EML Data Services API documentation version 1.8

https://ws.emerchants.com.au/3.0/

Introduction

This is a REST API provided by EML. It is used for performing a variety of management operations in the EML ecosystem.

Reading This Documentation

At the bottom of this page, you will find a list containing all of the resources provided by this API.

Clicking on a resource, /accounts for example, will reveal more information about its supported HTTP methods. Clicking on a method, GET for example, will bring up more detailed information, usage instructions, and examples.

Security

This API leverages OAuth 2.0 for authentication and authorization. OAuth 2 Simplified may be good to read if you want to learn more about it, though that's not necessary to use this API.

There are OAuth 2.0 client libraries available for many popular languages, which may simplify the integration process. If no library is available for your language, or you prefer to have more control, it is quite easy to implement the workflow yourself using simple HTTP and JSON.

The following paragraphs document the OAuth 2.0 workflow in detail.

Obtaining an access token

You will need to provide a valid access token when accessing any of this API's resources. Access tokens are obtained via a POST request to the /token resource.

This request must be made up of the following components:

Authorization header containing a valid client ID and secret. The value is constructed by combining the client ID and secret with a colon (id:secret), encoding the result using the RFC2045-MIME variant of Base64, and prepending Basic .
Content-Type header set to application/x-www-form-urlencoded
Body containing grant_type=client_credentials

See the example below:

  POST /3.0/token HTTP/1.1
  Host: ws.emerchants.com.au
  Authorization: Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ=
  Content-Type: application/x-www-form-urlencoded

  grant_type=client_credentials

Given valid client credentials, the API will return a 200 OK response containing the following:

  {
      "access_token": "AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=",
      "token_type": "bearer",
      "expires_in": 43199
  }

You should keep the value from access_token to include in subsequent requests, and be prepared to get a new access token before this one expires in expires_in seconds.

Using the access token

The access token obtained in the previous step can be used to access resources by sending it in the Authorization header of each request using the format: Bearer access_token. Here is an example of retrieving an account:

  GET /3.0/accounts HTTP/1.1
  Host: ws.emerchants.com.au
  Authorization: Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=

Token expiration

You should continue to re-use the same access token until shortly before it expires. At this time, you should repeat the above steps to get a new access token.

The strategy you use to keep your access token valid is up to you, but one example strategy is as follows:

If, when attempting to use your current access token, there is less than 10 minutes remaining before it expires, trigger an asynchronous process to get a new access token.
If you receive a 401 UNAUTHORIZED response, trigger a synchronous process to get a new access token, and try again.

Access tokens will remain valid until they expire. It is safe to use multiple tokens concurrently while you complete the process of getting a new access token, and propagating it through your system.

IP Whitelisting

In addition to the OAuth 2.0 authentication and authorization, EML Payments maintains a whitelist of I.P. addresses which are permitted to access the API. Before you can access either the test or the production endpoints, you will need to contact EML Payments and provide us with the public IP addresses from which you wish to access the API. You may provide one or more IP addresses (or subnets) to be whitelisted in each environment. Be aware that we will not whitelist subnets larger than /29 (IPv4).

Please note that our policy dictates that a single IP address cannot be simultaneously whitelisted in both the test and production environments.

Be advised that there is some lead time involved with adding or modifying the whitelist.

Rate Limiting

Requests to the EML APIs is subject to rate limiting as follows:

calls to APIs are limited to 1,000 requests per 10 seconds against each whitelisted IP address.
calls exceeding this limit will be rejected for up to 10 seconds, with a return response code of 429 "Too Many Requests"

Important Usage Note

All JSON sent to and from the API must be sent with the Content-Type HTTP header set to application/vnd.eml+json. This is to prevent any confusion caused by intermediate proxies and gateways which may send application/json under some conditions.

Test Environment

There is a test environment available at https://beta.emerchants.com.au/3.0/ which can be used for testing.

Code Examples

Below are some simple code snippets aimed at guiding you towards your implementation. These examples are written in C# .NET using a library called Flurl. This library wraps the standard HTTP classes in a fluent API, which should aid in understanding the code, even if C# isn't your language of choice.

Getting a token

private async Task<string> GetToken(string clientId, string clientSecret)
{
  try
  {
      dynamic json = await new Url("https://ws.emerchants.com.au/3.0/token")
          .WithHeader("Accept", "application/vnd.eml+json")
          .WithBasicAuth(clientId, clientSecret)
          .PostUrlEncodedAsync(new
          {
              grant_type = "client_credentials"
          })
          .ReceiveJson();

      // 200 OK

      string token = json.access_token;
      return token;
  }
  catch (FlurlHttpException ex)
  {
      switch (ex.Call.HttpStatus)
      {
          case HttpStatusCode.BadRequest: // usage doesn't match documentation
              throw;
          case HttpStatusCode.Unauthorized: // invalid client-id and/or client-secret
              throw;
          case HttpStatusCode.InternalServerError: // something happened on EML's end
              throw;
          default: // undocumented status code
              throw;
      }
  }
}

/token

/token post

post

Request an access token using the specified client credentials.

Headers

Authorization: required (string)
Constructed by combining the client ID and secret with a colon (id:secret), encoding the result using the RFC2045-MIME variant of Base64, and prepending Basic .
Example:
```
Basic W91cl9jbGllbnRfaWQ6eW91cl9jbGllbnRfc2VjcmV0
```

HTTP status code 200

You were authenticated and a token was generated successfully.

Body

Media type: application/vnd.eml+json

Type: object

Properties

access_token: required (string)
token_type: required (string)
expires_in: required (number)

Example:

{
    "access_token": "AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=",
    "token_type": "bearer",
    "expires_in": 43200
}

HTTP status code 400

The request cannot be processed due to a problem with it. Check the error code and consult this documentation.

Possible error codes:

invalid_request
unsupported_grant_type
invalid_client (credentials are missing or incomplete)

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 401

The client credentials that were provided are incorrect. Please check them and try again.

Possible error codes:

invalid_client (credentials are incorrect)

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.

Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

/reporting

/policy

/policy/{id}/categories get post

get

This is a simplified version of /policy endpoint. It returns only the merchant category code rules

post

Add or Remove a Merchant Category Code to a policy

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

URI Parameters

id: required (number)
The Program Id (Company Id) of the program.

Body

Media type: application/vnd.eml+json

Type: object

Properties

reason: (string)
The reason to change the merchant category code rules
require_approval: (boolean)
Reserved for future use. Please keep this field as false
add: (array of integer)
The merchant category codes to be added. For open loop program, blacklist rules will be added; for close loop program, whitelist rules will be added.
remove: (array of integer)
The merchant category codes to be removed from blacklist or whitelist rules. Note that this will only remove the rules, not the category codes.

Example:

{
  "reason": "blacklist mcc 1751",
  "add":[1751]
}

HTTP status code 200

The operation was successful, and the category rules were updated successfully

HTTP status code 400

Invalid request fields. The invalid fields are listed in the response error message

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 403

The user does not have proper permission on the company

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 404

The requested company does not have policy configured.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.

Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/policy/{id}/merchants get post

get

This is a simplified version of /policy endpoint. It returns only the card acceptor rules

post

Add or Remove a Merchant to a policy.
Requires the Acquirer ID and Card Acceptor ID of the Merchant

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

URI Parameters

id: required (number)
The Program Id (Company Id) of the program.

Body

Media type: application/vnd.eml+json

Type: object

Properties

reason: (string)
The reason to change the merchant rules
require_approval: (boolean)
Reserved for future use. Please keep this field as false
add: (array of RanPolicyCardAcceptor)
The merchants to be added. Note that we use Merchants and Card Acceptors interchangeably in this document. For open loop program, blacklist rules will be added; for close loop program, whitelist rules will be added.
Items: RanPolicyCardAcceptor
- acquirer_id: required (integer)
- card_acceptor_id: required (string)
- description: required (string)
remove: (array of RanPolicyCardAcceptorIdentifier)
Collection of ids of merchants to be removed from blacklist or whitelist rules. Note that this will only remove the rules, not the merchants.
Items: RanPolicyCardAcceptorIdentifier
- acquirer_id: required (integer)
- card_acceptor_id: required (string)

Example:

{
  "reason": "blacklist card acceptor 5 and 6",
  "add": [
           {
              "acquirer_id": 121,
              "card_acceptor_id": "ca-5",
              "description": "test acceptor 5"
           },
           {
              "acquirer_id": 123,
              "card_acceptor_id": "ca-6",
              "description": "test acceptor 5"
           }
         ],
  "remove": [
              {
                 "acquirer_id": 1,
                 "card_acceptor_id": "ca-1"
              },
              {
                 "acquirer_id": 2,
                 "card_acceptor_id": "ca-2"
              }
            ]
}

HTTP status code 200

The operation was successful, and the merchant rules were updated successfully

HTTP status code 400

Invalid request fields. The invalid fields are listed in the response error message

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 403

The user does not have proper permission on the company

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 404

The requested company does not have policy configured.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.

Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/policy/{id}/terminals get post

get

This is a simplified version of /policy endpoint. It returns only the terminal rules

post

Add or Remove a specific Terminal for a Merchant to a policy.
Requires the Acquirer ID and Card Acceptor ID and Terminal ID of the Terminal.

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

URI Parameters

id: required (number)
The Program Id (Company Id) of the program.

Body

Media type: application/vnd.eml+json

Type: object

Properties

reason: (string)
The reason to change the terminal rules
require_approval: (boolean)
Reserved for future use. Please keep this field as false
add: (array of RanPolicyTerminal)
The terminals to be added. For open loop program, blacklist rules will be added; for close loop program, whitelist rules will be added.
Items: RanPolicyTerminal
- acquirer_id: required (integer)
- card_acceptor_id: required (string)
- terminal_id: required (string)
- card_acceptor_name_location: (string)
- description: (string)
remove: (array of RanPolicyTerminalIdentifier)
Collection of ids of terminals to be removed from blacklist or whitelist rules. This will only remove the rules, not the merchants. Note this is the Id field of a terminal rule, not the terminalId property.
Items: RanPolicyTerminalIdentifier
- acquirer_id: required (integer)
- card_acceptor_id: required (string)
- terminal_id: required (string)

Example:

{
  "reason": "blacklist terminals 5 and 6",
  "add": [
           {
              "acquirer_id": 121,
              "card_acceptor_id": "ca-5",
              "terminal_id":"term5",
              "card_acceptor_name_location":"Brisbane city",
              "description": "test terminal_5"
           },
           {
              "acquirer_id": 123,
              "card_acceptor_id": "ca-6",
              "terminal_id":"term6",
              "card_acceptor_name_location":"Brisbane city",
              "description": "test terminal_6"

           }
         ],
  "remove":[
              {
                 "acquirer_id": 111,
                 "card_acceptor_id": "ca-1",
                 "terminal_id":"term1"
              }
           ]
}

HTTP status code 200

The operation was successful, and the terminal rules were updated successfully

HTTP status code 400

Invalid request fields. The invalid fields are listed in the response error message

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 403

The user does not have proper permission on the company

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 404

The requested company does not have policy configured.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.

Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/accounts

/accounts get post

get

Retrieve Accounts linked by a common Client Account Key

post

Create a new account

Retrieve Accounts linked by a common Client Account Key

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

Query Parameters

client_id: required (string)
The Client of the customer.
client_account_key: required (string)
The ClientAccountKey of the customer.
with_personal: (string)
Allows the caller to control whether the personal property is present on each element of the response. To include the property, supply any non-whitespace value for the parameter, e.g., ?with_personal=1. To omit the property, simply omit this query parameter.
with_directentry: (string)
Allows the caller to control whether the direct_entry_bsb and direct_entry_account_number properties are present on the response. To include the property, supply any non-whitespace value for the parameter, e.g., ?with_directentry=1. To omit the property, simply omit this query parameter.
with_freetext: (string)
Allows the caller to control whether the free_text property is present on the response. To include the property, supply any non-whitespace value for the parameter, e.g., ?with_freetext=1. To omit the property, simply omit this query parameter.
with_bpay: (string)
Allows the caller to control whether the bpay_biller_code and bpay_reference_number properties are present on the response. To include the property, supply any non-whitespace value for the parameter, e.g., ?with_bpay=1. To omit the property, simply omit this query parameter.
page_number: (string)
The page number to retrieve. Valid values are between 1 and X-TotalPages inclusive. (see response headers for more information)
page_size: (string)
The number of records to retrieve in each page. There may be an internal minimum and maximum for this value. The X-PageSize header on the response shows which page size was applied.

HTTP status code 200

Headers

X-PageSize: required (number)
The size of each page in the result set. May differ from the page_size in the query string if the size requested was smaller than the minimum or larger than the maximum.
X-TotalPages: required (number)
The total number of pages in the result set.
X-TotalItems: required (number)
The total number of records in the result set.

Body

Media type: application/vnd.eml+json

Type: array of AccountDetailsLite

Items: Account

balance: required (number)
The balance of the account.
card_number: required (string)
The masked credit card number
company_id: required (integer)
The company id
external_account_id: required (string)
The external reference id
plastic_expiry: required (datetime)
The plastic expiration date
product_type: required (one of reloadable, gift, loyalty)
status: required (one of active, pre_active, inactive, deactivated, lost_or_stolen, expired, suspected_fraud, closed, inactive_pin_tries_exceeded, eml_inactive, replaced)
The status of the account.
is_plastic_enabled: required (boolean)
The plastic_enabled flag. Either true or false.
first_transaction_occurred_at: (datetime)
The first time a transaction was made. These transactions can include any transactions, transfers or fee that effects the balance of the account.
last_transaction_occurred_at: (datetime)
The last time a transaction was made. These transactions can include any transactions, transfers or fee that effects the balance of the account.
account_id: required (string)
The External Account Id (EAID)
display_name: (string)
The client-supplied display name for the account. For salary packaging, this will include the employer name and benefit type.
account_expiry: required (datetime)
The account expiration date
name_on_card: (string)
The cardholder name engrossed on the physical card
is_compliant: (boolean)
account_type: required (one of proxy, ledger)
The type of account. Either a proxy card or a salary-packaging ledger (benefit).
bpay_biller_code: (string)
bpay_reference_number: (string)
direct_entry_bsb: (string)
direct_entry_account_number: (string)
personal: (object)
The registered personal information for the account holder.
- title: (string - maxLength: 50)
- first_name: required (string - maxLength: 50)
- middle_name: (string - maxLength: 50)
- last_name: required (string)
- primary_address: required (object)
  - address_line1: (string - maxLength: 50)
  - address_line2: (string - maxLength: 50)
  - address_line3: (string - maxLength: 50)
  - city: (string - maxLength: 50)
    City or suburb.
  - state: required (string - maxLength: 6)
  - country: required (string)
    ISO3166 Alpha-2 Country code Eg. Australia is AU
  - postcode: (string - maxLength: 30)
    Postcode in alphanumeric characters
- alternate_address: (object)
  - address_line1: (string - maxLength: 50)
  - address_line2: (string - maxLength: 50)
  - city: (string - maxLength: 50)
    City or suburb.
  - state: (string - maxLength: 6)
  - country: (string)
    ISO3166 Alpha-2 country code Eg. Australia is AU
  - postcode: (string - maxLength: 30)
    Postcode in alphanumeric characters
- sex: (string)
  Client gender; Must be either 'M' or 'F'
- mobile_number: (string - maxLength: 50)
  Mandatory if you'd like to reveal pin or tokenise a card.
- phone_number: (string - maxLength: 50)
- date_of_birth: required (datetime)
  The date is in ISO 8601 UTC format. For example: 2000-10-02T01:00:01Z
- email_address: (string)
  Client email address; Must be a valid email addresss. Mandatory if you'd like to reveal pin or tokenise a card.
- driver_licence_number: (string - maxLength: 30)
- passport: (object)
  Passport is not a required field however if you use passport all the associated passport fields marked as required must be used.
  - passport_number: required (string - maxLength: 10)
  - passport_expiry: required (datetime)
    Passport expiration date. Must be later than current date. The date is in ISO 8601 UTC format. For example: 2028-10-02T09:02:10Z
  - passport_issuing_country: required (string)
    ISO 3166 Alpha-3 country code Eg. Australia is AUS
free_text: (object)
The free text information for the account holder.
- free_text1: required (string)
- free_text2: required (string)
- free_text3: required (string)
- free_text4: required (string)
- free_text5: required (string)
- free_text6: required (string)
- free_text7: required (string)
- free_text8: required (string)
- free_int1: required (string)
- free_int2: required (string)
- free_dec1: required (string)
- free_dec2: required (string)
portal_identifier: (object)
The portal identifier associated with this account.
- client_id: required (string)
  The client id assigned to the account
- program_id: required (string)
  The program id assigned to the account
- cardholder_id: required (string)
  The cardholder id assigned to the account
mdes_config_id: (string)
A card specific Issuer Product Configuration ID for MasterCard Digital Enablement Service.
client_account_key: (string - maxLength: 255)
The client account key for salary packaging programs; valid characters are within the range of ASCII code 0x20 and 0x7E inclusive

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.

Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

Create a new account

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

Body

Media type: application/vnd.eml+json

Type: object

Properties

company_id: required (integer)
The company id in which the account will be created
initial_load_amount: required (number)
The amount to be loaded into the account. This value should be zero or more.
Integers can be expressed in decimal (base 10), hexadecimal (base 16), octal (base 8). We strong recommend using base 10 only.
Decimal integer literal consists of a sequence of digits without a leading 0 (zero).
Numbers with decimal point can only be expressed in base 10 format.
Leading 0 (zero) on an integer literal, or leading 0o (or 0O) indicates it is in octal. Octal integers can include only the digits 0-7.
Leading 0x (or 0X) indicates hexadecimal. Hexadecimal integers can include digits (0-9) and the letters a-f and A-F.
name_on_card: (string - minLength: 2 - maxLength: 19)
The card holder name to be printed on the physical card; valid characters include 0-9, A-Z, -, /, and .
client_account_key: (string - maxLength: 255)
The client account key for salary packaging programs; valid characters are within the range of ASCII code 0x20 and 0x7E inclusive
display_name: (string - maxLength: 100)
The display name for FBT card program
initiating_user_id: (string)
The user who initiated this request
is_plastic_enabled: (boolean)
The plastic enabled flag; the default value is true.
Plastic needs to be enabled to allow transactions with the physical card or online transactions using the Card details (Card Number, Expiry and CVV)
plastic_expiry: (datetime)
The plastic Expiry of the card. This field is only effective for card manufacturing batch with AllowCustomPlasticExpiry enabled.
The date is in ISO 8601 UTC format. For example: 2028-02-24T09:02:10Z
registration: required (object)
The client details including name, address and passport
- title: (string - maxLength: 50)
- first_name: required (string - maxLength: 50)
- middle_name: (string - maxLength: 50)
- last_name: required (string)
- primary_address: required (object)
  - address_line1: (string - maxLength: 50)
  - address_line2: (string - maxLength: 50)
  - address_line3: (string - maxLength: 50)
  - city: (string - maxLength: 50)
    City or suburb.
  - state: required (string - maxLength: 6)
  - country: required (string)
    ISO3166 Alpha-2 Country code Eg. Australia is AU
  - postcode: (string - maxLength: 30)
    Postcode in alphanumeric characters
- alternate_address: (object)
  - address_line1: (string - maxLength: 50)
  - address_line2: (string - maxLength: 50)
  - city: (string - maxLength: 50)
    City or suburb.
  - state: (string - maxLength: 6)
  - country: (string)
    ISO3166 Alpha-2 country code Eg. Australia is AU
  - postcode: (string - maxLength: 30)
    Postcode in alphanumeric characters
- sex: (string)
  Client gender; Must be either 'M' or 'F'
- mobile_number: (string - maxLength: 50)
  Mandatory if you'd like to reveal pin or tokenise a card.
- phone_number: (string - maxLength: 50)
- date_of_birth: required (datetime)
  The date is in ISO 8601 UTC format. For example: 2000-10-02T01:00:01Z
- email_address: (string)
  Client email address; Must be a valid email addresss. Mandatory if you'd like to reveal pin or tokenise a card.
- driver_licence_number: (string - maxLength: 30)
- passport: (object)
  Passport is not a required field however if you use passport all the associated passport fields marked as required must be used.
  - passport_number: required (string - maxLength: 10)
  - passport_expiry: required (datetime)
    Passport expiration date. Must be later than current date. The date is in ISO 8601 UTC format. For example: 2028-10-02T09:02:10Z
  - passport_issuing_country: required (string)
    ISO 3166 Alpha-3 country code Eg. Australia is AUS
portal_identifier: (object)
The portal identifier associated with this account. This identifier in conjunction with The Card Management Portal (CMP). This is not a required field however if you use it all the associated fields marked as required must be used.
- client_id: required (string)
  The client id assigned to the account
- program_id: required (string)
  The program id assigned to the account
- cardholder_id: required (string)
  The cardholder id assigned to the account
mdes_config_id: (string - maxLength: 10)
A card specific Issuer Product Configuration ID for MasterCard Digital Enablement Service (Ie. Apple/Google/Samsung Pay).
account_expiry: (datetime)
The Account Expiry of the card. Used on gift cards to set an expiration date on a card that differs from the plastic expiry.
The date is in ISO 8601 UTC format. For example: 2029-08-02T09:02:10Z
corresponding_account_id: (string)
The External Account Id (EAID) of an account for a card that that you are replacing with a new card. For example, the old card is expiring, or has been reported lost or stolen.
You must provide the corresponding_account_id of the old card if your cardholders use the Card Activation Portal to activate their new card. In this case, the status of the account for the old card will be set to Closed when the new card is activated. Note that the Card Activation Portal will not be able to close the account if it has a positive or negative balance. You will need a separate process to transfer funds before closing the card.
NOTE: if you are replacing a card with status Lost or Stolen then you must provide the EAID of the old card in the account_id_to_replace field.
card_holder_type: (integer)
Type of card holder. 1 for Primary, 2 for Secondary.
request_type: (one of new, replace)
Option of selecting what kind of request this is. Default value is new.
account_id_to_replace: (string)
The External Account Id (EAID) of the account for which replacement card is to be created. For replacement to be successful, the status of this account must be Lost or Stolen. This field is required if request_type is replace.

Example:

{
  "company_id": 123456,
  "initial_load_amount": 10,
  "registration": {
    "first_name": "test",
    "last_name": "user",
    "email_address": "[email protected]",
    "primary_address": {
      "address_line1": "test address",
      "country": "AU",
      "state": "QLD"
    },
    "passport": {
      "passport_issuing_country": "AUS",
      "passport_expiry": "2028-10-31T01:00:00Z",
      "passport_number": "abc"
    },
    "sex": "M",
    "date_of_birth": "2000-10-01T01:00:01Z"
  },
  "initiating_user_id": "testuser",
  "corresponding_account_id": "accountId",
  "card_holder_type": 0,
  "request_type": "new", // This value can either be new or replace, default is new
  "account_id_to_replace": "A1BC23D41" // Only required when replacing a card
}

HTTP status code 201

The operation was successful, and the account was created successfully

Body

Media type: application/vnd.eml+json

Type: object

Properties

balance: required (number)
The balance of the account.
card_number: required (string)
The masked credit card number
company_id: required (integer)
The company id
external_account_id: required (string)
The external reference id
plastic_expiry: required (datetime)
The plastic expiration date
product_type: required (one of reloadable, gift, loyalty)
status: required (one of active, pre_active, inactive, deactivated, lost_or_stolen, expired, suspected_fraud, closed, inactive_pin_tries_exceeded, eml_inactive, replaced)
The status of the account.
is_plastic_enabled: required (boolean)
The plastic_enabled flag. Either true or false.
first_transaction_occurred_at: (datetime)
The first time a transaction was made. These transactions can include any transactions, transfers or fee that effects the balance of the account.
last_transaction_occurred_at: (datetime)
The last time a transaction was made. These transactions can include any transactions, transfers or fee that effects the balance of the account.

HTTP status code 404

The supplied account_id was invalid or could not be found.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.

Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/accounts/company/{companyid} get

get

Gets accounts within a Company based on search parameters

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

URI Parameters

companyid: required (string)

Query Parameters

client_id: (string)
The client id assigned to the account.
program_id: (string)
The program id assigned to the account.
status: (string)
The status of the account.
first_name: (string)
The account holders first name.
last_name: (string)
The account holders last name.
mobile: (string)
The account holders mobile number.
with_personal: (string)
Allows the caller to control whether the personal property is present on the response. To include the property, supply any non-whitespace value for the parameter, e.g., ?with_personal=1. To omit the property, simply omit this query parameter.
page_number: (string)
The page number to retrieve. Valid values are between 1 and {{X-TotalPages}}inclusive. (see response headers for more information)
page_size: (string)
The number of records to retrieve in each page. There may be an internal minimum and maximum for this value. The X-PageSize header on the response shows which page size was applied.

HTTP status code 200

Body

Media type: application/vnd.eml+json

Type: object

Properties

balance: required (number)
The balance of the account.
card_number: required (string)
The masked credit card number
company_id: required (integer)
The company id
external_account_id: required (string)
The external reference id
plastic_expiry: required (datetime)
The plastic expiration date
product_type: required (one of reloadable, gift, loyalty)
status: required (one of active, pre_active, inactive, deactivated, lost_or_stolen, expired, suspected_fraud, closed, inactive_pin_tries_exceeded, eml_inactive, replaced)
The status of the account.
is_plastic_enabled: required (boolean)
The plastic_enabled flag. Either true or false.
first_transaction_occurred_at: (datetime)
The first time a transaction was made. These transactions can include any transactions, transfers or fee that effects the balance of the account.
last_transaction_occurred_at: (datetime)
The last time a transaction was made. These transactions can include any transactions, transfers or fee that effects the balance of the account.
account_id: required (string)
The External Account Id (EAID)
display_name: (string)
The client-supplied display name for the account. For salary packaging, this will include the employer name and benefit type.
account_expiry: required (datetime)
The account expiration date
name_on_card: (string)
The cardholder name engrossed on the physical card
is_compliant: (boolean)
account_type: required (one of proxy, ledger)
The type of account. Either a proxy card or a salary-packaging ledger (benefit).
bpay_biller_code: (string)
bpay_reference_number: (string)
direct_entry_bsb: (string)
direct_entry_account_number: (string)
personal: (object)
The registered personal information for the account holder.
- title: (string - maxLength: 50)
- first_name: required (string - maxLength: 50)
- middle_name: (string - maxLength: 50)
- last_name: required (string)
- primary_address: required (object)
  - address_line1: (string - maxLength: 50)
  - address_line2: (string - maxLength: 50)
  - address_line3: (string - maxLength: 50)
  - city: (string - maxLength: 50)
    City or suburb.
  - state: required (string - maxLength: 6)
  - country: required (string)
    ISO3166 Alpha-2 Country code Eg. Australia is AU
  - postcode: (string - maxLength: 30)
    Postcode in alphanumeric characters
- alternate_address: (object)
  - address_line1: (string - maxLength: 50)
  - address_line2: (string - maxLength: 50)
  - city: (string - maxLength: 50)
    City or suburb.
  - state: (string - maxLength: 6)
  - country: (string)
    ISO3166 Alpha-2 country code Eg. Australia is AU
  - postcode: (string - maxLength: 30)
    Postcode in alphanumeric characters
- sex: (string)
  Client gender; Must be either 'M' or 'F'
- mobile_number: (string - maxLength: 50)
  Mandatory if you'd like to reveal pin or tokenise a card.
- phone_number: (string - maxLength: 50)
- date_of_birth: required (datetime)
  The date is in ISO 8601 UTC format. For example: 2000-10-02T01:00:01Z
- email_address: (string)
  Client email address; Must be a valid email addresss. Mandatory if you'd like to reveal pin or tokenise a card.
- driver_licence_number: (string - maxLength: 30)
- passport: (object)
  Passport is not a required field however if you use passport all the associated passport fields marked as required must be used.
  - passport_number: required (string - maxLength: 10)
  - passport_expiry: required (datetime)
    Passport expiration date. Must be later than current date. The date is in ISO 8601 UTC format. For example: 2028-10-02T09:02:10Z
  - passport_issuing_country: required (string)
    ISO 3166 Alpha-3 country code Eg. Australia is AUS
free_text: (object)
The free text information for the account holder.
- free_text1: required (string)
- free_text2: required (string)
- free_text3: required (string)
- free_text4: required (string)
- free_text5: required (string)
- free_text6: required (string)
- free_text7: required (string)
- free_text8: required (string)
- free_int1: required (string)
- free_int2: required (string)
- free_dec1: required (string)
- free_dec2: required (string)
portal_identifier: (object)
The portal identifier associated with this account.
- client_id: required (string)
  The client id assigned to the account
- program_id: required (string)
  The program id assigned to the account
- cardholder_id: required (string)
  The cardholder id assigned to the account
mdes_config_id: (string)
A card specific Issuer Product Configuration ID for MasterCard Digital Enablement Service.
client_account_key: (string - maxLength: 255)
The client account key for salary packaging programs; valid characters are within the range of ASCII code 0x20 and 0x7E inclusive

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/accounts/{id} get put

get

Get the details of the account

put

Update account details

Get the details of the account

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

URI Parameters

id: required (string)
The External Account Id (EAID) of the account.

Query Parameters

with_personal: (string)
Allows the caller to control whether the personal property is present on the response. To include the property, supply any non-whitespace value for the parameter, e.g., ?with_personal=1. To omit the property, simply omit this query parameter.
with_directentry: (string)
Allows the caller to control whether the direct_entry_bsb and direct_entry_account_number properties are present on the response. To include the property, supply any non-whitespace value for the parameter, e.g., ?with_directentry=1. To omit the property, simply omit this query parameter.
with_freetext: (string)
Allows the caller to control whether the free_text property is present on the response. To include the property, supply any non-whitespace value for the parameter, e.g., ?with_freetext=1. To omit the property, simply omit this query parameter.
with_bpay: (string)
Allows the caller to control whether the bpay_biller_code and bpay_reference_number properties are present on the response. To include the property, supply any non-whitespace value for the parameter, e.g., ?with_bpay=1. To omit the property, simply omit this query parameter.
with_tokeninfo: (string)
Allows the caller to control whether the mdes_config_id property is present on the response. To include the property, supply any non-whitespace value for the parameter, e.g., ?with_tokeninfo=1. To omit the property, simply omit this query parameter.
with_correspondingaccountid: (string)
Allows the caller to control whether the corresponding_account_id property is present on the response. To include the property, supply any non-whitespace value for the parameter, e.g., ?with_correspondingaccountid=1. To omit the property, simply omit this query parameter.
with_cardholdertype: (string)
Allows the caller to control whether the card_holder_type property is present on the response. To include the property, supply any non-whitespace value for the parameter, e.g., ?with_cardholdertype=1. To omit the property, simply omit this query parameter.

HTTP status code 200

Body

Media type: application/vnd.eml+json

Type: object

Properties

balance: required (number)
The balance of the account.
card_number: required (string)
The masked credit card number
company_id: required (integer)
The company id
external_account_id: required (string)
The external reference id
plastic_expiry: required (datetime)
The plastic expiration date
product_type: required (one of reloadable, gift, loyalty)
status: required (one of active, pre_active, inactive, deactivated, lost_or_stolen, expired, suspected_fraud, closed, inactive_pin_tries_exceeded, eml_inactive, replaced)
The status of the account.
is_plastic_enabled: required (boolean)
The plastic_enabled flag. Either true or false.
first_transaction_occurred_at: (datetime)
The first time a transaction was made. These transactions can include any transactions, transfers or fee that effects the balance of the account.
last_transaction_occurred_at: (datetime)
The last time a transaction was made. These transactions can include any transactions, transfers or fee that effects the balance of the account.
account_id: required (string)
The External Account Id (EAID)
display_name: (string)
The client-supplied display name for the account. For salary packaging, this will include the employer name and benefit type.
account_expiry: required (datetime)
The account expiration date
name_on_card: (string)
The cardholder name engrossed on the physical card
is_compliant: (boolean)
account_type: required (one of proxy, ledger)
The type of account. Either a proxy card or a salary-packaging ledger (benefit).
bpay_biller_code: (string)
bpay_reference_number: (string)
direct_entry_bsb: (string)
direct_entry_account_number: (string)
personal: (object)
The registered personal information for the account holder.
- title: (string - maxLength: 50)
- first_name: required (string - maxLength: 50)
- middle_name: (string - maxLength: 50)
- last_name: required (string)
- primary_address: required (object)
  - address_line1: (string - maxLength: 50)
  - address_line2: (string - maxLength: 50)
  - address_line3: (string - maxLength: 50)
  - city: (string - maxLength: 50)
    City or suburb.
  - state: required (string - maxLength: 6)
  - country: required (string)
    ISO3166 Alpha-2 Country code Eg. Australia is AU
  - postcode: (string - maxLength: 30)
    Postcode in alphanumeric characters
- alternate_address: (object)
  - address_line1: (string - maxLength: 50)
  - address_line2: (string - maxLength: 50)
  - city: (string - maxLength: 50)
    City or suburb.
  - state: (string - maxLength: 6)
  - country: (string)
    ISO3166 Alpha-2 country code Eg. Australia is AU
  - postcode: (string - maxLength: 30)
    Postcode in alphanumeric characters
- sex: (string)
  Client gender; Must be either 'M' or 'F'
- mobile_number: (string - maxLength: 50)
  Mandatory if you'd like to reveal pin or tokenise a card.
- phone_number: (string - maxLength: 50)
- date_of_birth: required (datetime)
  The date is in ISO 8601 UTC format. For example: 2000-10-02T01:00:01Z
- email_address: (string)
  Client email address; Must be a valid email addresss. Mandatory if you'd like to reveal pin or tokenise a card.
- driver_licence_number: (string - maxLength: 30)
- passport: (object)
  Passport is not a required field however if you use passport all the associated passport fields marked as required must be used.
  - passport_number: required (string - maxLength: 10)
  - passport_expiry: required (datetime)
    Passport expiration date. Must be later than current date. The date is in ISO 8601 UTC format. For example: 2028-10-02T09:02:10Z
  - passport_issuing_country: required (string)
    ISO 3166 Alpha-3 country code Eg. Australia is AUS
free_text: (object)
The free text information for the account holder.
- free_text1: required (string)
- free_text2: required (string)
- free_text3: required (string)
- free_text4: required (string)
- free_text5: required (string)
- free_text6: required (string)
- free_text7: required (string)
- free_text8: required (string)
- free_int1: required (string)
- free_int2: required (string)
- free_dec1: required (string)
- free_dec2: required (string)
portal_identifier: (object)
The portal identifier associated with this account.
- client_id: required (string)
  The client id assigned to the account
- program_id: required (string)
  The program id assigned to the account
- cardholder_id: required (string)
  The cardholder id assigned to the account
mdes_config_id: (string)
A card specific Issuer Product Configuration ID for MasterCard Digital Enablement Service.
client_account_key: (string - maxLength: 255)
The client account key for salary packaging programs; valid characters are within the range of ASCII code 0x20 and 0x7E inclusive
corresponding_account_id: (string)
The External Account Id (EAID) of an account for a card that that you are replacing with a new card. For example, the old card is expiring, or has been reported lost or stolen.
You must provide the corresponding_account_id of the old card if your cardholders use the Card Activation Portal to activate their new card. In this case, the status of the account for the old card will be set to Closed when the new card is activated. Note that the Card Activation Portal will not be able to close the account if it has a positive or negative balance. You will need a separate process to transfer funds before closing the card.
NOTE: if you are replacing a card with status Lost or Stolen then you must provide the EAID of the old card in the account_id_to_replace field.
card_holder_type: (integer)
Type of card holder. 1 for Primary, 2 for Secondary.
card_network: required (one of Mastercard, Visa, Eftpos)
The Card Network of the card, we support Mastercard, Visa and EftPos.

HTTP status code 404

The supplied account_id was invalid or could not be found.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.

Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

Update account details

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

URI Parameters

id: required (string)
The External Account Id (EAID) of the account.

Body

Media type: application/vnd.eml+json

Type: object

Properties

client_account_key: (string - maxLength: 255)
The client account key for salary packaging programs; valid characters are within the range of ASCII code 0x20 and 0x7E inclusive
display_name: (string - maxLength: 100)
The display name for FBT card program
initiating_user_id: (string)
The user who initiated this request
registration: required (object)
The client details including name, address and passport
- title: (string - maxLength: 50)
- first_name: required (string - maxLength: 50)
- middle_name: (string - maxLength: 50)
- last_name: required (string)
- primary_address: required (object)
  - address_line1: (string - maxLength: 50)
  - address_line2: (string - maxLength: 50)
  - address_line3: (string - maxLength: 50)
  - city: (string - maxLength: 50)
    City or suburb.
  - state: required (string - maxLength: 6)
  - country: required (string)
    ISO3166 Alpha-2 Country code Eg. Australia is AU
  - postcode: (string - maxLength: 30)
    Postcode in alphanumeric characters
- alternate_address: (object)
  - address_line1: (string - maxLength: 50)
  - address_line2: (string - maxLength: 50)
  - city: (string - maxLength: 50)
    City or suburb.
  - state: (string - maxLength: 6)
  - country: (string)
    ISO3166 Alpha-2 country code Eg. Australia is AU
  - postcode: (string - maxLength: 30)
    Postcode in alphanumeric characters
- sex: (string)
  Client gender; Must be either 'M' or 'F'
- mobile_number: (string - maxLength: 50)
  Mandatory if you'd like to reveal pin or tokenise a card.
- phone_number: (string - maxLength: 50)
- date_of_birth: required (datetime)
  The date is in ISO 8601 UTC format. For example: 2000-10-02T01:00:01Z
- email_address: (string)
  Client email address; Must be a valid email addresss. Mandatory if you'd like to reveal pin or tokenise a card.
- driver_licence_number: (string - maxLength: 30)
- passport: (object)
  Passport is not a required field however if you use passport all the associated passport fields marked as required must be used.
  - passport_number: required (string - maxLength: 10)
  - passport_expiry: required (datetime)
    Passport expiration date. Must be later than current date. The date is in ISO 8601 UTC format. For example: 2028-10-02T09:02:10Z
  - passport_issuing_country: required (string)
    ISO 3166 Alpha-3 country code Eg. Australia is AUS
portal_identifier: (object)
The portal identifier associated with this account.
- client_id: required (string)
  The client id assigned to the account
- program_id: required (string)
  The program id assigned to the account
- cardholder_id: required (string)
  The cardholder id assigned to the account
mdes_config_id: (string - minLength: 1 - maxLength: 10)
A card specific Issuer Product Configuration ID for MasterCard Digital Enablement Service.
account_expiry: (datetime)
The Account Expiry of the card. The date is in ISO 8601 UTC format. For example: 2029-08-02T09:02:10Z

Example:

{
  "display_name": "test user",
  "client_account_key": "client account 1",
  "registration": {
    "first_name": "test",
    "last_name": "user",
    "email_address": "[email protected]",
    "primary_address": {
      "address_line1": "test address",
      "country": "AU",
      "state": "QLD"
    },
    "passport": {
      "passport_issuing_country": "AUS",
      "passport_expiry": "2028-10-31T01:00:00Z",
      "passport_number": "abc"
    },
    "sex": "M",
    "date_of_birth": "2000-10-01T01:00:01Z"
  },
  "initiating_user_id": "testuser"
}

HTTP status code 200

The operation was successful, and the account was updated successfully

HTTP status code 404

The supplied account_id was invalid or could not be found.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support. Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/accounts/{id}/transactions get

get

Get transaction history for the account.
The following limits apply on this endpoint based on of account volume, you may call multiple times to get transaction for period you need.
- Account has more than 5 Million transactions per months then can query for 1 day per request
- Account has more than 1 Million transactions less than 5 millions per months then can query for 3 days per request
- Account has less than 1 Million transactions per month can query up to 180 days per request
The configuration based on account volume average over the last 3 months.

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

URI Parameters

id: required (string)
The External Account Id (EAID) of the account.

Query Parameters

start_date: (datetime)
Return transactions not before the specified date. The date is in ISO 8601 UTC format. For example: 2018-02-24T09:02:10Z. If no start_date is sent, then it will be set as today - 90 days.
end_date: (datetime)
Return transactions no later than the specified date. The date is in ISO 8601 UTC format. For example: 2018-02-24T09:02:10Z. If no end_date is sent, then it will be set as today.
view_type: (one of default, simplified )
Defines the type of view to return. When missing, it defaults to 'default'.
page_number: (string)
The page number to retrieve. When missing it will default to a page_number 1. Valid values are between 1 and X-TotalPages inclusive. (see response headers for more information)
page_size: (string)
The number of records to retrieve in each page. When missing it will default to a page_size of 10. There may be an internal minimum and maximum for this value. The X-PageSize header on the response shows which page size was applied.
exclude_transaction_types: (string)
Comma-separated list of transaction types to exclude from the results. For example 1700,1702,1703,1704,1115,1117,3003,3120

HTTP status code 200

The operation was successful, and the transaction history items are presented in the response.

Headers

X-PageSize: required (number)
The size of each page in the result set. May differ from the page_size in the query string if the size requested was smaller than the minimum or larger than the maximum.
X-TotalPages: required (number)
The total number of pages in the result set. To reduce the time taken to generate responses for this request, this header will only be calculated on page 1. Any subsequent queries will return 0 as the value
X-TotalItems: required (number)
The total number of records in the result set. To reduce the time taken to generate responses for this request, this header will only be calculated on page 1. Any subsequent queries will return 0 as the value

Body

Media type: application/vnd.eml+json

Type: array of object

Items: TransactionHistoryItem

id: required (string)
The identifier of this transaction.
parent_id: required (string)
The identifier of the parent transaction, if applicable.
type: required (string)
The four digit transaction type code for this transaction.
type_description: required (string)
The transaction type description.
account_id: required (string)
The external account id (EAID) for the account which performed this transaction.
occurred_at: required (string)
The date/time of the transaction in ISO 8601 format. Expect the timezone to be in UTC.
amount: required (number)
The base value of the transaction. Generally, the amount which was charged at POS or was withdrawn from an ATM.
amount_currency: required (string)
The ISO 4217 alphabetic code of the currency of the transaction amount. Currently only AUD.
fee_amount: required (number)
The value of any fees which were applied to this transaction.
fee_amount_currency: required (string)
The ISO 4217 alphabetic code of the currency of the fee amount. Currently only AUD.
running_balance_amount: required (number)
The running balance of the account as a result of this transaction.
running_balance_amount_currency: required (string)
The ISO 4217 alphabetic code of the currency of the running balance amount. Currently only AUD.
merchant_category_code: required (string)
The ISO 18245 four digit code identifying the category of the merchant.
acquirer_id: required (string)
The acquirer identifier for this transaction.
card_acceptor_id: required (string)
The card acceptor (merchant) identifier for this transaction.
card_acceptor_location: required (string)
The card acceptor (merchant) name and location for this transaction.
terminal_id: required (string)
The terminal identifier for this transaction.
reference: required (string)
The reference data of this transaction.

HTTP status code 400

The Account is considered as a big account, limit the search to 3 days gap.
or
The Account is considered as a very big account, limit the search to 1 day gap.
or
StartDate should be earlier than EndDate.
or
Invalid pageNumber or pageSize.

Possible responses:

"error": "The account (xxxxxxxx) is considered a very big account, limit the search to 1 day(s) gap",
"error_reference": "08e7d6f403674c3ca09a6d5d323cffe5"

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 404

The supplied account_id was invalid or could not be found.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.

Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/accounts/{id}/transactions/discount get

get

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

URI Parameters

id: required (string)
The External Account Id (EAID) of the account.

Query Parameters

start_date: (datetime)
Return transactions not before the specified date. The date is in ISO 8601 UTC format. For example: 2018-02-24T09:02:10Z. If no start_date is sent, then it will be set as today -90 days.
end_date: (datetime)
Return transactions no later than the specified date. The date is in ISO 8601 UTC format. For example: 2018-02-24T09:02:10Z. If no end_date is sent, then it will be set as today.
view_type: (one of default, simplified )
Defines the type of view to return. When missing, it defaults to 'default'.
exclude_transaction_types: (string)
Comma-separated list of transaction types to exclude from the results. For example 1700,1702,1703,1704,1115,1117,3003,3120
page_number: (string)
The page number to retrieve. When missing it will default to a page_number 1. Valid values are between 1 and X-TotalPages inclusive. (see response headers for more information)
page_size: (string)
The number of records to retrieve in each page. When missing it will default to a page_size of 10. There may be an internal minimum and maximum for this value. The X-PageSize header on the response shows which page size was applied.

HTTP status code 200

The operation was successful, and the transaction history items are presented in the response.

Headers

X-PageSize: required (number)
The size of each page in the result set. May differ from the page_size in the query string if the size requested was smaller than the minimum or larger than the maximum.
X-TotalPages: required (number)
The total number of pages in the result set. To reduce the time taken to generate responses for this request, this header will only be calculated on page 1. Any subsequent queries will return 0 as the value
X-TotalItems: required (number)
The total number of records in the result set. To reduce the time taken to generate responses for this request, this header will only be calculated on page 1. Any subsequent queries will return 0 as the value

Body

Media type: application/vnd.eml+json

Type: array of object

Items: TransactionHistoryDiscount

id: required (string)
The identifier of this transaction.
parent_id: required (string)
The identifier of the parent transaction, if applicable.
type: required (string)
The four digit transaction type code for this transaction.
type_description: required (string)
The transaction type description.
account_id: required (string)
The external account id (EAID) for the account which performed this transaction.
occurred_at: required (string)
The date/time of the transaction in ISO 8601 format. Expect the timezone to be in UTC.
amount: required (number)
The base value of the transaction. Generally, the amount which was charged at POS or was withdrawn from an ATM.
amount_currency: required (string)
The ISO 4217 alphabetic code of the currency of the transaction amount. Currently only AUD.
fee_amount: required (number)
The value of any fees which were applied to this transaction.
fee_amount_currency: required (string)
The ISO 4217 alphabetic code of the currency of the fee amount. Currently only AUD.
running_balance_amount: required (number)
The running balance of the account as a result of this transaction.
running_balance_amount_currency: required (string)
The ISO 4217 alphabetic code of the currency of the running balance amount. Currently only AUD.
merchant_category_code: required (string)
The ISO 18245 four digit code identifying the category of the merchant.
acquirer_id: required (string)
The acquirer identifier for this transaction.
card_acceptor_id: required (string)
The card acceptor (merchant) identifier for this transaction.
card_acceptor_location: required (string)
The card acceptor (merchant) name and location for this transaction.
terminal_id: required (string)
The terminal identifier for this transaction.
reference: required (string)
The reference data of this transaction.
discount_amount: required (number)
The discount amount. Currently only AUD.

HTTP status code 400

Possible responses:

"error": "The account (xxxxxxxx) is considered a very big account, limit the search to 1 day(s) gap",
"error_reference": "08e7d6f403674c3ca09a6d5d323cffe5"

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 404

The supplied account_id was invalid or could not be found.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.

Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/accounts/{id}/status get put

get

Retrieve basic details of the account including Status and Balance

put

Updates the status of the account - Active, Inactive, Lost_Stolen or Closed

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

URI Parameters

id: required (string)
The External Account Id (EAID) of the account.

Body

Media type: application/vnd.eml+json

Type: object

Properties

status: required (one of active, inactive, lost_or_stolen, closed)
If an account is in the following status's it can only be changed by EML staff
suspected_fraud (can be set to closed via api), eml_inactive (can be set to closed via api), expired, closed

Example:

{
  "status": "active"
}

HTTP status code 200

The operation was successful, and the account status has been updated. The following status codes are available:

active, pre_active, inactive, lost_or_stolen, inactive_pin_tries_exceeded

HTTP status code 404

The supplied account_id was invalid or could not be found.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.

Possible error codes:

server_error

Following status's can only be set by EML:

deactivated, suspected_fraud, expired, eml_inactive

If an account is closed it can only be activated again by EML:

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/accounts/{id}/velocity get put

get

get card velocities

put

Updates card velocities

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

URI Parameters

id: required (string)
The External Account Id (EAID) of the account.

Body

Media type: application/vnd.eml+json

Type: object

Properties

card_velocities: required (array of CardVelocity)
Items: CardVelocity
- velocity_type: required (one of max_balance, max_pos_credit_per_day, max_debit_per_day, max_pos_credit_count_per_day, max_debit_count_per_day, max_atm_debit_count_per_day, max_transfer_from, max_transfer_to, max_atm_debit, max_pos_debit, max_transfer_from_count_per_day, max_transfer_to_count_per_day, max_atm_debit_per_day, max_pos_debit_per_day)
- multiplier: required (one of one, zero, half, none, double, triple, times5, times10)
  The multiplier applied to the base company velocity setting. For example: the effective max_balance is 5,000 if company max_balance is 10,000 and card velocity multiplier is half.

Example:

{
  "card_velocities": [
      {
          "velocity_type": "max_balance",
          "multiplier": "half"
      },
      {
          "velocity_type": "max_pos_credit_per_day",
          "multiplier": "double"
      },
      {
          "velocity_type": "max_debit_per_day",
          "multiplier": "one"
      },
      {
          "velocity_type": "max_pos_credit_count_per_day",
          "multiplier": "one"
      },
      {
          "velocity_type": "max_debit_count_per_day",
          "multiplier": "one"
      },
      {
          "velocity_type": "max_atm_debit_count_per_day",
          "multiplier": "one"
      },
      {
          "velocity_type": "max_transfer_from",
          "multiplier": "one"
      },
      {
          "velocity_type": "max_transfer_to",
          "multiplier": "one"
      },
      {
          "velocity_type": "max_atm_debit",
          "multiplier": "one"
      },
      {
          "velocity_type": "max_pos_debit",
          "multiplier": "one"
      },
      {
          "velocity_type": "max_transfer_from_count_per_day",
          "multiplier": "one"
      },
      {
          "velocity_type": "max_transfer_to_count_per_day",
          "multiplier": "one"
      },
      {
          "velocity_type": "max_atm_debit_per_day",
          "multiplier": "one"
      },
      {
          "velocity_type": "max_pos_debit_per_day",
          "multiplier": "one"
      },
      {
          "velocity_type": "max_de_in_amount",
          "multiplier": "one"
      },
      {
          "velocity_type": "max_de_in_count_per_day",
          "multiplier": "one"
      },
      {
          "velocity_type": "max_de_out_amount",
          "multiplier": "one"
      },
      {
          "velocity_type": "max_de_out_count_per_day",
          "multiplier": "one"
      }
  ]
}

HTTP status code 200

The operation was successful, and the card velocities have been updated.

HTTP status code 403

The user is not authorised to the specified company

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.

Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/accounts/{id}/directentryout post

post

Perform Direct Entry Out transfer

/accounts/{id}/transfer post

post

Perform Card to card transfer

/accounts/{id}/plastic put

put

Updates the Plastic Enabled flag of the account

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

URI Parameters

id: required (string)
The External Account Id (EAID) of the account.

Body

Media type: application/vnd.eml+json

Type: object

Properties

plastic_enabled: required (boolean)
initiating_user_id: (string)

Example:

{
"initiating_user_id":"test user",
"plastic_enabled": false
}

HTTP status code 200

The operation was successful, and the Plastic Enabled flag has been updated.

HTTP status code 404

The supplied account_id was invalid or could not be found.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.

Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/accounts/{id}/wallet/{provider} post

post

Get Samsung, Google and Apple pay Wallet Data for account. (for use by SDK)

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

URI Parameters

id: required (string)
The External Account Id (EAID) of the account.
provider: required (string)
The Wallet Provider. Supported providers include Samsung, Google and Apple.

Body

Media type: application/vnd.eml+json

Type: object

Properties

token_unique_reference: (string)
initiating_user_id: (string)
client_wallet_account_id Beta: (string)
Client-provided consumer ID that identifies the Wallet Account Holder entity. It must match the value TWP will send in the token provision request
client_device_id Beta: (string)
Stable device identification set by Wallet Provider. Could be computer identifier or ID tied to hardware such as TEE_ID or SE_ID. It must match the clientDeviceID TWP will send in token provision request.
nonce: (string)
Nonce field for ApplePay. Required only for ApplePay, ignored for other wallet types.
nonce_signature: (string)
NonceSignature field for ApplePay. Required only for ApplePay, ignored for other wallet types.
certificates: (array of string)
Certificates field for ApplePay. Required only for ApplePay, ignored for other wallet types.

HTTP status code 200

The operation was successful.

Body

Media type: application/vnd.eml+json

Type: object

Properties

pan_last_four: required (string)
provider: required (one of mastercard, visa)
pruduct_type: required (one of reloadable, gift, loyalty)
registration: required (object)
- title: (string - maxLength: 50)
- first_name: required (string - maxLength: 50)
- middle_name: (string - maxLength: 50)
- last_name: required (string)
- primary_address: required (object)
  - address_line1: (string - maxLength: 50)
  - address_line2: (string - maxLength: 50)
  - address_line3: (string - maxLength: 50)
  - city: (string - maxLength: 50)
    City or suburb.
  - state: required (string - maxLength: 6)
  - country: required (string)
    ISO3166 Alpha-2 Country code Eg. Australia is AU
  - postcode: (string - maxLength: 30)
    Postcode in alphanumeric characters
- alternate_address: (object)
  - address_line1: (string - maxLength: 50)
  - address_line2: (string - maxLength: 50)
  - city: (string - maxLength: 50)
    City or suburb.
  - state: (string - maxLength: 6)
  - country: (string)
    ISO3166 Alpha-2 country code Eg. Australia is AU
  - postcode: (string - maxLength: 30)
    Postcode in alphanumeric characters
- sex: (string)
  Client gender; Must be either 'M' or 'F'
- mobile_number: (string - maxLength: 50)
  Mandatory if you'd like to reveal pin or tokenise a card.
- phone_number: (string - maxLength: 50)
- date_of_birth: required (datetime)
  The date is in ISO 8601 UTC format. For example: 2000-10-02T01:00:01Z
- email_address: (string)
  Client email address; Must be a valid email addresss. Mandatory if you'd like to reveal pin or tokenise a card.
- driver_licence_number: (string - maxLength: 30)
- passport: (object)
  Passport is not a required field however if you use passport all the associated passport fields marked as required must be used.
  - passport_number: required (string - maxLength: 10)
  - passport_expiry: required (datetime)
    Passport expiration date. Must be later than current date. The date is in ISO 8601 UTC format. For example: 2028-10-02T09:02:10Z
  - passport_issuing_country: required (string)
    ISO 3166 Alpha-3 country code Eg. Australia is AUS
issuer_initiated_digitization_data: required (string)
Mastercard issuerInitiatedDigitizationData. Required for Samsung and Google Pay
activation_data: required (string)
ApplePay ActivationData. Required for ApplePay
encrypted_pass_data: required (string)
ApplePay EncryptedPassData. Required for ApplePay
ephemeral_public_key: required (string)
ApplePay EphemeralPublicKey. Required for ApplePay

HTTP status code 404

The supplied provider was invalid or input parameters validation error.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.

Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/accounts/{id}/tokens get

get

Get all moble wallet tokens associated with the account

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

URI Parameters

id: required (string)
The External Account Id (EAID) of the account.

HTTP status code 200

Body

Media type: application/vnd.eml+json

Type: array of object

Items: WalletToken

storage_technology: required (one of unknown, device_memory, device_memory_protected_by_tpm, server, trusted_execution_environment, secure_element, virtual_execution_environment)
The architecture or technology used for token storage.
device: required (object)
Device type defined by Mastercard.
- device_id: (string)
  Serial number of the device provisioned with the token. May be masked.
- device_name: (string)
  Nickname of the device provisioned with the token.
- secure_element_id: (string)
  Identifier of the secure element provisioned with the token.
- device_type: (one of unknown, watch1, smartphone_with_fixed_secure_element, tablet_or_ereader_with_fixed_secure_element, smartphone_with_payment_app_in_host_processor, tablet_or_ereader_with_payment_app_in_tee, watch_with_payment_app_in_tee, watch_with_payment_app_in_host_processor, phone, tablet, watch2, sticker, personal_computer, device_peripheral, tag, jewelry, fashion_accessory, garment, domestic_appliance, vehicle, media_or_gaming_device, undefined)
  Type of the device provisioned with the token.
last_comment_id: required (string)
Identifier of the last comment associated with the token.
token_type: required (one of unknown, embedded_secure_element_token, master_card_cloud_based_payments_token, cof_token)
payment_app_instance_id: (string)
Identifier of the Payment App instance within a device that will be provisioned with a token.
wallet_id: (string)
Identifier of the Wallet Provider who requested the digitization or tokenization.
token_requestor_name: (string)
The legal name of the token requestor. There can be more than one Token Requestor Id per Token Requester Name (legal name). So it is important to use both parameters to uniquely identify a token requestor. String, up to 100 characters.
token_assurance_level: required (string)
Indicates the level of Identification and Verification performed to validate the Cardholder and the Cardholder's account at the time the Token was issued (or at any subsquent time post-issuance). Only present when a token has a Token Assurance Level assigned. Supported values are 0 (Not Authenticated) and non-zero (Authenticated).
token_requestor_id: required (string)
Per EMV Co, the entity uniquely recognized by Mastercard as the Token Service Provider. String, up to 11 characters.
provisioning_status_description: (string)
Description of the provisioning statu.
provisioning_status_code: (one of unknown, token_being_prepared, awaiting_cardholder_tc_acceptance, token_being_delivered, awaiting_activation, success, failed)
Current provisioning status of the token.
suspenders: (array of string)
Suspender(s) of the token when the token current status is SUSPENDED.
current_status_date_time: required (datetime)
Date and time the status was updated. string, ISO 8601 format – YYYY-MM-DDThh:mm:ssTZD
current_status_code: required (one of unknown, unmapped, active, suspended, deleted)
Current status of the Token.
correlation_id: (string)
Value linking pre-digitization messages generated during provisioning.
activation_code_expiration_date_time: (datetime)
Date and time when an Activation Code will expire.
final_tokenization_decision: (one of unknown, digitisation_declined, digitisation_approved, digitisation_approved_prior_authentication_required)
Final decision related to the digitization of the Account PAN for this token.
token_activated_date_time: (datetime)
Date and time that the token was activated.
digitization_request_date_time: (datetime)
Date and time of the initial request for digitization of the Account PAN for this token.
account_pan_sequence_number: required (string)
The Account PAN Sequence Number associated with a specific token, as provided to MDES previously by the issuer. It may be used to distinguish between multiple cardholders for a single Account PAN, to represent an issuance number of a specific card, or to distinguish between different card products, such as debit or credit, that share the same Account PAN. Conditional field, present when successfully assigned. 3 characters in length, max. Supported values - 000 to 099.
expiration_date: required (string)
Expiration date of token. Conditional field, present once the token has been designated for the digitization. Four digit string. Format "mmyy".
token_suffix: (string)
Last 4 digits of token in a 4 character string
primary_account_number_unique_reference: (string)
Unique reference to the Account PAN originally digitized. Conditional field, present when successfully assigned.
token_unique_reference: required (string)
A unique reference assigned following the allocation of a token used to identify the token for the duration of its lifetime. Conditional field, present when successfully assigned. 48 character string.
current_status_description: required (string)
Description of the current status.
token_deleted_from_consumer_app: required (boolean)
Indicates whether or not a token has been deleted from the consumer app by the token requestor.

HTTP status code 404

The supplied account_id was invalid or could not be found.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.

Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/accounts/{id}/expiry put

put

Updates the Expiry Date of the account.

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

URI Parameters

id: required (string)
The External Account Id (EAID) of the account.

Body

Media type: application/vnd.eml+json

Type: object

Properties

account_expiry: required (datetime)
The account expiration date

Example:

{
"account_expiry":"[DateTime_Offset]"
}

HTTP status code 200

The operation was successful, and the account expiry date has been updated.

HTTP status code 404

The supplied account_id was invalid or could not be found.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.

Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/accounts/{id}/freefields get put

get

Get all free text information associated with an account

put

Updates the free text information of the account

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

URI Parameters

id: required (string)
The External Account Id (EAID) of the account.

Body

Media type: application/vnd.eml+json

Type: object

Properties

free_text1: required (string)
free_text2: required (string)
free_text3: required (string)
free_text4: required (string)
free_text5: required (string)
free_text6: required (string)
free_text7: required (string)
free_text8: required (string)
free_int1: required (string)
free_int2: required (string)
free_dec1: required (string)
free_dec2: required (string)

Example:

{
  "free_text1": "text1",
  "free_text2": "text2",
  "free_text3": "text3",
  "free_text4": "text4",
  "free_text5": "text5",
  "free_text6": "text6",
  "free_text7": "text7",
  "free_text8": "text8",
  "free_int1": "int1",
  "free_int2": "int2",
  "free_dec1": "dec1",
  "free_dec2": "dec2"
}

HTTP status code 200

The operation was successful, and the free text information has been updated.

HTTP status code 404

The supplied account_id was invalid or could not be found.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.

Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/accounts/{id}/directentryaccount put delete

put

Adds/Updates a direct entry account

delete

Deletes a direct entry account

Adds/Updates a direct entry account

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

URI Parameters

id: required (string)
The External Account Id (EAID) of the account.

Body

Media type: application/vnd.eml+json

Type: object

Properties

direct_entry_account_id: required (number)
A Unique ID given to each Direct Entry Account Saved. * If this is null, 0 or less than 0 then a new entry will be created. *
bsb: required (string)
BSB of the Account to be used with Direct Entry
account_number: required (string)
Account Number of the Account to be used with Direct Entry
name: required (string)
Account Name of the Account to be used with Direct Entry
enabled: required (boolean)
Whether this account is currently enabled or disabled

Example:

{
  "direct_entry_account_id": "DirectEntryAccountId",
  "bsb": "bsb",
  "account_number": "account number",
  "name": "name",
  "enabled": true
}

HTTP status code 200

The operation was successful, and the Direct Entry Account has been added/updated.

HTTP status code 400

Your request was invalid. Correct your request and try again.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 403

The user is not authorised to the specified company.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.

Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

Deletes a direct entry account

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

URI Parameters

id: required (string)
The External Account Id (EAID) of the account.

Body

Media type: application/vnd.eml+json

Type: number

Example:

{
  "direct_entry_account_id": DirectEntryAccountId
}

HTTP status code 200

The operation was successful, and the Direct Entry Account has been deleted.

HTTP status code 400

Your request was invalid. Correct your request and try again.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 403

The user is not authorised to the specified company.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.

Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/accounts/{id}/dip post

post

Retrieve encrypted data that includes Card Details

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

URI Parameters

id: required (string)
The External Account Id (EAID) of the account.

Body

Media type: application/vnd.eml+json

Type: object

Properties

application_id: required (string)
The UUID which identifies the requesting application.
key_id: required (string)
The UUID which identifies application key in use by the consuming application.
ephemeral_key: required (string)
A random, single-use, 256-bit (32 byte) value, encoded as a Base64 string.

Example:

{
  "application_id": "4bdb92b7-e22e-4012-aed4-9276ec67ead7",
  "key_id": "d7d5b030-e94f-43f7-942d-3d6703236b84",
  "ephemeral_key": "pwmbH/7quy8Jo0YtcPqz8oRqD53WCa4cHDaKkYueBLk="
}

HTTP status code 200

The operation was successful, and the encrypted DIP data is enclosed in the response body. See the DIP documentation for more info.

Body

Media type: application/octet-stream

Type: string

HTTP status code 400

Your request was invalid. Correct your request and try again.

Possible error codes:

bad_application_id
bad_key_id
bad_ephemeral_key
bad_account

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.

Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/accounts/{id}/migrate post

post

Migrate account from one company to another

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

URI Parameters

id: required (string)
The External Account Id (EAID) of the account.

Body

Media type: application/vnd.eml+json

Type: object

Properties

destination_company_id: required (string)
The company ID of the destination account
client_account_key: required (string)
The client_account_key of the account to be migrated

Example:

{
    "destination_company_id": "123456",
    "client_account_key": "client account 1"
}

HTTP status code 200

The operation was successful, and the account was migrated successfully

HTTP status code 404

The supplied account_id or company_id was invalid or could not be found.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support. Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/accounts/{id}/authenticate post

post

Authenticate a card for OTP

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

URI Parameters

id: required (string)
The External Account Id (EAID) of the account.

Body

Media type: application/vnd.eml+json

Type: object

Properties

application_id: required (string)
Name of calling application.
ip_address: required (string)
IP address of the client.

Example:

{
  "application_id": "ConsoleApp1",
  "ip_address": "192.168.0.1"                     
}

HTTP status code 200

The operation was successful.

Body

Media type: application/vnd.eml+json

Type: object

Properties

token_id: required (string)
The token id returned by EML; required for {id}/initiate
email_address: required (string)
The email address of the cardholder.
mobile: required (string)
The mobile of the cardholder.

HTTP status code 400

The supplied account email and mobile is empty.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 403

The user does not have proper permission on the company.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.
Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/accounts/{id}/initiate post

post

Initiate OTP for card

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

URI Parameters

id: required (string)
The External Account Id (EAID) of the account.

Body

Media type: application/vnd.eml+json

Type: object

Properties

ip_address: required (string)
IP address of the client.
token_id: required (string)
TokenId from /authenticate response.
communication_method: required (one of email, sms)
The method for sending OTP.
operation_type: required (one_time_pass_code)
Operation of request.

Example:

{
  "ip_address ": "192.168.0.1",
  "token_id": "token_id",
  "communication_method": "sms",
  "operation_type": "one_time_pass_code"
}

HTTP status code 200

The operation was successful, and the OTP was sent.

Body

Media type: application/vnd.eml+json

Type: object

Properties

operation_id: required (string)
The operation id returned by EML; required for {id}/activate

HTTP status code 401

The supplied token_id, ip_address, communication_method, operation_type or account is invalid.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 403

The user does not have proper permission on the company.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.
Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/accounts/{id}/activate post

post

Activate a card with OTP - Used to activate auto renewal card

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

URI Parameters

id: required (string)
The External Account Id (EAID) of the account.

Body

Media type: application/vnd.eml+json

Type: object

Properties

validation_data: required (object)
- operation_id: required (string)
  The operation id returned by {id}/initiate
- security_code: required (string)
  OTP received by cardholder
- ip_address: required (string)
  IP address of the client
enable_plastic: (string)
Enable plastic of card if true; if plastic already enabled no action taken

Example:

{
  "validation_data":
      {
          "operation_id": "a2c9acbc-bafc-4cf0-923f-1e3d7cc6b727",
          "security_code": "123456789",
          "ip_address": "192.168.0.1"
      },
  "enable_plastic ": "false"                     
}

HTTP status code 200

The operation was successful, and the account is now active.

HTTP status code 400

The supplied account was invalid or could not be activated.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 403

The user does not have proper permission on the company.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.
Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/accounts/transfer/batch post

post

Perform Batch transfer. If a batch fails at the processing time or finish partially, we will push a webhook notification to your webhook if you have set up webhook notification. Our webhook documents can be found at https://developer.emerchants.com.au/notification/webhook.html - BETA
Batch processing is async and all batches for all clients get queued and processed after each other.This means they may see delays in processing. Batch processing is scheduled to be triggered every hour, 24 times a day all days including weekends and public holidays.
1. If Client-A pushes a Batch-A at 8:01, it is going to be processed at 9:00 provided there are no other pending batches.
2. If Client-A pushes a Batch-A at 8:01 and there are other pending batches, then Batch-A will be processed only after all the other pending batches created before it are processed.
3. If Client-A pushes a Batch-A at 8:01 and Client-B pushes a Batch-B at 8:03 then Batch-A is processed first and Batch-B will be processed after Batch-A is processed.

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

Body

Media type: application/vnd.eml+json

Type: object

Properties

initiator_username: required (string - maxLength: 36)
The user who initiated this request.
request_id: required (string - maxLength: 36)
The user provided id for tracking the Batch transfer transaction. Request with requested_id set will be cached for 30 days. If a transfer is handled successfully, any following request with the same request_id will be delivered the same cached response.
company_id: required (integer)
The company id that has credential to perform card to card transaction.
transfers: required (array of Transfers)
Number of transfers limited to 10,000 transfers per batch.
Items: Transfers
- amount: required (number)
  The amount to be transfered. This must be positive. Integers can be expressed in decimal (base 10), hexadecimal (base 16), octal (base 8). We strong recommend using base 10 only. Decimal integer literal consists of a sequence of digits without a leading 0 (zero). Numbers with decimal point can only be expressed in base 10 format. Leading 0 (zero) on an integer literal, or leading 0o (or 0O) indicates it is in octal. Octal integers can include only the digits 0-7. Leading 0x (or 0X) indicates hexadecimal. Hexadecimal integers can include digits (0-9) and the letters a-f and A-F.
- source_reference: required (string - maxLength: 75)
- destination_reference: required (string - maxLength: 75)
- source_account_id: required (string)
  The external account id of the source account.
- destination_account_id: required (string)
  The external account id of the destination account.
- transaction_type: required (integer)
  2902 for Card to Card transfer.
- row_id: required (integer)
  The row id of the transfer within the batch. Should be unique for each row within this batch.

Example:

{
  "initiator_username": "user",
  "request_id" : "requestId",
  "company_id" : 12345678,
  "transfers": [
      {
          "row_id": 1,
          "source_reference": "source reference1",
          "destination_reference": "destination reference1",
          "amount": 5.47,
          "source_account_id": "A1BC23D41",
          "destination_account_id": "A1BC23D42",
          "transaction_type": 2902
      }, 
      {
          "row_id": 2,
          "source_reference": "source reference2",
          "destination_reference": "destination reference2",
          "amount": 10.75,
          "source_account_id": "A1BC23D43",
          "destination_account_id": "A1BC23D44",
          "transaction_type": 2902
      }
  ]
}

HTTP status code 200

The operation was successful.

Body

Media type: application/vnd.eml+json

Type: object

Properties

batch_id: (string)
The batch id returned by EML; this field is empty if anything goes wrong
success: (boolean)
The status of the transfer, successful or not.

HTTP status code 400

Your request was invalid. Correct your request and try again.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.

Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/accounts/activate post

post

Activate a physical card. For use in IVR systems only
See PUT /accounts/{id}/status to activate using an Account ID

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

Body

Media type: application/vnd.eml+json

Type: object

Properties

card_number: required (string - maxLength: 16)
Card number; only digits 0-9 are allowed.
secure_code: required (string - maxLength: 20)
Secure code stored against the requested account.

Example:

{
  "card_number": "card_number",
  "secure_code": "secure_code"                     
}

HTTP status code 200

The operation was successful, and the account is now active.

HTTP status code 403

The user does not have proper permission on the company.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 404

The supplied account was invalid or could not be activated.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.

Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/accounts/balance post

post

Retrieve the balance of a physical card. For use in IVR systems only
See GET /accounts/{id}/status to retrieve the balance of an Account using an Account ID

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

Body

Media type: application/vnd.eml+json

Type: object

Properties

card_number: required (string - maxLength: 16)
Card number; only digits 0-9 are allowed.
card_pin: required (string - maxLength: 4)
Card pin; only digits 0-9 are allowed.

Example:

{
  "card_number": "card_number",
  "card_pin": "card_pin"                     
}

HTTP status code 200

The operation successfully returned the account balance/s.

Body

Media type: application/vnd.eml+json

Type: array of object

Items: AccountBalanceResponse

account_code: required (one of 01 - Standard Account, 02 - Living Expence or Salary Packaging Account, 03 - Meal & Entertainment)
Account code/type returned by EML.
balance: required (number)
The balance of the account.
status: required (one of active, pre_active, inactive, deactivated, lost_or_stolen, expired, suspected_fraud, closed, inactive_pin_tries_exceeded, eml_inactive, replaced)
The status of the account.
plastic_status: required (one of true - Plastic is Enabled, false - Plastic is Disabled)
The status of the physical card.

HTTP status code 403

The user does not have proper permission on the company.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 404

The supplied account was invalid or could not be found.

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.

Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/companies

/companies/{id}/velocity get put

get

Get company velocities.

put

Update company velocities

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

URI Parameters

id: required (string)
The company id.

Body

Media type: application/vnd.eml+json

Type: object

Properties

company_velocities: required (array of CompanyVelocity)
Items: CompanyVelocity
- velocity_type: required (one of max_balance, max_pos_credit_per_day, max_debit_per_day, max_pos_credit_count_per_day, max_debit_count_per_day, max_atm_debit_count_per_day, max_transfer_from, max_transfer_to, max_atm_debit, max_pos_debit, max_transfer_from_count_per_day, max_transfer_to_count_per_day, max_atm_debit_per_day, max_pos_debit_per_day)
- value: required (integer)
is_default: (boolean)
True if the company velocities are not configured and global default setting is requested

Example:

{
 "company_velocities": [
     {
         "velocity_type": "max_balance",
         "value": 9999
     },
     {
         "velocity_type": "max_pos_credit_per_day",
         "value": 9851
     },
     {
         "velocity_type": "max_debit_per_day",
         "value": 8888
     },
     {
         "velocity_type": "max_pos_credit_count_per_day",
         "value": 1000000
     },
     {
         "velocity_type": "max_debit_count_per_day",
         "value": 1000
     },
     {
         "velocity_type": "max_atm_debit_count_per_day",
         "value": 1000
     },
     {
         "velocity_type": "max_transfer_from",
         "value": 2500
     },
     {
         "velocity_type": "max_transfer_to",
         "value": 1000000
     },
     {
         "velocity_type": "max_atm_debit",
         "value": 2000
     },
     {
         "velocity_type": "max_pos_debit",
         "value": 2000
     },
     {
         "velocity_type": "max_transfer_from_count_per_day",
         "value": 20
     },
      {
          "velocity_type": "max_transfer_to_count_per_day",
          "value": 10000
      },
      {
          "velocity_type": "max_atm_debit_per_day",
          "value": 999999
      },
      {
          "velocity_type": "max_pos_debit_per_day",
          "value": 999999
      },
      {
          "velocity_type": "max_de_in_amount",
          "value": 999999
      },
      {
          "velocity_type": "max_de_in_count_per_day",
          "value": 25
      },
      {
          "velocity_type": "max_de_out_amount",
          "value": 999999
      },
      {
          "velocity_type": "max_de_out_count_per_day",
          "value": 25
      }
        ]
}

HTTP status code 200

The operation was successful, and the account was updated successfully

Body

Media type: application/vnd.eml+json

Type: object

Properties

company_velocities: required (array of CompanyVelocity)
Items: CompanyVelocity
- velocity_type: required (one of max_balance, max_pos_credit_per_day, max_debit_per_day, max_pos_credit_count_per_day, max_debit_count_per_day, max_atm_debit_count_per_day, max_transfer_from, max_transfer_to, max_atm_debit, max_pos_debit, max_transfer_from_count_per_day, max_transfer_to_count_per_day, max_atm_debit_per_day, max_pos_debit_per_day)
- value: required (integer)
is_default: (boolean)
True if the company velocities are not configured and global default setting is requested

HTTP status code 403

The user is not authorised to the specified company

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.

Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/pin

/pin/initiate post

post

Initiate Pin Operation

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

Body

Media type: application/vnd.eml+json

Type: object

Properties

eaid: required (string)
The external account id of the card to be operated
device_id: required (string)
The device id of the wallet
ip_address: required (string)
The ip address of the device or the caller. Note that we are not checking the ip address, but the ip address is required to be exactly the same for the pin change session.
communication_method: required (one of sms, email)

Example:

{
   "eaid": "TH5803VR7",
   "device_id":"device id",
   "ip_address":"49.255.157.198",
   "communication_method":"sms"
}

HTTP status code 200

The operation was successful

Body

Media type: application/vnd.eml+json

Type: object

Properties

operation_id: required (string)
The operation id for this the pin operation session. This is essentially session key.
pin_operations_supported: (array of string)
The Pin operations supported for this card. This value will be null if the card does not support either Pin Change or Pin Reveal operation. The array will contain change for Pin Change and reveal for Pin Reveal.

HTTP status code 400

Invalid request fields. The invalid fields are listed in the response error message

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 403

The user does not have proper permission on the company

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.

Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/pin/validate post

post

Validate Pin Change

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

Body

Media type: application/vnd.eml+json

Type: object

Properties

operation_id: required (string)
The operation id of this pin change session
device_id: required (string)
The device id of the wallet
ip_address: required (string)
The ip address of the device or the caller. Note that we are not checking the ip address, but the ip address is required to be exactly the same for the pin change session.
encrypted_data: required (string)
The hex encoded AES encrypted secure data. The secure data is in json string format. For example: { "otp":"65349728" }
public_key_fingerprint: required (string)
The RSA public key certificate fingerprint
encrypted_key: required (string)
The hex encoded AES ephemeral key used for encoding the secure data
oaep_hashing_algorithm: required (string)
The oaep hashing algorithm of RSA encryption. The value is either SHA256 or SHA512
iv: required (string)
The hex encoded initialisation vector of AES

Example:

{
     "operation_id": "a2c9acbc-bafc-4cf0-923f-1e3d7cc6b727",
     "device_id": "device id",
     "ip_address": "49.255.157.198",
     "encrypted_data": "EEA0C70090F168ADD98714778F60498322122047A5465F866290E16B0B3799C3",
     "public_key_fingerprint": "C42A1DADFC20F865FEBFCE471A7BF1E16D9C2A14",
     "encrypted_key": "776B855936259409B0C25B60074FA1C10904D87F906EEB3AD3FE8CD44E50A3854E1275388B99A361DD7ABB88DF706D6652AD7A704E4BF4718BE5FA6D5A8B74AC3D1D6F8B0A2DE844590C286BE24E79F33DD8A32559F6105D3A4543550CC305B1C65D757ADED34A8D2E45EA4EB010D4B180B9B1E416B10460009F1780F89B3C4E64275035AFCDAD09CC0A06399C35725687ED277E4ABE8122AB800FD86CE69EB35D7BA7348E6FCFAA74914F151AE607A0E3B1F4EBB852B62475C5D44C39FB6CE25E88CB4BDD54DB079A60AA60130098582C59016471E166BCAD5D7CCE7E25359310FDF19A68D3127BD1F8D12F6E4BA93675AD9A6D3790A3AF438833426301CF1AA58A3CF5E21D1B4DA8D2A464F5DC160F770607D89A3FF9315E3EA574BB9B3E862DBF90135939FAEA30D1FBF4AE0B714E051429935197B89934D5A6F31853D7BA12CF1275C162E69459BD7542458FB16264F89622A13B4EA57E834B72CEF77CDA5E5ACF5399E0B49A0DE1B148DF307359EC0D7890C4687CF1A75E60F24B19D279D94E3E8093AA71C068E21BAB2B81D15452ADCD62C2D76217A05AA41E5A444DA0ED1C09FE6356E88D8583CB074887AD519DE35DA4CC7D2FD7176765BC27DC223A79FC555118FC8BAFEEBA2C20DE41CFEE960C202C710175D56EF868BA44A568C33AA503F7DBB14985CD9526C9E2BD78C80B82D0B02ECBA9701DE9DBB37E53981A",
     "oaep_hashing_algorithm": "SHA256",
     "iv": "6055856297D945743E501C67EF0A7176"
}

HTTP status code 200

The operation was successful

HTTP status code 400

Invalid request fields. The invalid fields are listed in the response error message

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 403

The user does not have proper permission on the company

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.

Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/pin/reveal post

post

Reveal Pin

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

Body

Media type: application/vnd.eml+json

Type: object

Properties

operation_id: required (string)
The operation id of this pin reveal session
device_id: required (string)
The device id of the wallet
ip_address: required (string)
The ip address of the device or the caller. Note that we are not checking the ip address, but the ip address is required to be exactly the same for the pin reveal session.
encrypted_data: required (string)
The hex encoded AES encrypted secure data. The secure data is in json string format. For example: { "otp":"65349728" }
public_key_fingerprint: required (string)
The RSA public key certificate fingerprint
encrypted_key: required (string)
The hex encoded AES ephemeral key used for encoding the secure data
oaep_hashing_algorithm: required (string)
The oaep hashing algorithm of RSA encryption. The value is either SHA256 or SHA512
iv: required (string)
The hex encoded initialisation vector of AES

Example:

{
     "operation_id": "a2c9acbc-bafc-4cf0-923f-1e3d7cc6b727",
     "device_id": "device id",
     "ip_address": "49.255.157.198",
     "encrypted_data": "EEA0C70090F168ADD98714778F60498322122047A5465F866290E16B0B3799C3",
     "public_key_fingerprint": "C42A1DADFC20F865FEBFCE471A7BF1E16D9C2A14",
     "encrypted_key": "776B855936259409B0C25B60074FA1C10904D87F906EEB3AD3FE8CD44E50A3854E1275388B99A361DD7ABB88DF706D6652AD7A704E4BF4718BE5FA6D5A8B74AC3D1D6F8B0A2DE844590C286BE24E79F33DD8A32559F6105D3A4543550CC305B1C65D757ADED34A8D2E45EA4EB010D4B180B9B1E416B10460009F1780F89B3C4E64275035AFCDAD09CC0A06399C35725687ED277E4ABE8122AB800FD86CE69EB35D7BA7348E6FCFAA74914F151AE607A0E3B1F4EBB852B62475C5D44C39FB6CE25E88CB4BDD54DB079A60AA60130098582C59016471E166BCAD5D7CCE7E25359310FDF19A68D3127BD1F8D12F6E4BA93675AD9A6D3790A3AF438833426301CF1AA58A3CF5E21D1B4DA8D2A464F5DC160F770607D89A3FF9315E3EA574BB9B3E862DBF90135939FAEA30D1FBF4AE0B714E051429935197B89934D5A6F31853D7BA12CF1275C162E69459BD7542458FB16264F89622A13B4EA57E834B72CEF77CDA5E5ACF5399E0B49A0DE1B148DF307359EC0D7890C4687CF1A75E60F24B19D279D94E3E8093AA71C068E21BAB2B81D15452ADCD62C2D76217A05AA41E5A444DA0ED1C09FE6356E88D8583CB074887AD519DE35DA4CC7D2FD7176765BC27DC223A79FC555118FC8BAFEEBA2C20DE41CFEE960C202C710175D56EF868BA44A568C33AA503F7DBB14985CD9526C9E2BD78C80B82D0B02ECBA9701DE9DBB37E53981A",
     "oaep_hashing_algorithm": "SHA256",
     "iv": "6055856297D945743E501C67EF0A7176"
}

HTTP status code 200

The operation was successful

Body

Media type: application/vnd.eml+json

Type: object

Properties

encrypted_data: required (string)
The hex encoded AES encrypted secure data. The secure data is in json string format. For example: { "pin":"1234" }
public_key_fingerprint: required (string)
The RSA public key certificate fingerprint
encrypted_key: required (string)
The hex encoded AES ephemeral key used for encoding the secure data
oaep_hashing_algorithm: required (string)
The oaep hashing algorithm of RSA encryption. The value is either SHA256 or SHA512
iv: required (string)
The hex encoded initialisation vector of AES

HTTP status code 400

Invalid request fields. The invalid fields are listed in the response error message

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 403

The user does not have proper permission on the company

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.

Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

/pin/execute post

post

Execute Pin Change

Secured by OAuth2

OAuth 2.0 is used for authenticating all API requests.

Body

Media type: application/vnd.eml+json

Type: object

Properties

operation_id: required (string)
The operation id of this pin change session
device_id: required (string)
The device id of the wallet
ip_address: required (string)
The ip address of the device or the caller. Note that we are not checking the ip address, but the ip address is required to be exactly the same for the pin change session.
encrypted_data: required (string)
The hex encoded AES encrypted secure data. The secure data is in json string format. For example: { "otp":"65349728", "pin":"1321" }
public_key_fingerprint: required (string)
The RSA public key certificate fingerprint
encrypted_key: required (string)
The hex encoded AES ephemeral key used for encoding the secure data
oaep_hashing_algorithm: required (string)
The oaep hashing algorithm of RSA encryption. The value is either SHA256 or SHA512
iv: required (string)
The hex encoded initialisation vector of AES

Example:

{
   "operation_id": "a2c9acbc-bafc-4cf0-923f-1e3d7cc6b727",
   "device_id":"device id",
   "ip_address":"49.255.157.198",
   "encrypted_data": "EEA0C70090F168ADD98714778F60498322122047A5465F866290E16B0B3799C3",
   "public_key_fingerprint": "C42A1DADFC20F865FEBFCE471A7BF1E16D9C2A14",
   "encrypted_key": "776B855936259409B0C25B60074FA1C10904D87F906EEB3AD3FE8CD44E50A3854E1275388B99A361DD7ABB88DF706D6652AD7A704E4BF4718BE5FA6D5A8B74AC3D1D6F8B0A2DE844590C286BE24E79F33DD8A32559F6105D3A4543550CC305B1C65D757ADED34A8D2E45EA4EB010D4B180B9B1E416B10460009F1780F89B3C4E64275035AFCDAD09CC0A06399C35725687ED277E4ABE8122AB800FD86CE69EB35D7BA7348E6FCFAA74914F151AE607A0E3B1F4EBB852B62475C5D44C39FB6CE25E88CB4BDD54DB079A60AA60130098582C59016471E166BCAD5D7CCE7E25359310FDF19A68D3127BD1F8D12F6E4BA93675AD9A6D3790A3AF438833426301CF1AA58A3CF5E21D1B4DA8D2A464F5DC160F770607D89A3FF9315E3EA574BB9B3E862DBF90135939FAEA30D1FBF4AE0B714E051429935197B89934D5A6F31853D7BA12CF1275C162E69459BD7542458FB16264F89622A13B4EA57E834B72CEF77CDA5E5ACF5399E0B49A0DE1B148DF307359EC0D7890C4687CF1A75E60F24B19D279D94E3E8093AA71C068E21BAB2B81D15452ADCD62C2D76217A05AA41E5A444DA0ED1C09FE6356E88D8583CB074887AD519DE35DA4CC7D2FD7176765BC27DC223A79FC555118FC8BAFEEBA2C20DE41CFEE960C202C710175D56EF868BA44A568C33AA503F7DBB14985CD9526C9E2BD78C80B82D0B02ECBA9701DE9DBB37E53981A",
   "oaep_hashing_algorithm": "SHA256",
   "iv": "6055856297D945743E501C67EF0A7176"
}

HTTP status code 200

The operation was successful

HTTP status code 400

Invalid request fields. The invalid fields are listed in the response error message

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 403

The user does not have proper permission on the company

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

HTTP status code 500

An internal server error occurred. Try again soon, or contact support.

Possible error codes:

server_error

Body

Media type: application/vnd.eml+json

Type: object

Properties

error: required (string)
error_description: (string)

Secured by OAuth2

Headers

Authorization: required (string)
Should contain a valid OAuth 2.0 access token. For example, Bearer AcMCRbJRSmyLFbIRQxMvFB5xZ6cBjghjN3/YEoxGKWkKNZkqnfE=.

HTTP status code 401

Invalid or expired token.

EML Data Services API documentation version 1.8

Obtaining an access token

Using the access token

Token expiration

IP Whitelisting

Rate Limiting

Getting a token

/token

post /token

Headers

HTTP status code 200

Body

HTTP status code 400

Body

HTTP status code 401

Body

HTTP status code 500

Body

/reporting

get /reporting/templates/{templatename}

URI Parameters

Query Parameters

HTTP status code 200

Body

HTTP status code 400

Body

HTTP status code 409

Body

HTTP status code 500

Body

Secured by OAuth2

Headers

HTTP status code 401

get /reporting/templates/{templatename}/reports/{reportid}

URI Parameters

HTTP status code 200

Body

HTTP status code 204

Body

HTTP status code 400

Body

HTTP status code 500

Body

Secured by OAuth2

Headers

HTTP status code 401

/policy

get /policy/mccodes

Query Parameters

HTTP status code 200

Headers

Body

HTTP status code 500

Body

Secured by OAuth2

Headers

HTTP status code 401

get /policy/{id}/restrictions

URI Parameters

HTTP status code 200

Body

HTTP status code 500

Body

Secured by OAuth2

Headers

HTTP status code 401

get /policy/{id}/policy

URI Parameters

HTTP status code 200

Body

HTTP status code 500

Body

Secured by OAuth2

Headers

HTTP status code 401

get /policy/{id}/categories

URI Parameters

HTTP status code 200

Body

HTTP status code 500