Authorize

Select the following:
Home

>

API Products

>

Singapore - Authorize API Documentation

Authorize

Summary

Authorize is our implementation of the OAuth 2.0 framework. It enables secure authorization using standard methods that can easily be integrated in your app. If you're familiar with OAuth 2.0, everything should look familiar. If not, you may want to check out the OAuth 2.0 resources here.

Want to try this API out on our Playground?

Go play now
Endpoints on this page
post /clientCredentials/oauth2/token/sg/gcb Client Credentials Grant: Retrieve Access Token
get /authCode/oauth2/authorize Authorization Code Grant: Retrieve Authorization Code
post /authCode/oauth2/token/sg/gcb Authorization Code Grant: Retrieve Access Token
post /authCode/oauth2/refresh Authorization Code Grant: Refresh Access Token
post /authCode/oauth2/revoke Authorization Code Grant: Revoke Access Token
get /oauth2/mfa Multi-Factor Authentication
post /cardAuth/oauth2/authorize/{countrycode}/{businesscode} Enroll and Generate Card Access Token
post /cardAuth/oauth2/token/{countrycode}/{businesscode} Activate Card Access Token
post /cardAuth/oauth2/refresh Refresh Card Access Token
post /cardAuth/oauth2/revoke Revoke Card Access Token
post /v1/mfa/otp Generate and Send OTP
put /v1/mfa/otp Validate OTP
get /v1/security/e2eKey Retrieve E2E Public Key

Client Credentials Grant: Retrieve Access Token

post /clientCredentials/oauth2/token/sg/gcb
Description

This API is used to retrieve the access token for your application credentials. You can use this for APIs which do not require customer credential verification and consent (e.g. Onboarding).

Header Parameters
Authorization
string required
HTTP Basic authentication by passing base64 encoded value of the client id and client secret separated by colon (:).Example: Base64(client_id:client_secret) will be passed as Basic KGNsaWVudF9pZDpjbGllbnRfc2VjcmV0KQ==
Content-Type
string required
Value should always be application/x-www-form-urlencoded
FormData Parameters
grant_type
string required
The grant type. Valid value is client_credentials.
scope
string required
The set of scopes requested to make API calls. You can pass multiple values delimted by space
  • cURL
  • Ruby
  • Python
  • PHP
  • Java
  • Node
  • Go
  • Swift

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Responses
200

The request has succeeded
Definitions
  • access_token
    • The access token value received after exchanging the authorization token. This field should be passed as Authorization header in API request calls
    • type : string
  • refresh_token
    • You can use this token to refresh an expired access_token.
    • type : string
  • scope
    • Set of scopes allowed by customer and separated by space
    • type : string
  • token_type
    • Type of the access token issued. This is bearer token for authorization_code grant type
    • type : string
  • expires_in
    • Validity of access token in seconds
    • type : number
Example Response for post /clientCredentials/oauth2/token/sg/gcb
400

error
invalid_request
invalid_grant
unsupported_grant_type
unauthorized_client
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /clientCredentials/oauth2/token/sg/gcb
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
401

error
invalid_client
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /clientCredentials/oauth2/token/sg/gcb
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
500

server_error
This operation returns no content.

Authorization Code Grant: Retrieve Authorization Code

get /authCode/oauth2/authorize
Description

This API is used to validate the customer credentials in Citi login Page and redirect back the authorisation code post successful validation.

Query Parameters
response_type
string required
Value MUST be set to "code"
client_id
string required
Client ID generated during application registration.
scope
string required
The set of scopes required to make the API calls. Scope is case insensitive and multiple values can be passed using space delimiter.
countryCode
string required
Country code in 2 character ISO 3166 format
businessCode
string required
The 3 character business code. Use GCB for consumer banking
locale
string required
Locale identify a specific language and geographic region, it shoule follow [language[_territory]. eg - en_US, en_SG
state
string required
Opaque value to maintain the state between request and call back. This will be used to prevent cross-site request forgery.
redirect_uri
string required
Absolute uri for user-agent redirection.You should provide the uri used during client registration process.
  • cURL
  • Ruby
  • Python
  • PHP
  • Java
  • Node
  • Go
  • Swift

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Responses
200

Client Authentication
This operation returns no content.
302

The authorization response contains the authorization code needed to obtain an access token. Here are the parameters included in the response.
success response
field namefield typemandatorydescription
redirect_urilocationyesThis is the absolute uri provided in the request
codequeryyesThe authorization code
statequeryyesThe same value as sent by the client in the state parameter, if any

If an error occurs during authorization, two situations can occur. The first is, that the client is not authenticated or recognized. For instance, a wrong redirect URI was sent in the request. In that case the authorization server must not redirect the resource owner to the redirect URI. Instead it should inform the resource owner of the error. The second situation is that client is authenticated correctly, but that something else failed. In that case the following error response is sent to the client, included in the redirect_uri
failure response
field namefield typemandatorydescription
redirect_urilocationyesThis is the absolute uri provided in the request
statequeryyesThe same value as sent by the client in the state parameter, if any
errorqueryyes
error_descriptionqueryno
error_uriqueryno

Here is the list of errors:
error
invalid_request
unauthorized_client
unsupported_response_type
invalid_scope
access_denied
This operation returns no content.
500

server_error
This operation returns no content.
503

temporarily_unavailable
This operation returns no content.

Authorization Code Grant: Retrieve Access Token

post /authCode/oauth2/token/sg/gcb
Description

This API is used to validate the authorisation code and return back the access token.

Header Parameters
Authorization
string required
HTTP Basic authentication by passing base64 encoded value of the client id and client secret separated by colon (:).Example: Base64(client_id:client_secret) will be passed as Basic KGNsaWVudF9pZDpjbGllbnRfc2VjcmV0KQ==
Content-Type
string required
Value should always be application/x-www-form-urlencoded
FormData Parameters
grant_type
string required
Authentication grant type. Valid value is authorization_code
code
string required
The code from the response of GET /authCode/oauth2/authorize
redirect_uri
string required
Absolute uri for user-agent redirection. You should provide the uri passed in GET /authCode/oauth2/authorize request
  • cURL
  • Ruby
  • Python
  • PHP
  • Java
  • Node
  • Go
  • Swift

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Responses
200

The request has succeeded
Definitions
  • access_token
    • The access token value received after exchanging the authorization token. This field should be passed as Authorization header in API request calls
    • type : string
  • refresh_token
    • You can use this token to refresh an expired access_token.
    • type : string
  • scope
    • Set of scopes allowed by customer and separated by space
    • type : string
  • token_type
    • Type of the access token issued. This is bearer token for authorization_code grant type
    • type : string
  • expires_in
    • Validity of access token in seconds
    • type : number
Example Response for post /authCode/oauth2/token/sg/gcb
400

error
invalid_request
invalid_grant
unsupported_grant_type
unauthorized_client
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /authCode/oauth2/token/sg/gcb
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
401

error
invalid_client
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /authCode/oauth2/token/sg/gcb
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
500

server_error
This operation returns no content.

Authorization Code Grant: Refresh Access Token

post /authCode/oauth2/refresh
Description

This API is used to exchange for a new set of valid access and refresh tokens in case access token has expired and still have a valid refresh token.

Header Parameters
Authorization
string required
HTTP Basic authentication by passing base64 encoded value of the client id and client secret separated by colon (:).Example: Base64(client_id:client_secret) will be passed as Basic KGNsaWVudF9pZDpjbGllbnRfc2VjcmV0KQ==
Content-Type
string required
Content type. Value is application/x-www-form-urlencoded
FormData Parameters
grant_type
string required
The grant type. Valid value is refresh_token.
refresh_token
string required
The refresh token issued to the client
  • cURL
  • Ruby
  • Python
  • PHP
  • Java
  • Node
  • Go
  • Swift

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Responses
200

The request has succeeded
Definitions
  • access_token
    • This field should be passed as Authorization header in API request calls
    • type : string
  • refresh_token
    • The refresh token value
    • type : string
  • scope
    • The list of scopes separated by space
    • type : string
  • token_type
    • The token type
    • type : string
  • expires_in
    • The access token expiry time (in seconds)
    • type : number
Example Response for post /authCode/oauth2/refresh
400

error
invalid_request
invalid_grant
unsupported_grant_type
unauthorized_client
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /authCode/oauth2/refresh
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
401

error
invalid_client
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /authCode/oauth2/refresh
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
500

server_error
This operation returns no content.

Authorization Code Grant: Revoke Access Token

post /authCode/oauth2/revoke
Description

This API is used to revoke the access token. Along with the access token, the corresponding refresh token is also revoked and vice-versa.

Header Parameters
Authorization
string required
HTTP Basic authentication by passing base64 encoded value of the client id and client secret separated by colon (:).Example: Base64(client_id:client_secret) will be passed as Basic KGNsaWVudF9pZDpjbGllbnRfc2VjcmV0KQ==
Content-Type
string required
Content type. Value is application/x-www-form-urlencoded
FormData Parameters
token
string required
The token to be revoked
token_type_hint
string required
A hint about the type of the token submitted for revocation. Clients MAY pass this parameter in order to help the authorization server to optimize the token lookup. Valid values are access_token, refresh_token
  • cURL
  • Ruby
  • Python
  • PHP
  • Java
  • Node
  • Go
  • Swift

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Responses
200

The request has succeeded
Definitions
  • status
    • The status of the token revocation request.
    • type : string
Example Response for post /authCode/oauth2/revoke
400

error
invalid_request
invalid_grant
unauthorized_client
unsupported_grant_type
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /authCode/oauth2/revoke
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
401

error
invalid_client
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /authCode/oauth2/revoke
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
500

server_error
This operation returns no content.

Multi-Factor Authentication

get /oauth2/mfa
Description

This API is the first step of multi-factor authentication flow using authorization code grant. When the application gets an error response "mfaRequired", it should make a call to this API to redirect the user to Citi multi-factor authentication page.

Query Parameters
client_id
string required
Client ID generated during application registration.
mfaCode
string required
A valid mfa security token received in the 403 error response of the functional API call. Example KGNsaWVudF9pZDpjbGllbnRfc2VjcmV0KQ==
redirect_uri
string required
Absolute uri for user-agent redirection. You should provide the uri used during client registration process.
state
string required
Opaque value to maintain the state between request and call back. This will be used to prevent cross-site request forgery.
  • cURL
  • Ruby
  • Python
  • PHP
  • Java
  • Node
  • Go
  • Swift

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Responses
302

302 redirect will have the location header pointing to a new resource. The path will have specific query parameters as per the status of the response - success or failure
field namefield typedescription
redirect_urilocationThis is the absolute uri provided in the request
mfaStatusqueryreturned as 'success' when the mfa flow is completed successfully
statequeryecho back of the value sent in the request
errorqueryfield returned when an error occurs due to invalid inputs from client or server side fault. The possible values are as follows - invalid_request | unauthorized_client | access_denied | service_unavailable | temporary_unavailable
error_descriptionqueryAn optional parameter returned in few error scenarios with detailed description of the error for debugging.
This operation returns no content.

Enroll and Generate Card Access Token

post /cardAuth/oauth2/authorize/{countrycode}/{businesscode}
Description

This API is used to enroll the customer to avail services like Rewards Redemption, EPP, LOP etc. from the partner's site through a common registration.

Header Parameters
Authorization
string required
HTTP Basic authentication by passing base64 encoded value of the client id and client secret separated by colon (:).Example: Base64(client_id:client_secret) will be passed as Basic KGNsaWVudF9pZDpjbGllbnRfc2VjcmV0KQ==
uuid
string required
128 bit random UUID generated uniquely for every request.
Accept
string required
Content-Type that are acceptable for the response.
client_id
string required
Client ID generated during application registration.
Content-Type
string required
application/json
clientDetails
string Optional
This field is used to capture device,browser and network information. Refer the developer portal for more information.These are the fields which will be passed as part of the header devicePrint,deviceTokenCookie,userIpAddress,userAgent,hardwareId,simId,deviceModel,deviceName,deviceOsName,deviceOsVersion,multitaskingSupportFlag,languageSupport,wifiMacAddress,cellTowerId,locationAreaCode,rsaApplicationKey,wapClientId,mobileCarrierCode,mobileCountryCode,osId,geoLongitude,geoLatitude,geoHorizontalAccuracy,geoAltitude,geoAltitudeAccuracy,geoSpeed,geoTimestamp,geoStatus,basicServiceSetId,signalStrength,wifiChannel,serviceSetId
channelId
string Optional
ChannelId
ConsumerOrg
string Optional
ConsumerOrg
Body Parameters
CardAuthorizationRequest
required
CardAuthorizationRequest
Show schema
Path Parameters
countrycode
string required
Countrycode
businesscode
string required
Businesscode
  • cURL
  • Ruby
  • Python
  • PHP
  • Java
  • Node
  • Go
  • Swift

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Responses
200

Successful operation.
This operation returns no content.
400

TypeCodeDetails
invalidinvalid_requestMissing or invalid Parameters
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /cardAuth/oauth2/authorize/{countrycode}/{businesscode}
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
401

TypeCodeDetails
errorunAuthorizedAuthorization credentials are missing or invalid
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /cardAuth/oauth2/authorize/{countrycode}/{businesscode}
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
403

TypeCodeDetails
erroraccessNotConfiguredThe request operation is not configured to access this resource
errormfaRequiredMFA is required
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /cardAuth/oauth2/authorize/{countrycode}/{businesscode}
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
422

TypeCodeDetails
errorregistrationFailedRegistration failed
invalidinvalid_grantThe provided access grant is invalid, expired, or revoked
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /cardAuth/oauth2/authorize/{countrycode}/{businesscode}
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
500

TypeCodeDetails
fatalserverUnavailableThe request failed due to an internal error
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /cardAuth/oauth2/authorize/{countrycode}/{businesscode}
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}

Activate Card Access Token

post /cardAuth/oauth2/token/{countrycode}/{businesscode}
Description

This API activates customer's access token. Separate token activation is required for each credit card held by the customer.

Header Parameters
Authorization
string required
HTTP Basic authentication by passing base64 encoded value of the client id and client secret separated by colon (:).Example: Base64(client_id:client_secret) will be passed as Basic KGNsaWVudF9pZDpjbGllbnRfc2VjcmV0KQ==
uuid
string required
128 bit random UUID generated uniquely for every request.
Accept
string required
Content-Type that are acceptable for the response.
client_id
string required
Client ID generated during application registration.
Content-Type
string required
application/json
clientDetails
string Optional
This field is used to capture device,browser and network information. Refer the developer portal for more information.These are the fields which will be passed as part of the header devicePrint,deviceTokenCookie,userIpAddress,userAgent,hardwareId,simId,deviceModel,deviceName,deviceOsName,deviceOsVersion,multitaskingSupportFlag,languageSupport,wifiMacAddress,cellTowerId,locationAreaCode,rsaApplicationKey,wapClientId,mobileCarrierCode,mobileCountryCode,osId,geoLongitude,geoLatitude,geoHorizontalAccuracy,geoAltitude,geoAltitudeAccuracy,geoSpeed,geoTimestamp,geoStatus,basicServiceSetId,signalStrength,wifiChannel,serviceSetId
channelId
string Optional
channelId
ConsumerOrg
string Optional
ConsumerOrg
Body Parameters
CardAuthorizationAccessTokenRequest
required
CardAuthorizationAccessTokenRequest
Show schema
Path Parameters
countrycode
string required
Countrycode
businesscode
string required
Businesscode
  • cURL
  • Ruby
  • Python
  • PHP
  • Java
  • Node
  • Go
  • Swift

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Responses
200

Successful operation.
Definitions
  • token_type
    • The token type
    • type : string
  • expires_in
    • The access token expiry time (in seconds)
    • type : integer
    • format : int32
  • scope
    • The list of scopes separated by space
    • type : string
  • refresh_token
    • The refresh token value
    • type : string
  • cardId
    • The card id in encrypted format
    • type : string
  • access_token
    • This field should be passed as Authorization header in API request calls
    • type : string
  • refresh_token_expires_in
    • This refer to the time in refersh token expiry
    • type : integer
  • consented_on
    • This refer to the customer consent time for authorization
    • type : string
  • customerId
    • Customer number in the encrypted format
    • type : string
  • cardReferenceNumber
    • Partner will include Card reference number in the settlement file to sent it to Citi to aprove the purchase
    • type : string
Example Response for post /cardAuth/oauth2/token/{countrycode}/{businesscode}
400

TypeCodeDetails
invalidinvalidRequestMissing or invalid Parameters
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /cardAuth/oauth2/token/{countrycode}/{businesscode}
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
401

TypeCodeDetails
errorunAuthorizedAuthorization credentials are missing or invalid
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /cardAuth/oauth2/token/{countrycode}/{businesscode}
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
403

TypeCodeDetails
erroraccessNotConfiguredThe request operation is not configured to access this resource
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /cardAuth/oauth2/token/{countrycode}/{businesscode}
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
422

TypeCodeDetails
erroractivationFailedLink code activation is failed
errorexceedsMaximumAttemptsMaximum attempts exceeded for activation. Link credit card to a merchant again.
errorlinkageConfirmationCodeExpiredThe linkage confirmation Code is expired . Link credit card to a merchant again.
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /cardAuth/oauth2/token/{countrycode}/{businesscode}
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
500

TypeCodeDetails
fatalserverUnavailableThe request failed due to an internal error
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /cardAuth/oauth2/token/{countrycode}/{businesscode}
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}

Refresh Card Access Token

post /cardAuth/oauth2/refresh
Description

This API generates a fresh access token. If your access token has expired and you still have a valid refresh token, you can exchange it for a new set of valid access and refresh tokens.

Header Parameters
Authorization
string required
HTTP Basic authentication by passing base64 encoded value of the client id and client secret separated by colon (:).Example: Base64(client_id:client_secret) will be passed as Basic KGNsaWVudF9pZDpjbGllbnRfc2VjcmV0KQ==
uuid
string required
128 bit random UUID generated uniquely for every request.
Accept
string required
Content-Type that are acceptable for the response.
client_id
string required
Client ID generated during application registration.
Content-Type
string required
application/json
clientDetails
string Optional
This field is used to capture device,browser and network information. Refer the developer portal for more information.These are the fields which will be passed as part of the header devicePrint,deviceTokenCookie,userIpAddress,userAgent,hardwareId,simId,deviceModel,deviceName,deviceOsName,deviceOsVersion,multitaskingSupportFlag,languageSupport,wifiMacAddress,cellTowerId,locationAreaCode,rsaApplicationKey,wapClientId,mobileCarrierCode,mobileCountryCode,osId,geoLongitude,geoLatitude,geoHorizontalAccuracy,geoAltitude,geoAltitudeAccuracy,geoSpeed,geoTimestamp,geoStatus,basicServiceSetId,signalStrength,wifiChannel,serviceSetId
Body Parameters
CardAuthorizationRefreshTokenRequest
required
CardAuthorizationRefreshTokenRequest
Show schema
  • cURL
  • Ruby
  • Python
  • PHP
  • Java
  • Node
  • Go
  • Swift

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Responses
200

Successful operation.
Definitions
  • token_type
    • The token type
    • type : string
  • access_token
    • This field should be passed as Authorization header in API request calls
    • type : string
  • expires_in
    • The access token expiry time (in seconds)
    • type : integer
    • format : int32
  • scope
    • The list of scopes separated by space
    • type : string
  • refresh_token
    • The refresh token value
    • type : string
  • cardId
    • The card id in encrypted format
    • type : string
Example Response for post /cardAuth/oauth2/refresh
400

TypeCodeDetails
invalidinvalidRequestMissing or invalid Parameters
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /cardAuth/oauth2/refresh
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
401

TypeCodeDetails
errorunAuthorizedAuthorization credentials are missing or invalid
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /cardAuth/oauth2/refresh
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
403

TypeCodeDetails
erroraccessNotConfiguredThe request operation is not configured to access this resource
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /cardAuth/oauth2/refresh
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
422

TypeCodeDetails
invalidinvalid_grantThe provided access grant is invalid, expired, or revoked
errorunsupported_grant_typegrant type not supported
errorunauthorized_clientThe client is not authorized to request an authorization code using this method
errorinvalidCustomerCustomer not found or invalid
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /cardAuth/oauth2/refresh
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
500

TypeCodeDetails
fatalserverUnavailableThe request failed due to an internal error
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /cardAuth/oauth2/refresh
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}

Revoke Card Access Token

post /cardAuth/oauth2/revoke
Description

This API is used to revoke the access token. The revoke call will terminate the access granted by Citi customer to avail services from your application.

Header Parameters
Authorization
string required
HTTP Basic authentication by passing base64 encoded value of the client id and client secret separated by colon (:).Example: Base64(client_id:client_secret) will be passed as Basic KGNsaWVudF9pZDpjbGllbnRfc2VjcmV0KQ==
uuid
string required
128 bit random UUID generated uniquely for every request.
Accept
string required
Content-Type that are acceptable for the response.
client_id
string required
Client ID generated during application registration.
Content-Type
string required
application/json
clientDetails
string Optional
This field is used to capture device,browser and network information. Refer the developer portal for more information.These are the fields which will be passed as part of the header devicePrint,deviceTokenCookie,userIpAddress,userAgent,hardwareId,simId,deviceModel,deviceName,deviceOsName,deviceOsVersion,multitaskingSupportFlag,languageSupport,wifiMacAddress,cellTowerId,locationAreaCode,rsaApplicationKey,wapClientId,mobileCarrierCode,mobileCountryCode,osId,geoLongitude,geoLatitude,geoHorizontalAccuracy,geoAltitude,geoAltitudeAccuracy,geoSpeed,geoTimestamp,geoStatus,basicServiceSetId,signalStrength,wifiChannel,serviceSetId
Body Parameters
CardAuthorizationRevokeTokenRequest
required
CardAuthorizationRevokeTokenRequest
Show schema
  • cURL
  • Ruby
  • Python
  • PHP
  • Java
  • Node
  • Go
  • Swift

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Responses
200

Successful operation.
This operation returns no content.
400

TypeCodeDetails
invalidinvalidRequestMissing or invalid Parameters
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /cardAuth/oauth2/revoke
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
401

TypeCodeDetails
errorunAuthorizedAuthorization credentials are missing or invalid
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /cardAuth/oauth2/revoke
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
403

TypeCodeDetails
erroraccessNotConfiguredThe request operation is not configured to access this resource
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /cardAuth/oauth2/revoke
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
422

TypeCodeDetails
invalidinvalid_grantThe provided access grant is invalid, expired, or revoked
errorunsupported_grant_typegrant type not supported
errorunauthorized_clientThe client is not authorized to request an authorization code using this method
errorinvalidCustomerCustomer not found or invalid
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /cardAuth/oauth2/revoke
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
500

TypeCodeDetails
fatalserverUnavailableThe request failed due to an internal error
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /cardAuth/oauth2/revoke
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}

Generate and Send OTP

post /v1/mfa/otp
Description

This API allows to generate the one time password and delivers to customer.

Header Parameters
Authorization
string required
The most recent Authorization token. This will have the format Bearer + {space} + {accessToken}. Example: Bearer KGNsaWVudF9pZDpjbGllbnRfc2VjcmV0KQ==.
uuid
string required
128 bit random UUID generated uniquely for every request.
Accept
string required
Content-Type that are acceptable for the response.
Content-Type
string required
application/json
client_id
string required
Client ID generated during application registration.
clientDetails
string Optional
This field is used to capture device,browser and network information. Refer the developer portal for more information.These are the fields which will be passed as part of the header devicePrint,deviceTokenCookie,userIpAddress,userAgent,hardwareId,simId,deviceModel,deviceName,deviceOsName,deviceOsVersion,multitaskingSupportFlag,languageSupport,wifiMacAddress,cellTowerId,locationAreaCode,rsaApplicationKey,wapClientId,mobileCarrierCode,mobileCountryCode,osId,geoLongitude,geoLatitude,geoHorizontalAccuracy,geoAltitude,geoAltitudeAccuracy,geoSpeed,geoTimestamp,geoStatus,basicServiceSetId,signalStrength,wifiChannel,serviceSetId
Body Parameters
GeneratOTPRequest
required
OTP request with required details to generate and send OTP to customer.
Show schema
  • cURL
  • Ruby
  • Python
  • PHP
  • Java
  • Node
  • Go
  • Swift

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Responses
200

Successful operation.
Definitions
  • maskedPhoneNumber
    • type : string
    • The Customer's phone number having last four digits unmasked
Example Response for post /v1/mfa/otp
400

TypeCodeDetails
invalidinvalidRequestMissing or invalid Parameters
errormaximumAttemptsLimitExceededMax Attempt count reached
errorphoneNumberNotFoundMissing mobile phone number
errorsmsDeliveryFailedSMS delivery failed
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /v1/mfa/otp
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
401

errorunAuthorizedAuthorization credential is missing or invalid
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /v1/mfa/otp
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
403

erroraccessNotConfiguredAccess is not configured for this resource
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /v1/mfa/otp
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
500

fatalserverUnavailableThe request failed due to an internal error
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for post /v1/mfa/otp
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}

Validate OTP

put /v1/mfa/otp
Description

This API validates the OTP token submitted by the customer.

Header Parameters
Authorization
string required
The most recent Authorization token. This will have the format Bearer + {space} + {accessToken}. Example: Bearer KGNsaWVudF9pZDpjbGllbnRfc2VjcmV0KQ==.
uuid
string required
128 bit random UUID generated uniquely for every request.
Accept
string required
Content-Type that are acceptable for the response.
Content-Type
string required
application/json
client_id
string required
Client ID generated during application registration.
clientDetails
string Optional
This field is used to capture device,browser and network information. Refer the developer portal for more information.These are the fields which will be passed as part of the header devicePrint,deviceTokenCookie,userIpAddress,userAgent,hardwareId,simId,deviceModel,deviceName,deviceOsName,deviceOsVersion,multitaskingSupportFlag,languageSupport,wifiMacAddress,cellTowerId,locationAreaCode,rsaApplicationKey,wapClientId,mobileCarrierCode,mobileCountryCode,osId,geoLongitude,geoLatitude,geoHorizontalAccuracy,geoAltitude,geoAltitudeAccuracy,geoSpeed,geoTimestamp,geoStatus,basicServiceSetId,signalStrength,wifiChannel,serviceSetId
Body Parameters
ValidateOTPRequest
required
Otp request with the required details to validate otp token.
Show schema
  • cURL
  • Ruby
  • Python
  • PHP
  • Java
  • Node
  • Go
  • Swift

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Responses
200

Successful operation.
This operation returns no content.
400

TypeCodeDetails
invalidinvalidRequestMissing or invalid Parameters
errorinvalidOTPInvalid OTP
errormaximumAttemptsLimitExceededMax number of one-time password failures exceeded
errorotpTokenExpiredOTP Token Expired
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for put /v1/mfa/otp
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
401

errorunAuthorizedAuthorization credential is missing or invalid
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for put /v1/mfa/otp
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
403

erroraccessNotConfiguredAccess is not configured for this resource
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for put /v1/mfa/otp
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
500

fatalserverUnavailableThe request failed due to an internal error
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for put /v1/mfa/otp
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}

Retrieve E2E Public Key

get /v1/security/e2eKey
Description

This API is used by browser based applications for retrieving the public key used for encryption. It returns the modulus and exponent for setting up a business public key.

Header Parameters
Authorization
string required
The most recent Authorization token. This will have the format Bearer + {space} + {accessToken}. Example: Bearer KGNsaWVudF9pZDpjbGllbnRfc2VjcmV0KQ==.
uuid
string required
128 bit random UUID generated uniquely for every request.
Accept
string required
Content-Type that are acceptable for the response.
client_id
string required
Client ID generated during application registration.
clientDetails
string Optional
This field is used to capture device,browser and network information. Refer the developer portal for more information.These are the fields which will be passed as part of the header devicePrint,deviceTokenCookie,userIpAddress,userAgent,hardwareId,simId,deviceModel,deviceName,deviceOsName,deviceOsVersion,multitaskingSupportFlag,languageSupport,wifiMacAddress,cellTowerId,locationAreaCode,rsaApplicationKey,wapClientId,mobileCarrierCode,mobileCountryCode,osId,geoLongitude,geoLatitude,geoHorizontalAccuracy,geoAltitude,geoAltitudeAccuracy,geoSpeed,geoTimestamp,geoStatus,basicServiceSetId,signalStrength,wifiChannel,serviceSetId
  • cURL
  • Ruby
  • Python
  • PHP
  • Java
  • Node
  • Go
  • Swift

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Example Request

Responses
200

Successful operation.
Definitions
  • modulus
    • Public key modulus to be used for encrypting the password,otp..etc
    • type : string
  • exponent
    • Public key exponent to to be used for encrypting the password,otp..etc
    • type : string
Example Response for get /v1/security/e2eKey
400

TypeCodeDetails
invalidinvalidRequestMissing or invalid Parameters
errorcannotRetrieveKeyInfocannot retrieve public key.
errore2eDisabledE2E is disabled.
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for get /v1/security/e2eKey
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
401

errorunAuthorizedAuthorization credentials are missing or invalid
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for get /v1/security/e2eKey
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
403

erroraccessNotConfiguredThe request operation is not configured to access this resource
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for get /v1/security/e2eKey
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
404

errorresourceNotFoundEmpty resource/resource not found
Definitions
  • error_description
    • Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred
    • type : string
  • error
    • If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    • type : string
    • enum : invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, unsupported_token_type
  • error_uri
    • A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
    • type : string
  • required
    • error
Response Schema for get /v1/security/e2eKey
{
    "properties": {
        "error_description": {
            "description": "Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred",
            "type": "string"
        },
        "error": {
            "description": "If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.",
            "type": "string",
            "enum": [
                "invalid_request",
                "unauthorized_client",
                "access_denied",
                "unsupported_response_type",
                "invalid_scope",
                "server_error",
                "temporarily_unavailable",
                "unsupported_token_type"
            ]
        },
        "error_uri": {
            "description": "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.",
            "type": "string"
        }
    },
    "required": [
        "error"
    ]
}
500

fatalserverUnavailableThe request failed due to an internal error/server unavailability
Definitions