Onboard an Authorised User
Authorised users are users who have been granted access to an identity within Weavr. They are not the legal owners of the identity, so they do not own the instruments or the funds created for the identity.
This guide demonstrates how you can enable your customers to add users to their identity.
You need to implement application-specific permissions in your application to limit what each user can view and do.
1. Create a New User
Use the create user API to create a new user associated with the identity that the logged-in user initiating the request belongs to.
To create an Authorised User, you need a stepped-up token. After calling
you need to step up (issue a challenge): multi/stepup/challenges/otp/{channel}
More details on how to step-up a token can be found here
Weavr returns the details of the newly created user, including the id, which is used to identify this particular user in subsequent API calls.
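One way to implement the application-side permissions mentioned in the introduction, together with the stepped-up-token requirement for creating a user, is a deny-by-default check in your backend. This is an added example, not Weavr code: the role names, action names, Session fields and role store are all assumptions.

```python
"""Embedder-side permission gate for Authorised Users (added example).

Roles, action names and the Session shape are assumptions for illustration;
they are not part of the Weavr API.
"""
from dataclasses import dataclass

# Hypothetical application roles mapped to the actions each may perform.
ROLE_ACTIONS = {
    "admin": {"view_cards", "view_balances", "send_funds", "create_user"},
    "finance": {"view_cards", "view_balances", "send_funds"},
    "viewer": {"view_cards"},
}

# Actions this application only allows on a stepped-up session. The guide
# requires a stepped-up token for create_user; send_funds is an assumption.
STEP_UP_ACTIONS = {"create_user", "send_funds"}


@dataclass(frozen=True)
class Session:
    user_id: str      # Weavr user id returned when the user was created
    identity_id: str  # identity the user was granted access to
    stepped_up: bool  # set by your backend after a verified step-up challenge


def authorize(session, action, target_identity_id, role_store):
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    # Roles are keyed on (identity, user) so a role granted under one
    # identity never carries over to another.
    role = role_store.get((session.identity_id, session.user_id))
    if role is None:
        return False, "no_role_assigned"
    if target_identity_id != session.identity_id:
        return False, "cross_identity"
    if action not in ROLE_ACTIONS.get(role, set()):
        return False, "action_not_permitted"
    if action in STEP_UP_ACTIONS and not session.stepped_up:
        return False, "step_up_required"
    return True, "ok"


# Constructed sample data: roles your application stores per (identity, user).
ROLES = {
    ("identity-1", "user-100"): "admin",
    ("identity-1", "user-101"): "viewer",
}
```

Run the check in your backend before forwarding any request to Weavr, so that hiding a button in the UI is never the only control.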
2. Set the User's Password
Once a user is created, the next step is for the user to set up their password. You can set the user's password in 2 ways:
- Via the Create Password API, if the user is already using your product
- Via the User Invitation process, if the user still needs to start using your product
Via the Create Password API
If the user is already using your product, you can use this option to quickly enable them to set up their password.
If you are not PCI compliant, you cannot handle your customers’ plain-text passwords. Instead, you must tokenise passwords. Find more information on how to transmit data securely here.
Weavr returns a token as part of a successful response. You will need to provide the token as part of APIs which require the user to be logged in.
Authorised Users can multiply in programmes with lots of cardholders. As an Embedder you may want to manage interactions and data around Authorised Users, so we’ve introduced an optional tag field which allows you to store custom information against those records.
The Authorised User Tag can be included in API calls as follows:
POST /users
GET /users
PATCH /user/{user_id}
The Tag is also available when filtering Authorised Users in the Embedder Portal.
Via the User Invitation Process
If you still need to onboard the user onto your product, you can use the invitation process to do so. The invitation process has 2 steps:
- Send an invitation email to the user
- User accepts invitation and provides their password
Use the send user invite API to send the invitation to the user's email address.
You can brand and personalise the email content that is sent to your users. Read our guides on corporate email communications and consumer email communications for more information.
The invitation email that is sent to the user will include a URL that redirects to your application. You must create a page in your application for this URL to point to. On this page, you must allow the consumer to input the verification code they received in the email.
The invitation expires after 30 days.
Set the user's password by submitting the verification code that the user received in the email together with the user's password.
Weavr returns a token as part of a successful response. You will need to provide the token as part of APIs which require the user to be logged in.
3. Enrol the user's device
Users must be enrolled with one additional authentication factor in order to perform operations that require Strong Customer Authentication (SCA).
3.1 Enrol user using OTP via SMS
You can start the enrolment process using the API. The user will receive a text message (SMS) on the mobile number that was provided when creating the user.
Verify the User's Mobile Device
You must build a page in your application where the user can enter the verification code that they received in the text message together with their password. Then, you need to submit the information using the API.
3.2 Enrol user using Push Notification
Users can choose to authenticate on their mobile device using an authentication app such as AUTHY. You can start the enrolment process using the endpoint below.
The user should then accept the push notification received on the device.
We currently offer SMS, AUTHY and BIOMETRICS as available authentication factors. More channels are coming soon.
Twilio Authy must be activated in the Multi portal to enrol users to use this authentication method.