After a user is created and personalised (linked to an actual identity), several actions can be performed with those credentials. Those actions are described here.
Session management
User sessions on the Platform should be short-lived. User activity is tracked via frontend interaction. When a user has been inactive on the Platform for 5 min, you should call the Logout API to revoke the access token. This API should also be used when the user initiates a log-out action themselves. If a user is still active and continues browsing, the session must be extended by calling the Refresh user token API. Currently ConnectPay does not limit the number of session extensions, but various user limits may be applied if suspicious activity is observed, in order to protect the user. This is why managing sessions is very important.
Further authorisations
The second-factor authorisation flow is the same regardless of the action being authorised. The sequence flow is as follows:
- When a person using the user’s credentials initiates any kind of action, the user’s access token is used for authorisation together with the Platform’s credentials.
- When ConnectPay receives such a request, the SCA rules are validated. The action type is also defined by ConnectPay. Currently 3 action types are supported: login, authorisation and confirmation. The SMS text the user receives differs per type, and internally the data set differs slightly; nevertheless, a Platform always uses the same logic.
- When a second-factor authorisation is created, the Platform receives "challengeStatus": "Required" together with an authorisationEventId in the response of any business action API.
- Using that authorisationEventId, the Platform should call the Initiate SCA authorisation API (for login, when the access token is not yet issued) or the Initiate user’s SCA authorisation API (for all other actions, when the user is logged in and the Platform has an access token issued). This API triggers an SMS to the user’s mobile phone.
- After the user receives the SMS, they enter the OTP code in the Platform’s frontend, and the Platform sends this code together with the authorisationEventId to the Verify SCA API (for a login action) or to the Verify user’s SCA API (for all other actions, when the user is logged in).
- If the OTP is correct, the business action is confirmed and its status changes. For a login action an access token and refresh token pair is issued. If the OTP is incorrect, an error is returned. After 5 incorrect OTPs the user is locked and should initiate the Recover password process.
Recover password
If the password is forgotten or the user is locked, the Platform should call the Recover password API. This API returns a redirect URL to which the user should be sent to create a new password or unlock their access. If recovery is unsuccessful and 5 incorrect attempts have been used, the user’s access is blocked. Unblocking such users can be done only by ConnectPay customer support, by contacting [email protected] and performing ID verification. The Platform will receive the user status as blocked when trying to initiate a new Login.
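The following Python simulation is an added illustration of the two lifecycles described above (the second-factor authorisation flow and the locked/blocked progression of Recover password); it is not ConnectPay’s code and calls no ConnectPay API. The field names "challengeStatus" and "authorisationEventId" and the limits of 5 incorrect OTPs and 5 failed recovery attempts are taken from the text; the class and method names, the in-memory store, the token format and the OTP values are constructed for this example. The page does not say whether the OTP failure counter is kept per challenge or per user; the simulation keeps it per user, so that starting a new business action does not reset it.

```python
"""Offline simulation of an SCA challenge lifecycle with lock-out and block rules.

Constructed example; method names, storage and OTP handling are assumptions,
not ConnectPay's implementation.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

MAX_OTP_FAILURES = 5        # 5 incorrect OTPs -> user is locked (from the text)
MAX_RECOVERY_FAILURES = 5   # 5 failed recovery attempts -> user is blocked (from the text)


@dataclass
class User:
    user_id: str
    status: str = "active"          # active | locked | blocked
    otp_failures: int = 0           # kept per user, not per challenge (assumption)
    recovery_failures: int = 0


@dataclass
class Challenge:
    authorisation_event_id: str
    user_id: str
    action_type: str                # login | authorisation | confirmation
    otp: Optional[str] = None       # set when the SMS is "sent"
    status: str = "Required"        # Required | Confirmed | Failed


@dataclass
class ScaSimulator:
    users: Dict[str, User] = field(default_factory=dict)
    challenges: Dict[str, Challenge] = field(default_factory=dict)

    def add_user(self, user_id: str) -> None:
        self.users[user_id] = User(user_id)

    def business_action(self, user_id: str, action_type: str) -> dict:
        """Any business action: a locked/blocked user is refused, otherwise an SCA challenge is created."""
        user = self.users[user_id]
        if user.status != "active":
            return {"status": user.status}
        event_id = secrets.token_hex(8)
        self.challenges[event_id] = Challenge(event_id, user_id, action_type)
        return {"challengeStatus": "Required", "authorisationEventId": event_id}

    def initiate_sca(self, event_id: str) -> str:
        """Stands in for the Initiate SCA APIs; returns the OTP only because there is no SMS here."""
        ch = self.challenges[event_id]
        ch.otp = f"{secrets.randbelow(10 ** 6):06d}"
        return ch.otp

    def verify_sca(self, event_id: str, otp: str) -> dict:
        """Stands in for the Verify SCA APIs: confirm on a correct OTP, count failures, lock at the limit."""
        ch = self.challenges[event_id]
        user = self.users[ch.user_id]
        if ch.status != "Required" or ch.otp is None or user.status != "active":
            return {"error": "challenge not verifiable", "status": user.status}
        if secrets.compare_digest(otp, ch.otp):      # constant-time comparison
            ch.status = "Confirmed"
            user.otp_failures = 0
            result = {"challengeStatus": "Confirmed"}
            if ch.action_type == "login":            # token pair only for login
                result["accessToken"] = secrets.token_urlsafe(32)
                result["refreshToken"] = secrets.token_urlsafe(32)
            return result
        user.otp_failures += 1
        if user.otp_failures >= MAX_OTP_FAILURES:
            ch.status = "Failed"
            user.status = "locked"
            return {"error": "user locked", "status": "locked"}
        return {"error": "incorrect OTP", "attemptsLeft": MAX_OTP_FAILURES - user.otp_failures}

    def recover_password(self, user_id: str, recovery_succeeded: bool) -> dict:
        """Outcome of the hosted recovery page (modelled as a boolean); 5 failures block the user."""
        user = self.users[user_id]
        if user.status == "blocked":
            return {"status": "blocked"}            # only customer support can unblock
        if recovery_succeeded:
            user.status, user.otp_failures, user.recovery_failures = "active", 0, 0
            return {"status": "active"}
        user.recovery_failures += 1
        if user.recovery_failures >= MAX_RECOVERY_FAILURES:
            user.status = "blocked"
        return {"status": user.status}


if __name__ == "__main__":
    sim = ScaSimulator()
    sim.add_user("user-1")
    resp = sim.business_action("user-1", "login")
    otp = sim.initiate_sca(resp["authorisationEventId"])
    print(sim.verify_sca(resp["authorisationEventId"], otp))
```

Run it as a script to see a successful login challenge; the rest of the behaviour (lock after 5 wrong OTPs, block after 5 failed recoveries, blocked status surfaced on the next Login attempt) is exercised by calling the methods in that order.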