v1Changelog

Prerequisites

📘
Note

Login email and password values are transmitted as encrypted strings in this API. The encryption scheme and client key distribution are To be confirmed with the platform team. Examples below use the placeholders <ENCRYPTED_EMAIL> and <ENCRYPTED_PASSWORD>.

Environments

The platform is deployed to multiple environments. The values below were observed in the source collection and serve as examples; confirm the canonical hosts for your integration.

EnvironmentPurposeObserved host (example)
LocalDeveloper machinehttp://localhost:9000
DEVIntegration / developmenthttps://dev.api.qwiklive.io
QATestinghttps://qa.api.qwiklive.io/qlqa/ql-onboarding-backend
UATClient acceptanceTo be confirmed
ProductionLiveTo be confirmed

Base URLs

All onboarding endpoints are versioned under /v1. The full base URL is your environment host plus the version prefix:

text
https://{host}/v1/onboarding/...      # most endpoints
https://{host}/v1/terminal-key        # terminal-key endpoints (not under /onboarding)
https://{host}/v1/error-codes/list    # error-code catalog
Important

Terminal-key endpoints live at /v1/terminal-key, not under /v1/onboarding. Mind the path when wiring those calls.

Authentication method

The API uses bearer (JWT) authentication. You obtain a token by logging in, then send it on subsequent requests in the Authorization header.

http
Authorization: Bearer <JWT_TOKEN>

Some endpoints are public (no token) — for example login, MFA status, password reset and service health. Each endpoint's authentication requirement is shown in the API Reference. For a deeper treatment, see Security.

Required headers

HeaderRequiredDescription
AuthorizationconditionalBearer <JWT_TOKEN> — required on protected endpoints.
Content-Typeconditionalapplication/json for JSON bodies; application/x-www-form-urlencoded for the SSO token endpoint; multipart/form-data for sub-tenant creation.
x-correlation-idrecommendedClient-generated UUID echoed back in responses and logs for end-to-end tracing.

First API call

Step 1 — Log in to obtain a token.

cURL — request
curl -X POST 'https://{host}/v1/onboarding/login/user' \
  -H 'Content-Type: application/json' \
  -H 'x-correlation-id: 3f1c8e9a-1234-4f56-9abc-0123456789ab' \
  -d '{
        "email": "<ENCRYPTED_EMAIL>",
        "password": "<ENCRYPTED_PASSWORD>"
      }'
json — response
{
  "data": "<JWT_TOKEN>",
  "success": true,
  "message": "Login successful",
  "timestamp": "2026-06-03T10:15:30.000Z"
}

Step 2 — Call a protected endpoint using the token from data.

cURL — request
curl -X GET 'https://{host}/v1/onboarding/me' \
  -H 'Authorization: Bearer <JWT_TOKEN>' \
  -H 'x-correlation-id: 3f1c8e9a-1234-4f56-9abc-0123456789ab'
json — response
{
  "data": {
    "id": "ec7cc8b9-a485-416e-b480-63624a0f2ba1",
    "userName": "jdoe",
    "email": "jane.doe@example.com",
    "role": "ADMIN",
    "modules": []
  },
  "success": true
}
💡
Tip

In Postman, set a collection variable jwt-token and a test script on the login request to capture res.data automatically, then use Bearer {{jwt-token}} on other requests.

Sandbox / testing setup

  1. Import the downloadable Postman collection from the API Reference (a sanitized copy with no real secrets).
  2. Create a Postman environment with a url variable pointing at your DEV/QA host.
  3. Run Login User first to populate jwt-token.
  4. If MFA is enabled for your account, call POST /v1/onboarding/login/mfa/status and complete registration/validation — see Authentication, MFA & OTP.
  5. Exercise read endpoints (e.g. financial-institutions, roles/list) before write operations.
⚠️
Warning

Never commit tokens, API keys, core-banking credentials, or encryption keys to source control or shared collections. Rotate any secret that may have been exposed.