Operators act on a customer through customer-scoped endpoints (legacy-style paths, no /v1 prefix). Authorisation is the operator’s bearer token plus the per-endpoint permission claim.
Acting on a customer’s behalf is enabled only for PCI- or Compliance-approved workflows — it is not available to every program. Talk to Orenda before building on these endpoints.

Accounts

GET /customers/{customerId}/accounts (claim accounts.list) — the customer’s accounts with balances and bank details. In sandbox, most providers return mock data.

Payments

  • POST /customers/{customerId}/accounts/{accountId}/payments (claim payments.create) — send a payment for the customer. Body: beneficiaryId, amount, paymentRef (required); scheduledDate + frequency for scheduled/recurring; waiveFee to skip the fee. P2P transfers are detected automatically from the destination identifiers.
  • POST /customers/{customerId}/accounts/{accountId}/payments/fee (claim payments.create) — preview the fee: body amount (+ optional waiveFee), returns feeAmount. Responds 501 on programs without fee preview.

Beneficiaries

  • POST /customers/{customerId}/beneficiaries?accountId=… (claim beneficiaries.create) — create a payee for the customer. The destination fields follow the program’s rails (UK accountNumber+sortCode, EU iban). Operator (SSO) calls bypass the customer step-up confirmation.
  • GET /customers/{customerId}/beneficiaries (claim beneficiaries.view) — list payees.
  • DELETE /customers/{customerId}/accounts/{accountId}/beneficiaries/{beneficiaryId}/delete (claim beneficiaries.delete) — remove a payee. Blocked while pending, scheduled, or batch payments still reference it.

Batch payments

The same single-endpoint, action-driven flow as the customer API:
  1. POST /customers/{customerId}/payments/batch with action: "verify" — validates items and runs the name check (CoP for UK, VoP for EU). Large batches verify asynchronously: poll until status: "COMPLETED", then read validPayments / invalidPayments.
  2. action: "initiate" — returns the scaChallenge (hash, nonce, timestamp).
  3. action: "submit" — sends the batch with the challenge and authentication.
Track with GET /payments/batch/{batchId} — back-office roles see all items; customer sessions only their own.
For oversight across customers — held payments, searches, exports — see Payment approvals and Search. The batch endpoints have interactive Try it pages under Batch payments in the API Reference.