POST
/
v1
/
access-management
/
invite
/
customer
curl --request POST \
  --url https://api.next.orenda.finance/v1/access-management/invite/customer \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --header 'x-program-id: <api-key>' \
  --data '
{
  "email": "grace.hopper@example.com",
  "confirmation": {
    "method": "totp",
    "totp": "123456",
    "accessToken": "eyJraWQiOiJ...inviter-access-token"
  }
}
'
{
  "success": true,
  "data": {
    "message": "Customer invitation processed successfully"
  }
}
{
"success": false,
"code": "<string>",
"message": "<string>"
}
{
"success": false,
"code": "<string>",
"message": "<string>"
}
{
"success": false,
"code": "<string>",
"message": "<string>"
}
{
"success": false,
"code": "<string>",
"message": "<string>"
}
{
"success": false,
"code": "<string>",
"message": "<string>"
}

Authorizations

Authorization
string
header
required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

x-program-id
string
header
required

The program the request acts on.

Body

application/json

Sent by a back-office caller. Includes a confirmation step-up object — back-office invites are challenged like any other. A plain invite needs only email; setting a sub-role flag (isPrepaidCardCustomer / isCardOnly / isSpouse / isChild) makes accountId required and names the funding parent account the invitee draws against. Sub-roles are mutually exclusive — set at most one flag (zero = plain customer); two or more returns 400.

email
string<email>
required
confirmation
Passkey · object
required

Discriminated step-up (SCA) credential. passkey and totp are accepted on this endpoint (a pin confirmation is rejected with 422 SCA_INVALID_METHOD).

payInIBAN
string

Pay-in IBAN assigned to the invitee. Required when the resolved onboarding role enables pay-in (isPayInEnabled); ignored for roles without pay-in.

clientReference
string

External identity reference (max 36 chars). Required only for SSO programs (program config usesClientRefAuthentication: true, e.g. potjestaging) — there it becomes the application identity and is rejected with 400 if missing. Ignored for normal Cognito programs.

Maximum string length: 36
accountId
string<uuid>

Funding parent account the invitee draws against. Required when any sub-role flag is set. Validated up front: must exist, be ACTIVE, not be a pseudo account, and be reachable by the caller (in the caller's program; for custodians, under the inviting custodian).

isPrepaidCardCustomer
boolean
isCardOnly
boolean
isSpouse
boolean
isChild
boolean

Response

Invitation processed

success
boolean
Example:

true

data
object