---
swagger: "2.0"
info:
  version: "4.0.0"
  title: XLG-SEC-P-bne-MX
  x-ibm-name: xlg-sec-p-bne-mx
  description: ""
basePath: /api
schemes:
  - https
produces:
  - application/json
paths:
  /v3/channels/bne/legacy/authenticate/login:
    post:
      description: This API authenticates a customer.
      consumes:
        - application/json
      produces:
        - application/json
      tags:
        - bne-legacy-login-ccs
      operationId: bne-legacy-login-ccs
      parameters:
        - name: uuid
          in: header
          description: Random 128-bit UUID generated uniquely for every request from the
            customer; it represents the transaction's unique identifier and it is
            recommended to send it.
          required: true
          type: string
        - name: sid
          in: header
          description: Session ID generated and returned as a response header on the first
            API call; it must be resent on successive calls of the same session.
          required: true
          type: string
        - name: Accept-Language
          in: header
          default: es
          description: Language to be sent to the backend systems; must be 'es' for Spanish
            or 'en' for English.
          required: false
          type: string
        - name: countryCode
          default: MX
          in: header
          description: 2-character ISO country code
          required: true
          type: string
        - name: businessCode
          default: GCB
          in: header
          description: 3-character business code
          required: true
          type: string
        - name: channelId
          in: header
          description: Channel ID used by the user; required for the first call in a new
            session.
          required: true
          type: string
        - name: client_id
          in: header
          description: The client ID you received during application registration in the
            developer portal
          required: true
          type: string
        - name: Authorization
          in: header
          description: Bearer token acquired from the APIM token endpoint
          required: true
          type: string
        - name: Content-Type
          in: header
          default: application/json
          description: Content-Type of the request body
          required: true
          type: string
        - name: Accept
          in: header
          description: Content-Types that are acceptable for the response.
          required: true
          type: string
        - name: Accept-Encoding
          in: header
          description: Encoding types accepted for the request. Used for MX RSA risk scoring
            evaluation.
          required: false
          type: string
        - in: body
          name: AuthenticationRequest
          description: Request body used to authenticate the customer
          required: true
          schema:
            $ref: '#/definitions/requestAuthenticate'
      responses:
        "200":
          description: Authentication Successful
          schema:
            $ref: '#/definitions/responseAuthenticate'
        "400":
          description: |
            Type | Code | Details |
            error | invalidRequest | Missing or invalid parameters |
            error | userAccountNotActive | 180-account not active |
            error | userAccountLocked | 15-account locked |
            error | passwordExpired | 9-password has expired |
            error | credentialValidationFailed | 20-master validation failure |
            error | cannotDecryptData | 620-Cannot decrypt, please re-check the encrypted value |
            error | aliasNotFound | Alias not found |
          schema:
            $ref: '#/definitions/ErrorResponse'
        "401":
          description: |
            Type | Code | Details |
            error | unAuthorized | Authorization credentials are missing or invalid |
          schema:
            $ref: '#/definitions/ErrorResponse'
        "403":
          description: |
            Type | Code | Details |
            error | accessNotConfigured | The request operation is not configured to access this resource |
          schema:
            $ref: '#/definitions/ErrorResponse'
        "500":
          description: |
            Type | Code | Details |
            fatal | serverUnavailable | The request failed due to an internal error/server unavailability |
            fatal | backendError | Failed during a call to backend service |
          schema:
            $ref: '#/definitions/ErrorResponse'
  /v4/channels/bne/legacy/authenticate/login:
    post:
      description: This API authenticates a customer using STS E2EE for password
        encryption.
      consumes:
        - application/json
      produces:
        - application/json
      tags:
        - bne-legacy-login-sts
      operationId: bne-legacy-login-sts
      parameters:
        - name: uuid
          in: header
          description: Random 128-bit UUID generated uniquely for every request from the
            customer; it represents the transaction's unique identifier and it is
            recommended to send it.
          required: true
          type: string
        - name: sid
          in: header
          description: Session ID generated and returned as a response header on the first
            API call; it must be resent on successive calls of the same session.
          required: true
          type: string
        - name: Accept-Language
          in: header
          default: es
          description: Language to be sent to the backend systems; must be 'es' for Spanish
            or 'en' for English.
          required: false
          type: string
        - name: countryCode
          default: MX
          in: header
          description: 2-character ISO country code
          required: true
          type: string
        - name: businessCode
          default: GCB
          in: header
          description: 3-character business code
          required: true
          type: string
        - name: channelId
          in: header
          description: Channel ID used by the user; required for the first call in a new
            session.
          required: true
          type: string
        - name: client_id
          in: header
          description: The client ID you received during application registration in the
            developer portal
          required: true
          type: string
        - name: Authorization
          in: header
          description: Bearer token acquired from the APIM token endpoint
          required: true
          type: string
        - name: Content-Type
          in: header
          default: application/json
          description: Content-Type of the request body
          required: true
          type: string
        - in: body
          name: AuthenticationRequest
          description: Request body used to authenticate the customer
          required: true
          schema:
            $ref: '#/definitions/requestAuthenticate'
      responses:
        "200":
          description: Authentication Successful
          schema:
            $ref: '#/definitions/responseAuthenticate'
        "400":
          description: |
            Type | Code | Details |
            error | invalidRequest | Missing or invalid parameters |
            error | userAccountNotActive | 180-account not active |
            error | userAccountLocked | 2960-account locked |
            error | passwordExpired | 9-password has expired |
            error | credentialValidationFailed | 0050-master validation failure |
            error | cannotDecryptData | 620-Cannot decrypt, please re-check the encrypted value |
            error | aliasNotFound | Alias not found |
          schema:
            $ref: '#/definitions/ErrorResponse'
        "401":
          description: |
            Type | Code | Details |
            error | unAuthorized | Authorization credentials are missing or invalid |
          schema:
            $ref: '#/definitions/ErrorResponse'
        "403":
          description: |
            Type | Code | Details |
            error | accessNotConfigured | The request operation is not configured to access this resource |
          schema:
            $ref: '#/definitions/ErrorResponse'
        "500":
          description: |
            Type | Code | Details |
            fatal | serverUnavailable | The request failed due to an internal error/server unavailability |
            fatal | backendError | Failed during a call to backend service |
          schema:
            $ref: '#/definitions/ErrorResponse'
  /v2/channels/bne/legacy/authenticate/password:
    post:
      description: This API changes a corporate customer's password, using STS E2EE for
        password encryption and validating the new password against the customer's
        last 6 passwords history.
      consumes:
        - application/json
      produces:
        - application/json
      tags:
        - bne-change-password
      operationId: bne-change-password
      parameters:
        - name: uuid
          in: header
          description: Random 128-bit UUID generated uniquely for every request from the
            customer; it represents the transaction's unique identifier and it is
            recommended to send it.
          required: false
          type: string
        - name: sid
          in: header
          description: Session ID generated and returned as a response header on the first
            API call; it must be resent on successive calls of the same session.
          required: true
          type: string
        - name: countryCode
          default: MX
          in: header
          description: 2-character ISO country code
          required: false
          type: string
        - name: businessCode
          default: GCB
          in: header
          description: 3-character business code
          required: false
          type: string
        - name: channelId
          in: header
          description: Channel ID used by the user; required for the first call in a new
            session.
          required: false
          type: string
        - name: client_id
          in: header
          description: The client ID you received during application registration in the
            developer portal
          required: true
          type: string
        - name: Authorization
          in: header
          description: Bearer token acquired from the APIM token endpoint
          required: true
          type: string
        - name: Content-Type
          in: header
          default: application/json
          description: Content-Type of the request body
          required: true
          type: string
        - in: body
          name: ChangePasswordRequest
          description: Request body used to change the password of a corporate banking
            customer
          required: true
          schema:
            $ref: '#/definitions/requestChangePassword'
      responses:
        "200":
          description: Successful Change of Password
        "400":
          description: |
            Bad Request
            Type | Code | Details |
            invalid | invalidRequest | Missing or invalid parameters |
            invalid | invalidCredentials | Credentials used in the request are invalid |
            invalid | repeatedPassword | API found that newPassword was already used in one of the last 6 passwords used by the customer |
            error | cannotDecryptData | 620-Cannot decrypt, please re-check the encrypted values |
          schema:
            $ref: '#/definitions/ErrorResponse'
        "401":
          description: |
            Unauthorized
            Type | Code | Details |
            error | unAuthorized | Authorization credentials are missing or invalid |
          schema:
            $ref: '#/definitions/ErrorResponse'
        "403":
          description: |
            Type | Code | Details |
            error | accessNotConfigured | The request operation is not configured to access this resource |
          schema:
            $ref: '#/definitions/ErrorResponse'
        "500":
          description: |
            Type | Code | Details |
            fatal | serverUnavailable | The request failed due to an internal error/server unavailability |
            fatal | backendError | Failed during a call to backend service |
          schema:
            $ref: '#/definitions/ErrorResponse'
  /v1/x-global/security/user/corporate/session/validate:
    post:
      tags:
        - corporate-session-validate
      summary: Validate the session in a specific backend.
      description: This API validates the session for a specific system and promotes
        the scope to Customer.
      operationId: corporate-session-validate
      consumes:
        - application/json
      produces:
        - application/json
      parameters:
        - name: uuid
          in: header
          description: A 128-bit universally unique identifier (UUID) that you generate for
            every request; it is used for tracking. It is recommended to use the output of
            the Java UUID class or an equivalent. If not provided, PSG will automatically
            inject one.
          required: true
          type: string
          default: a7d1e304-83a9-4413-af97-62615e57eae66807840
        - name: sid
          in: header
          description: Session ID generated and returned as a response header on the first
            API call; it must be resent on successive calls of the same session.
          required: true
          type: string
        - name: Accept
          in: header
          description: Content-Types that are acceptable for the response. Currently only
            application/json is supported, and it is the default.
          required: false
          type: string
          default: application/json
        - name: Content-Type
          in: header
          description: application/json. If not provided, PSG will automatically inject the
            default (application/json).
          required: true
          type: string
          default: application/json
        - name: Accept-Language
          in: header
          description: HTTP Accept-Language header. If not provided, PSG will automatically
            inject the default (en-US).
          required: false
          type: string
          default: en-US
        - name: countryCode
          in: header
          description: 2-character ISO country code. If not provided, PSG will automatically
            inject the default (MX).
          required: false
          type: string
          default: MX
        - name: businessCode
          in: header
          description: 3-character business code. If not provided, PSG will automatically
            inject the default (GCB).
          required: false
          type: string
          default: GCB
        - name: channelId
          in: header
          description: Channel ID used by the user.
          required: true
          type: string
        - name: client_id
          in: header
          description: The client ID you received during application registration in the
            developer portal
          required: true
          type: string
        - name: Authorization
          in: header
          description: Bearer token acquired from the APIM token endpoint
          required: true
          type: string
        - in: body
          name: SessionValidateRequest
          description: Request object with the data needed to validate the session
          required: true
          schema:
            $ref: '#/definitions/CorporateSessionValidateRequest'
      responses:
        "200":
          description: Session validated successfully
          headers:
            eventId:
              type: string
              description: Unique event ID, generated and encrypted with the session key,
                which can be sent in the next encrypted payload for validation.
            eventIdExpiryTime:
              type: string
              description: Event ID expiration time, encrypted with the session key
        "400":
          description: |
            (BAD REQUEST) - Request was not processed
            Type | Code | Details |
            invalid | invalidRequest | Missing or invalid parameters |
            invalid | invalidHMAC | 629-HMAC comparison failed |
            invalid | invalidServerRandom | 630-EventID/Server random comparison failed |
            error | cannotDecryptData | 620-Cannot decrypt, please re-check the encrypted value. |
          schema:
            $ref: '#/definitions/CorporateErrorResponse'
        "401":
          description: |
            Type | Code | Details |
            error | unAuthorized | Invalid session |
          schema:
            $ref: '#/definitions/CorporateErrorResponse'
        "403":
          description: |
            (FORBIDDEN) - Unauthorized to perform the requested operation on resource
            Type | Code | Details | More Info |
            invalid | accessNotConfigured | The request operation is not configured to access this resource | Channel/Country/Business provided in the request is not supported currently |
          schema:
            $ref: '#/definitions/CorporateErrorResponse'
        "404":
          description: |
            Type | Code | Details |
            error | notFound | API not found |
          schema:
            $ref: '#/definitions/CorporateErrorResponse'
        "500":
          description: |
            (INTERNAL SERVER ERROR) - API Server Error
            Type | Code | Details |
            fatal | serverUnavailable | The request failed due to an internal error/server unavailability |
            error | hostSystemNotSupported | Host backend system not supported. |
          schema:
            $ref: '#/definitions/CorporateErrorResponse'
definitions:
  requestAuthenticate:
    type: object
    required:
      - customerCredentials
      - sessionRequired
      - device
    properties:
      sessionRequired:
        type: boolean
        default: true
        description: Creates a session in the backend systems; this is always true
      customerCredentials:
        $ref: '#/definitions/Credentials'
      device:
        $ref: '#/definitions/device'
  Credentials:
    type: object
    required:
      - loginId
      - loginIdType
      - legalRepresentativeId
      - encryptedPasswordText
    properties:
      loginId:
        type: string
        description: Customer client number or alias
        maxLength: 12
      loginIdType:
        type: string
        enum:
          - ALIAS
          - CUSTOMER_NUM
        description: Type of login ID used to authenticate
        maxLength: 11
      legalRepresentativeId:
        type: string
        description: Representative number
        maxLength: 2
        minLength: 2
      encryptedPasswordText:
        type: string
        description: E2EE-encrypted customer password; must be alphanumeric, with the
          first 2 characters numeric and the last 6 alphanumeric
        maxLength: 8
        minLength: 8
      applicationUrl:
        type: string
        description: Application URL
  device:
    type: object
    properties:
      devicePrint:
        description: The device print ID for the Cyota request
        type: string
      deviceTokenCookie:
        description: Device token cookie to be passed on all requests except the first
          one.
        type: string
      userAgent:
        description: User agent of the device.
        type: string
      ipAddress:
        type: string
        description: Client IP address
      hardwareId:
        type: string
        description: Mobile hardware ID
      simId:
        type: string
        description: Mobile SIM ID
  responseAuthenticate:
    type: object
    required:
      - passwordExpiryDate
      - contingency
      - lastLoginDate
      - lastLoginTime
      - lastChannelId
      - stationName
      - virtualAccountExistsFlag
      - dataCenterLocation
      - customerService
      - products
      - fullName
    properties:
      passwordExpiryDate:
        type: string
        description: Customer password expiration date in format YYYY-MM-DD
        format: date
      contingency:
        type: string
        enum:
          - OK
          - DUMMY
        default: OK
        description: Flag indicating whether the SPA service is down and a dummy
          challenge must be sent
      lastLoginDate:
        type: string
        description: Date of the customer's last login on any channel, in format
          YYYY-MM-DD
        format: date
      lastLoginTime:
        type: string
        description: Time of the customer's last login on any channel, in format HH:mm
      lastChannelId:
        type: string
        description: Channel ID of the customer's last login
      stationName:
        type: string
        description: Station name to use in the challenge
      dataCenterLocation:
        description: CSI register customer
        type: string
      fullName:
        description: Customer full name
        type: string
      virtualAccountExistsFlag:
        description: Whether the customer has virtual accounts
        type: boolean
      lastUpdatedDate:
        description: Last updated date
        type: string
        format: date
      products:
        type: array
        items:
          $ref: '#/definitions/Product'
      legalRepresentativeData:
        $ref: '#/definitions/Representative'
      customerService:
        type: array
        items:
          $ref: '#/definitions/Service'
        description: Indicates whether an enrolment notification is present
  Representative:
    type: object
    properties:
      legalRepresentativeName:
        description: Executive name
        type: string
      legalRepresentativeId:
        description: Representative number
        type: string
  Product:
    type: object
    properties:
      productTypeCode:
        description: Product type code
        type: integer
      productSubtypeCode:
        description: Product subtype code
        type: integer
      totalrelatedAccountsCount:
        description: Total related accounts count
        type: integer
  Service:
    type: object
    required:
      - customerServiceNumber
      - customerServiceType
    properties:
      customerServiceNumber:
        type: string
        description: ID of the bank service used by the customer
      customerServiceType:
        type: string
        description: Type of bank service used by the customer
  requestChangePassword:
    type: object
    required:
      - newPassword
      - oldPassword
    properties:
      newPassword:
        type: string
        description: E2EE-encrypted new password to set.
      oldPassword:
        type: string
        description: E2EE-encrypted old password.
  CorporateSessionValidateRequest:
    type: object
    required:
      - customerId
      - legalRepresentativeId
      - sessionContext
    properties:
      customerId:
        type: string
        description: Customer ID of the client
        example: "972831"
      legalRepresentativeId:
        type: string
        description: Legal representative of the client
        example: "01"
      sessionContext:
        type: string
        description: Session context, 49 characters long
        example: "000026202T2603C6202000010000000000000000000000000"
  ErrorResponse:
    type: object
    properties:
      type:
        description: invalid - Request did not conform to the specification and was
          unprocessed and rejected. Please fix the value and try again.
        enum:
          - error
          - warn
          - invalid
          - fatal
        type: string
      code:
        description: Error code which qualifies the error
        type: string
      details:
        description: Human-readable explanation specific to the occurrence of the
          problem
        type: string
      location:
        description: The name of the field that resulted in the error
        type: string
      moreInfo:
        description: URI to human-readable documentation of the error
        type: string
    required:
      - type
      - code
      - details
  CorporateErrorResponse:
    type: object
    required:
      - code
      - type
      - details
      - location
      - moreInfo
      - uuid
      - timestamp
    properties:
      type:
        type: string
        description: |
          invalid - Request did not conform to the specification and was unprocessed and rejected. Please fix the value and try again.
          warn - Request was partially processed, e.g. some of the fields are missing in the response due to system issues, or the request was accepted successfully but will be processed asynchronously.
          error - The request was accepted but could not be processed successfully.
          fatal - There was an internal system error while processing the request. These are technical errors and will be resolved by Citi; the consumer should retry after some time. Business errors will not be categorized as fatal.
        enum:
          - error
          - warn
          - invalid
          - fatal
      code:
        type: string
        description: Error code which qualifies the error
      details:
        type: string
        description: Human-readable explanation specific to the occurrence of the
          problem
      location:
        type: string
        description: The name of the field that resulted in the error
      moreInfo:
        type: string
        description: URI to human-readable documentation or detailed description of
          the error
      uuid:
        type: string
        description: 128-bit UUID that you generate for every request
      timestamp:
        type: string
        description: Timestamp of the error
x-ibm-configuration:
  enforced: true
  testable: true
  phase: realized
securityDefinitions:
  OAuth2 Application Flow:
    type: oauth2
    description: ""
    flow: application
    scopes:
      /api/v1: ""
    tokenUrl: https://api.banamex.com/mx-gcgapi/api/v1/oauth/token
  Client ID:
    type: apiKey
    description: ""
    in: header
    name: X-IBM-Client-Id
security:
  - OAuth2 Application Flow:
      - /api/v1
    Client ID: []
x-ibm-endpoints:
  - endpointUrl: https://api.banamex.com/mx-gcgapi
    type:
      - production
      - development
...