
Onboard an Authorised User

Authorised users are users who have been granted access to an identity within Weavr. They are not the legal owners of the identity, so they do not own the instruments or the funds created for the identity.

This guide demonstrates how you can enable your customers to add users to their identity.

info

You need to implement application-specific permissions in your application to limit what each user can view and do.

1. Create a New User

Use the create user API to create a new user associated with the identity that the logged-in user initiating the request belongs to.

To create an Authorised User you need a stepped-up token. After calling

you need to step up (issue a challenge) using multi/stepup/challenges/otp/{channel}. More details on how to step up a token can be found here.

Weavr returns the details of the newly created user, including the id which is used to identify this particular user in subsequent API calls.
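
The info note above leaves per-user permissions to your application. The following is an added example, not Weavr's code or API: a deny-by-default check keyed on the user id returned at creation, which also refuses user creation from a session that has not been stepped up. The role names, action names and the Session and RoleStore types are hypothetical.

```python
from dataclasses import dataclass

# Hypothetical roles and actions for your own application; not Weavr names.
ROLE_ACTIONS = {
    "owner": {"view_cards", "create_card", "add_user"},
    "manager": {"view_cards", "create_card"},
    "viewer": {"view_cards"},
}
# The guide requires a stepped-up token to create a user, so mirror that here.
STEP_UP_ACTIONS = {"add_user"}


@dataclass(frozen=True)
class Session:
    user_id: str       # id returned when the user was created
    identity_id: str   # identity the logged-in user belongs to
    stepped_up: bool   # set by your app after a successful step-up challenge


class RoleStore:
    """App-side mapping of (identity, user) to a role; absent means no access."""

    def __init__(self):
        self._roles = {}

    def grant(self, identity_id, user_id, role):
        if role not in ROLE_ACTIONS:
            raise ValueError(f"unknown role: {role}")
        self._roles[(identity_id, user_id)] = role

    def role_of(self, identity_id, user_id):
        return self._roles.get((identity_id, user_id))


def authorize(store, session, action, target_identity_id):
    """Deny by default; return (allowed, reason) so denials can be logged."""
    if session.identity_id != target_identity_id:
        return False, "identity mismatch"
    role = store.role_of(session.identity_id, session.user_id)
    if role is None:
        return False, "no role assigned"
    if action not in ROLE_ACTIONS[role]:
        return False, "action not permitted for role"
    if action in STEP_UP_ACTIONS and not session.stepped_up:
        return False, "step-up required"
    return True, "ok"


# Constructed sample data: the ids are made up for this example.
store = RoleStore()
store.grant("identity-A", "user-1", "owner")
store.grant("identity-A", "user-2", "viewer")
```

Run the check on your server for every request, and treat a user with no recorded role as having no access.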

2. Set the User's Password

Once a user is created, the next step is for the user to set up their password. You can set the user's password in 2 ways:

  • Via the Create Password API, if the user is already using your product
  • Via the User Invitation process, if the user still needs to start using your product

Via the Create Password API

If the user is already using your product, you can use this option to quickly enable them to set up their password.

Non-PCI Compliant Innovators

If you are not PCI compliant, you cannot handle your customers’ plain-text passwords. Instead, you must tokenise passwords. Find more information on how to transmit data securely here.

Weavr returns a token as part of a successful response. You will need to provide the token as part of APIs which require the user to be logged in.

Authorised Users can multiply in programmes with lots of cardholders. As an Embedder you may want to manage interactions and data around Authorised Users, so we’ve introduced an optional tag field which allows you to store custom information against those records.

The Authorised User Tag can be included in API calls as follows:

  • POST /users
  • GET /users
  • PATCH /user/{user_id}

The Tag is also available when filtering Authorised Users in the Embedder Portal.

Via the User Invitation Process

If you still need to onboard the user onto your product, you can use the invitation process to do so. The invitation process has 2 steps:

  1. Send an invitation email to the user
  2. User accepts invitation and provides their password

Use the send user invite API to send the invitation to the user's email address.

Email Branding

You can brand and personalise the email content that is sent to your users. Read our guides on corporate email communications and consumer email communications for more information.

The invitation email that is sent to the user will include a URL that redirects to your application. You must create a page in your application for this URL to point to. On this page, you must allow the consumer to input the verification code they received in the email.

info

The invitation expires after 30 days.

Set the user's password by submitting the verification code that the user received in the email together with the user's password.

Weavr returns a token as part of a successful response. You will need to provide the token as part of APIs which require the user to be logged in.

3. Enrol the user's device

Users must be enrolled with one additional authentication factor in order to perform operations that require Strong Customer Authentication (SCA).

3.1 Enrol user using OTP via SMS

You can start the enrolment process using the API. The user will receive a text message (SMS) on the mobile number that was provided when creating the user.

Verify the User's Mobile Device

You must build a page in your application where the user can enter the verification code that they received in the text message together with their password. Then, you need to submit the information using the API.

3.2 Enrol user using Push Notification

Users can choose to authenticate with their mobile device using an authentication app such as AUTHY. You can start the enrolment process using the endpoint below.

The user should then accept the push notification received on the device.

Supported Authentication Factors

We currently offer SMS, AUTHY and BIOMETRICS as available authentication factors. More channels are coming soon.

info

Twilio Authy must be activated in the Multi portal to enrol users to use this authentication method.