# Onboarding

Onboarding your Users with Connect allows:

  • Users to create their account themselves using a public endpoint
  • You to use our OAuth provider to authenticate your Users, provides permissions management and a lost password feature
  • You to see all Users in pending KYC pre-review status in the Dashboard

When onboarding with Connect, your Users have two distinct IDs:

  • A trzConnectUserId used initially during the Connect Onboarding, and when changing password
  • A userId used accross the whole API to identify the User

# Configuration

Onboarding Users with Connect requires the following initial configuration.

# Parameters

Attribute Description
onboardingSuccessCallBack The URL the User is redirected to, upon successful activation of their account
onboardingErrorCallBack The URL the User is redirected to, upon failure of the activation of their account

# Creation

To create the User via Connect, you can use the following public endpoint.

# Parameters

Attribute Description
email The email address of the User. It must be a unique and valid email address.
password The password chosen by the User. It is expected in cleartext and must currently pass the /^\S*(?=\S{8,})(?=\S*[\d])\S*$/ (opens new window) regular expression (opens new window).

Any parameter accepted by the POST /v1/users endpoint can also be provided to this endpoint but are all optional.

Responds with a 201 HTTP Status Code without any content and sends a confirmation email to the User's email address, to validate their account.

Bulb icon

Tip – Emails are customizable

The associated Templates are email.user.onboarding_confirmation_html and email.user.onboarding_confirmation_text

When the User clicks on the link contained in the email:

  • A user.create webhook is sent
  • The User becomes usable across the API
  • The User is redirected to the configured callback URL with query parameters containing the autorization_code and the trzConnectUserId such as {onboardingSuccessCallBack}?authorization_code={autorization_code}&trzConnectUserId={trzConnectUserId}

# Retrieving the User ID

To retrieve the User's ID (userId), you can use the following request.

This request also authenticates the User without them having to enter their email or password again.

# Parameters

Attribute Description
grant_type Set to authorization_code in this context.
client_id Your client ID
code The authorization_code provided in the previous step (it can be extracted from the query parameters using JavaScript).

Returns a JSON Web Token (JWT) that contains the User's ID along with other information.

Your application can extract the userId by decoding the JWT using an appropriate decoding library.

This JWT also allows the User to be authenticated against our OAuth provider and the Treezor API for subsequent requests.

# List complete vs. unfinished onboardings

You can list Users that are completely onboarded via Connect and users that have not finished the onboarding (not validated their email) using the following requests.

# Completely onboarded

Returns the list of TrzConnectUsers.

# Unfinished onboarding

Returns the list of TrzConnectUsers.

💡 You can also distinguish a completely onboarded Users by the presence of a populated userId attribute. Users that have not finished the onboarding will have a null userId attribute.

# Passwords

Two methods are available to change a password, one is while logged-in, the other is logged-out.

# Configuration

Changing passwords using Connect requires an initial configuration step.

Using the following request, you can configure the password policy and an URL where the user is redirected after clicking on the password change link contained in an email.

# Parameters

Attribute Description
passwordChangeRedirectUrl Defines the URL where the User is redirected when clicking on the link.
passwordPattern.minLength Requires a minimum length to the password (the lowest accepted value is 12).
passwordPattern.requireLetters Requires the presence of letters.
passwordPattern.requireCaseDiff Requires the presence of both uppercases and lowercases letters.
passwordPattern.requireNumbers Requires the presence of numbers.
passwordPattern.requireSpecialCharacter Requires the presence of specials characters.

# While logged-in

If the User is logged-in and has the read_write scope, they can change their password using the following request

# Parameters

  • trzConnectUserId is their trzConnectUserId as seen in previous steps
  • password is their new password, complying to the previously defined password policy.

# While logged-out

If the User has lost their password, changing it happens in the following sequence:

  • The User first requests a password change using the POST /core-connect/password/forgot public endpoint and their email address
  • The User receives an email containing a link
  • The User clicks the link which takes them to passwordChangeRedirectUrl (a form on your application or website)
  • The User enters a new password in your form and posts it to the PUT /core-connect/password/change public endpoint, along with the token provided in the url's query parameters

To request a password change, the User can use the following request.

# Parameters

  • email mandatory, is the User's email

Reponds with a 204 HTTP Status Code in all cases, even if the email address doesn't exist.

If the email address exists, and email is sent to it.

The User clicks the link and is redirected to the passwordChangeRedirectUrl url (a password change form hosted on your application or website). A unique token is added to the URL as a query parameter, allowing you to pass it to the next endpoint.

The User enters a new password and posts the form to the following public endpoint

# Parameters

  • token is a unique token provided to you in a query parameter
  • email is the current email of the user
  • password is the new password of the user, complying to the previously defined password policy

The token is valid for 24 hours and can only be used once.

# If the change is successful

A 204 HTTP Status Code is returned, without content.

# If the change fails

A 400 HTTP Status Code is returned with one of the following errors :

  • Expired token
  • Invalid token
  • Token has already been used
Updated on: 4/30/2024, 12:23:09 PM