Buyer Authorised Users

Buyers can invite authorised users to access their account. Once on-boarded, authorised users can transact on behalf of the identity they are on-boarded with.

Authorised users are typically employees who have access to the company's banking accounts.

Note that /users endpoints are to be used only for performing operations related to authorised users - getting or updating the details of admin users is to be done via /buyers endpoints.

Create a user

Creates a user that belongs to the same buyer as the logged-in user. Creating an authorised user requires a stepped-up token. After calling this endpoint you need to step up (issue a challenge via /stepup/challenges/otp/{channel}). More details on how to step up a token can be found in Step-Up.

Once on-boarded, users have access to and can manage the buyer's payment runs.

Users are assigned roles which limit the level of access they have and what they can do on behalf of the buyer.

Required user roles: ADMIN OR USER MANAGER

Security: apiKey and authToken
Request
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
required
name
required
string [ 1 .. 20 ] characters

The first name of the user.

surname
required
string [ 1 .. 20 ] characters

The last name of the user.

email
required
string <email>

E-mail Address of the user

mobile
object

Mobile number of the user.

dateOfBirth
object

Date of birth of the authorised user.

roles
required
Array of strings non-empty

Roles define the level of access assigned to the user.

  • CREATOR: Users assigned this role can create, view and update payment runs.
  • CONTROLLER: Users assigned this role can view and link their company's bank accounts as well as fund payment runs.
  • USER MANAGER: Users assigned this role can manage users and their roles.
Items Enum: "CREATOR" "CONTROLLER" "USER MANAGER"
Responses
200

Success

400

Bad Request Error - Your request is invalid.

401

Unauthorized - Your credentials or access token are invalid.

403

Forbidden - Access to the requested resource or action is forbidden.

409

Conflict

413

Content Too Large

422

Unprocessable Entity

429

Too many requests.

500

Internal Server Error - There is a problem with the server. Please try again later.

503

Service Unavailable - We're temporarily offline for maintenance. Please try again later.

default

Error

POST /v1/users
Request samples
application/json
{
  "name": "string",
  "surname": "string",
  "email": "user@example.com",
  "mobile": { },
  "dateOfBirth": { },
  "roles": [ ]
}
Response samples
application/json
{
  "id": "string",
  "buyerId": "string",
  "name": "string",
  "surname": "string",
  "email": "user@example.com",
  "mobile": { },
  "active": true,
  "dateOfBirth": { },
  "roles": [ ],
  "addedBy": { }
}

Get all users

Fetches all authorised users associated with the buyer that the logged-in user belongs to.

Required user roles: ADMIN OR USER MANAGER

Security: apiKey and authToken
Request
query Parameters
offset
integer <int32> >= 0
Default: 0

The offset value for paging, indicating the initial item number to be returned from the data set satisfying the given criteria. Leave out to fetch the first page of results.

limit
integer <int32> [ 1 .. 100 ]
Default: 100

The limit of the results for paging, starting at the offset. Limit is always capped at 100.

active
boolean

Filter for active or deactivated users. Leave out to fetch all users.

email
string <email>

Filter for users with the specified email address.

Responses
200

Success

400

Bad Request Error - Your request is invalid.

401

Unauthorized - Your credentials or access token are invalid.

403

Forbidden - Access to the requested resource or action is forbidden.

429

Too many requests.

500

Internal Server Error - There is a problem with the server. Please try again later.

503

Service Unavailable - We're temporarily offline for maintenance. Please try again later.

default

Error

GET /v1/users
Response samples
application/json
{
  "users": [ ],
  "count": 0,
  "responseCount": 0
}
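
The offset/limit paging above, combined with a review of the role assignments it returns, as an added example that is not part of the original API reference. The `fetch_page` callable, the sample users and the three review rules are assumptions made for illustration; list items are assumed to have the same fields as the single-user response sample.

```python
PAGE_LIMIT = 100  # the API caps `limit` at 100
TRANSACTING = {"CREATOR", "CONTROLLER"}

def iter_users(fetch_page, limit=PAGE_LIMIT):
    """Yield every authorised user by walking the offset/limit pages.

    fetch_page(offset, limit) is a caller-supplied (hypothetical) function that
    performs GET /v1/users and returns the parsed JSON body.
    """
    limit = max(1, min(limit, PAGE_LIMIT))
    offset = 0
    while True:
        page = fetch_page(offset, limit).get("users", [])
        yield from page
        if len(page) < limit:  # short or empty page: no more results
            return
        offset += len(page)

def audit_roles(users):
    """Return (user id, finding) pairs for role assignments worth a review."""
    findings = []
    for user in users:
        roles = set(user.get("roles", []))
        if not user.get("active", False):
            # Deactivated users cannot log in, but they can be re-activated.
            if roles:
                findings.append((user["id"], "deactivated user still holds roles"))
            continue
        if TRANSACTING <= roles:
            findings.append((user["id"], "can both create and fund payment runs"))
        if "USER MANAGER" in roles and roles & TRANSACTING:
            findings.append((user["id"], "can manage roles and also transact"))
    return findings

# Constructed sample data, not real users.
SAMPLE_USERS = [
    {"id": "1001", "active": True, "roles": ["CREATOR"]},
    {"id": "1002", "active": True, "roles": ["CREATOR", "CONTROLLER"]},
    {"id": "1003", "active": True, "roles": ["USER MANAGER", "CONTROLLER"]},
    {"id": "1004", "active": False, "roles": ["CONTROLLER"]},
    {"id": "1005", "active": True, "roles": ["USER MANAGER"]},
]

def fake_fetch_page(offset, limit):
    """Offline stand-in for GET /v1/users?offset=..&limit=.. (constructed)."""
    chunk = SAMPLE_USERS[offset:offset + limit]
    return {"users": chunk, "count": len(SAMPLE_USERS), "responseCount": len(chunk)}

if __name__ == "__main__":
    for user_id, finding in audit_roles(iter_users(fake_fetch_page, limit=2)):
        print(user_id, finding)
```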

Get a user

Retrieves the user identified by the user_id path parameter.

Required user roles: ADMIN OR USER MANAGER

Security: apiKey and authToken
Request
path Parameters
user_id
required
string ^[0-9]+$

The unique identifier for the user.

Example: 110747174434373672
Responses
200

Success

400

Bad Request Error - Your request is invalid.

401

Unauthorized - Your credentials or access token are invalid.

403

Forbidden - Access to the requested resource or action is forbidden.

404

Not found - The requested resource couldn't be found.

429

Too many requests.

500

Internal Server Error - There is a problem with the server. Please try again later.

503

Service Unavailable - We're temporarily offline for maintenance. Please try again later.

default

Error

GET /v1/users/{user_id}
Response samples
application/json
{
  "id": "string",
  "buyerId": "string",
  "name": "string",
  "surname": "string",
  "email": "user@example.com",
  "mobile": { },
  "active": true,
  "dateOfBirth": { },
  "roles": [ ],
  "addedBy": { }
}

Update a user

Updates the details of the user identified by the user_id path parameter. After calling this endpoint you need to step up (issue a challenge via /stepup/challenges/otp/{channel}). More details on how to step up a token can be found in Step-Up.

Only the fields that are specified in the request body will be updated. All other fields will remain unchanged.

When patching a mobile number, the new mobile number should be enrolled for Additional Factors.

Required user roles: ADMIN OR USER MANAGER

Security: apiKey and authToken
Request
path Parameters
user_id
required
string ^[0-9]+$

The unique identifier for the user.

Example: 110747174434373672
Request Body schema: application/json
required
name
string <= 20 characters

The first name of the user.

surname
string <= 20 characters

The last name of the user.

email
string <email>

E-mail Address of the user

mobile
object

Mobile number of the user.

dateOfBirth
object

Date of birth of the authorised user.

roles
Array of strings non-empty

Roles define the level of access assigned to the user.

  • CREATOR: Users assigned this role can create, view and update payment runs.
  • CONTROLLER: Users assigned this role can view and link their company's bank accounts as well as fund payment runs.
  • USER MANAGER: Users assigned this role can manage users and their roles.
Items Enum: "CREATOR" "CONTROLLER" "USER MANAGER"
Responses
200

Success

400

Bad Request Error - Your request is invalid.

401

Unauthorized - Your credentials or access token are invalid.

403

Forbidden - Access to the requested resource or action is forbidden.

404

Not found - The requested resource couldn't be found.

409

Conflict

429

Too many requests.

500

Internal Server Error - There is a problem with the server. Please try again later.

503

Service Unavailable - We're temporarily offline for maintenance. Please try again later.

default

Error

PATCH /v1/users/{user_id}
Request samples
application/json
{
  "name": "string",
  "surname": "string",
  "email": "user@example.com",
  "mobile": { },
  "dateOfBirth": { },
  "roles": [ ]
}
Response samples
application/json
{
  "id": "string",
  "buyerId": "string",
  "name": "string",
  "surname": "string",
  "email": "user@example.com",
  "mobile": { },
  "active": true,
  "dateOfBirth": { },
  "roles": [ ],
  "addedBy": { }
}

Activate a user

Activate the user identified by the user_id path parameter.

By default, any new users created will be automatically activated. This operation needs to be used only if the user was previously de-activated using the userDeactivate operation, or if the user was de-activated automatically after multiple incorrect login attempts.

Required user roles: ADMIN OR USER MANAGER

Security: apiKey and authToken
Request
path Parameters
user_id
required
string ^[0-9]+$

The unique identifier for the user.

Example: 110747174434373672
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses
204

Success - No Content.

400

Bad Request Error - Your request is invalid.

401

Unauthorized - Your credentials or access token are invalid.

403

Forbidden - Access to the requested resource or action is forbidden.

404

Not found - The requested resource couldn't be found.

409

Conflict

413

Content Too Large

422

Unprocessable Entity

429

Too many requests.

500

Internal Server Error - There is a problem with the server. Please try again later.

503

Service Unavailable - We're temporarily offline for maintenance. Please try again later.

default

Error

POST /v1/users/{user_id}/activate
Response samples
application/json
{
  "message": "string",
  "syntaxErrors": { }
}

Deactivate a user

De-activate the user identified by the user_id path parameter.

Deactivated users cannot log in or execute any operations with their credentials.

This operation is not final and a user can be re-activated using the userActivate operation. Note that another active user would need to log in to re-activate the de-activated user.

Required user roles: ADMIN OR USER MANAGER

Security: apiKey and authToken
Request
path Parameters
user_id
required
string ^[0-9]+$

The unique identifier for the user.

Example: 110747174434373672
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses
204

Success - No Content.

400

Bad Request Error - Your request is invalid.

401

Unauthorized - Your credentials or access token are invalid.

403

Forbidden - Access to the requested resource or action is forbidden.

404

Not found - The requested resource couldn't be found.

409

Conflict

413

Content Too Large

422

Unprocessable Entity

429

Too many requests.

500

Internal Server Error - There is a problem with the server. Please try again later.

503

Service Unavailable - We're temporarily offline for maintenance. Please try again later.

default

Error

POST /v1/users/{user_id}/deactivate
Response samples
application/json
{
  "message": "string",
  "syntaxErrors": { }
}

Send a user invite

Once a user is created using the userCreate operation, the user needs to set up his/her password.

An invitation needs to be sent to the user so that the password can be set up for the first time. The invitation email, which remains valid for 1 month, will contain a URL with all the information required to set up the password via the userInviteConsume operation.

Required user roles: ADMIN OR USER MANAGER

Security: apiKey and authToken
Request
path Parameters
user_id
required
string ^[0-9]+$

The unique identifier for the user.

Example: 110747174434373672
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses
204

Success - No Content.

400

Bad Request Error - Your request is invalid.

401

Unauthorized - Your credentials or access token are invalid.

403

Forbidden - Access to the requested resource or action is forbidden.

404

Not found - The requested resource couldn't be found.

409

Conflict

413

Content Too Large

422

Unprocessable Entity

429

Too many requests.

500

Internal Server Error - There is a problem with the server. Please try again later.

503

Service Unavailable - We're temporarily offline for maintenance. Please try again later.

default

Error

POST /v1/users/{user_id}/invite
Response samples
application/json
{
  "message": "string",
  "syntaxErrors": { }
}
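
One way a caller can use the idempotency-ref header described above so that a retried invite is not sent twice, as an added example that is not part of the original API reference. The `send` transport callable and the `FakeInviteApi` stand-in are hypothetical, and the stand-in assumes that a repeated idempotency-ref for the same operation is not executed again.

```python
import time
import uuid

RETRYABLE = {429, 500, 503}  # responses the page describes with "try again later" or rate limiting

def call_with_idempotency(send, method, path, body=None,
                          attempts=4, base_delay=0.5, sleep=time.sleep):
    """Send one logical operation, reusing a single idempotency-ref on every retry.

    send(method, path, headers, body) -> HTTP status code (hypothetical transport).
    Returns (final status, idempotency-ref used).
    """
    ref = str(uuid.uuid4())  # generated once per logical operation, not per attempt
    headers = {"idempotency-ref": ref}
    status = None
    for attempt in range(attempts):
        status = send(method, path, headers, body)
        if status not in RETRYABLE:
            break
        if attempt < attempts - 1:
            sleep(base_delay * 2 ** attempt)  # exponential back-off between attempts
    return status, ref

class FakeInviteApi:
    """Constructed offline stand-in for POST /v1/users/{user_id}/invite.

    Assumption: the side effect runs once per (operation, idempotency-ref), even
    when the caller only sees an error status for the first attempt.
    """
    def __init__(self, failures):
        self.failures = list(failures)  # statuses returned before a 204
        self.seen = set()
        self.invites_sent = 0

    def send(self, method, path, headers, body):
        key = (method, path, headers["idempotency-ref"])
        if key not in self.seen:
            self.seen.add(key)
            self.invites_sent += 1
        return self.failures.pop(0) if self.failures else 204

if __name__ == "__main__":
    api = FakeInviteApi([503, 429])
    path = "/v1/users/110747174434373672/invite"
    print(call_with_idempotency(api.send, "POST", path, sleep=lambda s: None))
    print("invites sent:", api.invites_sent)
```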

Validate a user invite

Check if a user's invite is still valid. This operation is useful to avoid having the user fill in a form only to be held up by a validation issue (e.g. an expired invite).

Security: apiKey
Request
path Parameters
user_id
required
string ^[0-9]+$

The unique identifier for the user.

Example: 110747174434373672
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
required
inviteCode
required
string = 6 characters ^[0-9]*$

A randomly generated one-time use code.

Responses
204

Success - No Content.

400

Bad Request Error - Your request is invalid.

401

Unauthorized - Your credentials or access token are invalid.

403

Forbidden - Access to the requested resource or action is forbidden.

404

Not found - The requested resource couldn't be found.

409

Conflict

413

Content Too Large

422

Unprocessable Entity

429

Too many requests.

500

Internal Server Error - There is a problem with the server. Please try again later.

503

Service Unavailable - We're temporarily offline for maintenance. Please try again later.

default

Error

POST /v1/users/{user_id}/invite/validate
Request samples
application/json
{
  "inviteCode": "string"
}
Response samples
application/json
{
  "message": "string",
  "syntaxErrors": { }
}

Consume a user invite

Consumes an invitation previously sent to the user via userInviteSend. This is needed so that the invited user sets up the password.

Note that on the Sandbox Environment, the inviteCode is always set to "123456".

Security: apiKey
Request
path Parameters
user_id
required
string ^[0-9]+$

The unique identifier for the user.

Example: 110747174434373672
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
required
inviteCode
required
string = 6 characters ^[0-9]*$

A randomly generated one-time use code.

password
required
object

The user's password or passcode used to log in a user. Passwords must:

  • be between 8 and 30 characters long
  • include a lowercase character
  • include an uppercase character
  • include a digit and a special character
  • be different from any of the last 5 passwords used.

For non-PCI compliant integrations, the password submitted must be tokenised.

Responses
200

Success

400

Bad Request Error - Your request is invalid.

401

Unauthorized - Your credentials or access token are invalid.

403

Forbidden - Access to the requested resource or action is forbidden.

404

Not found - The requested resource couldn't be found.

409

Conflict

413

Content Too Large

422

Unprocessable Entity

429

Too many requests.

500

Internal Server Error - There is a problem with the server. Please try again later.

503

Service Unavailable - We're temporarily offline for maintenance. Please try again later.

default

Error

POST /v1/users/{user_id}/invite/consume
Request samples
application/json
{
  "inviteCode": "string",
  "password": { }
}
Response samples
application/json
{
  "token": "string"
}
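
A client-side pre-check of the inviteCode format and the password rules listed above, run before the consume call is made, as an added example that is not part of the original API reference. The function names and sample values are constructed, and "special character" is assumed to mean ASCII punctuation because the page does not define it.

```python
import re
import string

# Schema: inviteCode is exactly 6 characters matching ^[0-9]*$.
# fullmatch() is used on purpose: with re.match(), "$" also accepts a trailing
# newline, so "12345\n" (6 characters) would pass. [0-9] rather than \d keeps
# non-ASCII digits out.
INVITE_CODE = re.compile(r"[0-9]{6}")

# Assumption: ASCII punctuation counts as "special".
SPECIALS = frozenset(string.punctuation)

RULES = (
    ("length must be between 8 and 30 characters", lambda p: 8 <= len(p) <= 30),
    ("needs a lowercase character", lambda p: any(c.islower() for c in p)),
    ("needs an uppercase character", lambda p: any(c.isupper() for c in p)),
    ("needs a digit", lambda p: any(c in string.digits for c in p)),
    ("needs a special character", lambda p: any(c in SPECIALS for c in p)),
)

def password_violations(password):
    """Return the policy rules the candidate password breaks.

    The "different from the last 5 passwords" rule is not checked here: only
    the server knows the password history.
    """
    return [message for message, ok in RULES if not ok(password)]

def precheck_consume(invite_code, password):
    """Return every problem found in the inputs for the consume request."""
    problems = []
    if not (isinstance(invite_code, str) and INVITE_CODE.fullmatch(invite_code)):
        problems.append("inviteCode must be exactly 6 ASCII digits")
    problems.extend(password_violations(password))
    return problems

if __name__ == "__main__":
    # Constructed sample values.
    print(precheck_consume("123456", "Str0ng!Pass"))
    print(precheck_consume("12345\n", "short1!"))
```

The check runs on the raw password, so in a tokenised integration it belongs at the point where the user types the password, before tokenisation.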

Send an email verification code to the authorised user

The first step in verifying an authorised user's email. The authorised user whose email address is to be verified is sent an email containing a randomly generated code.

This code must then be provided in the authorisedUserEmailVerify operation to verify the authorised user's email address.

Note that on the Sandbox Environment, the verificationCode is always set to "123456".

Security: apiKey
Request
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
required
email
required
string <email>

E-mail Address of the user

Responses
204

Success - No Content.

400

Bad Request Error - Your request is invalid.

401

Unauthorized - Your credentials or access token are invalid.

403

Forbidden - Access to the requested resource or action is forbidden.

409

Conflict

413

Content Too Large

422

Unprocessable Entity

429

Too many requests.

500

Internal Server Error - There is a problem with the server. Please try again later.

503

Service Unavailable - We're temporarily offline for maintenance. Please try again later.

default

Error

POST /v1/users/verification/email/send
Request samples
application/json
{
  "email": "user@example.com"
}
Response samples
application/json
{
  "message": "string",
  "syntaxErrors": { }
}

Verify email of the authorised user

The second step in verifying the authorised user's email. The randomly generated code sent to the authorised user via email, using the authorisedUserEmailVerificationCodeSend operation, is submitted here to verify the authorised user's email.

This is needed as part of the verification process for basic due diligence.

Note that on the Sandbox Environment, the verificationCode is always set to "123456".

Security: apiKey
Request
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
required
email
required
string <email>

E-mail Address of the user

verificationCode
required
string = 6 characters ^[0-9]+$

A randomly generated one-time use code used to verify the user's email address or mobile number.

Responses
204

Success - No Content.

400

Bad Request Error - Your request is invalid.

401

Unauthorized - Your credentials or access token are invalid.

403

Forbidden - Access to the requested resource or action is forbidden.

409

Conflict

413

Content Too Large

422

Unprocessable Entity

429

Too many requests.

500

Internal Server Error - There is a problem with the server. Please try again later.

503

Service Unavailable - We're temporarily offline for maintenance. Please try again later.

default

Error

POST /v1/users/verification/email/verify
Request samples
application/json
{
  "email": "user@example.com",
  "verificationCode": "string"
}
Response samples
application/json
{
  "message": "string",
  "syntaxErrors": { }
}