Onboard an Authorised User
Authorised Users are users who have been granted access to an identity within Weavr. They are not the legal owners of the identity; therefore, they do not own the instruments or the funds created for the identity.
Authenticated Authorised Users can perform operations on the identity and its instruments via the Multi API and SDKs.
If you are running a programme where corporates issue cards, the card assignee must be created as an Authorised User and linked to the card before it can be used.
You must implement application-specific permissions in your own application to limit what each Authorised User can view and do.
This guide demonstrates how you can enable your customers to add users to their identity.
1. Create a New User
Use the create user API to create a new user associated with the identity that the logged-in user initiating the request belongs to.
To create an Authorised User, the logged-in user requires a stepped-up token. Before calling the Create User endpoint, you need to step up (issue and complete a challenge). More details on how to step up a token can be found here.
When creating an Authorised User, you must provide some basic personal information about the user since they have access to conduct financial operations. Although fields such as mobile and dateOfBirth are optional when calling the API, if the Authorised User is intended to be assigned a card, this information becomes mandatory before they can use a card.
Weavr returns the details of the newly created user, including the id which is used to identify this particular user in subsequent API calls.
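As an added example (not Weavr's code), here is one way your backend could gate the create-user call on the checks this guide describes: application-specific permissions, a stepped-up token, and the card-assignee fields. The role names, the `Session` shape, and the payload field names other than `mobile`, `dateOfBirth` and `tag` are assumptions.

```python
from dataclasses import dataclass

# Hypothetical application roles; Weavr does not define these. Deny by default.
ROLE_PERMISSIONS = {
    "admin": {"users:create", "users:read"},
    "finance": {"users:read"},
}
# Optional at creation, mandatory before the user can use a card (per the guide).
CARD_ASSIGNEE_FIELDS = ("mobile", "dateOfBirth")


class Denied(Exception):
    """The caller's application role does not allow the operation."""


class StepUpRequired(Exception):
    """The caller must complete a step-up challenge first."""


@dataclass(frozen=True)
class Session:
    """Your application's view of the logged-in user (hypothetical shape)."""
    user_id: str
    role: str
    stepped_up: bool  # set server-side once the step-up challenge completes


def plan_create_user(session, payload, card_assignee=False):
    """Return the POST /users request to send, or raise before any API call."""
    # Permission first, so users who may not create users are never challenged.
    if "users:create" not in ROLE_PERMISSIONS.get(session.role, set()):
        raise Denied(f"role {session.role!r} may not create users")
    if not session.stepped_up:
        raise StepUpRequired("issue and complete a challenge, then retry")
    if card_assignee:
        missing = [f for f in CARD_ASSIGNEE_FIELDS if not payload.get(f)]
        if missing:
            raise ValueError("card assignee is missing: " + ", ".join(missing))
    return {"method": "POST", "path": "/users", "body": dict(payload)}


# Constructed sample data, not real users; name/surname/email are assumed fields.
ADMIN = Session("u-1", "admin", stepped_up=True)
NEW_USER = {"name": "Ada", "surname": "Byron", "email": "ada@example.com",
            "tag": "cost-centre-42"}
```

Catch `StepUpRequired` in your request handler to start the challenge flow, and treat `Denied` as a final refusal rather than something to retry.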
2. Set the User's Password
Once a user is created, the next step is for the user to set up their password. You can set the user's password in 2 ways:
- Via the Create Password API, if the user is already using your product
- Via the User Invitation process, if the user still needs to start using your product
Via the Create Password API
If the user is already using your product, you can use this option to quickly enable them to set up their password.
If you are not PCI compliant, you cannot handle your customers’ plain-text passwords. Instead, you must tokenise passwords. Find more information on how to transmit data securely here.
Weavr returns a token as part of a successful response. Provide the token as part of APIs which require the user to be logged in.
Authorised Users can multiply in programmes with lots of card assignees. As an Embedder you may want to manage interactions and data around Authorised Users, so we’ve introduced an optional tag field which allows you to store custom information against those records.
The Authorised User Tag can be included in API calls as follows:
- POST /users
- GET /users
- PATCH /user/{user_id}
The Tag is also available when filtering Authorised Users in the Embedder Portal.
Via the User Invitation Process
If you still need to onboard the user onto your product, you can use the invitation method to start this process. The invitation process has 2 steps:
- Send an invitation email to the user.
- User accepts invitation and provides their password.
Use the send user invite API to send the invitation to the user on their email address.
You can brand and personalise the email content that is sent to your users. Read our guides on corporate email communications and consumer email communications for more information.
The invitation email sent to the user includes a URL that redirects to your application. You must create a page in your application to which this URL points. On this page, you must allow the consumer to input the verification code they received in the email.
The invitation expires after 30 days.
Set the user's password by submitting the verification code that the user received in the email together with the user's password.
Weavr returns a token as part of a successful response. Provide the token as part of APIs which require the user to be logged in.
3. Enrol the user's device
Users must be enrolled with at least one additional authentication factor to perform step-up authentication for operations that require Strong Customer Authentication (SCA).
3.1 Enrol user using OTP via SMS
You can start the enrolment process using the API. The user receives a text message (SMS) on the mobile number provided when creating the user.
Verify the User's Mobile Device
You must build a page in your application where the user can enter the verification code that they received in the text message together with their password. Then, you need to submit the information using the API.
3.2 Enrol user using Push Notification
Users can choose to authenticate with their mobile device using an authentication app such as Authy. You can start the enrolment process using the endpoint below.
The user should then accept the push notification received on the device.
Twilio Authy must be activated in the Multi portal to enrol users to use this authentication method.
3.3 Enrol a user for biometric authentication
If you have a mobile app, we offer an embeddable Biometrics Authentication component as an SDK. The enrolled authentication method is used instead of SMS once enrolment is complete. Enrolment for biometrics is initiated directly from the SDK; see enrolling a device for details.
The enrolment flow includes an SMS OTP that also automatically enrols SMS as an authentication factor for the user, avoiding having to complete step 3.1 separately.