfy the challenge. This schema defines the attributes in the 401 Unauthorized problem response when the 401 problem type name is challengeRequired. See the "Challenge API" for details.

Properties

Name	Description
`Required Challenge (v1.2.3)`	`object` A request from the service for the user to verify their identity. This contains a challenge ID, the corresponding operation ID, and a list of challenge factors for identity verification. The user must complete one of these challenge factors to satisfy the challenge. This schema defines the attributes in the 401 Unauthorized problem response when the 401 problem type name is `challengeRequired`. See the "Challenge API" for details.
`operationId`	`challengeOperationId` (required) The ID of an operation/action for which the user must verify their identity via an identity challenge. This is passed when starting a challenge factor or when validating the identity challenge responses. `minLength: 6` `maxLength: 48` `pattern: "^[-a-zA-Z0-9$_]{6,48}$"`
`challengeId`	`readOnlyResourceId` (required) The unique ID of this challenge instance. This is an opaque string. This is passed when starting a challenge factor or when validating the identity challenge responses. `read-only` `minLength: 6` `maxLength: 48` `pattern: "^[-_:.~$a-zA-Z0-9]{6,48}$"`
`factors`	`array: [challengeFactor]` (required) A list of challenge factors. The user must complete one of these challenge factors. The `labels` in each factor identify one or more channels the user may use, such as a list of email addresses the system may use to send a one-time passcode to the user. *Note: The same channel may be used by multiple factors in the array of factors. For example, the user's primary mobile phone number may be used for both an `sms` factor and a `voice` factor. `minItems: 1` `maxItems: 8` items: `object`

resourceId

"string"

Resource Identifier (v1.0.1)

The unique, opaque system identifier for a resource. This case-sensitive ID is also used as path parameters in URLs or in other properties or parameters that reference a resource by ID rather than URL.

type: string

minLength: 6
maxLength: 48
pattern: "^[-_:.~$a-zA-Z0-9]{6,48}$"

startedIdentityChallenge

{
  "operationId": "createTransfer",
  "challengeId": "b8cae0901002bba4e2a7",
  "factor": "sms",
  "factorId": "mobile-1",
  "expiresAt": "2023-01-05T08:50:33.375Z",
  "minimumResponseLength": 8,
  "maximumResponseLength": 8
}

Started Challenge (v1.4.0)

The server response after starting an identity challenge.

Properties

Name	Description
`Started Challenge (v1.4.0)`	`object` The server response after starting an identity challenge.
`challengeId`	`resourceId` (required) The ID of the selected challenge. This is the `challengeId` from the corresponding challenge in the 403 problem response. `minLength: 6` `maxLength: 48` `pattern: "^[-_:.~$a-zA-Z0-9]{6,48}$"`
`factor`	`challengeFactorType` (required) The type of challenge. enum values: `sms`, `email`, `voice`, `securityQuestions`, `authenticatorToken`
`factorId`	`challengeFactorId` The ID of the user-selected factor from the challenge. Note: The `factorId` will become `required` in a future update to this schema. `minLength: 3` `maxLength: 48` `pattern: "^[-a-zA-Z0-9$_]{3,48}$"`
`operationId`	`challengeOperationId` (required) The context in which the user must complete the challenge. `minLength: 6` `maxLength: 48` `pattern: "^[-a-zA-Z0-9$_]{6,48}$"`
`expiresAt`	`readOnlyTimestamp(date-time)` (required) The timestamp when this challenge expires. The user must submit their challenge response before this time in order for it to be valid. `read-only` `format: date-time` `minLength: 20` `maxLength: 30`
`minimumResponseLength`	`integer(int32)` (required) The minimum number of characters required for the response for this factor. For example, a one-time passcode might have a minimum of 6 characters but a `securityQuestions` response might have a minimum of 2 characters. `format: int32` `minimum: 1` `maximum: 8`
`maximumResponseLength`	`integer(int32)` (required) The maximum number of characters required for the response for this factor. For example, a `sms` one-time passcode might have a maximum of 8 characters but a `securityQuestions` response might have a maximum of 255 characters. `format: int32` `minimum: 2` `maximum: 255`

verifiedIdentityChallenge

{
  "challengeId": "b8cae0901002bba4e2a7",
  "operationId": "createTransfer",
  "factor": "sms",
  "result": "verified",
  "challengeToken": "91a2a7724d6e82f5cd73"
}

Verified Challenge (v1.4.0)

The response from verifying the challenge.

Properties

Name Description

Verified Challenge (v1.4.0) object
The response from verifying the challenge.

challengeId resourceId (required)
The ID of the selected challenge. This is the id from the corresponding challenge in the 403 problem response.
minLength: 6
maxLength: 48
pattern: "^[-_:.~$a-zA-Z0-9]{6,48}$"

factor challengeFactorType (required)
The type of challenge.
enum values: sms, email, voice, securityQuestions, authenticatorToken

factorId

challengeFactorId
The ID of the user-selected factor from the challenge.

Note: The factorId will become required in a future update to this schema.
minLength: 3
maxLength: 48
pattern: "^[-a-zA-Z0-9$_]{3,48}$"

operationId challengeOperationId
The ID of the API operation in which the user must complete the challenge, from the requiredIdentityChallenge problem response.
minLength: 6
maxLength: 48
pattern: "^[-a-zA-Z0-9$_]{6,48}$"

result

challengeResult (required)

The result from verifying a user's response(s) to challenge.

challengeResult strings may have one of the following enumerated values:

Value	Description
`verified`	Verified: The user's response was successfully verified
`synchronizationRequired`	Synchronization Required: The user should re-submit two recent, consecutive one-time passcodes from the authenticator token application or device to allow the system to synchronize with it
`failed`	Failed: The user's response failed validation
`locked`	Locked: The user failed the identity challenge too many times and has been locked out
`expired`	Expired: The corresponding identity challenge has expired

enum values: verified, synchronizationRequired, failed, expired, locked

allows challengeAllows
Indicates if the user may retry or restart the challenge or verification. This property exists if the result is failed or expired.

challengeToken challengeToken
The value that the client must send in the Challenge request header when retrying the operation that required a challenge. This property is not present if the result is failed.
minLength: 6
maxLength: 255
pattern: "^[-_:.~%$a-zA-Z0-9]{6,255}$"

Generated by @apiture/api-doc 3.2.1 on Wed Apr 10 2024 15:36:14 GMT+0000 (Coordinated Universal Time).