/v1/access-management/ and use the operator’s bearer token plus the
x-program-id header.
Every endpoint below is also in the interactive API Reference tab — full schemas, examples, and a “try it” playground. The customer-invite flow has a dedicated walkthrough at Invite a customer.
Introspection
| Endpoint | Returns |
|---|---|
GET …/me | The caller’s profile and role. |
GET …/program-claims | The programs the caller can act on (claim * = all). |
Users
| Endpoint | Notes |
|---|---|
GET …/bo-users | All back-office users in the program (limit + nextToken pagination). |
GET …/software-users | The program’s software (machine) users. |
Inviting customers
POST …/invite/customer— a back-office caller invites either a plain customer ({ "email" }) or a sub-role member by setting a flag (isPrepaidCardCustomer/isCardOnly/isSpouse/isChild). When a sub-role flag is set,accountIdis required and names the funding parent account.payInIBANis required when the resolved onboarding role enables pay-in. Every invite carries a step-upconfirmation. See Invite a customer for the full flow — it embeds the Try it playground forPOST …/invite/customer. (Customers inviting their own sub-users use the same route on the customer API.)GET …/invited— invites this caller has sent, with live card details where linked.
Step-up authentication
Every invite requires a step-up before the invitee is created — including back-office invites. The request carries aconfirmation object, either passkey or TOTP:
- Passkey —
{ "method": "passkey", "passkeySession", "assertion" }, wherepasskeySessioncomes fromPOST /v1/auth/passkey/challengeandassertionis the JSON-stringified WebAuthn assertion. - TOTP —
{ "method": "totp", "totp", "accessToken" }, the 6-digit authenticator code plus the inviter’s Cognito access token (which must belong to the inviter).
| Situation | Result |
|---|---|
Complete passkey or TOTP confirmation | Verified, then the invite proceeds. |
Incomplete pair (e.g. totp without accessToken) | 400 VALIDATION_ERROR. |
No confirmation | 422 SCA_MISSING; no user is created. |
pin (or other unsupported) method | 422 SCA_INVALID_METHOD. |
| TOTP token not belonging to the inviter | 401 UNAUTHORIZED. |
| Verification fails | Request rejected; no user is created. |
Per-resource access grants
Fine-grained grants let an invited customer use a specific account and/or card:POST …/accesses—{ "customerId", "accountId", "cardId"?, "accountAccess"?, "cardAccess"? }; at least one access flag, andcardIdis required withcardAccess.PATCH …/accesses— same shape, toggles existing grants.