# Onboarding

Onboarding your Users with Connect allows:

  • Users to create their account themselves using a public endpoint
  • You to use our OAuth provider to authenticate your Users; it also provides permissions management and a lost password feature
  • You to see all Users in pending KYC pre-review status in the Dashboard

When onboarding with Connect, your Users have two distinct IDs:

  • A trzConnectUserId used initially during the Connect Onboarding, and when changing password
  • A userId used across the whole API to identify the User

# Configuration

Onboarding Users with Connect requires the following initial configuration.

# Parameters

| Attribute | Description |
|---|---|
| onboardingSuccessCallBack | The URL the User is redirected to, upon successful activation of their account |
| onboardingErrorCallBack | The URL the User is redirected to, upon failure of the activation of their account |

# Creation

To create the User via Connect, you can use the following public endpoint.

# Parameters

| Attribute | Description |
|---|---|
| email | The email address of the User. It must be a unique and valid email address. |
| password | The password chosen by the User. It is expected in cleartext and must currently pass the `/^\S*(?=\S{8,})(?=\S*[\d])\S*$/` regular expression. |

Any parameter accepted by the POST /v1/users endpoint can also be provided to this endpoint; all of them are optional.

Responds with a 201 HTTP Status Code without any content and sends a confirmation email to the User's email address, to validate their account.

Tip – Emails are customizable

The associated Templates are email.user.onboarding_confirmation_html and email.user.onboarding_confirmation_text

When the User clicks on the link contained in the email:

  • A user.create webhook is sent
  • The User becomes usable across the API
  • The User is redirected to the configured callback URL with query parameters containing the authorization_code and the trzConnectUserId, such as {onboardingSuccessCallBack}?authorization_code={authorization_code}&trzConnectUserId={trzConnectUserId}

# Retrieving the User ID

To retrieve the User's ID (userId), you can use the following request.

This request also authenticates the User without them having to enter their email or password again.

# Parameters

| Attribute | Description |
|---|---|
| grant_type | Set to authorization_code in this context. |
| client_id | Your client ID |
| code | The authorization_code provided in the previous step (it can be extracted from the query parameters using JavaScript). |

Returns a JSON Web Token (JWT) that contains the User's ID along with other information.

Your application can extract the userId by decoding the JWT using an appropriate decoding library.

This JWT also allows the User to be authenticated against our OAuth provider and the Treezor API for subsequent requests.
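
The callback handling and JWT decoding described above, as an added example that is not Treezor's code. The claim name `userId`, the client ID, the callback URL and the sample token are assumptions constructed for illustration.

```javascript
// Added example, not Treezor's code. All sample values are constructed.
// Assumption: the JWT payload carries the ID in a claim named "userId".

// Read the two query parameters appended to onboardingSuccessCallBack.
function parseOnboardingCallback(href) {
  const params = new URL(href).searchParams;
  const code = params.get('authorization_code');
  const trzConnectUserId = params.get('trzConnectUserId');
  if (!code || !trzConnectUserId) {
    throw new Error('callback is missing authorization_code or trzConnectUserId');
  }
  return { code, trzConnectUserId };
}

// The three documented parameters of the token request.
function tokenRequestParams(clientId, code) {
  return { grant_type: 'authorization_code', client_id: clientId, code };
}

// Decode the JWT payload. This reads the claims without checking the
// signature, so rely on it only for a token your code received directly
// from the token request, not one passed in from elsewhere.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Build a constructed sample token (placeholder signature) for the demo.
function makeSampleJwt(payload) {
  const enc = (o) => btoa(JSON.stringify(o))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.sample-signature`;
}

const cb = parseOnboardingCallback(
  'https://app.example.test/welcome?authorization_code=abc123&trzConnectUserId=42');
const claims = decodeJwtPayload(makeSampleJwt({ userId: 100123 }));
console.log(tokenRequestParams('my-client-id', cb.code), claims.userId);
```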

# List complete vs. unfinished onboardings

You can list Users that are completely onboarded via Connect and users that have not finished the onboarding (not validated their email) using the following requests.

# Completely onboarded

Returns the list of TrzConnectUsers.

# Unfinished onboarding

Returns the list of TrzConnectUsers.

💡 You can also identify completely onboarded Users by the presence of a populated userId attribute. Users that have not finished the onboarding will have a null userId attribute.

# Passwords

Two methods are available to change a password: one while logged in, the other while logged out.

# Configuration

Changing passwords using Connect requires an initial configuration step.

Using the following request, you can configure the password policy and a URL where the User is redirected after clicking on the password change link contained in an email.

# Parameters

| Attribute | Description |
|---|---|
| passwordChangeRedirectUrl | Defines the URL where the User is redirected when clicking on the link. |
| passwordPattern.minLength | Requires a minimum length for the password (the lowest accepted value is 12). |
| passwordPattern.requireLetters | Requires the presence of letters. |
| passwordPattern.requireCaseDiff | Requires the presence of both uppercase and lowercase letters. |
| passwordPattern.requireNumbers | Requires the presence of numbers. |
| passwordPattern.requireSpecialCharacter | Requires the presence of special characters. |
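
A form-side check that mirrors the password policy above, as an added example that is not Treezor's code. It assumes passwordPattern is a nested object, that "letters" means Unicode letters, that a "special character" is anything that is neither a letter nor a digit, and that length is counted in code points; the API remains the authority on whether a password is accepted.

```javascript
// Added example, not Treezor's code. Character classes and the nested
// passwordPattern object shape are assumptions, not documented behaviour.
const MIN_ALLOWED_LENGTH = 12; // lowest minLength the configuration accepts

// Reject a policy whose minLength is below the documented floor.
function validatePolicy(passwordPattern) {
  if (!Number.isInteger(passwordPattern.minLength) ||
      passwordPattern.minLength < MIN_ALLOWED_LENGTH) {
    throw new RangeError(`minLength must be an integer >= ${MIN_ALLOWED_LENGTH}`);
  }
  return passwordPattern;
}

// Return the names of the rules the password violates (empty = compliant).
function policyViolations(passwordPattern, password) {
  const p = validatePolicy(passwordPattern);
  const checks = {
    minLength: [...password].length >= p.minLength,
    requireLetters: !p.requireLetters || /\p{L}/u.test(password),
    requireCaseDiff: !p.requireCaseDiff ||
      (/\p{Lu}/u.test(password) && /\p{Ll}/u.test(password)),
    requireNumbers: !p.requireNumbers || /\d/.test(password),
    requireSpecialCharacter: !p.requireSpecialCharacter ||
      /[^\p{L}\p{N}]/u.test(password),
  };
  return Object.keys(checks).filter((rule) => !checks[rule]);
}

// Constructed sample policy with every rule switched on.
const samplePolicy = {
  minLength: 12,
  requireLetters: true,
  requireCaseDiff: true,
  requireNumbers: true,
  requireSpecialCharacter: true,
};

console.log(policyViolations(samplePolicy, 'correct-Horse-42'));
console.log(policyViolations(samplePolicy, 'alllowercase'));
```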

# While logged-in

If the User is logged in and has the read_write scope, they can change their password using the following request.

# Parameters

  • trzConnectUserId is their trzConnectUserId as seen in previous steps
  • password is their new password, complying with the previously defined password policy.

# While logged-out

If the User has lost their password, changing it happens in the following sequence:

  • The User first requests a password change using the POST /core-connect/password/forgot public endpoint and their email address
  • The User receives an email containing a link
  • The User clicks the link which takes them to passwordChangeRedirectUrl (a form on your application or website)
  • The User enters a new password in your form and posts it to the PUT /core-connect/password/change public endpoint, along with the token provided in the URL's query parameters

To request a password change, the User can use the following request.

# Parameters

  • email mandatory, is the User's email

Responds with a 204 HTTP Status Code in all cases, even if the email address doesn't exist.

If the email address exists, an email is sent to it.

The User clicks the link and is redirected to the passwordChangeRedirectUrl URL (a password change form hosted on your application or website). A unique token is added to the URL as a query parameter, allowing you to pass it to the next endpoint.

The User enters a new password and posts the form to the following public endpoint.

# Parameters

  • token is a unique token provided to you in a query parameter
  • email is the current email of the User
  • password is the new password of the User, complying with the previously defined password policy

The token is valid for 24 hours and can only be used once.

# If the change is successful

A 204 HTTP Status Code is returned, without content.

# If the change fails

A 400 HTTP Status Code is returned with one of the following errors:

  • Expired token
  • Invalid token
  • Token has already been used
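
The logged-out sequence as your reset form would drive it, as an added example that is not Treezor's code. It assumes the query parameter is named `token` and that the 400 response exposes one of the three error strings as text; the URLs and values are constructed.

```javascript
// Added example, not Treezor's code. URLs and values are constructed.
// Assumptions: the query parameter is named "token"; the 400 response
// exposes one of the three documented error strings as text.

// Step 1: public "forgot" request. The API answers 204 whether or not the
// address exists, so the form should show one neutral message either way.
function buildForgotRequest(email) {
  return { method: 'POST', path: '/core-connect/password/forgot', body: { email } };
}

// Step 3: on the passwordChangeRedirectUrl page, take the token out of the
// URL. cleanedUrl can be passed to history.replaceState() so the single-use
// token does not linger in the address bar, history or Referer header.
function extractResetToken(href) {
  const url = new URL(href);
  const token = url.searchParams.get('token');
  if (!token) throw new Error('no token in URL');
  url.searchParams.delete('token');
  return { token, cleanedUrl: url.toString() };
}

// Step 4: public "change" request with the three documented parameters.
function buildChangeRequest(token, email, password) {
  return {
    method: 'PUT',
    path: '/core-connect/password/change',
    body: { token, email, password },
  };
}

// Map the documented outcomes to what the form should do next.
function nextStep(status, errorText = '') {
  if (status === 204) return 'done';
  if (status !== 400) return 'retry-later';
  // Expired or already-used tokens cannot succeed on retry: send the User
  // back to the "forgot" step. Any other 400 is rejected without detail.
  if (/expired|already been used/i.test(errorText)) return 'request-new-link';
  return 'reject';
}

const landing = extractResetToken('https://app.example.test/reset?token=tok-123&lang=fr');
console.log(landing.cleanedUrl);
console.log(buildChangeRequest(landing.token, 'user@example.test', 'correct-Horse-42'));
console.log(nextStep(400, 'Token has already been used'));
```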

Updated on: 7/16/2024, 2:18:27 PM