Auth

API

getApi

Top-level resources and operations in this API

Return links to the top-level resources and operations in this API.


/

Usage and SDK Samples

curl -X GET "http:///auth/"
import { APIApi } from "@apiture/auth-client-sdk";

var api = new Auth.APIApi.getApi()
var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + data);
  }
};
aPIApi.getApi(callback);

Scopes

Parameters

Responses


getApiDoc

Return API definition document

Return the OpenAPI document that describes this API.


/apiDoc

Usage and SDK Samples

curl -X GET "http:///auth/apiDoc"
import { APIApi } from "@apiture/auth-client-sdk";

var api = new Auth.APIApi.getApiDoc()
var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + data);
  }
};
aPIApi.getApiDoc(callback);

Scopes

Parameters

Responses


Authenticator

createAuthenticator

Create a new authenticator

Create a new authenticator. This is only called during the creation of a new challenge resource, from the `createChallenge` operation. End users cannot call this operation.


/challenges/{challengeId}/authenticators

Usage and SDK Samples

curl -X POST -H "API-Key: [[apiKey]]" "http:///auth/challenges/{challengeId}/authenticators"
import { AuthenticatorApi } from "@apiture/auth-client-sdk";

const authenticatorApi = new AuthenticatorApi(configuration);

// Configure OAuth2 access token for authorization: accessToken
var accessToken = "YOUR ACCESS TOKEN";
authenticatorApi.setAccessToken(accessToken)

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
authenticatorApi.setApiKey(apiKey);


var api = new Auth.AuthenticatorApi.createAuthenticator()
var challengeId = challengeId_example; // {String} The unique identifier of this challenge. This is an opaque string.
var createAuthenticator = ; // {CreateAuthenticator} 

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + data);
  }
};
authenticatorApi.createAuthenticator(challengeId, createAuthenticator, callback);

Scopes

profiles/read Read access to user and contact related resources.
profiles/write Write (update) access to user and contact related resources.
profiles/delete Delete access to user and auth related resources.
profiles/readPii Read access to personally identifiable information such as tax ID numbers, phone numbers, email and postal addresses. This must be granted in addition to the `profiles/read` scope in order to read such data, but is included in the `profiles/full` scope.
profiles/full Full access to user and contact related resources.
admin/write Admin write (update) access to challenges and authenticators

Parameters

Path parameters
Name Description
challengeId*
String
The unique identifier of this challenge. This is an opaque string.
Required
Body parameters
Name Description
createAuthenticator *

The data necessary to create a new authenticator.

Responses

Name Type Format Description
ETag String An entity tag which may be passed in the `If-Match` request header for *`PUT`* or *`PATCH`* operations which update the resource.
Location String uri The URI of the new resource. If the URI begins with / it is relative to the API root context. Else, it is a full URI starting with *`scheme`*`://host`


deleteAuthenticator

Delete this authenticator resource

Delete this authenticator resource and any resources that are owned by it. Authenticators are deleted automatically when the challenge is deleted.


/challenges/{challengeId}/authenticators/{authenticatorId}

Usage and SDK Samples

curl -X DELETE -H "API-Key: [[apiKey]]" "http:///auth/challenges/{challengeId}/authenticators/{authenticatorId}"
import { AuthenticatorApi } from "@apiture/auth-client-sdk";

const authenticatorApi = new AuthenticatorApi(configuration);

// Configure OAuth2 access token for authorization: accessToken
var accessToken = "YOUR ACCESS TOKEN";
authenticatorApi.setAccessToken(accessToken)

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
authenticatorApi.setApiKey(apiKey);


var api = new Auth.AuthenticatorApi.deleteAuthenticator()
var challengeId = challengeId_example; // {String} The unique identifier of this challenge. This is an opaque string.
var authenticatorId = authenticatorId_example; // {String} The unique identifier of this authenticator. This is an opaque string.

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully.');
  }
};
authenticatorApi.deleteAuthenticator(challengeId, authenticatorId, callback);

Scopes

profiles/read Read access to user and contact related resources.
profiles/write Write (update) access to user and contact related resources.
profiles/delete Delete access to user and auth related resources.
profiles/readPii Read access to personally identifiable information such as tax ID numbers, phone numbers, email and postal addresses. This must be granted in addition to the `profiles/read` scope in order to read such data, but is included in the `profiles/full` scope.
profiles/full Full access to user and contact related resources.
admin/write Admin write (update) access to challenges and authenticators

Parameters

Path parameters
Name Description
challengeId*
String
The unique identifier of this challenge. This is an opaque string.
Required
authenticatorId*
String
The unique identifier of this authenticator. This is an opaque string.
Required

Responses


getAuthenticator

Fetch a representation of this authenticator

Return a [HAL](http://developer.apiture.com/docs/concepts/hal) representation of this authenticator resource. This `GET` operation is available via the `self` link of the authenticators inside a challenge resource.


/challenges/{challengeId}/authenticators/{authenticatorId}

Usage and SDK Samples

curl -X GET -H "API-Key: [[apiKey]]" "http:///auth/challenges/{challengeId}/authenticators/{authenticatorId}"
import { AuthenticatorApi } from "@apiture/auth-client-sdk";

const authenticatorApi = new AuthenticatorApi(configuration);

// Configure OAuth2 access token for authorization: accessToken
var accessToken = "YOUR ACCESS TOKEN";
authenticatorApi.setAccessToken(accessToken)

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
authenticatorApi.setApiKey(apiKey);


var api = new Auth.AuthenticatorApi.getAuthenticator()
var challengeId = challengeId_example; // {String} The unique identifier of this challenge. This is an opaque string.
var authenticatorId = authenticatorId_example; // {String} The unique identifier of this authenticator. This is an opaque string.
var opts = {
  'ifNoneMatch': ifNoneMatch_example // {String} The entity tag that was returned in the `ETag` response. If the resource's current entity tag matches, the `GET` will return 304 (Not Modified) and no response body, else the resource representation will be returned.
};

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + data);
  }
};
authenticatorApi.getAuthenticator(challengeId, authenticatorId, opts, callback);

Scopes

profiles/read Read access to user and contact related resources.
profiles/write Write (update) access to user and contact related resources.
profiles/delete Delete access to user and auth related resources.
profiles/readPii Read access to personally identifiable information such as tax ID numbers, phone numbers, email and postal addresses. This must be granted in addition to the `profiles/read` scope in order to read such data, but is included in the `profiles/full` scope.
profiles/full Full access to user and contact related resources.
admin/write Admin write (update) access to challenges and authenticators

Parameters

Path parameters
Name Description
challengeId*
String
The unique identifier of this challenge. This is an opaque string.
Required
authenticatorId*
String
The unique identifier of this authenticator. This is an opaque string.
Required
Header parameters
Name Description
If-None-Match
String
The entity tag that was returned in the `ETag` response. If the resource's current entity tag matches, the `GET` will return 304 (Not Modified) and no response body, else the resource representation will be returned.

Responses

Name Type Format Description
ETag String The `ETag` response header specifies an entity tag which must be provided in an `If-Match` request header for *`PUT`* or *`PATCH`* operations which update this authenticator resource.


getAuthenticatorTypes

Retrieve the set of authenticator types

Return the set of reserved authenticator type names. The `type` property of a authenticator must be one of these values. This set may be updated by the financial institution via the `updateAuthenticatorTypes` operation. The default list includes the following types: * `sms` * `email`


/authenticatorTypes

Usage and SDK Samples

curl -X GET -H "API-Key: [[apiKey]]" "http:///auth/authenticatorTypes"
import { AuthenticatorApi } from "@apiture/auth-client-sdk";

const authenticatorApi = new AuthenticatorApi(configuration);

// Configure OAuth2 access token for authorization: accessToken
var accessToken = "YOUR ACCESS TOKEN";
authenticatorApi.setAccessToken(accessToken)

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
authenticatorApi.setApiKey(apiKey);


var api = new Auth.AuthenticatorApi.getAuthenticatorTypes()
var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + data);
  }
};
authenticatorApi.getAuthenticatorTypes(callback);

Scopes

profiles/read Read access to user and contact related resources.
profiles/write Write (update) access to user and contact related resources.
profiles/delete Delete access to user and auth related resources.
profiles/readPii Read access to personally identifiable information such as tax ID numbers, phone numbers, email and postal addresses. This must be granted in addition to the `profiles/read` scope in order to read such data, but is included in the `profiles/full` scope.
profiles/full Full access to user and contact related resources.
admin/write Admin write (update) access to challenges and authenticators

Parameters

Responses

Name Type Format Description
ETag String The `ETag` response header specifies an entity tag which must be provided in an `If-Match` request header for operations which update the resource.

retryAuthenticator

Retry an authenticator

Retry or restart an authenticator, for example, if the authentication process failed or if the user never received confirmation. This changes the `state` property of the authenticator to `started`. This fails operation if the authenticator has been retried more than the allowed number of retries. This operation is available via the `apiture:retry` link on the authenticator resource, if and only if the authenticator is eligible for the retry operation. The response is the updated representation of the authenticator.


/retriedAuthenticators

Usage and SDK Samples

curl -X POST -H "API-Key: [[apiKey]]" "http:///auth/retriedAuthenticators?authenticator="
import { AuthenticatorApi } from "@apiture/auth-client-sdk";

const authenticatorApi = new AuthenticatorApi(configuration);

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
authenticatorApi.setApiKey(apiKey);


var api = new Auth.AuthenticatorApi.retryAuthenticator()
var authenticator = authenticator_example; // {String} A string which uniquely identifies an authenticator. This may be the unique `_id` of the authenticator or the URI of the authenticator.
var opts = {
  'ifMatch': ifMatch_example // {String} The entity tag that was returned in the `ETag` response. The `If-Match` header is optional, but if passed, this must match the current entity tag of the resource.
};

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + data);
  }
};
authenticatorApi.retryAuthenticator(authenticator, opts, callback);

Scopes

Parameters

Header parameters
Name Description
If-Match
String
The entity tag that was returned in the `ETag` response. The `If-Match` header is optional, but if passed, this must match the current entity tag of the resource.
Query parameters
Name Description
authenticator*
String
A string which uniquely identifies an authenticator. This may be the unique `_id` of the authenticator or the URI of the authenticator.
Required

Responses

Name Type Format Description
ETag String The `ETag` response header specifies an entity tag which must be provided in an `If-Match` request header for *`PUT`* or *`PATCH`* operations which update the resource.


startAuthenticator

Start an authenticator

Start a `pending` authenticator, initiating the identity verification. For example, starting a `sms` or `email` authenticator will send a unique code to the user via that channel. This changes the `state` property of the authenticator to `started` and resets the `attributes` data. A started authenticator should be verified via the `verifiedAuthenticator` operation. This operation is available via the `apiture:start` link on the authenticator resource, if and only if the authenticator is eligible for the start operation. The response is the updated representation of the authenticator.


/startedAuthenticators

Usage and SDK Samples

curl -X POST -H "API-Key: [[apiKey]]" "http:///auth/startedAuthenticators?authenticator="
import { AuthenticatorApi } from "@apiture/auth-client-sdk";

const authenticatorApi = new AuthenticatorApi(configuration);

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
authenticatorApi.setApiKey(apiKey);


var api = new Auth.AuthenticatorApi.startAuthenticator()
var authenticator = authenticator_example; // {String} A string which uniquely identifies an authenticator. This may be the unique `_id` of the authenticator or the URI of the authenticator.
var opts = {
  'ifMatch': ifMatch_example // {String} The entity tag that was returned in the `ETag` response. The `If-Match` header is optional, but if passed, this must match the current entity tag of the resource.
};

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + data);
  }
};
authenticatorApi.startAuthenticator(authenticator, opts, callback);

Scopes

Parameters

Header parameters
Name Description
If-Match
String
The entity tag that was returned in the `ETag` response. The `If-Match` header is optional, but if passed, this must match the current entity tag of the resource.
Query parameters
Name Description
authenticator*
String
A string which uniquely identifies an authenticator. This may be the unique `_id` of the authenticator or the URI of the authenticator.
Required

Responses

Name Type Format Description
ETag String The `ETag` response header specifies an entity tag which must be provided in an `If-Match` request header for *`PUT`* or *`PATCH`* operations which update the resource.


updateAuthenticatorTypes

Replace the set of authenticator types

A financial institution can use this operation to register additional types of authenticators that they may issue to their users when a service needs to issue an identify verification challenge to the user. The `type` property of an authenticator must be one of these reserved names. This operation completely replaces the set of reserved authenticator type names, so it should include all items from the `getAuthenticatorTypes` that are in use. This operation is only available to financial institution administrators.


/authenticatorTypes

Usage and SDK Samples

curl -X PUT -H "API-Key: [[apiKey]]" "http:///auth/authenticatorTypes"
import { AuthenticatorApi } from "@apiture/auth-client-sdk";

const authenticatorApi = new AuthenticatorApi(configuration);

// Configure OAuth2 access token for authorization: accessToken
var accessToken = "YOUR ACCESS TOKEN";
authenticatorApi.setAccessToken(accessToken)

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
authenticatorApi.setApiKey(apiKey);


var api = new Auth.AuthenticatorApi.updateAuthenticatorTypes()
var requestBody = ; // {map[String, authenticatorType]} 
var opts = {
  'ifMatch': ifMatch_example // {String} The entity tag that was returned in the `ETag` response. The `If-Match` header is optional, but if passed, this must match the current entity tag of the resource.
};

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + data);
  }
};
authenticatorApi.updateAuthenticatorTypes(requestBody, opts, callback);

Scopes

profiles/read Read access to user and contact related resources.
profiles/write Write (update) access to user and contact related resources.
profiles/delete Delete access to user and auth related resources.
profiles/readPii Read access to personally identifiable information such as tax ID numbers, phone numbers, email and postal addresses. This must be granted in addition to the `profiles/read` scope in order to read such data, but is included in the `profiles/full` scope.
profiles/full Full access to user and contact related resources.
admin/write Admin write (update) access to challenges and authenticators

Parameters

Header parameters
Name Description
If-Match
String
The entity tag that was returned in the `ETag` response. The `If-Match` header is optional, but if passed, this must match the current entity tag of the resource.
Body parameters
Name Description
requestBody *

The set of authenticator types.

Responses

Name Type Format Description
ETag String The `ETag` response header specifies an entity tag which must be provided in an `If-Match` request header for operations which update the resource.


verifyAuthenticator

Verify a user's identity

Complete the verification of a user's identity by `POST`ing the authenticator to this path, passing the authentication data in the authenticator's `attributes`. For example, to verify an `sms` or `email` authenticator, the client should send the code that was sent to the user via SMS or email in `attributes.code`. If the authentication data is valid, this changes the `state` property of the authenticator to `verified`. In addition, if all the challenges' authenticators have been verified successfully, the challenge is also marked as `verified`. If the `attributes` data are invalid, the authenticator is marked `failed`. Failed authenticators may be retried (restarted) via the `retryAuthenticator` operation. This operation is available via the `apiture:verify` link on the authenticator resource, if and only if the authenticator is eligible for the `apiture:verify` operation. The authenticator must have been started (see the `startAuthenticator` operation and the `apiture:start` link) before being verified. The response is the updated representation of the authenticator.


/verifiedAuthenticators

Usage and SDK Samples

curl -X POST -H "API-Key: [[apiKey]]" "http:///auth/verifiedAuthenticators"
import { AuthenticatorApi } from "@apiture/auth-client-sdk";

const authenticatorApi = new AuthenticatorApi(configuration);

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
authenticatorApi.setApiKey(apiKey);


var api = new Auth.AuthenticatorApi.verifyAuthenticator()
var authenticator = ; // {Authenticator} 
var opts = {
  'ifMatch': ifMatch_example // {String} The entity tag that was returned in the `ETag` response. The `If-Match` header is optional, but if passed, this must match the current entity tag of the resource.
};

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + data);
  }
};
authenticatorApi.verifyAuthenticator(authenticator, opts, callback);

Scopes

Parameters

Header parameters
Name Description
If-Match
String
The entity tag that was returned in the `ETag` response. The `If-Match` header is optional, but if passed, this must match the current entity tag of the resource.
Body parameters
Name Description
authenticator *

The body is the authenticator object, with the `attributes` set as per the authenticator type.

Responses

Name Type Format Description
ETag String The `ETag` response header specifies an entity tag which must be provided in an `If-Match` request header for *`PUT`* or *`PATCH`* operations which update the resource.


Challenge

createChallenge

Create a new challenge

Create a new challenge. This is called from service code when an operations requires additional user verification. By default, the resulting challenge resource will contain a list of authenticators, one for each authenticator type (see the `getAuthenticatorTypes` operation). When creating a challenge, the service can exclude authenticators with either or both `?exclude=` or specify the exact authenticator types to use with `?include=`. When an operation fails with a 401 due to required authentication response, the services embeds the challenge as the `_error._embedded.challenge` object in the response. See also the `getAuthenticator` operation and the `challenge` and `authenticator` schemas for additional details. A user may have only one active challenge at a time. Creating a new challenge for a user will delete any outstanding challenge resources for that user and any authenticators associated with those challenges. End users cannot call this operation. Challenges (and their authenticators) expire automatically some time after creation. At a later time, expired, failed, and verified challenges and authenticators are automatically deleted.


/challenges

Usage and SDK Samples

curl -X POST -H "API-Key: [[apiKey]]" "http:///auth/challenges?include=&exclude="
import { ChallengeApi } from "@apiture/auth-client-sdk";

const challengeApi = new ChallengeApi(configuration);

// Configure OAuth2 access token for authorization: accessToken
var accessToken = "YOUR ACCESS TOKEN";
challengeApi.setAccessToken(accessToken)

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
challengeApi.setApiKey(apiKey);


var api = new Auth.ChallengeApi.createChallenge()
var createChallenge = ; // {CreateChallenge} 
var opts = {
  'include': include_example, // {String} One or more authenticator _types_ or _categories_ which the challenge should exclude from its authenticators. Type names are from the `name` or `category` property of the authenticator types resource, such as `?exclude=sms`. Multiple types may be specified, separated by commas: `?exclude=sms,biometric`. This may be combined with the other filters, but excludes take precedent over `?include`. (This notation may be extended in the future to allow additional filter constraints based on authenticator type properties.)
  'exclude': exclude_example // {String} One or more authenticator _types_ or _categories_ which the challenge should exclude from its authenticators. Type names are from the `name` or `category` property of the authenticator types resource, such as `?exclude=sms`. Multiple types may be specified, separated by commas: `?exclude=sms,biometric`. If both `?include=`  and `?exclude=` are used, the exclusions take precedence inclusions. That is, for `?include=sms&exclude=sms`, the `sms` authenticator will not be used. (This notation may be extended in the future to allow additional filter constraints based on authenticator type properties.)
};

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + data);
  }
};
challengeApi.createChallenge(createChallenge, opts, callback);

Scopes

profiles/read Read access to user and contact related resources.
profiles/write Write (update) access to user and contact related resources.
profiles/delete Delete access to user and auth related resources.
profiles/readPii Read access to personally identifiable information such as tax ID numbers, phone numbers, email and postal addresses. This must be granted in addition to the `profiles/read` scope in order to read such data, but is included in the `profiles/full` scope.
profiles/full Full access to user and contact related resources.
admin/write Admin write (update) access to challenges and authenticators

Parameters

Body parameters
Name Description
createChallenge *

The data necessary to create a new challenge.

Query parameters
Name Description
include
String
One or more authenticator _types_ or _categories_ which the challenge should exclude from its authenticators. Type names are from the `name` or `category` property of the authenticator types resource, such as `?exclude=sms`. Multiple types may be specified, separated by commas: `?exclude=sms,biometric`. This may be combined with the other filters, but excludes take precedent over `?include`. (This notation may be extended in the future to allow additional filter constraints based on authenticator type properties.)
exclude
String
One or more authenticator _types_ or _categories_ which the challenge should exclude from its authenticators. Type names are from the `name` or `category` property of the authenticator types resource, such as `?exclude=sms`. Multiple types may be specified, separated by commas: `?exclude=sms,biometric`. If both `?include=` and `?exclude=` are used, the exclusions take precedence inclusions. That is, for `?include=sms&exclude=sms`, the `sms` authenticator will not be used. (This notation may be extended in the future to allow additional filter constraints based on authenticator type properties.)

Responses

Name Type Format Description
ETag String An entity tag which may be passed in the `If-Match` request header for *`PUT`* or *`PATCH`* operations which update the resource.
Location String uri The URI of the new resource. If the URI begins with / it is relative to the API root context. Else, it is a full URI starting with *`scheme`*`://host`


deleteChallenge

Delete this challenge resource

Delete this challenge resource and any authenticators that are owned by it. Challenges are also deleted at some interval after they have expired or at an interval after they have been redeemed.


/challenges/{challengeId}

Usage and SDK Samples

curl -X DELETE -H "API-Key: [[apiKey]]" "http:///auth/challenges/{challengeId}"
import { ChallengeApi } from "@apiture/auth-client-sdk";

const challengeApi = new ChallengeApi(configuration);

// Configure OAuth2 access token for authorization: accessToken
var accessToken = "YOUR ACCESS TOKEN";
challengeApi.setAccessToken(accessToken)

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
challengeApi.setApiKey(apiKey);


var api = new Auth.ChallengeApi.deleteChallenge()
var challengeId = challengeId_example; // {String} The unique identifier of this challenge. This is an opaque string.

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully.');
  }
};
challengeApi.deleteChallenge(challengeId, callback);

Scopes

profiles/read Read access to user and contact related resources.
profiles/write Write (update) access to user and contact related resources.
profiles/delete Delete access to user and auth related resources.
profiles/readPii Read access to personally identifiable information such as tax ID numbers, phone numbers, email and postal addresses. This must be granted in addition to the `profiles/read` scope in order to read such data, but is included in the `profiles/full` scope.
profiles/full Full access to user and contact related resources.
admin/write Admin write (update) access to challenges and authenticators

Parameters

Path parameters
Name Description
challengeId*
String
The unique identifier of this challenge. This is an opaque string.
Required

Responses


getChallenge

Fetch a representation of this challenge

Return a [HAL](http://developer.apiture.com/docs/concepts/hal) representation of this challenge resource.


/challenges/{challengeId}

Usage and SDK Samples

curl -X GET -H "API-Key: [[apiKey]]" "http:///auth/challenges/{challengeId}"
import { ChallengeApi } from "@apiture/auth-client-sdk";

const challengeApi = new ChallengeApi(configuration);

// Configure OAuth2 access token for authorization: accessToken
var accessToken = "YOUR ACCESS TOKEN";
challengeApi.setAccessToken(accessToken)

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
challengeApi.setApiKey(apiKey);


var api = new Auth.ChallengeApi.getChallenge()
var challengeId = challengeId_example; // {String} The unique identifier of this challenge. This is an opaque string.
var opts = {
  'ifNoneMatch': ifNoneMatch_example // {String} The entity tag that was returned in the `ETag` response. If the resource's current entity tag matches, the `GET` will return 304 (Not Modified) and no response body, else the resource representation will be returned.
};

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + data);
  }
};
challengeApi.getChallenge(challengeId, opts, callback);

Scopes

profiles/read Read access to user and contact related resources.
profiles/write Write (update) access to user and contact related resources.
profiles/delete Delete access to user and auth related resources.
profiles/readPii Read access to personally identifiable information such as tax ID numbers, phone numbers, email and postal addresses. This must be granted in addition to the `profiles/read` scope in order to read such data, but is included in the `profiles/full` scope.
profiles/full Full access to user and contact related resources.
admin/write Admin write (update) access to challenges and authenticators

Parameters

Path parameters
Name Description
challengeId*
String
The unique identifier of this challenge. This is an opaque string.
Required
Header parameters
Name Description
If-None-Match
String
The entity tag that was returned in the `ETag` response. If the resource's current entity tag matches, the `GET` will return 304 (Not Modified) and no response body, else the resource representation will be returned.

Responses

Name Type Format Description
ETag String The `ETag` response header specifies an entity tag which must be provided in an `If-Match` request header for *`PUT`* or *`PATCH`* operations which update this challenge resource.


getChallenges

Return a collection of challenges

Return a [paginated](http://developer.apiture.com/docs/concepts/pagination) [sortable](http://developer.apiture.com/docs/concepts/sorting) [filterable](http://developer.apiture.com/docs/concepts/filtering) [searchable](http://developer.apiture.com/docs/concepts/searching) collection of challenges. The [links](http://developer.apiture.com/docs/concepts/links) in the response include pagination links.


/challenges

Usage and SDK Samples

curl -X GET -H "API-Key: [[apiKey]]" "http:///auth/challenges?start=&limit=&sortBy=&filter=&q=&userId=&state="
import { ChallengeApi } from "@apiture/auth-client-sdk";

const challengeApi = new ChallengeApi(configuration);

// Configure OAuth2 access token for authorization: accessToken
var accessToken = "YOUR ACCESS TOKEN";
challengeApi.setAccessToken(accessToken)

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
challengeApi.setApiKey(apiKey);


var api = new Auth.ChallengeApi.getChallenges()
var opts = {
  'start': 789, // {Long} The zero-based index of the first challenge item to include in this page. The default 0 denotes the beginning of the collection.
  'limit': 56, // {Integer} The maximum number of challenge representations to return in this page.
  'sortBy': sortBy_example, // {String} Optional sort criteria. See [sort criteria format](http://developer.apiture.com/docs/concepts/sorting), such as `?sortBy=field1,-field2`.
  'filter': filter_example, // {String} Optional filter criteria. See [filtering](http://developer.apiture.com/docs/concepts/filtering).
  'q': q_example, // {String} Optional search string. See [searching](http://developer.apiture.com/docs/concepts/searching).
  'userId': userId_example, // {String} Subset to challenges for the specified user. The value should be the unique `{userId}` (the `_id` of a User resource).
  'state': state_example // {String} Subset the challenges to those whose `state` matches this value. Use `|` to separate multiple values. For example, `?state=started` matches only items whose `state` is `started`; `?state=verified|failed` matches items whose `state` is `verified` or `failed`. This is combined with an implicit `and` with other filters if they are used. See [filtering](https://developer.apiture.com/docs/concepts/filtering).
};

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + data);
  }
};
challengeApi.getChallenges(opts, callback);

Scopes

profiles/read Read access to user and contact related resources.
profiles/write Write (update) access to user and contact related resources.
profiles/delete Delete access to user and auth related resources.
profiles/readPii Read access to personally identifiable information such as tax ID numbers, phone numbers, email and postal addresses. This must be granted in addition to the `profiles/read` scope in order to read such data, but is included in the `profiles/full` scope.
profiles/full Full access to user and contact related resources.
admin/write Admin write (update) access to challenges and authenticators

Parameters

Query parameters
Name Description
start
Long (int64)
The zero-based index of the first challenge item to include in this page. The default 0 denotes the beginning of the collection.
limit
Integer (int32)
The maximum number of challenge representations to return in this page.
sortBy
String
Optional sort criteria. See [sort criteria format](http://developer.apiture.com/docs/concepts/sorting), such as `?sortBy=field1,-field2`.
filter
String
Optional filter criteria. See [filtering](http://developer.apiture.com/docs/concepts/filtering).
q
String
Optional search string. See [searching](http://developer.apiture.com/docs/concepts/searching).
userId
String
Subset to challenges for the specified user. The value should be the unique `{userId}` (the `_id` of a User resource).
state
String
Subset the challenges to those whose `state` matches this value. Use `|` to separate multiple values. For example, `?state=started` matches only items whose `state` is `started`; `?state=verified|failed` matches items whose `state` is `verified` or `failed`. This is combined with an implicit `and` with other filters if they are used. See [filtering](https://developer.apiture.com/docs/concepts/filtering).

Responses


redeemChallenge

Redeem or use a challenge

When an operation that requires an identity challenge (passed via the `Apiture-Challenge` request header), it _redeems_ the challenge to mark it as used. Challenges have a maximum number of times that they may be redeemed. This changes the `state` property of the authenticator to `redeemed`. This operation is available via the `apiture:redeem` link on the challenge resource, if and only if the challenge is eligible for the redeem operation. The response is the updated representation of the challenge.


/redeemedChallenges

Usage and SDK Samples

curl -X POST -H "API-Key: [[apiKey]]" "http:///auth/redeemedChallenges?challenge="
import { ChallengeApi } from "@apiture/auth-client-sdk";

const challengeApi = new ChallengeApi(configuration);

// Configure OAuth2 access token for authorization: accessToken
var accessToken = "YOUR ACCESS TOKEN";
challengeApi.setAccessToken(accessToken)

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
challengeApi.setApiKey(apiKey);


var api = new Auth.ChallengeApi.redeemChallenge()
var challenge = challenge_example; // {String} A string which uniquely identifies an challenge. This may be the unique `_id` of the challenge resource or the URI of the challenge.
var opts = {
  'ifMatch': ifMatch_example // {String} The entity tag that was returned in the `ETag` response. The `If-Match` header is optional, but if passed, this must match the current entity tag of the resource.
};

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + data);
  }
};
challengeApi.redeemChallenge(challenge, opts, callback);

Scopes

profiles/read Read access to user and contact related resources.
profiles/write Write (update) access to user and contact related resources.
profiles/delete Delete access to user and auth related resources.
profiles/readPii Read access to personally identifiable information such as tax ID numbers, phone numbers, email and postal addresses. This must be granted in addition to the `profiles/read` scope in order to read such data, but is included in the `profiles/full` scope.
profiles/full Full access to user and contact related resources.
admin/write Admin write (update) access to challenges and authenticators

Parameters

Header parameters
Name Description
If-Match
String
The entity tag that was returned in the `ETag` response. The `If-Match` header is optional, but if passed, this must match the current entity tag of the resource.
Query parameters
Name Description
challenge*
String
A string which uniquely identifies an challenge. This may be the unique `_id` of the challenge resource or the URI of the challenge.
Required

Responses

Name Type Format Description
ETag String The `ETag` response header specifies an entity tag which must be provided in an `If-Match` request header for *`PUT`* or *`PATCH`* operations which update the resource.


Devices

deleteDevice

Delete a device registration

Delete a specific device registration which tracks the use of a device for a user. Once deleted, the user will have to use another secondary authentication method, such as entering a code sent by SMS, when signing in.


/users/{userId}/devices/{deviceId}

Usage and SDK Samples

curl -X DELETE -H "API-Key: [[apiKey]]" "http:///auth/users/{userId}/devices/{deviceId}"
import { DevicesApi } from "@apiture/auth-client-sdk";

const devicesApi = new DevicesApi(configuration);

// Configure OAuth2 access token for authorization: accessToken
var accessToken = "YOUR ACCESS TOKEN";
devicesApi.setAccessToken(accessToken)

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
devicesApi.setApiKey(apiKey);


var api = new Auth.DevicesApi.deleteDevice()
var userId = userId_example; // {String} The user ID of a user. An authenticated user can only view their own devices.
var deviceId = deviceId_example; // {String} The unique identifier of the device.

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully.');
  }
};
devicesApi.deleteDevice(userId, deviceId, callback);

Scopes

profiles/read Read access to user and contact related resources.
profiles/write Write (update) access to user and contact related resources.
profiles/delete Delete access to user and auth related resources.
profiles/readPii Read access to personally identifiable information such as tax ID numbers, phone numbers, email and postal addresses. This must be granted in addition to the `profiles/read` scope in order to read such data, but is included in the `profiles/full` scope.
profiles/full Full access to user and contact related resources.
admin/write Admin write (update) access to challenges and authenticators

Parameters

Path parameters
Name Description
userId*
String
The user ID of a user. An authenticated user can only view their own devices.
Required
deviceId*
String
The unique identifier of the device.
Required

Responses


getDevice

Return a device for the user

Return a specific device for a user. The `deviceId` is the unique identifier of a device resource. This operation is typically called via the `self` link for an item in the `getDevices` collection response.


/users/{userId}/devices/{deviceId}

Usage and SDK Samples

curl -X GET -H "API-Key: [[apiKey]]" "http:///auth/users/{userId}/devices/{deviceId}"
import { DevicesApi } from "@apiture/auth-client-sdk";

const devicesApi = new DevicesApi(configuration);

// Configure OAuth2 access token for authorization: accessToken
var accessToken = "YOUR ACCESS TOKEN";
devicesApi.setAccessToken(accessToken)

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
devicesApi.setApiKey(apiKey);


var api = new Auth.DevicesApi.getDevice()
var userId = userId_example; // {String} The user ID of a user. An authenticated user can only view their own devices.
var deviceId = deviceId_example; // {String} The unique identifier of the device.

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + data);
  }
};
devicesApi.getDevice(userId, deviceId, callback);

Scopes

profiles/read Read access to user and contact related resources.
profiles/write Write (update) access to user and contact related resources.
profiles/delete Delete access to user and auth related resources.
profiles/readPii Read access to personally identifiable information such as tax ID numbers, phone numbers, email and postal addresses. This must be granted in addition to the `profiles/read` scope in order to read such data, but is included in the `profiles/full` scope.
profiles/full Full access to user and contact related resources.
admin/write Admin write (update) access to challenges and authenticators

Parameters

Path parameters
Name Description
userId*
String
The user ID of a user. An authenticated user can only view their own devices.
Required
deviceId*
String
The unique identifier of the device.
Required

Responses


getDevices

Return a collection of devices

Return a collection of devices that the user has used to sign in. This collection is small, so this operation does not support filtering, pagination, sorting, or searching. The Authentication API's `getRoot` operation (`GET /auth/`) will include a link `apiture:getDevices`. This link's `href` will resolve the `{userId}` for the currently authenticated user.


/users/{userId}/devices

Usage and SDK Samples

curl -X GET -H "API-Key: [[apiKey]]" "http:///auth/users/{userId}/devices"
import { DevicesApi } from "@apiture/auth-client-sdk";

const devicesApi = new DevicesApi(configuration);

// Configure OAuth2 access token for authorization: accessToken
var accessToken = "YOUR ACCESS TOKEN";
devicesApi.setAccessToken(accessToken)

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
devicesApi.setApiKey(apiKey);


var api = new Auth.DevicesApi.getDevices()
var userId = userId_example; // {String} The user ID of a user. An authenticated user can only view their own devices.

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + data);
  }
};
devicesApi.getDevices(userId, callback);

Scopes

profiles/read Read access to user and contact related resources.
profiles/write Write (update) access to user and contact related resources.
profiles/delete Delete access to user and auth related resources.
profiles/readPii Read access to personally identifiable information such as tax ID numbers, phone numbers, email and postal addresses. This must be granted in addition to the `profiles/read` scope in order to read such data, but is included in the `profiles/full` scope.
profiles/full Full access to user and contact related resources.
admin/write Admin write (update) access to challenges and authenticators

Parameters

Path parameters
Name Description
userId*
String
The user ID of a user. An authenticated user can only view their own devices.
Required

Responses


Encryption

getEncryptionKeys

Get client-side encryption keys

Get encryption keys that the client should use to encrypt sensitive data such as personally identifiable information (PII) and passwords. This adds security on top of transport layer security (TLS/HTTPS) so that sensitive data is not represented as plain text in request bodies. Clients should [encrypt properties](https://developer.apiture.com/doc/concepts/encryption) that have a <code>x-apiture-encrypt: {<em>keyName</em>}</code> annotation in the schema. The client adds metadata in an `_encryption` object next to the encrypted properties in the request body.


/encryptionKeys

Usage and SDK Samples

curl -X GET -H "API-Key: [[apiKey]]" "http:///auth/encryptionKeys?keys="
import { EncryptionApi } from "@apiture/auth-client-sdk";

const encryptionApi = new EncryptionApi(configuration);

// Configure OAuth2 access token for authorization: accessToken
var accessToken = "YOUR ACCESS TOKEN";
encryptionApi.setAccessToken(accessToken)

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
encryptionApi.setApiKey(apiKey);


var api = new Auth.EncryptionApi.getEncryptionKeys()
var keys = ; // {array[String]} A list of encryption key names necessary to encrypt one or more properties in a request body. For example, if the request body schema contains two fields that are tagged `x-apiture-encrypt: secret`, use `?keys=secret`. If the schema contain two fields, one encrypted with `password` and one with the key named `pii`, use `?keys=secret,pii`

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + data);
  }
};
encryptionApi.getEncryptionKeys(keys, callback);

Scopes

profiles/read Read access to user and contact related resources.
profiles/write Write (update) access to user and contact related resources.
profiles/delete Delete access to user and auth related resources.
profiles/readPii Read access to personally identifiable information such as tax ID numbers, phone numbers, email and postal addresses. This must be granted in addition to the `profiles/read` scope in order to read such data, but is included in the `profiles/full` scope.
profiles/full Full access to user and contact related resources.
admin/write Admin write (update) access to challenges and authenticators

Parameters

Query parameters
Name Description
keys*
array[String]
A list of encryption key names necessary to encrypt one or more properties in a request body. For example, if the request body schema contains two fields that are tagged `x-apiture-encrypt: secret`, use `?keys=secret`. If the schema contain two fields, one encrypted with `password` and one with the key named `pii`, use `?keys=secret,pii`
Required

Responses


OpenIDConnect

authorize

Redirect to the authorization server for secure user login

Start OpenID Connect Authorization Code Flow by requesting client application authorization and user authentication. This request redirects the user to the identity provider login page to authenticate by securely entering their credentials. Upon a successful 302 response, the client should validate the `Location` URI then redirect to that URI.


/oauth2/authorize

Usage and SDK Samples

curl -X GET -H "API-Key: [[apiKey]]" "http:///auth/oauth2/authorize?response_type=&scope=&client_id=&state=&redirect_uri="
import { OpenIDConnectApi } from "@apiture/auth-client-sdk";

const openIDConnectApi = new OpenIDConnectApi(configuration);

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
openIDConnectApi.setApiKey(apiKey);


var api = new Auth.OpenIDConnectApi.authorize()
var clientId = clientId_example; // {String} This must be set to the client ID value obtained from the client application registration process in the developer portal.
var redirectUri = redirectUri_example; // {String} The callback url that the user will be redirected to after successful login and consent with the Apiture Identity Provider. This value must match the value used during the client application registration process.  The callback url will be called with the authorization code provided as a parameter. Required if using the authorization_code flow.
var opts = {
  'responseType': responseType_example, // {String} Indicates the authentication flow to be used. Use `code` to specify the usage of the OAuth 2.0 Authorization code flow and `client_credentials` for the OAuth 2.0 Client Credentials flow.
  'scope': scope_example, // {String} This must be set to `openid` to indicate a request for OpenID authentication and ID token.
  'state': state_example // {String} An arbitrary value set by the client to maintain state between the authorization request and the callback.
};

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully.');
  }
};
openIDConnectApi.authorize(clientId, redirectUri, opts, callback);

Scopes

Parameters

Query parameters
Name Description
response_type
String
Indicates the authentication flow to be used. Use `code` to specify the usage of the OAuth 2.0 Authorization code flow and `client_credentials` for the OAuth 2.0 Client Credentials flow.
scope
String
This must be set to `openid` to indicate a request for OpenID authentication and ID token.
client_id*
String
This must be set to the client ID value obtained from the client application registration process in the developer portal.
Required
state
String
An arbitrary value set by the client to maintain state between the authorization request and the callback.
redirect_uri*
String
The callback url that the user will be redirected to after successful login and consent with the Apiture Identity Provider. This value must match the value used during the client application registration process. The callback url will be called with the authorization code provided as a parameter. Required if using the authorization_code flow.
Required

Responses

Name Type Format Description
Location String uri The redirect URI with additional parameters (`state` and `code`).


getMetadata

Returns OpenID Connect Discovery metadata.

This request returns a JSON structure containing scopes.


/openid/metadata

Usage and SDK Samples

curl -X GET -H "API-Key: [[apiKey]]" "http:///auth/openid/metadata"
import { OpenIDConnectApi } from "@apiture/auth-client-sdk";

const openIDConnectApi = new OpenIDConnectApi(configuration);

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
openIDConnectApi.setApiKey(apiKey);


var api = new Auth.OpenIDConnectApi.getMetadata()
var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + data);
  }
};
openIDConnectApi.getMetadata(callback);

Scopes

Parameters

Responses


getToken

Obtain a secure access token.

Create or refresh an access token for client use. Depending on the value of the `grant_type` query parameter, this operation issues a new access token and a refresh token at the end of the initial authentication flow, or it can refresh an expired or expiring access token. * To issue the initial token for interactive clients, use `?grant_type=authorization_code`, passing the `code` obtained from the [`authorize`](#op-authorize) operation and the `redirect_uri` query parameters. (Both the `code` and `redirect_uri` query parameters are required for this grant type.) Clients should save the `refresh_token` from the response. * For trusted (non-web, non-mobile) clients, use `?grant_type=client_credentials` and the `authorization` header. * To refresh an expiring/expired access token, use `?grant_type=refresh_token&refresh_token={refresh_token}`, using the required `{refresh_token}` that was returned in the _original_ [`oauthToken`](#schema-oauthToken) response from the earlier call to this operation. All calls require the `Authorization` header.


/oauth2/token

Usage and SDK Samples

curl -X POST -H "API-Key: [[apiKey]]" "http:///auth/oauth2/token?grant_type=&code=&redirect_uri=&refresh_token="
import { OpenIDConnectApi } from "@apiture/auth-client-sdk";

const openIDConnectApi = new OpenIDConnectApi(configuration);

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
openIDConnectApi.setApiKey(apiKey);


var api = new Auth.OpenIDConnectApi.getToken()
var grantType = grantType_example; // {String} This must be set to one of the following:
• `authorization_code` if using the OAuth 2.0 Authorization code flow
• `client_credentials` when using client-supplied credentials (key and secret)
• `refresh_token` when refreshing an expired or expiring access token. var authorization = authorization_example; // {String} Authorization credentials in the form
`Basic {encoded-credentials}`
where `{encoded-credentials}` is a Base 64 encoding of the text _`client-id:client-secret`_ for the registered client. If these client credentials are supplied when using the `client_credentials` grant, the OpenID Connect handshake is shortened and no interactive redirect is used. var opts = { 'code': code_example, // {String} This must be set to the authorization code returned via a callback redirect after calling the [`authorize`](#op-authorize) operation whenusing the OAuth 2.0 Authorization code flow. This is required if `grant_type` is `authorization_code`. 'redirectUri': redirectUri_example, // {String} The callback url that the user will be redirected to after successful login and consent with the Apiture Identity Provider. This value must match the value used during the client application registration process and the value passed to [`authorize`](#op-authorize). Required if using the `authorization_code` flow. 'refreshToken': refreshToken_example // {String} The value of the `refresh_token` obtained with the original or expiring/expired access token. Required if `?grant_type=refresh_token`. }; var callback = function(error, data, response) { if (error) { console.error(error); } else { console.log('API called successfully. Returned data: ' + data); } }; openIDConnectApi.getToken(grantType, authorization, opts, callback);

Scopes

Parameters

Header parameters
Name Description
Authorization*
String
Authorization credentials in the form <br> `Basic {encoded-credentials}`<br> where `{encoded-credentials}` is a Base 64 encoding of the text _`client-id:client-secret`_ for the registered client. If these client credentials are supplied when using the `client_credentials` grant, the OpenID Connect handshake is shortened and no interactive redirect is used.
Required
Query parameters
Name Description
grant_type*
String
This must be set to one of the following:<br> &bullet; `authorization_code` if using the OAuth 2.0 Authorization code flow<br> &bullet; `client_credentials` when using client-supplied credentials (key and secret)<br> &bullet; `refresh_token` when refreshing an expired or expiring access token.
Required
code
String
This must be set to the authorization code returned via a callback redirect after calling the [`authorize`](#op-authorize) operation whenusing the OAuth 2.0 Authorization code flow. This is required if `grant_type` is `authorization_code`.
redirect_uri
String
The callback url that the user will be redirected to after successful login and consent with the Apiture Identity Provider. This value must match the value used during the client application registration process and the value passed to [`authorize`](#op-authorize). Required if using the `authorization_code` flow.
refresh_token
String
The value of the `refresh_token` obtained with the original or expiring/expired access token. Required if `?grant_type=refresh_token`.

Responses

Name Type Format Description
Location String The login and consent page of the Apiture Identity Provider.


Password

changeUserPassword

Change the user password

An authenticated user must encrypt (see [`GET /encryptionKeys`]{#op-getEncryptionKeys)) and pass `currentPassword` and `newPassword` in the request body to change its password. This operation requires both `apiKey` and `accessToken` security. This operation will return 202 Accepted if the request is valid. If the request fails, and the user does not know the current password, they can request a password reset by using `/passwordResetRequests`. This operation supports _pre-flight validation_. If invoked with the `preFlightValidate=true` query parameter, the operation only validates the `newPassword` against the password policies and returns an `_error` in the response with details of any password policy violations.


/my/password

Usage and SDK Samples

curl -X PUT -H "API-Key: [[apiKey]]" "http:///auth/my/password?preFlightValidate="
import { PasswordApi } from "@apiture/auth-client-sdk";

const passwordApi = new PasswordApi(configuration);

// Configure OAuth2 access token for authorization: accessToken
var accessToken = "YOUR ACCESS TOKEN";
passwordApi.setAccessToken(accessToken)

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
passwordApi.setApiKey(apiKey);


var api = new Auth.PasswordApi.changeUserPassword()
var passwordChange = ; // {PasswordChange} 
var opts = {
  'preFlightValidate': true // {Boolean} If `true`, the operation performs pre-flight validation only of the `newPassword` and it does not attempt to update the user's password.
};

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + data);
  }
};
passwordApi.changeUserPassword(passwordChange, opts, callback);

Scopes

profiles/read Read access to user and contact related resources.
profiles/write Write (update) access to user and contact related resources.
profiles/delete Delete access to user and auth related resources.
profiles/readPii Read access to personally identifiable information such as tax ID numbers, phone numbers, email and postal addresses. This must be granted in addition to the `profiles/read` scope in order to read such data, but is included in the `profiles/full` scope.
profiles/full Full access to user and contact related resources.
admin/write Admin write (update) access to challenges and authenticators

Parameters

Body parameters
Name Description
passwordChange *

Query parameters
Name Description
preFlightValidate
Boolean
If `true`, the operation performs pre-flight validation only of the `newPassword` and it does not attempt to update the user's password.

Responses


passwordReset

Complete a password reset flow.

Complete an unauthenticated password reset flow by passing `username`,`confirmationCode`, and `newPassword` in the request. This operation will return 202 Accepted if the request is valid. This operation supports _pre-flight validation_. If invoked with the `preFlightValidate=true` query parameter, the operation validates the `confirmationCode` against the generated code, validates the new password to ensure it complies with the financial institution’s password policy, and returns an `_error` in the response if there is not a match in the codes or with details of any password policy violations.


/passwordResets

Usage and SDK Samples

curl -X POST -H "API-Key: [[apiKey]]" "http:///auth/passwordResets?preFlightValidate="
import { PasswordApi } from "@apiture/auth-client-sdk";

const passwordApi = new PasswordApi(configuration);

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
passwordApi.setApiKey(apiKey);


var api = new Auth.PasswordApi.passwordReset()
var confirmPasswordReset = ; // {ConfirmPasswordReset} 
var opts = {
  'preFlightValidate': true // {Boolean} If `true`, the operation performs pre-flight validation of the request body and it does not attempt to update the user's password.
};

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully.');
  }
};
passwordApi.passwordReset(confirmPasswordReset, opts, callback);

Scopes

Parameters

Body parameters
Name Description
confirmPasswordReset *

The data necessary to confirm a password reset

Query parameters
Name Description
preFlightValidate
Boolean
If `true`, the operation performs pre-flight validation of the request body and it does not attempt to update the user's password.

Responses


passwordResetRequest

Initiate a password reset flow.

Initiate a password reset flow by sending the user's key identifying information. A confirmation code is sent to the user via text message or email as a result of this operation if the information matches. In order to complete the flow, a `POST` request to `/passwordReset` must contain the confirmation code as well as the username and the desired new password. This operation does not create a new persistent resource; the password reset is transient and returned in the response body only.


/passwordResetRequests

Usage and SDK Samples

curl -X POST -H "API-Key: [[apiKey]]" "http:///auth/passwordResetRequests"
import { PasswordApi } from "@apiture/auth-client-sdk";

const passwordApi = new PasswordApi(configuration);

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
passwordApi.setApiKey(apiKey);


var api = new Auth.PasswordApi.passwordResetRequest()
var passwordResetRequest = ; // {PasswordResetRequest} 

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + data);
  }
};
passwordApi.passwordResetRequest(passwordResetRequest, callback);

Scopes

Parameters

Body parameters
Name Description
passwordResetRequest *

The data necessary to create a password reset resource.

Responses


User

confirmUser

Convert a user to new digital banking platform

After enabling the Apiture platform and importing customers from the banking core, a client application can use this operation to confirm and create a user's login account. The client application should prompt the user for their first and last name, date of birth, and tax identification number (such as a social security number) and submit the data here. A successful operation (the request was well formed) returns a [Challenge](#schema-challenge) resource. If this data matches a customer registered in the core, the system will connect the user resource to that customer in the banking core and create a new login account. The client should then use one of the returned challenge's [authenticators](schema-authenticator) to verify the user identity. If verified, the user enters their new username in the client application. The client should then use the [`username`](#op-createUsername) operation to validate and submit the user's new username to create the user's login account. This operation returns an error response if the data is not well formed. Since this operation is unauthenticated, the response for a well-formed request does _not_ indicate success or failure. Thus, this operation cannot be used to confirm if a customer exists or not.


/confirmedUsers

Usage and SDK Samples

curl -X POST -H "API-Key: [[apiKey]]" "http:///auth/confirmedUsers"
import { UserApi } from "@apiture/auth-client-sdk";

const userApi = new UserApi(configuration);

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
userApi.setApiKey(apiKey);


var api = new Auth.UserApi.confirmUser()
var userConfirmation = ; // {UserConfirmation} 

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + data);
  }
};
userApi.confirmUser(userConfirmation, callback);

Scopes

Parameters

Body parameters
Name Description
userConfirmation *

Responses


createCredentials

Create credentials for a new digital banking platform user

After confirming the user's identity via the [`confirmUser`](#op-confirmUser) operation and completing the identity verification challenge, the user can submit their new username and password with this operation. If there are no errors in the request, the user login account is completed with the requested username and password; the end user may now log in. This operation also supports _pre-flight validation_, via the `?preFlightValidate=true` option, to request that the server validate the credentials. The `_error` object in the 200 `OK` response will list any such errors, such as username already in use, the password does not conform to the password policies, or the [Challenge ID](#schema-challenge) is invalid or expired or has already been redeemed. If the request is valid, there is no `_error` object in the pre-flight validation response. Validating the request does not count towards the challenge's maximum redemption count. This operation requires passing a valid Challenge ID in the `Apiture-Challenge` request header. **Warning**: This operation is **deprecated** and will be removed in a future release.


/credentials

Usage and SDK Samples

curl -X POST -H "API-Key: [[apiKey]]" "http:///auth/credentials?preFlightValidate="
import { UserApi } from "@apiture/auth-client-sdk";

const userApi = new UserApi(configuration);

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
userApi.setApiKey(apiKey);


var api = new Auth.UserApi.createCredentials()
var credentials = ; // {Credentials} 
var opts = {
  'apitureChallenge': apitureChallenge_example, // {String} The unique identifier of a Challenge resource which demonstrates the user has recently verified their identity. See the discussion of _Multi-factor authentication challenges_ above. The value must be the `_id` string of a valid, redeemable Challenge resource which matches the challenge context.
  'preFlightValidate': true // {Boolean} If `true`, the operation performs pre-flight validation of the request body and it does not attempt to create a login account and credentials for the user.
};

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + data);
  }
};
userApi.createCredentials(credentials, opts, callback);

Scopes

Parameters

Header parameters
Name Description
Apiture-Challenge
String
The unique identifier of a Challenge resource which demonstrates the user has recently verified their identity. See the discussion of _Multi-factor authentication challenges_ above. The value must be the `_id` string of a valid, redeemable Challenge resource which matches the challenge context.
Body parameters
Name Description
credentials *

Query parameters
Name Description
preFlightValidate
Boolean
If `true`, the operation performs pre-flight validation of the request body and it does not attempt to create a login account and credentials for the user.

Responses


createUsername

Assign a username for a new digital banking platform user

After confirming the user's identity via the [`confirmUser`](#op-confirmUser) operation and completing the identity verification challenge, the user can submit their new username with this operation. If there are no errors in the request, the Authentication service returns a temporary password to the user. The user should login with the temporary password, then change the password to one of their choosing. This operation also supports _pre-flight validation_, via the `?preFlightValidate=true` option, to request that the server validate the credentials. The `_error` object in the 200 `OK` response will list any such errors, such as username already in use, the password does not conform to the password policies, or the [Challenge ID](#schema-challenge) is invalid or expired or has already been redeemed. If the request is valid, there is no `_error` object in the pre-flight validation response. Validating the request does not count towards the challenge's maximum redemption count. This operation requires passing a valid Challenge ID in the `Apiture-Challenge` request header.


/username

Usage and SDK Samples

curl -X POST -H "API-Key: [[apiKey]]" "http:///auth/username?preFlightValidate="
import { UserApi } from "@apiture/auth-client-sdk";

const userApi = new UserApi(configuration);

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
userApi.setApiKey(apiKey);


var api = new Auth.UserApi.createUsername()
var preferredUsername = ; // {PreferredUsername} 
var opts = {
  'apitureChallenge': apitureChallenge_example, // {String} The unique identifier of a Challenge resource which demonstrates the user has recently verified their identity. See the discussion of _Multi-factor authentication challenges_ above. The value must be the `_id` string of a valid, redeemable Challenge resource which matches the challenge context.
  'preFlightValidate': true // {Boolean} If `true`, the operation performs pre-flight validation of the request body and it does not attempt to create a login account and credentials for the user.
};

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + data);
  }
};
userApi.createUsername(preferredUsername, opts, callback);

Scopes

Parameters

Header parameters
Name Description
Apiture-Challenge
String
The unique identifier of a Challenge resource which demonstrates the user has recently verified their identity. See the discussion of _Multi-factor authentication challenges_ above. The value must be the `_id` string of a valid, redeemable Challenge resource which matches the challenge context.
Body parameters
Name Description
preferredUsername *

Query parameters
Name Description
preFlightValidate
Boolean
If `true`, the operation performs pre-flight validation of the request body and it does not attempt to create a login account and credentials for the user.

Responses


usernameRequests

Request sending the user an email containing their forgotten username.

Request sending the user an email containing their forgotten username by submitting the user's key identifying information. (This operation does not create a resource.) An email containing the username is sent to the user as a result of this operation.


/usernameRequests

Usage and SDK Samples

curl -X POST -H "API-Key: [[apiKey]]" "http:///auth/usernameRequests"
import { UserApi } from "@apiture/auth-client-sdk";

const userApi = new UserApi(configuration);

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
userApi.setApiKey(apiKey);


var api = new Auth.UserApi.usernameRequests()
var usernameRequest = ; // {UsernameRequest} 

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + data);
  }
};
userApi.usernameRequests(usernameRequest, callback);

Scopes

Parameters

Body parameters
Name Description
usernameRequest *

The data necessary to request the user's username be sent to them.

Responses


UserSessions

continueUserSession

Continue a session. After the client refreshes the user's access token, it may post the user session to this path to indicate that it wishes to continue the virtual session, but associated with the new token. The client must call this operation with the new access token in the `Authorization` header. This operation is idempotent. If the session has already been continued, this operation returns that session.


/continuedUserSessions

Usage and SDK Samples

curl -X POST -H "API-Key: [[apiKey]]" "http:///auth/continuedUserSessions"
import { UserSessionsApi } from "@apiture/auth-client-sdk";

const userSessionsApi = new UserSessionsApi(configuration);

// Configure OAuth2 access token for authorization: accessToken
var accessToken = "YOUR ACCESS TOKEN";
userSessionsApi.setAccessToken(accessToken)

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
userSessionsApi.setApiKey(apiKey);


var api = new Auth.UserSessionsApi.continueUserSession()
var userSession = ; // {UserSession} 

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + data);
  }
};
userSessionsApi.continueUserSession(userSession, callback);

Scopes

profiles/read Read access to user and contact related resources.
profiles/write Write (update) access to user and contact related resources.
profiles/delete Delete access to user and auth related resources.
profiles/readPii Read access to personally identifiable information such as tax ID numbers, phone numbers, email and postal addresses. This must be granted in addition to the `profiles/read` scope in order to read such data, but is included in the `profiles/full` scope.
profiles/full Full access to user and contact related resources.
admin/write Admin write (update) access to challenges and authenticators

Parameters

Body parameters
Name Description
userSession *

Client information for tracking the continuing user session. This is the `userSession` returned from either the `startUserSession` operation or from the most recent call to `continueUserSession` for this user, whichever was most recent.

Responses


endUserSession

End a user session. When the client wishes to end a user session, it can call this operation to inform the platform. The client may use an explicit logout operation, or it may end a session after a period of inactivity. Upon ending a user session, the client should purge any local cached data associated with the user and discard their access token and the `userSession` object.


/completedSessions

Usage and SDK Samples

curl -X POST -H "API-Key: [[apiKey]]" "http:///auth/completedSessions"
import { UserSessionsApi } from "@apiture/auth-client-sdk";

const userSessionsApi = new UserSessionsApi(configuration);

// Configure OAuth2 access token for authorization: accessToken
var accessToken = "YOUR ACCESS TOKEN";
userSessionsApi.setAccessToken(accessToken)

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
userSessionsApi.setApiKey(apiKey);


var api = new Auth.UserSessionsApi.endUserSession()
var userSession = ; // {UserSession} 

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully.');
  }
};
userSessionsApi.endUserSession(userSession, callback);

Scopes

profiles/read Read access to user and contact related resources.
profiles/write Write (update) access to user and contact related resources.
profiles/delete Delete access to user and auth related resources.
profiles/readPii Read access to personally identifiable information such as tax ID numbers, phone numbers, email and postal addresses. This must be granted in addition to the `profiles/read` scope in order to read such data, but is included in the `profiles/full` scope.
profiles/full Full access to user and contact related resources.
admin/write Admin write (update) access to challenges and authenticators

Parameters

Body parameters
Name Description
userSession *

Client information for tracking the current user session. This is the `userSession` returned from either the `startSession` operation or from the most recent call to `continueSession` for this user, whichever was most recent.

Responses


startUserSession

Start a user's virtual session. Clients should call this to mark when a user logs in. This operation is not required, but using it allows the financial institution to monitor and audit users' sessions and help prevent fraudulent use. The operation returns a session identifer which the client should pass to continue or complete the session with the `continueUserSession` and `endUserSession` operations. The response contains links to these operations. The response for this operation is also passed directly to those other operations. This operation is idempotent. If the session has already been started, this operation returns that session.


/userSession

Usage and SDK Samples

curl -X POST -H "API-Key: [[apiKey]]" "http:///auth/userSession"
import { UserSessionsApi } from "@apiture/auth-client-sdk";

const userSessionsApi = new UserSessionsApi(configuration);

// Configure OAuth2 access token for authorization: accessToken
var accessToken = "YOUR ACCESS TOKEN";
userSessionsApi.setAccessToken(accessToken)

// Configure API key authorization: apiKey
var apiKey = "YOUR API KEY";
userSessionsApi.setApiKey(apiKey);


var api = new Auth.UserSessionsApi.startUserSession()
var userSessionStart = ; // {UserSessionStart} 

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + data);
  }
};
userSessionsApi.startUserSession(userSessionStart, callback);

Scopes

profiles/read Read access to user and contact related resources.
profiles/write Write (update) access to user and contact related resources.
profiles/delete Delete access to user and auth related resources.
profiles/readPii Read access to personally identifiable information such as tax ID numbers, phone numbers, email and postal addresses. This must be granted in addition to the `profiles/read` scope in order to read such data, but is included in the `profiles/full` scope.
profiles/full Full access to user and contact related resources.
admin/write Admin write (update) access to challenges and authenticators

Parameters

Body parameters
Name Description
userSessionStart *

Client information for tracking the session.

Responses