Account Management API (LATEST)

API Integration Support: integration@dintero.com
License: UNLICENSED

API for managing accounts and authentication

Changelog

All notable changes to the API.

2021-02-01

Break: Require ident_type and ident to be included when requesting a token with grant_type=authorization_code

Add support for sending the verification code for passwordless login via SMS, and session_id={uuid} to resend the same verification code again.

Remove unsupported request options, send=link and type=account.

2021-01-01

Add support for logging on without MFA even if configured with MFA

Add support for managing account users scopes with roles.

2020-11-01

Extend the endpoint for getting user accounts to include the account's display_name and icon_url.

Add support for account users authenticated by external Identity providers. External authentication is limited to account users created with authentication_type=external.

The following endpoints have been updated to allow Bearer authorization using an ID token issued by an external Identity provider.

Account has been updated with the jwks.uri property, which is required to validate the ID tokens issued by external identity providers.

2020-09-01

Add new endpoint for handling an HTTP redirect with an ID token query parameter

Add new endpoint for uploading assets

2020-01-31

Add support for applicant.agreement.attachments

Add support for enabling MFA (OOB) for auth users.

2019-12-31

Extend the AccountApplicant with support for promo_code and utm campaign codes.

2019-11-31

Add support for creating a client with a description

2019-09-31

Extend settings with PayEx connections

2019-06-31

The scopes required for accessing endpoints have changed. We will continue to support the old scopes, but they have been removed from the documentation.

Support the search, limit and starting_after query parameters when listing partner accounts

Support for issuing an exchange token for a sub-account, to allow partner accounts to manage sub-accounts.

2019-05-31

Support for including a Refresh Token when requesting an Access Token. Use grant_type=refresh_token to get an Access Token from a Refresh Token.

Support for revoking a Refresh Token

2018-12-17

Fix typo in Account definition: all bussiness_name properties renamed to business_name

Authentication

clientAuth

Authorization using the Basic scheme with client_id and client_secret as username/password.

Security Scheme Type HTTP
HTTP Authorization Scheme basic

JWT

Authorization using the Bearer scheme. The content of the header should look like the following:

Authorization: Bearer {access_token}

where the token is a JSON Web Token (JWT).

Security Scheme Type API Key
Header parameter name: Authorization

authenticate

Authorize Passwordless link

This endpoint is used to authorize a Passwordless link sent to the user by email/SMS.

A valid request will redirect the browser to the redirect_uri. This is the OAuth 2.0 grant that client-side web apps use in order to access an API.

Authorizations:
path Parameters
oid
required
string <^[PT]{1}(?=(?:.{3}|.{8})$)[0-9]*$>

An id that uniquely identifies the account or owner (partner)

query Parameters
audience
required
string

The unique identifier of the target API you want to access.

response_type
required
string
Value: "authenticate"

This specifies the type of token you will receive at the end of the flow. Use token to get only an access_token.

If response_type=token, after the user authenticates with the provider, this will redirect them to your application callback URL while passing the access_token in the address location.hash. This is used for Single Page Apps and on Native Mobile SDKs.

client_id
required
string

Your application's Client ID.

verification_code
required
string

One-time verification code.

scope
string
Value: "openid"

The scopes which you want to request authorization for.

state
string

An opaque value the client adds to the initial request and that Dintero includes when redirecting back to the client. The client must check this value on the redirect to prevent CSRF attacks.

redirect_uri
string

The URL to which Dintero will redirect the browser after authorization has been granted by the user.

The redirect_uri value must be specified as a valid callback URL under your Client's Settings.

connection
string

The name of the connection configured to your client.

Responses

Response samples

Content type
application/json
{
  "error": {}
}
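The state check the redirect_uri/state parameters above require, as an added example that is not part of the Dintero documentation: the client validates the oid against the documented pattern, stores an unguessable state before building the authorize link, and on the callback rejects any response whose state does not match before reading the access_token from location.hash. The authorize endpoint URL is an assumption; the page does not give the host or path.

```python
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Pattern copied from the oid path parameter: P or T followed by digits,
# with a total length of 4 or 9 characters (e.g. T123 or P12345678).
OID_RE = re.compile(r"^[PT]{1}(?=(?:.{3}|.{8})$)[0-9]*$")

# Assumed placeholder; the real authorize URL is not given on this page.
AUTHORIZE_ENDPOINT = "https://accounts.example.invalid/ASSUMED-PATH/{oid}"


def valid_oid(oid: str) -> bool:
    """True when oid matches the documented path parameter pattern."""
    return OID_RE.match(oid) is not None


def new_state() -> str:
    """Opaque, unguessable state the client persists before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(oid, client_id, audience, verification_code,
                        redirect_uri, state, connection="email"):
    """Build the Authorize Passwordless link from the documented query parameters."""
    if not valid_oid(oid):
        raise ValueError("oid does not match the documented pattern")
    params = {
        "audience": audience, "response_type": "authenticate",
        "client_id": client_id, "verification_code": verification_code,
        "scope": "openid", "state": state, "redirect_uri": redirect_uri,
        "connection": connection,
    }
    return AUTHORIZE_ENDPOINT.format(oid=oid) + "?" + urlencode(params)


def handle_callback(callback_url: str, expected_state: str) -> str:
    """Verify state in constant time, then return access_token from the fragment.

    For response_type=token the token is delivered in location.hash, so it is
    read from the URL fragment, never from the query string.
    """
    parsed = urlparse(callback_url)
    frag, query = parse_qs(parsed.fragment), parse_qs(parsed.query)
    state = (frag.get("state") or query.get("state") or [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise PermissionError("state mismatch: callback discarded (possible CSRF)")
    token = frag.get("access_token", [""])[0]
    if not token:
        raise ValueError("no access_token in fragment")
    return token
```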

Passwordless

Passwordless connections do not require the user to remember a password. Instead, another mechanism is used to prove identity, such as a one-time code sent through email or SMS, every time the account user logs in.

  • The client_id/audience must have a grant with type authorization_code to allow sending verification codes
  • This endpoint is designed to be called from the client side and is subject to rate limits

scopes:

  • admin:accounts
  • write:accounts
  • write:accounts:/auth/passwordless
  • write:accounts:/auth/passwordless-sms
  • write:accounts:/auth/passwordless-email
Authorizations:
path Parameters
oid
required
string <^[PT]{1}(?=(?:.{3}|.{8})$)[0-9]*$>

An id that uniquely identifies the account or owner (partner)

Request Body schema: application/json
client_id
required
string
connection
required
string
Enum: "email" "sms"

How to send the code to the user.

audience
required
string

The unique identifier of the target API you want to access.

email
string

The user's email address

type
string
Default: "customer"
Enum: "company" "customer"

Passwordless for type company/customer requires that the email is registered to one of the customer's users

send
string
Default: "code"
Value: "code"

Use code to send a verification code.

login_session_id