After a user has been created and personalised (linked to an actual identity), several actions can be performed with those credentials. You will find those actions here.
Session management
A user’s sessions in the Platform should be short-lived. User activity is tracked via frontend interaction. When a user has been inactive in the Platform for 5 minutes, you should call the Logout API to revoke the access tokens. This API should also be used when users themselves initiate a log out. If a user is still active and continues browsing, the session must be extended by calling the Refresh user token API. Currently, ConnectPay does not limit the number of session extensions, but various user limits might be applied if suspicious activity is observed, in order to protect the user. This is why managing sessions is very important.
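A Platform-side inactivity watcher that makes the Logout/Refresh decision described above, as an added example (not ConnectPay's code). The `refresh` and `logout` callables are assumed wrappers around the Refresh user token API and the Logout API, and the access-token lifetime is a constructor parameter because this page does not state one.

```python
"""Platform-side session watcher: decides between Refresh user token and Logout.

Added example, not ConnectPay's code. `refresh` and `logout` are callables the
Platform injects (assumed wrappers for the Refresh user token and Logout APIs).
"""
from dataclasses import dataclass

INACTIVITY_LIMIT_S = 5 * 60  # documented: log out after 5 minutes without activity


@dataclass
class SessionState:
    last_activity: float   # last frontend interaction, seconds
    last_refresh: float    # when the current access token was obtained/refreshed
    logged_out: bool = False
    refresh_count: int = 0  # kept for monitoring; ConnectPay may apply limits


class SessionWatcher:
    def __init__(self, refresh, logout, token_lifetime_s, margin_s=30):
        # token_lifetime_s is an assumption (the page gives no lifetime);
        # refresh is triggered margin_s before the token would expire.
        self.refresh = refresh
        self.logout = logout
        self.token_lifetime_s = token_lifetime_s
        self.margin_s = margin_s
        self.state = None

    def start(self, now):
        """Call once the login SCA has succeeded and a token pair is held."""
        self.state = SessionState(last_activity=now, last_refresh=now)

    def activity(self, now):
        """Frontend reports a user interaction (click, keypress, navigation)."""
        if not self.state.logged_out:
            self.state.last_activity = now

    def user_logout(self):
        """User pressed log out: revoke tokens immediately."""
        self._logout()

    def tick(self, now):
        """Periodic timer. Returns 'logout', 'refresh' or None."""
        s = self.state
        if s.logged_out:
            return None
        if now - s.last_activity >= INACTIVITY_LIMIT_S:
            self._logout()          # inactive: revoke tokens, do not refresh
            return "logout"
        if now - s.last_refresh >= self.token_lifetime_s - self.margin_s:
            self.refresh()          # still active: extend the session
            s.last_refresh = now
            s.refresh_count += 1
            return "refresh"
        return None

    def _logout(self):
        if not self.state.logged_out:
            self.logout()
            self.state.logged_out = True
```

Inactivity is checked before token age, so an idle user is logged out rather than silently refreshed, and `refresh_count` gives the Platform a number to alert on if one session keeps extending itself.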
Further authorisations
The second factor authorisation flow is the same regardless of the action being authorised. The sequence flow is as follows:
- When a person using the user’s credentials initiates any kind of action, the user’s access token is used for authorisation together with the Platform’s credentials.
- When ConnectPay receives such a request, SCA rules are validated. The action type is defined by ConnectPay as well. Currently there are 3 action types supported: Login, authorisation and confirmation. The SMS text the user receives differs by type, and internally the data set is slightly different. Nevertheless, a Platform always uses the same logic.
- When second factor authorisation is created, the API response of any business action will contain "challengeStatus": "Required" together with an authorisationEventId.
- Using that authorisationEventId, a Platform should call the Initiate SCA authorisation API (for login, when an access token is not yet issued) or the Initiate user’s SCA authorisation API (for all other actions, when the user is logged in and the Platform has an access token issued). This API triggers an SMS to the user’s mobile phone.
- After the user receives the SMS, they enter the OTP code in the Platform’s frontend, and this code should be sent to us together with the authorisationEventId via the Verify SCA API (if this is a login action) or the Verify user’s SCA API (for all other actions, when the user is logged in).
- If the OTP is successful, the business action is confirmed and its status changes. For a login action, an access token and refresh token pair is issued. If the OTP is incorrect, an error is returned. After 5 incorrect OTPs the user is locked and should initiate the Recover password process.
Recover password
If the password is forgotten or the user is locked, a Platform should call the Recover password API. This API returns a redirect URL to which the user should be redirected to create a new password or unlock access. If recovery is unsuccessful and 5 incorrect attempts have been used, the user’s access is blocked. Unblocking such a user can be done only by ConnectPay customer support, by contacting [email protected] and performing ID verification. The Platform will receive the user status as blocked when trying to initiate a new Login.