---
swagger: "2.0"
info:
description: This APIs provide a unified login for each and every digital/consumer
channel. They also provide a CCS DB storage mechanism to allow migration from
Tandem systems
version: 1.0.0
title: XLG-SEC-P-ConsumerSecurity
x-ibm-name: xlg-sec-p-consumersecurity
basePath: /api
schemes:
- https
produces:
- application/json
paths:
/v1/x-global/security/login/validate:
post:
tags:
- mx-retail-banking-prelogin
summary: API to perform prelogin process for credential
description: This API is a prelogin for retail banking customer. It validates
the customers prelogin information before creating or updating a registry
for the user credential on CCS and proceeding with the login
operationId: mx-retail-banking-prelogin
consumes:
- application/json
produces:
- application/json
parameters:
- name: businessCode
in: header
description: 3 character business code
required: true
type: string
default: GCB
- name: countryCode
in: header
description: 2 character ISO country code
required: true
type: string
default: MX
- name: channelId
in: header
description: channel ID used by the user, it is required for the first call
in a new session.
required: true
type: string
- name: Accept-Language
in: header
description: Language to be send to the backend systems. The supported values
are es for spanish and en for english.
required: true
type: string
default: es
- name: Content-Type
in: header
description: Content-Types that are sent in the request
required: true
type: string
default: application/json
- name: 'uuid '
in: header
description: Random 128 bit UUID generated uniquely for every request from
the Customer, which will represent transaction unique identifier and it
is recommended to send.
required: true
type: string
- name: sid
in: header
description: Session is generated and returned on the first API call as response
header, which needs to be resent on succesive calls of same session
required: true
type: string
- name: client_id
in: header
description: The client ID you received during application registration in
the developer portal
required: true
type: string
- name: Authorization
in: header
description: Bearer token adquired from API Gateway OAUTH service.
required: true
type: string
- in: body
name: loginRequest
description: Request body to authenticate Citibanamex retail banking customer.
required: true
schema:
$ref: '#/definitions/preLoginRequest'
responses:
200:
description: Authentication Successful
headers:
eventId:
type: string
description: This is a unique event id generated and encrypted with
session key, which can be used to send in the next encrypted payload
to validate.
eventIDExpTime:
type: string
description: Event ID expiration time encrypted with session key.
schema:
$ref: '#/definitions/preLoginResponse'
500:
description:
Type | Code | Details |
fatal | serverUnavailable | The
request failed due to an internal error/server unavailability |
schema:
$ref: '#/definitions/ErrorResponse'
/v2/x-global/security/login/validate:
post:
tags:
- mx-retail-banking-prelogin-v2
summary: API to perform prelogin process for credential
description: This API is a prelogin for retail banking customer. It validates
the customers prelogin information before creating or updating a registry
for the user credential on CCS and proceeding with the login
operationId: mx-retail-banking-prelogin-v2
consumes:
- application/json
produces:
- application/json
parameters:
- name: businessCode
in: header
description: 3 character business code
required: true
type: string
default: GCB
- name: countryCode
in: header
description: 2 character ISO country code
required: true
type: string
default: MX
- name: channelId
in: header
description: channel ID used by the user, it is required for the first call
in a new session.
required: true
type: string
- name: Accept-Language
in: header
description: Language to be send to the backend systems. The supported values
are es for spanish and en for english.
required: true
type: string
default: es
- name: Content-Type
in: header
description: Content-Types that are sent in the request
required: true
type: string
default: application/json
- name: 'uuid '
in: header
description: Random 128 bit UUID generated uniquely for every request from
the Customer, which will represent transaction unique identifier and it
is recommended to send.
required: true
type: string
- name: sid
in: header
description: Session is generated and returned on the first API call as response
header, which needs to be resent on succesive calls of same session
required: true
type: string
- name: client_id
in: header
description: The client ID you received during application registration in
the developer portal
required: true
type: string
- name: Authorization
in: header
description: Bearer token adquired from API Gateway OAUTH service.
required: true
type: string
- in: body
name: loginRequest
description: Request body to authenticate Citibanamex retail banking customer.
required: true
schema:
$ref: '#/definitions/BankingPreLoginRequest'
responses:
200:
description: Authentication Successful
headers:
eventId:
type: string
description: This is a unique event id generated and encrypted with
session key, which can be used to send in the next encrypted payload
to validate.
eventIDExpTime:
type: string
description: Event ID expiration time encrypted with session key.
schema:
$ref: '#/definitions/preLoginResponse'
500:
description: Type | Code | Details |
fatal | serverUnavailable | The
request failed due to an internal error/server unavailability |
schema:
$ref: '#/definitions/ErrorResponse'
/v1/x-global/security/login:
post:
tags:
- mx-retail-banking-login
summary: API to authenticate and open session with backend systems
description: This API opens session on PSG session, Functional Server, S015
and Mobile Middleware session. To call this API, you need to go through Platform
E2E Encryption APIs schema first in order to get a propper sid.
operationId: mx-retail-banking-login
consumes:
- application/json
produces:
- application/json
parameters:
- name: businessCode
in: header
description: 3 character business code
required: true
type: string
default: GCB
- name: countryCode
in: header
description: 2 character ISO country code
required: true
type: string
default: MX
- name: channelId
in: header
description: channel ID used by the user, it is required for the first call
in a new session.
required: true
type: string
- name: Accept-Language
in: header
description: Language to be send to the backend systems. The supported values
are es for spanish and en for english.
required: true
type: string
default: es
- name: Content-Type
in: header
description: Content-Types that are sent in the request
required: true
type: string
default: application/json
- name: 'uuid '
in: header
description: Random 128 bit UUID generated uniquely for every request from
the Customer, which will represent transaction unique identifier and it
is recommended to send.
required: true
type: string
- name: sid
in: header
description: Session is generated and returned on the first API call as response
header, which needs to be resent on succesive calls of same session
required: true
type: string
- name: client_id
in: header
description: The client ID you received during application registration in
the developer portal
required: true
type: string
- name: Authorization
in: header
description: Bearer token adquired from API Gateway OAUTH service.
required: true
type: string
- in: body
name: loginRequest
description: Request body to authenticate Citibanamex retail banking customer.
required: true
schema:
$ref: '#/definitions/loginRequest'
responses:
200:
description: Authentication Successful
headers:
eventId:
type: string
description: This is a unique event id generated and encrypted with
session key, which can be used to send in the next encrypted payload
to validate.
eventIDExpTime:
type: string
description: Event ID expiration time encrypted with session key.
cookieValue:
type: string
description: Data of the backend (middleware) session.
schema:
$ref: '#/definitions/loginResponse'
400:
description: Type | Code | Details |
invalid | invalidRequest | Missing
or invalid Parameters |
error | cannotDecryptData | Cannot
decrypt, please validate the encrypted value |
schema:
$ref: '#/definitions/ErrorResponse'
401:
description: Type | Code | Details |
error | unAuthorized | Authorization
credentials are missing or invalid. |
invalid | authenticationFailed | 206-federated
password authentication fails |
bad_credentials | 6666 | Verify
your customer number and / or password. If you have failed repeatedly
it is likely that your service is blocked, unblock it in the main menu
with your NetKey Banamex |
general_error | 8005 | There
was a communication error, please try again |
bloqued_user | 8006 | Verify
your customer number and / or password. If you have failed repeatedly
it is likely that your service is blocked, unblock it in the main menu
with your NetKey Banamex |
usertype_error | 8007 | Verify
your customer number and / or password. If you have failed repeatedly
it is likely that your service is blocked, unblock it in the main menu
with your NetKey Banamex |
duplicate_session | 8008 | Verify
your customer number and / or password. If you have failed repeatedly
it is likely that your service is blocked, unblock it in the main menu
with your NetKey Banamex |
schema:
$ref: '#/definitions/ErrorResponse'
403:
description: Type | Code | Details |
error | accessNotConfigured | The
request operation is not configured to access this resource. |
schema:
$ref: '#/definitions/ErrorResponse'
404:
description: Type | Code | Details |
error | userIdNotFound | Master
userID not found |
error | federatedProfileNotFound | 751-Federated
Profile does not exist |
schema:
$ref: '#/definitions/ErrorResponse'
500:
description: Type | Code | Details |
fatal | serverUnavailable | The
request failed due to an internal error/server unavailability |
fatal | backendError | Failed
during a call to backend service |
schema:
$ref: '#/definitions/ErrorResponse'
/v1/x-global/security/logout:
delete:
tags:
- mx-retail-banking-logout
summary: API to close current users session
description: This API closes the users session on PSG session, Functional Server,
S015 and Mobile Middleware session. This is a post-login API, so in order
to call it, you must have opened a session through mx-retail-banking-login
API.
operationId: mx-retail-banking-logout
consumes:
- application/json
produces:
- application/json
parameters:
- name: businessCode
in: header
description: 3 character business code
required: true
type: string
default: GCB
- name: countryCode
in: header
description: 2 character ISO country code
required: true
type: string
default: MX
- name: channelId
in: header
description: channel ID used by the user, it is required for the first call
in a new session.
required: true
type: string
- name: 'uuid '
in: header
description: Random 128 bit UUID generated uniquely for every request from
the Customer, which will represent transaction unique identifier and it
is recommended to send.
required: true
type: string
- name: sid
in: header
description: Session is generated and returned on the first API call as response
header, which needs to be resent on succesive calls of same session
required: true
type: string
- name: client_id
in: header
description: The client ID you received during application registration in
the developer portal
required: true
type: string
- name: Authorization
in: header
description: Bearer token adquired from API Gateway OAUTH service.
required: true
type: string
responses:
200:
description: Request successful.
401:
description: Type | Code | Details |
invalid | invalidRequest | Missing
or invalid parameters. |
403:
description: Type | Code | Details |
error | accessNotConfigured | The
request operation is not configured to access this resource. |
500:
description: Type | Code | Details |
fatal | serverUnavailable | The
request failed due to an internal error/server unavailability |
fatal | backendError | Failed
during a call to backend service |
schema:
$ref: '#/definitions/ErrorResponse'
/v1/x-global/security/customers/credentials/validate:
post:
tags:
- mx-retail-banking-credentials-validation
summary: API for validating the customer credential information
description: This API is used when the data of the customer card or customer
number needs to be validated
operationId: mx-retail-banking-credentialsvalidation
consumes:
- application/json
produces:
- application/json
parameters:
- name: businessCode
in: header
description: 3 character business code
required: true
type: string
default: GCB
- name: countryCode
in: header
description: 2 character ISO country code
required: true
type: string
default: MX
- name: channelId
in: header
description: channel ID used by the user, it is required for the first call
in a new session.
required: true
type: string
- name: Accept-Language
in: header
description: Language to be send to the backend systems. The supported values
are es for spanish and en for english.
required: true
type: string
default: es
- name: Content-Type
in: header
description: Content-Types that are sent in the request
required: true
type: string
default: application/json
- name: 'uuid '
in: header
description: Random 128 bit UUID generated uniquely for every request from
the Customer, which will represent transaction unique identifier and it
is recommended to send.
required: true
type: string
- name: sid
in: header
description: Session is generated and returned on the first API call as response
header, which needs to be resent on succesive calls of same session
required: true
type: string
- name: client_id
in: header
description: The client ID you received during application registration in
the developer portal
required: true
type: string
- name: Authorization
in: header
description: Bearer token adquired from API Gateway OAUTH service.
required: true
type: string
- in: body
name: CustomerCredentialsRequest
description: Request body to authenticate Citibanamex retail banking customer.
required: true
schema:
$ref: '#/definitions/CustomerCredentialsRequest'
responses:
200:
description: Authentication Successful
headers:
eventId:
type: string
description: This is a unique event id generated and encrypted with
session key, which can be used to send in the next encrypted payload
to validate.
eventIDExpTime:
type: string
description: Event ID expiration time encrypted with session key.
schema:
$ref: '#/definitions/CredentialsValidationResponse'
500:
description: Type | Code | Details |
fatal | serverUnavailable | The
request failed due to an internal error/server unavailability |
schema:
$ref: '#/definitions/ErrorResponse'
/v1/x-global/security/customers/card-plastic/information/validate:
post:
tags:
- mx-retail-banking-plastic-info-validation
summary: API to validate card information
description: This API is called when the channel needs to validate information
proper of the card which was entered in the previous step
operationId: mx-retail-banking-plastic-info-validation
consumes:
- application/json
produces:
- application/json
parameters:
- name: businessCode
in: header
description: 3 character business code
required: true
type: string
default: GCB
- name: countryCode
in: header
description: 2 character ISO country code
required: true
type: string
default: MX
- name: channelId
in: header
description: channel ID used by the user, it is required for the first call
in a new session.
required: true
type: string
- name: Accept-Language
in: header
description: Language to be send to the backend systems. The supported values
are es for spanish and en for english.
required: true
type: string
default: es
- name: Content-Type
in: header
description: Content-Types that are sent in the request
required: true
type: string
default: application/json
- name: 'uuid '
in: header
description: Random 128 bit UUID generated uniquely for every request from
the Customer, which will represent transaction unique identifier and it
is recommended to send.
required: true
type: string
- name: sid
in: header
description: Session is generated and returned on the first API call as response
header, which needs to be resent on succesive calls of same session
required: true
type: string
- name: client_id
in: header
description: The client ID you received during application registration in
the developer portal
required: true
type: string
- name: Authorization
in: header
description: Bearer token adquired from API Gateway OAUTH service.
required: true
type: string
- in: body
name: CardPlasticInformationRequest
description: Request body to authenticate Citibanamex retail banking customer.
required: true
schema:
$ref: '#/definitions/cardPlasticInformationRequest'
responses:
200:
description: Authentication Successful
headers:
eventId:
type: string
description: This is a unique event id generated and encrypted with
session key, which can be used to send in the next encrypted payload
to validate.
eventIDExpTime:
type: string
description: Event ID expiration time encrypted with session key.
400:
description: Type | Code | Details |
invalid | invalidRequest | Missing
or invalid Parameters |
error | cannotDecryptData | Cannot
decrypt, please validate the encrypted value |
schema:
$ref: '#/definitions/ErrorResponse'
401:
description: Type | Code | Details |
error | unAuthorized | Authorization
credentials are missing or invalid. |
invalid | credentialValidationFailed | Invalid
Credentials |
schema:
$ref: '#/definitions/ErrorResponse'
403:
description: Type | Code | Details |
error | accessNotConfigured | The
request operation is not configured to access this resource. |
schema:
$ref: '#/definitions/ErrorResponse'
422:
description: Type | Code | Details |
error | businessValidationFailed | Business
validation error occured on one or more parameter |
schema:
$ref: '#/definitions/ErrorResponse'
500:
description: Type | Code | Details |
fatal | serverUnavailable | The
request failed due to an internal error/server unavailability |
fatal | backendError | Failed
during a call to backend service |
schema:
$ref: '#/definitions/ErrorResponse'
/v1/x-global/security/customers/mobile-phone/validate:
post:
tags:
- mx-retail-banking-cellphone-validation
summary: API to validate the customer cellphone number
description: This API provide the customerId of the client throug the ccsId
and helps in the cellPhone process validation
operationId: mx-retail-banking-cellphone-validation
consumes:
- application/json
produces:
- application/json
parameters:
- name: businessCode
in: header
description: 3 character business code
required: true
type: string
default: GCB
- name: countryCode
in: header
description: 2 character ISO country code
required: true
type: string
default: MX
- name: channelId
in: header
description: channel ID used by the user, it is required for the first call
in a new session.
required: true
type: string
- name: Accept-Language
in: header
description: Language to be send to the backend systems. The supported values
are es for spanish and en for english.
required: true
type: string
default: es
- name: Content-Type
in: header
description: Content-Types that are sent in the request
required: true
type: string
default: application/json
- name: 'uuid '
in: header
description: Random 128 bit UUID generated uniquely for every request from
the Customer, which will represent transaction unique identifier and it
is recommended to send.
required: true
type: string
- name: sid
in: header
description: Session is generated and returned on the first API call as response
header, which needs to be resent on succesive calls of same session
required: true
type: string
- name: client_id
in: header
description: The client ID you received during application registration in
the developer portal
required: true
type: string
- name: Authorization
in: header
description: Bearer token adquired from API Gateway OAUTH service.
required: true
type: string
- in: body
name: CellphoneValidationRequest
description: Request body to authenticate Citibanamex retail banking customer.
required: true
schema:
$ref: '#/definitions/cellphoneValidationRequest'
responses:
200:
description: Authentication Successful
schema:
$ref: '#/definitions/cellphoneValidationResponse'
headers:
eventId:
type: string
description: This is a unique event id generated and encrypted with
session key, which can be used to send in the next encrypted payload
to validate.
eventIDExpTime:
type: string
description: Event ID expiration time encrypted with session key.
400:
description: Type | Code | Details |
invalid | invalidRequest | Missing
or invalid Parameters |
schema:
$ref: '#/definitions/ErrorResponse'
401:
description: Type | Code | Details |
error | unAuthorized | Authorization
credentials are missing or invalid. |
invalid | credentialValidtionFailed | Invalid
Credentials |
schema:
$ref: '#/definitions/ErrorResponse'
403:
description: Type | Code | Details |
error | accessNotConfigured | The
request operation is not configured to access this resource. |
schema:
$ref: '#/definitions/ErrorResponse'
404:
description: Type | Code | Details |
error | userIdNotFound | Master
userID not found |
schema:
$ref: '#/definitions/ErrorResponse'
422:
description: Type | Code | Details |
error | businessValidationFailed | Business
validation error occured on one or more parameter |
schema:
$ref: '#/definitions/ErrorResponse'
423:
description: sessionError | SessionError | The
attemps per session have been exceeded |
dayError | DayError | The
attemps per day have been exceeded |
schema:
$ref: '#/definitions/ErrorResponse'
500:
description: Type | Code | Details |
fatal | serverUnavailable | The
request failed due to an internal error/server unavailability |
fatal | backendError | Failed
during a call to backend service |
schema:
$ref: '#/definitions/ErrorResponse'
/v1/x-global/security/otp/send:
post:
tags:
- mx-retail-banking-send-otp
summary: API for requesting an OTP (receiving it via SMS to the customer certified
cellphone)
description: This API helps when the OTP is required to send to the customer
via SMS
operationId: mx-retail-banking-send-otp
consumes:
- application/json
produces:
- application/json
parameters:
- name: businessCode
in: header
description: 3 character business code
required: true
type: string
default: GCB
- name: countryCode
in: header
description: 2 character ISO country code
required: true
type: string
default: MX
- name: channelId
in: header
description: channel ID used by the user, it is required for the first call
in a new session.
required: true
type: string
- name: Accept-Language
in: header
description: Language to be send to the backend systems. The supported values
are es for spanish and en for english.
required: true
type: string
default: es
- name: Content-Type
in: header
description: Content-Types that are sent in the request
required: true
type: string
default: application/json
- name: 'uuid '
in: header
description: Random 128 bit UUID generated uniquely for every request from
the Customer, which will represent transaction unique identifier and it
is recommended to send.
required: true
type: string
- name: sid
in: header
description: Session is generated and returned on the first API call as response
header, which needs to be resent on succesive calls of same session
required: true
type: string
- name: client_id
in: header
description: The client ID you received during application registration in
the developer portal
required: true
type: string
- name: Authorization
in: header
description: Bearer token adquired from API Gateway OAUTH service.
required: true
type: string
- in: body
name: OtpRequest
description: Request body to authenticate Citibanamex retail banking customer.
required: true
schema:
$ref: '#/definitions/OtpRequest'
responses:
200:
description: Authentication Successful
400:
description: Type | Code | Details |
invalid | invalidRequest | Missing
or invalid parameters |
error | cannotDecryptData | Cannot
decrypt, please validate the encrypted value |
schema:
$ref: '#/definitions/ErrorResponse'
401:
description: Type | Code | Details |
error | unAuthorized | Authorization
credentials are missing or invalid. |
invalid | credentialValidtionFailed | Invalid
Credentials |
schema:
$ref: '#/definitions/ErrorResponse'
403:
description: Type | Code | Details |
error | accessNotConfigured | The
request operation is not configured to access this resource. |
schema:
$ref: '#/definitions/ErrorResponse'
422:
description: Type | Code | Details |
error | businessValidationFailed | Business
validation error occured on one or more parameter |
schema:
$ref: '#/definitions/ErrorResponse'
423:
description: sessionError | SessionError | The
attemps per session have been exceeded |
dayError | DayError | The
attemps per day have been exceeded |
schema:
$ref: '#/definitions/ErrorResponse'
500:
description: Type | Code | Details |
fatal | serverUnavailable | The
request failed due to an internal error/server unavailability |
fatal | backendError | Failed
during a call to backend service |
schema:
$ref: '#/definitions/ErrorResponse'
/v1/x-global/security/customers/access/set:
post:
tags:
- mx-retail-banking-new-access-credential
summary: API for validating the OTP asked and set a new password
description: This API helps in the validation of the OTP and the change of the
customer access credential, decrypting the information and returning the proper
response
operationId: mx-retail-banking-new-access-credential
consumes:
- application/json
produces:
- application/json
parameters:
- name: businessCode
in: header
description: 3 character business code
required: true
type: string
default: GCB
- name: countryCode
in: header
description: 2 character ISO country code
required: true
type: string
default: MX
- name: channelId
in: header
description: channel ID used by the user, it is required for the first call
in a new session.
required: true
type: string
- name: Accept-Language
in: header
description: Language to be send to the backend systems. The supported values
are es for spanish and en for english.
required: true
type: string
default: es
- name: Content-Type
in: header
description: Content-Types that are sent in the request
required: true
type: string
default: application/json
- name: 'uuid '
in: header
description: Random 128 bit UUID generated uniquely for every request from
the Customer, which will represent transaction unique identifier and it
is recommended to send.
required: true
type: string
- name: sid
in: header
description: Session is generated and returned on the first API call as response
header, which needs to be resent on succesive calls of same session
required: true
type: string
- name: client_id
in: header
description: The client ID you received during application registration in
the developer portal
required: true
type: string
- name: Authorization
in: header
description: Bearer token adquired from API Gateway OAUTH service.
required: true
type: string
- in: body
name: NewCredentialsValidationRequest
description: Request body to authenticate Citibanamex retail banking customer.
required: true
schema:
$ref: '#/definitions/newCredentialValidationRequest'
responses:
200:
description: Authentication Successful
headers:
eventId:
type: string
description: This is a unique event id generated and encrypted with
session key, which can be used to send in the next encrypted payload
to validate.
eventIDExpTime:
type: string
description: Event ID expiration time encrypted with session key.
400:
description: Type | Code | Details |
invalid | invalidRequest | Missing
or invalid parameters |
error | cannotDecryptData | Cannot
decrypt, please validate the encrypted value |
error | Credential
Invalid | The password does not complies with the standars |
schema:
$ref: '#/definitions/ErrorResponse'
401:
description: Type | Code | Details |
error | unAuthorized | Authorization
credentials are missing or invalid. |
invalid | credentialValidtionFailed | Invalid
Credentials |
schema:
$ref: '#/definitions/ErrorResponse'
403:
description: Type | Code | Details |
error | accessNotConfigured | The
request operation is not configured to access this resource. |
schema:
$ref: '#/definitions/ErrorResponse'
422:
description: Type | Code | Details |
error | businessValidationFailed | Business
validation error occured on one or more parameter |
schema:
$ref: '#/definitions/ErrorResponse'
423:
description: sessionError | SessionError | The
attemps per session have been exceeded |
dayError | DayError | The
attemps per day have been exceeded |
schema:
$ref: '#/definitions/ErrorResponse'
500:
description: Type | Code | Details |
fatal | serverUnavailable | The
request failed due to an internal error/server unavailability |
fatal | backendError | Failed
during a call to backend service |
schema:
$ref: '#/definitions/ErrorResponse'
/v1/x-global/security/customers/credentials:
post:
tags:
- set-customer-credentials
operationId: set-customer-credentials
summary: To perform a set or change the password of a client
description: This API is used for helping in the change or set a password of
a client when a client requires
consumes:
- application/json
produces:
- application/json
parameters:
- name: client_id
in: header
required: true
type: string
description: Client ID generated during application registration
- name: Authorization
in: header
required: true
type: string
description: The Authorization Token received during login
- name: businessCode
in: header
required: true
type: string
description: 3 character business code identified during application registration
- name: Accept
in: header
required: true
type: string
description: Content-Types that are acceptable for the response
- name: uuid
in: header
required: true
type: string
description: 128 bit UUID that you generate for every request
- name: countryCode
in: header
description: 2 character ISO country code
required: true
type: string
- name: Accept-Language
in: header
required: false
type: string
description: Language to be send to the backend systems. The supported values
are es for spanish and en for english.
default: es
- name: Content-Type
in: header
required: true
type: string
description: Content-Types that are sent in the request
- name: channelId
in: header
required: true
type: string
description: Channel where request originated
- name: sid
in: header
required: true
type: string
description: Session is generated and returned on the first API call as response
header, which needs to be resent on succesive calls of same session
- in: body
name: setCustomerCredentialsRequest
description: Request body for starting the set or change of a Citibanamex
Client PIN and password
required: true
schema:
$ref: '#/definitions/SetCustomerCredentialsRequest'
responses:
200:
description: Authentication Successful
headers:
eventId:
type: string
description: This is a unique event id generated and encrypted with
session key, which can be used to send in the next encrypted payload
to validate.
eventIdExpTime:
type: string
description: Event ID expiration time encrypted with session key.
400:
description: Type | Code | Details |
invalid | invalidRequest | Missing
or invalid Parameters |
schema:
$ref: '#/definitions/ErrorResponse'
401:
description: Type | Code | Details |
error | unAuthorized | Authorization
credentials are missing or invalid. |
schema:
$ref: '#/definitions/ErrorResponse'
403:
description: Type | Code | Details |
error | accessNotConfigured | The
request operation is not configured to access this resource. |
schema:
$ref: '#/definitions/ErrorResponse'
422:
description: Type | Code | Details |
error | businessValidationFailed | Business
validation error occured on one or more parameter |
schema:
$ref: '#/definitions/ErrorResponse'
500:
description: Type | Code | Details |
fatal | serverUnavailable | The
request failed due to an internal error/server unavailability |
schema:
$ref: '#/definitions/ErrorResponse'
/v1/x-global/security/customers/credentials/status:
post:
tags:
- customer-credentials-status
operationId: customer-credentials-status
summary: API to provide a status detail for a customer that previously open
a session in IVR or authentication in Branches.
description: This API is used to provide a status detail for a customer that
previously open a session in IVR or authentication in Branches
consumes:
- application/json
produces:
- application/json
parameters:
- name: client_id
in: header
required: true
type: string
description: Client ID generated during application registration
- name: Authorization
in: header
required: true
type: string
description: The Authorization Token received during login
- name: businessCode
in: header
required: true
type: string
description: 3 character business code identified during application registration
- name: uuid
in: header
required: true
type: string
description: 128 bit UUID that you generate for every request
- name: countryCode
in: header
description: 2 character ISO country code
required: true
type: string
- name: Accept-Language
in: header
required: false
type: string
description: Language to be send to the backend systems must be es for spanish
and en for english
default: es
- name: Content-Type
in: header
required: true
type: string
description: Content-Types that are sent in the request
- name: channelId
in: header
required: true
type: string
description: Channel where request originated
- name: customerCredentialsStatusRequest
in: body
description: Request body to retrieve detailed status of a customer
required: true
schema:
$ref: '#/definitions/CustomerCredentialsStatusRequest'
responses:
200:
description: Successful operation.
schema:
$ref: '#/definitions/CustomerCredentialsStatusResponse'
400:
description: Type | Code | Details |
error | badRequest | Request
was not processed |
schema:
$ref: '#/definitions/ErrorResponse'
401:
description: Type | Code | Details |
error | unAuthorized | The
request has not been applied |
schema:
$ref: '#/definitions/ErrorResponse'
403:
description: Type | Code | Details |
error | forbidden | You
do not have permission to access |
schema:
$ref: '#/definitions/ErrorResponse'
404:
description: Type | Code | Details | More
Info |
error | resourceNotFound | The requested
resource was not found | Empty resource/resource not found |
schema:
$ref: '#/definitions/ErrorResponse'
500:
description: Type | Code | Details |
fatal | serverUnavailable | The
request failed due to an internal error/server unavailability |
error | backendError | TFailed
during a call to backend service |
schema:
$ref: '#/definitions/ErrorResponse'
definitions:
preLoginRequest:
type: object
properties:
encryptedUserId:
type: string
description: Customer Number or Customer Card Number (Credit or Debit). This
parameter is encrypted by the frontends using Platform
End-to-End encryption APIs. The encoding used here must be HEX.
vascoDeviceId:
type: string
example: f96dd4b2dc083008f786950fee311df1
description: MBK Specific. Identifier generated by Vasco SDK.
description: Prelogin Request.
BankingPreLoginRequest:
type: object
properties:
encryptedUserId:
type: string
description: Customer Number or Customer Card Number (Credit or Debit). This
parameter is encrypted by the frontends using Platform
End-to-End encryption APIs. The encoding used here must be HEX.
vascoDeviceId:
type: string
example: f96dd4b2dc083008f786950fee311df1
description: MBK Specific. Identifier generated by Vasco SDK.
instanceId:
description: MBK Specific. Unique identifier for the middleware instance
of Mobile architecture. This value is generated by the front end.
type: string
example: p6
description: Prelogin Request.
preLoginResponse:
type: object
properties:
ccsId:
type: string
description: Customer CCS ID.
encryptedLoginId:
type: string
description: Citibanamex Customer Number. This parameter is encrypted by the
frontends using Platform
End-to-End encryption APIs. The encoding used here must be HEX.
maskedCustomerName:
type: string
example: A***** H******** R******
description: Masked name of the customer.
nextLoginActionCode:
type: integer
format: int32
example: 1
description: Depending of the Electronic Bank Status and the Black List Status,
the client can be redirected to a different login.
nextLoginActionDescription:
type: string
example: '0: The client have to make an onboarding'
description: Description for next login action.
registrationStatus:
type: string
example: "0"
description: Customer registration status regarding Banca Movil regulation.
registrationStatusDescription:
type: string
example: The client is not registered in Banca Movil
description: Status description of the registration in Banca Movil.
mobileBankingDeviceStatus:
type: string
example: "0"
description: Identifier to validate if the client is using the same device
registered in Banca Movil.
mobileBankingDeviceStatusDescription:
type: string
example: The device Id does not exist
description: Status Description of the device in Banca Movil
description: Prelogin Response.
loginRequest:
type: object
required:
- customerCredentials
properties:
customerCredentials:
$ref: '#/definitions/customerCredentials'
vascoDeviceId:
type: string
example: f96dd4b2dc083008f786950fee311df1
description: MBK Specific. Identifier generated by Vasco SDK.
applicationDeviceId:
type: string
example: 8f786950fee311df1f96dd4b2dc08300
description: Identifier of the device, this is neccesary when a the channel
requires to do a login through Biologin.
instanceId:
type: string
example: /v1/abc/xyz
description: MBK Specific. Endpoint to generate a session in the current
Middleware instance of Mobile arquitecture. This value is generated by the
front end.
mobileAML:
$ref: '#/definitions/mobileAML'
description: Login Request.
customerCredentials:
type: object
required:
- credentialType
- encryptedCredentialvascoDeviceId
- userId
properties:
userId:
type: string
example: "140946519"
description: Customer login ID. Currently only customer number its being supported.
userIdType:
type: string
description: Type of the loginId parameter used to authenticate. Default value
is set in case this parameter does not come in the request.
default: CUSTOMER_NUM
encryptedCredential:
type: string
description: Customers credential (PIN) used for authentication. This is encrypted
by the frontends using Platform
End-to-End encryption APIs. The encoding used here must be HEX.
credentialType:
type: integer
description: Type of credential which the customer has entered. Default value
is set in case this parameter doesnt come in the request. The values can
be the following:
Value | Details |
1 | BancaNet
numeric PIN. |
2 | BancaNet alphanumeric PIN. |
3 | BancaNet
Biotoken. |
description: Object containing retail banking customers credentials.
mobileAML:
properties:
ipAddress:
type: string
example: 10.102.54.64
description: 'Internet Protocol address: a number which is given to a computer
when it is connected to the internet (client IP address)'
rsaVersion:
type: string
example: 3.4.1.1
description: Version of the RSA that generates the data in the client (Browsers
or Mobile Apps).
queryTime:
type: string
format: date
example: "2019-09-22T04:14:00+1:00"
description: Time at which the request is launched, this data comes from the
time of the smartPhone.
rsaDeviceId:
type: string
example: "-1"
description: Device identifier, if the RSA SDK in the mobile app can not recover
it, it returns -1. It is based upon the RSA security.
simID:
type: string
example: "425010770666253"
description: Identifier of the SIM card of the device, if the RSA SDK in mobile
app can not recover it, it returns -1.
phoneNumber:
type: string
example: "-1"
description: Phone number of the device, if the SDK can not recover it, it
returns -1.
rsaApplicationKey:
type: string
example: 10F29219081905EC2BEBFF5AD779EE48
description: Key that identifies the RSA SDK.
mobileCompromisedIndicator:
type: integer
format: int32
example: 1
description: 'It indicates if the smartphone is altered (Root or Jailbreak).
The values for this parameter can be the following: 0- disabled,1- enabled.
Value | Details |
0 | Disabled |
1 | Enabled |
'
mobileEmulatorIndicator:
type: integer
format: int32
example: 1
description: 'It indicates if the RSA SDK is running in simulator or in a
physical device.The values for this parameter can be the following: 0- disabled,1-
enabled.
Value | Details |
0 | Disabled |
1 | Enabled |
'
description: This object contains the data needed to execute Mexico AML functionalities
for MX Mobile frontend. This an optional object, it is required only
when the frontend is a MX Mobile App and it has integrated on its layer an AML
engine like CMAMT or something alike.
loginResponse:
type: object
properties:
customerName:
type: string
example: ARTURO HERNANDEZ RAMIREZ
description: Customers full name.
lastChannelId:
type: string
example: MOVIL
description: Last channel ID in which the customer logged in. This parameter
comes from the backend.
lastLoginDate:
type: string
example: "2019-09-22T04:14:00+1:00"
description: Last login access date.
tokenStatus:
type: string
example: sdasdsa321ne2iuoi28d
description: Customer token status. This token refers to the customer netkey
device, which it can be a hardtoken or a softoken. The values can be the
following:
Value | Description |
6 | BASIC.
The customer can not execute high risk transactions. |
56 | PRO.
The customer can execute high risk transactions using its hardtoken as MFA
method. |
64 | SOFTTOKEN_PRE_ASSIGNED. The customer
can not execute high risk transactions but can reactivate its softoken. |
66 | SOFTTOKEN_ACTIVATED.
The customer can execute high risk transactions using its softoken as a
MFA method. |
63 | SOFTTOKEN_DEACTIVATED. The customer
can not execute high risk transactions but can reactivate its sofoken. |
tokenStatusDescription:
type: string
example: BASIC
description: Description of tokens status value of the customer.
customerType:
type: integer
example: 1551
description: This is a Mexico legacy parameter. The first two digits of the
value represents the customers service type (i.e. 15 stands for Electronic
Banking Service), and the last two digits represents the customers type
of person. To sumarize, the values can be the following:
Value | Description |
1506 | Moral
person. |
1521 | Physical person with enterprise activity. |
1551 | Physical
person. |
customerTypeDescription:
type: string
example: Individual
description: Description of customer types value.
credentialStatus:
type: string
example: NEW
description: This parameter represents the status of the credential which
was used to authenticate. Depending on the value, the frontend application
needs to enforce the action to follow. The values can be the following:
Value | Description |
NONE | The
current Password is ok. |
NEW | Login with Temporal
PIN. PIN and Password do not exist. Both have to be created. |
RPIN | Login
with Temporal PIN. PIN and Password is expired. Both have to be created. |
ACPWD | Login
with PIN. Password is expired. It has to be created. |
CHPWD | Login
with Password. Password is expired after an unlock. It has to be created. |
credentialStatusDescription:
type: string
example: ""
description: Description if credentialStatus value.
termsAndConditionsAcceptedFlag:
type: boolean
example: true
description: Flag which indicates if the customer has already accepted Citibanamex
electronic Terms & Conditions.
registrationStatus:
type: string
example: "0"
description: Customer registration status regarding Banca Movil regulation.
registrationStatusDescription:
type: string
example: The client is not registered in Banca Movil
description: Status description of the registration in Banca Movil.
mobileBankingDeviceStatus:
type: string
example: "0"
description: Identifier to validate if the client is using the same device
registered in Banca Movil.
mobileBankingDeviceStatusDescription:
type: string
example: The device Id does not exist
description: Status Description of the device in Banca Movil
description: Response parameters of retail banking login for Mexico customers.
CustomerCredentialsRequest:
type: object
properties:
encryptedUserId:
type: string
description: Customer Number or Customer Card Number (Credit or Debit). This
parameter is encrypted by the frontends using Platform
End-to-End encryption APIs. The encoding used here must be HEX.
required:
- encryptedUserId
description: Prelogin Request.
CredentialsValidationResponse:
type: object
properties:
ccsId:
type: string
description: Customer CCS ID.
encryptedLoginId:
type: string
description: Citibanamex Customer Number. This parameter is encrypted by the
frontends using Platform
End-to-End encryption APIs. The encoding used here must be HEX.
maskedCustomerName:
type: string
example: A***** H******** R******
description: Masked name of the customer.
registrationStatus:
type: string
example: "0"
description: Customer registration status regarding Banca Movil regulation.
registrationStatusDescription:
type: string
example: The client is not registered in Banca Movil
description: Status description of the registration in Banca Movil.
mobileBankingDeviceStatus:
type: string
example: "0"
description: Identifier to validate if the client is using the same device
registered in Banca Movil.
mobileBankingDeviceStatusDescription:
type: string
example: The device Id does not exist
description: Status Description of the device in Banca Movil
description: Customer credentials response.
cardPlasticInformationRequest:
type: object
properties:
ccsId:
type: string
example: "2264"
description: Customer CCS ID.
encryptedCredentialAccess:
type: string
example: "1234"
description: Customer Number(NIP). This parameter is encrypted by the frontends
using Platform
End-to-End encryption APIs. The encoding used here must be HEX.
expirationCardDate:
type: string
example: "0520"
description: Date when the card will expire (MMYY)
required:
- ccsId
- encryptedCredentialAccess
- expirationCardDate
description: Request parameters are require for getting for starting the card
validation process.
cellphoneValidationRequest:
type: object
properties:
ccsId:
type: string
example: "2264"
description: Customer CCS ID.
phoneNumber:
type: string
example: "5556093218"
description: Customer cellphone Number (certified). This parameter is required
from the backends for getting the cellphone client validation
isFirstTime:
type: boolean
example: false
description: Flag to tell if it is the operation for first time login or it
is for forgotten password
required:
- ccsId
- cellPhoneNumber
- isFirstTime
description: Request parameters are require for starting the cellphone validation
process.
cellphoneValidationResponse:
type: object
properties:
bestPhoneFlag:
type: boolean
example: false
description: Flag to tell if the phone validated is best phone (branch registered
phone or alerts and notifications phone)
OtpRequest:
type: object
properties:
ccsId:
type: string
example: "2264"
description: Customer CCS ID.
authType:
type: integer
example: 3
description: Factor by which the user will be authenticated Value | Description |
0 | =
Softtoken VASCO / Hardtoken SPA |
1 | Hardtoken SPA |
2 | Softtoken
VASCO |
3 | SMS OTP (Validates registred device) |
4 | voice
OTP |
5 | Single use phone |
| |
6 | SMS
OTP (Validates standard Operation OTP) |
| |
isFirstTime:
type: boolean
example: false
description: Flag to tell if it is the operation for first time login or it
is for forgotten password
required:
- ccsId
- authType
- isFirstTime
description: Request parameters are require for starting the cellphone validation
process.
newCredentialValidationRequest:
type: object
properties:
ccsId:
type: string
example: "2264"
description: Customer CCS ID.
newEncryptedAccessCredential:
type: string
example: Mexico10
description: This parameter is the new credential which going to replace the
old customer credential access (password)
encryptedOtp:
type: string
example: 01784763
description: One time password received in a previous step
isFirstTime:
type: boolean
example: false
description: Flag to tell if it is the operation for first time login or it
is for forgotten password
required:
- ccsId
- newEncryptedAccessCredential
- encryptedOtp
- isFirstTime
description: Request parameters are require for starting the cellphone validation
process.
SetCustomerCredentialsRequest:
type: object
properties:
credentialStatus:
type: string
example: NEW
description: 'Object parameter retrieved from Login response which will indicate
the operation for executing:
Value | Details |
None | password
active. |
New | password expired and without acceptance. |
RPIN | PIN
expired |
ACPWD | PIN Active |
CHPWD | Password
expired |
'
newEncryptedAccessNumber:
type: string
example: "30203020"
description: New Customer credential (PIN) used for authentication. This is
encrypted by the frontends using Platform
End-to-End encryption APIs. The encoding used here must be HEX.
newEncryptedAccessCredential:
type: string
example: mobile20
description: New Customer credential (Password) used for authentication. This
is encrypted by the frontends using Platform
End-to-End encryption APIs. The encoding used here must be HEX.
description: Request parameters for setting the new customer access credentials.
CustomerCredentialsStatusRequest:
type: object
properties:
customerId:
description: Customer client number
type: string
example: "15000010"
maxLength: 12
legalRepresentativeId:
description: Legal representative number
type: string
example: "12"
maxLength: 2
required:
- customerId
CustomerCredentialsStatusResponse:
type: object
properties:
pinDetail:
$ref: '#/definitions/PinDetail'
passwordDetail:
$ref: '#/definitions/PasswordDetail'
PinDetail:
type: object
properties:
pinStatus:
description: Current pin status, A-ACTIVE, I-INACTIVE, R-RESTARTED, O-OTHER
type: string
example: A
maxLength: 1
lastPinChangeDate:
type: string
format: date
description: Last time the user has changed the PIN
example: "2019-05-15"
maxLength: 10
activationDate:
type: string
format: date
description: Last time the user has changed the PIN
example: "2019-05-15"
maxLength: 10
lastResetDate:
type: string
format: date
description: Last time the user has reset the PIN
example: "2019-06-15"
maxLength: 10
cancellationDate:
type: string
format: date
description: Date when the PIN was canceled
example: "2019-06-20"
maxLength: 10
lastInvalidLoginDate:
type: string
format: date
description: Last time the user entered an invalid PIN
example: "2019-06-22"
maxLength: 10
lastBlockDate:
type: string
format: date
description: Last time user was blocked due to entering wrong PIN more than
5 times
example: "2019-06-22"
maxLength: 10
lastStatusChangeDate:
type: string
format: date
description: When the pin status has been changed
example: "2019-06-22"
maxLength: 10
pinLocked:
description: Pin locked indicator, D-ONE DAY, S-UNDEFINED, I-PREVENTIVE, O-UNEXPECTED
VALUE
type: string
example: A
maxLength: 1
lastLoginDate:
type: string
format: date
description: Last date the user entered a valid PIN, and was validated by
legacy system (S045)
example: "2019-06-22"
maxLength: 10
changedCount:
type: integer
description: How many times user has changed the PIN
example: 3
maxLength: 2
PasswordDetail:
type: object
properties:
passwordStatus:
description: Current password status, A-ACTIVE, I-INACTIVE, R-RESTARTED, O-OTHER
type: string
example: A
maxLength: 1
lastPasswordChangeDate:
type: string
format: date
description: Last time the user has changed the Password
example: "2019-05-15"
maxLength: 10
lastResetDate:
type: string
format: date
description: Last time the user has reset the Password
example: "2019-06-15"
maxLength: 10
activationDate:
type: string
format: date
description: Last time the user has reset the Password
example: "2019-06-15"
maxLength: 10
cancellationDate:
type: string
format: date
description: Date when the Password was canceled
example: "2019-06-20"
maxLength: 10
lastInvalidLoginDate:
type: string
format: date
description: Last time the user entered an invalid Password
example: "2019-06-22"
maxLength: 10
lastBlockDate:
type: string
format: date
description: Last time user was blocked due to entering wrong Password more
than 5 times
example: "2019-06-22"
maxLength: 10
lastStatusChangeDate:
type: string
format: date
description: When the password status has been changed
example: "2019-06-22"
maxLength: 10
passwordLocked:
description: Password locked indicator, D-ONE DAY, S-UNDEFINED, I-PREVENTIVE,
O-UNEXPECTED VALUE
type: string
example: A
maxLength: 1
lastLoginDate:
type: string
format: date
description: Last date the user entered a valid Password, and was validated
by legacy system (S045)
example: "2019-06-22"
maxLength: 10
changedCount:
type: integer
description: How many times user has changed the Password
example: 3
maxLength: 2
ErrorResponse:
required:
- code
- details
- type
properties:
type:
type: string
description: Invalid - Request did not confirm to the specification and was
unprocessed and rejected. Please fix the value and try again
enum:
- error
- warn
- invalid
- fatal
code:
type: string
description: Error code which qualifies the error
details:
type: string
description: Human readable explanation specific to the occurrence of the
problem
location:
type: string
description: The name of the field that resulted in the error
moreInfo:
type: string
description: URI to human readable documentation of the error
x-ibm-configuration:
enforced: true
testable: true
phase: realized
securityDefinitions:
OAuth2 Application Flow:
type: oauth2
description: ""
flow: application
scopes:
/api/v1: ""
tokenUrl: https://api.banamex.com/mx-gcgapi/api/v1/oauth/token
Client ID:
type: apiKey
description: ""
in: header
name: X-IBM-Client-Id
security:
- OAuth2 Application Flow:
- /api/v1
Client ID: []
x-ibm-endpoints:
- endpointUrl: https://api.banamex.com/mx-gcgapi
type:
- production
- development
...