Getting Started
Everything you need to make your first authenticated call to the QwikLive Onboarding API.
Prerequisites
- A registered onboarding user account (email + password) with an appropriate role.
- The base URL for your target environment (see Base URLs).
- An HTTP client —
curl, Postman, or your application's HTTP library. - The ability to generate a UUID for the
x-correlation-idheader (recommended on every request).
Login email and password values are transmitted as encrypted strings in this API. The encryption scheme and client key distribution are To be confirmed with the platform team. Examples below use the placeholders <ENCRYPTED_EMAIL> and <ENCRYPTED_PASSWORD>.
Environments
The platform is deployed to multiple environments. The values below were observed in the source collection and serve as examples; confirm the canonical hosts for your integration.
| Environment | Purpose | Observed host (example) |
|---|---|---|
| Local | Developer machine | http://localhost:9000 |
| DEV | Integration / development | https://dev.api.qwiklive.io |
| QA | Testing | https://qa.api.qwiklive.io/qlqa/ql-onboarding-backend |
| UAT | Client acceptance | To be confirmed |
| Production | Live | To be confirmed |
Base URLs
All onboarding endpoints are versioned under /v1. The full base URL is your environment host plus the version prefix:
https://{host}/v1/onboarding/... # most endpoints
https://{host}/v1/terminal-key # terminal-key endpoints (not under /onboarding)
https://{host}/v1/error-codes/list # error-code catalogTerminal-key endpoints live at /v1/terminal-key, not under /v1/onboarding. Mind the path when wiring those calls.
Authentication method
The API uses bearer (JWT) authentication. You obtain a token by logging in, then send it on subsequent requests in the Authorization header.
Authorization: Bearer <JWT_TOKEN>
Some endpoints are public (no token) — for example login, MFA status, password reset and service health. Each endpoint's authentication requirement is shown in the API Reference. For a deeper treatment, see Security.
Required headers
| Header | Required | Description |
|---|---|---|
Authorization | conditional | Bearer <JWT_TOKEN> — required on protected endpoints. |
Content-Type | conditional | application/json for JSON bodies; application/x-www-form-urlencoded for the SSO token endpoint; multipart/form-data for sub-tenant creation. |
x-correlation-id | recommended | Client-generated UUID echoed back in responses and logs for end-to-end tracing. |
First API call
Step 1 — Log in to obtain a token.
curl -X POST 'https://{host}/v1/onboarding/login/user' \
-H 'Content-Type: application/json' \
-H 'x-correlation-id: 3f1c8e9a-1234-4f56-9abc-0123456789ab' \
-d '{
"email": "<ENCRYPTED_EMAIL>",
"password": "<ENCRYPTED_PASSWORD>"
}'{
"data": "<JWT_TOKEN>",
"success": true,
"message": "Login successful",
"timestamp": "2026-06-03T10:15:30.000Z"
}Step 2 — Call a protected endpoint using the token from data.
curl -X GET 'https://{host}/v1/onboarding/me' \
-H 'Authorization: Bearer <JWT_TOKEN>' \
-H 'x-correlation-id: 3f1c8e9a-1234-4f56-9abc-0123456789ab'{
"data": {
"id": "ec7cc8b9-a485-416e-b480-63624a0f2ba1",
"userName": "jdoe",
"email": "jane.doe@example.com",
"role": "ADMIN",
"modules": []
},
"success": true
}In Postman, set a collection variable jwt-token and a test script on the login request to capture res.data automatically, then use Bearer {{jwt-token}} on other requests.
Sandbox / testing setup
- Import the downloadable Postman collection from the API Reference (a sanitized copy with no real secrets).
- Create a Postman environment with a
urlvariable pointing at your DEV/QA host. - Run Login User first to populate
jwt-token. - If MFA is enabled for your account, call
POST /v1/onboarding/login/mfa/statusand complete registration/validation — see Authentication, MFA & OTP. - Exercise read endpoints (e.g.
financial-institutions,roles/list) before write operations.
Never commit tokens, API keys, core-banking credentials, or encryption keys to source control or shared collections. Rotate any secret that may have been exposed.