--- swagger: "2.0" info: description: This APIs provide a unified login for each and every digital/consumer channel. They also provide a CCS DB storage mechanism to allow migration from Tandem systems version: 1.0.0 title: XLG-SEC-P-ConsumerSecurity x-ibm-name: xlg-sec-p-consumersecurity basePath: /api schemes: - https produces: - application/json paths: /v1/x-global/security/login/validate: post: tags: - mx-retail-banking-prelogin summary: API to perform prelogin process for credential description: This API is a prelogin for retail banking customer. It validates the customers prelogin information before creating or updating a registry for the user credential on CCS and proceeding with the login operationId: mx-retail-banking-prelogin consumes: - application/json produces: - application/json parameters: - name: businessCode in: header description: 3 character business code required: true type: string default: GCB - name: countryCode in: header description: 2 character ISO country code required: true type: string default: MX - name: channelId in: header description: channel ID used by the user, it is required for the first call in a new session. required: true type: string - name: Accept-Language in: header description: Language to be send to the backend systems. The supported values are es for spanish and en for english. required: true type: string default: es - name: Content-Type in: header description: Content-Types that are sent in the request required: true type: string default: application/json - name: 'uuid ' in: header description: Random 128 bit UUID generated uniquely for every request from the Customer, which will represent transaction unique identifier and it is recommended to send. required: true type: string - name: sid in: header description: Session is generated and returned on the first API call as response header, which needs to be resent on succesive calls of same session required: true type: string - name: client_id in: header description: The client ID you received during application registration in the developer portal required: true type: string - name: Authorization in: header description: Bearer token adquired from API Gateway OAUTH service. required: true type: string - in: body name: loginRequest description: Request body to authenticate Citibanamex retail banking customer. required: true schema: $ref: '#/definitions/preLoginRequest' responses: 200: description: Authentication Successful headers: eventId: type: string description: This is a unique event id generated and encrypted with session key, which can be used to send in the next encrypted payload to validate. eventIDExpTime: type: string description: Event ID expiration time encrypted with session key. schema: $ref: '#/definitions/preLoginResponse' 500: description:
TypeCodeDetails
fatalserverUnavailableThe request failed due to an internal error/server unavailability
schema: $ref: '#/definitions/ErrorResponse' /v2/x-global/security/login/validate: post: tags: - mx-retail-banking-prelogin-v2 summary: API to perform prelogin process for credential description: This API is a prelogin for retail banking customer. It validates the customers prelogin information before creating or updating a registry for the user credential on CCS and proceeding with the login operationId: mx-retail-banking-prelogin-v2 consumes: - application/json produces: - application/json parameters: - name: businessCode in: header description: 3 character business code required: true type: string default: GCB - name: countryCode in: header description: 2 character ISO country code required: true type: string default: MX - name: channelId in: header description: channel ID used by the user, it is required for the first call in a new session. required: true type: string - name: Accept-Language in: header description: Language to be send to the backend systems. The supported values are es for spanish and en for english. required: true type: string default: es - name: Content-Type in: header description: Content-Types that are sent in the request required: true type: string default: application/json - name: 'uuid ' in: header description: Random 128 bit UUID generated uniquely for every request from the Customer, which will represent transaction unique identifier and it is recommended to send. required: true type: string - name: sid in: header description: Session is generated and returned on the first API call as response header, which needs to be resent on succesive calls of same session required: true type: string - name: client_id in: header description: The client ID you received during application registration in the developer portal required: true type: string - name: Authorization in: header description: Bearer token adquired from API Gateway OAUTH service. required: true type: string - in: body name: loginRequest description: Request body to authenticate Citibanamex retail banking customer. required: true schema: $ref: '#/definitions/BankingPreLoginRequest' responses: 200: description: Authentication Successful headers: eventId: type: string description: This is a unique event id generated and encrypted with session key, which can be used to send in the next encrypted payload to validate. eventIDExpTime: type: string description: Event ID expiration time encrypted with session key. schema: $ref: '#/definitions/preLoginResponse' 500: description:
TypeCodeDetails
fatalserverUnavailableThe request failed due to an internal error/server unavailability
schema: $ref: '#/definitions/ErrorResponse' /v1/x-global/security/login: post: tags: - mx-retail-banking-login summary: API to authenticate and open session with backend systems description: This API opens session on PSG session, Functional Server, S015 and Mobile Middleware session. To call this API, you need to go through Platform E2E Encryption APIs schema first in order to get a propper sid. operationId: mx-retail-banking-login consumes: - application/json produces: - application/json parameters: - name: businessCode in: header description: 3 character business code required: true type: string default: GCB - name: countryCode in: header description: 2 character ISO country code required: true type: string default: MX - name: channelId in: header description: channel ID used by the user, it is required for the first call in a new session. required: true type: string - name: Accept-Language in: header description: Language to be send to the backend systems. The supported values are es for spanish and en for english. required: true type: string default: es - name: Content-Type in: header description: Content-Types that are sent in the request required: true type: string default: application/json - name: 'uuid ' in: header description: Random 128 bit UUID generated uniquely for every request from the Customer, which will represent transaction unique identifier and it is recommended to send. required: true type: string - name: sid in: header description: Session is generated and returned on the first API call as response header, which needs to be resent on succesive calls of same session required: true type: string - name: client_id in: header description: The client ID you received during application registration in the developer portal required: true type: string - name: Authorization in: header description: Bearer token adquired from API Gateway OAUTH service. required: true type: string - in: body name: loginRequest description: Request body to authenticate Citibanamex retail banking customer. required: true schema: $ref: '#/definitions/loginRequest' responses: 200: description: Authentication Successful headers: eventId: type: string description: This is a unique event id generated and encrypted with session key, which can be used to send in the next encrypted payload to validate. eventIDExpTime: type: string description: Event ID expiration time encrypted with session key. cookieValue: type: string description: Data of the backend (middleware) session. schema: $ref: '#/definitions/loginResponse' 400: description:
TypeCodeDetails
invalidinvalidRequestMissing or invalid Parameters
errorcannotDecryptDataCannot decrypt, please validate the encrypted value
schema: $ref: '#/definitions/ErrorResponse' 401: description:
TypeCodeDetails
errorunAuthorizedAuthorization credentials are missing or invalid.
invalidauthenticationFailed206-federated password authentication fails
bad_credentials6666Verify your customer number and / or password. If you have failed repeatedly it is likely that your service is blocked, unblock it in the main menu with your NetKey Banamex
general_error8005There was a communication error, please try again
bloqued_user8006Verify your customer number and / or password. If you have failed repeatedly it is likely that your service is blocked, unblock it in the main menu with your NetKey Banamex
usertype_error8007Verify your customer number and / or password. If you have failed repeatedly it is likely that your service is blocked, unblock it in the main menu with your NetKey Banamex
duplicate_session8008Verify your customer number and / or password. If you have failed repeatedly it is likely that your service is blocked, unblock it in the main menu with your NetKey Banamex
schema: $ref: '#/definitions/ErrorResponse' 403: description:
TypeCodeDetails
erroraccessNotConfiguredThe request operation is not configured to access this resource.
schema: $ref: '#/definitions/ErrorResponse' 404: description:
TypeCodeDetails
erroruserIdNotFoundMaster userID not found
errorfederatedProfileNotFound751-Federated Profile does not exist
schema: $ref: '#/definitions/ErrorResponse' 500: description:
TypeCodeDetails
fatalserverUnavailableThe request failed due to an internal error/server unavailability
fatalbackendErrorFailed during a call to backend service
schema: $ref: '#/definitions/ErrorResponse' /v1/x-global/security/logout: delete: tags: - mx-retail-banking-logout summary: API to close current users session description: This API closes the users session on PSG session, Functional Server, S015 and Mobile Middleware session. This is a post-login API, so in order to call it, you must have opened a session through mx-retail-banking-login API. operationId: mx-retail-banking-logout consumes: - application/json produces: - application/json parameters: - name: businessCode in: header description: 3 character business code required: true type: string default: GCB - name: countryCode in: header description: 2 character ISO country code required: true type: string default: MX - name: channelId in: header description: channel ID used by the user, it is required for the first call in a new session. required: true type: string - name: 'uuid ' in: header description: Random 128 bit UUID generated uniquely for every request from the Customer, which will represent transaction unique identifier and it is recommended to send. required: true type: string - name: sid in: header description: Session is generated and returned on the first API call as response header, which needs to be resent on succesive calls of same session required: true type: string - name: client_id in: header description: The client ID you received during application registration in the developer portal required: true type: string - name: Authorization in: header description: Bearer token adquired from API Gateway OAUTH service. required: true type: string responses: 200: description: Request successful. 401: description:
TypeCodeDetails
invalidinvalidRequestMissing or invalid parameters.
403: description:
TypeCodeDetails
erroraccessNotConfiguredThe request operation is not configured to access this resource.
500: description:
TypeCodeDetails
fatalserverUnavailableThe request failed due to an internal error/server unavailability
fatalbackendErrorFailed during a call to backend service
schema: $ref: '#/definitions/ErrorResponse' /v1/x-global/security/customers/credentials/validate: post: tags: - mx-retail-banking-credentials-validation summary: API for validating the customer credential information description: This API is used when the data of the customer card or customer number needs to be validated operationId: mx-retail-banking-credentialsvalidation consumes: - application/json produces: - application/json parameters: - name: businessCode in: header description: 3 character business code required: true type: string default: GCB - name: countryCode in: header description: 2 character ISO country code required: true type: string default: MX - name: channelId in: header description: channel ID used by the user, it is required for the first call in a new session. required: true type: string - name: Accept-Language in: header description: Language to be send to the backend systems. The supported values are es for spanish and en for english. required: true type: string default: es - name: Content-Type in: header description: Content-Types that are sent in the request required: true type: string default: application/json - name: 'uuid ' in: header description: Random 128 bit UUID generated uniquely for every request from the Customer, which will represent transaction unique identifier and it is recommended to send. required: true type: string - name: sid in: header description: Session is generated and returned on the first API call as response header, which needs to be resent on succesive calls of same session required: true type: string - name: client_id in: header description: The client ID you received during application registration in the developer portal required: true type: string - name: Authorization in: header description: Bearer token adquired from API Gateway OAUTH service. required: true type: string - in: body name: CustomerCredentialsRequest description: Request body to authenticate Citibanamex retail banking customer. required: true schema: $ref: '#/definitions/CustomerCredentialsRequest' responses: 200: description: Authentication Successful headers: eventId: type: string description: This is a unique event id generated and encrypted with session key, which can be used to send in the next encrypted payload to validate. eventIDExpTime: type: string description: Event ID expiration time encrypted with session key. schema: $ref: '#/definitions/CredentialsValidationResponse' 500: description:
TypeCodeDetails
fatalserverUnavailableThe request failed due to an internal error/server unavailability
schema: $ref: '#/definitions/ErrorResponse' /v1/x-global/security/customers/card-plastic/information/validate: post: tags: - mx-retail-banking-plastic-info-validation summary: API to validate card information description: This API is called when the channel needs to validate information proper of the card which was entered in the previous step operationId: mx-retail-banking-plastic-info-validation consumes: - application/json produces: - application/json parameters: - name: businessCode in: header description: 3 character business code required: true type: string default: GCB - name: countryCode in: header description: 2 character ISO country code required: true type: string default: MX - name: channelId in: header description: channel ID used by the user, it is required for the first call in a new session. required: true type: string - name: Accept-Language in: header description: Language to be send to the backend systems. The supported values are es for spanish and en for english. required: true type: string default: es - name: Content-Type in: header description: Content-Types that are sent in the request required: true type: string default: application/json - name: 'uuid ' in: header description: Random 128 bit UUID generated uniquely for every request from the Customer, which will represent transaction unique identifier and it is recommended to send. required: true type: string - name: sid in: header description: Session is generated and returned on the first API call as response header, which needs to be resent on succesive calls of same session required: true type: string - name: client_id in: header description: The client ID you received during application registration in the developer portal required: true type: string - name: Authorization in: header description: Bearer token adquired from API Gateway OAUTH service. required: true type: string - in: body name: CardPlasticInformationRequest description: Request body to authenticate Citibanamex retail banking customer. required: true schema: $ref: '#/definitions/cardPlasticInformationRequest' responses: 200: description: Authentication Successful headers: eventId: type: string description: This is a unique event id generated and encrypted with session key, which can be used to send in the next encrypted payload to validate. eventIDExpTime: type: string description: Event ID expiration time encrypted with session key. 400: description:
TypeCodeDetails
invalidinvalidRequestMissing or invalid Parameters
errorcannotDecryptDataCannot decrypt, please validate the encrypted value
schema: $ref: '#/definitions/ErrorResponse' 401: description:
TypeCodeDetails
errorunAuthorizedAuthorization credentials are missing or invalid.
invalidcredentialValidationFailedInvalid Credentials
schema: $ref: '#/definitions/ErrorResponse' 403: description:
TypeCodeDetails
erroraccessNotConfiguredThe request operation is not configured to access this resource.
schema: $ref: '#/definitions/ErrorResponse' 422: description:
TypeCodeDetails
errorbusinessValidationFailedBusiness validation error occured on one or more parameter
schema: $ref: '#/definitions/ErrorResponse' 500: description:
TypeCodeDetails
fatalserverUnavailableThe request failed due to an internal error/server unavailability
fatalbackendErrorFailed during a call to backend service
schema: $ref: '#/definitions/ErrorResponse' /v1/x-global/security/customers/mobile-phone/validate: post: tags: - mx-retail-banking-cellphone-validation summary: API to validate the customer cellphone number description: This API provide the customerId of the client throug the ccsId and helps in the cellPhone process validation operationId: mx-retail-banking-cellphone-validation consumes: - application/json produces: - application/json parameters: - name: businessCode in: header description: 3 character business code required: true type: string default: GCB - name: countryCode in: header description: 2 character ISO country code required: true type: string default: MX - name: channelId in: header description: channel ID used by the user, it is required for the first call in a new session. required: true type: string - name: Accept-Language in: header description: Language to be send to the backend systems. The supported values are es for spanish and en for english. required: true type: string default: es - name: Content-Type in: header description: Content-Types that are sent in the request required: true type: string default: application/json - name: 'uuid ' in: header description: Random 128 bit UUID generated uniquely for every request from the Customer, which will represent transaction unique identifier and it is recommended to send. required: true type: string - name: sid in: header description: Session is generated and returned on the first API call as response header, which needs to be resent on succesive calls of same session required: true type: string - name: client_id in: header description: The client ID you received during application registration in the developer portal required: true type: string - name: Authorization in: header description: Bearer token adquired from API Gateway OAUTH service. required: true type: string - in: body name: CellphoneValidationRequest description: Request body to authenticate Citibanamex retail banking customer. required: true schema: $ref: '#/definitions/cellphoneValidationRequest' responses: 200: description: Authentication Successful schema: $ref: '#/definitions/cellphoneValidationResponse' headers: eventId: type: string description: This is a unique event id generated and encrypted with session key, which can be used to send in the next encrypted payload to validate. eventIDExpTime: type: string description: Event ID expiration time encrypted with session key. 400: description:
TypeCodeDetails
invalidinvalidRequestMissing or invalid Parameters
schema: $ref: '#/definitions/ErrorResponse' 401: description:
TypeCodeDetails
errorunAuthorizedAuthorization credentials are missing or invalid.
invalidcredentialValidtionFailedInvalid Credentials
schema: $ref: '#/definitions/ErrorResponse' 403: description:
TypeCodeDetails
erroraccessNotConfiguredThe request operation is not configured to access this resource.
schema: $ref: '#/definitions/ErrorResponse' 404: description:
TypeCodeDetails
erroruserIdNotFoundMaster userID not found
schema: $ref: '#/definitions/ErrorResponse' 422: description:
TypeCodeDetails
errorbusinessValidationFailedBusiness validation error occured on one or more parameter
schema: $ref: '#/definitions/ErrorResponse' 423: description:
sessionErrorSessionErrorThe attemps per session have been exceeded
dayErrorDayErrorThe attemps per day have been exceeded
schema: $ref: '#/definitions/ErrorResponse' 500: description:
TypeCodeDetails
fatalserverUnavailableThe request failed due to an internal error/server unavailability
fatalbackendErrorFailed during a call to backend service
schema: $ref: '#/definitions/ErrorResponse' /v1/x-global/security/otp/send: post: tags: - mx-retail-banking-send-otp summary: API for requesting an OTP (receiving it via SMS to the customer certified cellphone) description: This API helps when the OTP is required to send to the customer via SMS operationId: mx-retail-banking-send-otp consumes: - application/json produces: - application/json parameters: - name: businessCode in: header description: 3 character business code required: true type: string default: GCB - name: countryCode in: header description: 2 character ISO country code required: true type: string default: MX - name: channelId in: header description: channel ID used by the user, it is required for the first call in a new session. required: true type: string - name: Accept-Language in: header description: Language to be send to the backend systems. The supported values are es for spanish and en for english. required: true type: string default: es - name: Content-Type in: header description: Content-Types that are sent in the request required: true type: string default: application/json - name: 'uuid ' in: header description: Random 128 bit UUID generated uniquely for every request from the Customer, which will represent transaction unique identifier and it is recommended to send. required: true type: string - name: sid in: header description: Session is generated and returned on the first API call as response header, which needs to be resent on succesive calls of same session required: true type: string - name: client_id in: header description: The client ID you received during application registration in the developer portal required: true type: string - name: Authorization in: header description: Bearer token adquired from API Gateway OAUTH service. required: true type: string - in: body name: OtpRequest description: Request body to authenticate Citibanamex retail banking customer. required: true schema: $ref: '#/definitions/OtpRequest' responses: 200: description: Authentication Successful 400: description:
TypeCodeDetails
invalidinvalidRequestMissing or invalid parameters
errorcannotDecryptDataCannot decrypt, please validate the encrypted value
schema: $ref: '#/definitions/ErrorResponse' 401: description:
TypeCodeDetails
errorunAuthorizedAuthorization credentials are missing or invalid.
invalidcredentialValidtionFailedInvalid Credentials
schema: $ref: '#/definitions/ErrorResponse' 403: description:
TypeCodeDetails
erroraccessNotConfiguredThe request operation is not configured to access this resource.
schema: $ref: '#/definitions/ErrorResponse' 422: description:
TypeCodeDetails
errorbusinessValidationFailedBusiness validation error occured on one or more parameter
schema: $ref: '#/definitions/ErrorResponse' 423: description:
sessionErrorSessionErrorThe attemps per session have been exceeded
dayErrorDayErrorThe attemps per day have been exceeded
schema: $ref: '#/definitions/ErrorResponse' 500: description:
TypeCodeDetails
fatalserverUnavailableThe request failed due to an internal error/server unavailability
fatalbackendErrorFailed during a call to backend service
schema: $ref: '#/definitions/ErrorResponse' /v1/x-global/security/customers/access/set: post: tags: - mx-retail-banking-new-access-credential summary: API for validating the OTP asked and set a new password description: This API helps in the validation of the OTP and the change of the customer access credential, decrypting the information and returning the proper response operationId: mx-retail-banking-new-access-credential consumes: - application/json produces: - application/json parameters: - name: businessCode in: header description: 3 character business code required: true type: string default: GCB - name: countryCode in: header description: 2 character ISO country code required: true type: string default: MX - name: channelId in: header description: channel ID used by the user, it is required for the first call in a new session. required: true type: string - name: Accept-Language in: header description: Language to be send to the backend systems. The supported values are es for spanish and en for english. required: true type: string default: es - name: Content-Type in: header description: Content-Types that are sent in the request required: true type: string default: application/json - name: 'uuid ' in: header description: Random 128 bit UUID generated uniquely for every request from the Customer, which will represent transaction unique identifier and it is recommended to send. required: true type: string - name: sid in: header description: Session is generated and returned on the first API call as response header, which needs to be resent on succesive calls of same session required: true type: string - name: client_id in: header description: The client ID you received during application registration in the developer portal required: true type: string - name: Authorization in: header description: Bearer token adquired from API Gateway OAUTH service. required: true type: string - in: body name: NewCredentialsValidationRequest description: Request body to authenticate Citibanamex retail banking customer. required: true schema: $ref: '#/definitions/newCredentialValidationRequest' responses: 200: description: Authentication Successful headers: eventId: type: string description: This is a unique event id generated and encrypted with session key, which can be used to send in the next encrypted payload to validate. eventIDExpTime: type: string description: Event ID expiration time encrypted with session key. 400: description:
TypeCodeDetails
invalidinvalidRequestMissing or invalid parameters
errorcannotDecryptDataCannot decrypt, please validate the encrypted value
errorCredential InvalidThe password does not complies with the standars
schema: $ref: '#/definitions/ErrorResponse' 401: description:
TypeCodeDetails
errorunAuthorizedAuthorization credentials are missing or invalid.
invalidcredentialValidtionFailedInvalid Credentials
schema: $ref: '#/definitions/ErrorResponse' 403: description:
TypeCodeDetails
erroraccessNotConfiguredThe request operation is not configured to access this resource.
schema: $ref: '#/definitions/ErrorResponse' 422: description:
TypeCodeDetails
errorbusinessValidationFailedBusiness validation error occured on one or more parameter
schema: $ref: '#/definitions/ErrorResponse' 423: description:
sessionErrorSessionErrorThe attemps per session have been exceeded
dayErrorDayErrorThe attemps per day have been exceeded
schema: $ref: '#/definitions/ErrorResponse' 500: description:
TypeCodeDetails
fatalserverUnavailableThe request failed due to an internal error/server unavailability
fatalbackendErrorFailed during a call to backend service
schema: $ref: '#/definitions/ErrorResponse' /v1/x-global/security/customers/credentials: post: tags: - set-customer-credentials operationId: set-customer-credentials summary: To perform a set or change the password of a client description: This API is used for helping in the change or set a password of a client when a client requires consumes: - application/json produces: - application/json parameters: - name: client_id in: header required: true type: string description: Client ID generated during application registration - name: Authorization in: header required: true type: string description: The Authorization Token received during login - name: businessCode in: header required: true type: string description: 3 character business code identified during application registration - name: Accept in: header required: true type: string description: Content-Types that are acceptable for the response - name: uuid in: header required: true type: string description: 128 bit UUID that you generate for every request - name: countryCode in: header description: 2 character ISO country code required: true type: string - name: Accept-Language in: header required: false type: string description: Language to be send to the backend systems. The supported values are es for spanish and en for english. default: es - name: Content-Type in: header required: true type: string description: Content-Types that are sent in the request - name: channelId in: header required: true type: string description: Channel where request originated - name: sid in: header required: true type: string description: Session is generated and returned on the first API call as response header, which needs to be resent on succesive calls of same session - in: body name: setCustomerCredentialsRequest description: Request body for starting the set or change of a Citibanamex Client PIN and password required: true schema: $ref: '#/definitions/SetCustomerCredentialsRequest' responses: 200: description: Authentication Successful headers: eventId: type: string description: This is a unique event id generated and encrypted with session key, which can be used to send in the next encrypted payload to validate. eventIdExpTime: type: string description: Event ID expiration time encrypted with session key. 400: description:
TypeCodeDetails
invalidinvalidRequestMissing or invalid Parameters
schema: $ref: '#/definitions/ErrorResponse' 401: description:
TypeCodeDetails
errorunAuthorizedAuthorization credentials are missing or invalid.
schema: $ref: '#/definitions/ErrorResponse' 403: description:
TypeCodeDetails
erroraccessNotConfiguredThe request operation is not configured to access this resource.
schema: $ref: '#/definitions/ErrorResponse' 422: description:
TypeCodeDetails
errorbusinessValidationFailedBusiness validation error occured on one or more parameter
schema: $ref: '#/definitions/ErrorResponse' 500: description:
TypeCodeDetails
fatalserverUnavailableThe request failed due to an internal error/server unavailability
schema: $ref: '#/definitions/ErrorResponse' /v1/x-global/security/customers/credentials/status: post: tags: - customer-credentials-status operationId: customer-credentials-status summary: API to provide a status detail for a customer that previously open a session in IVR or authentication in Branches. description: This API is used to provide a status detail for a customer that previously open a session in IVR or authentication in Branches consumes: - application/json produces: - application/json parameters: - name: client_id in: header required: true type: string description: Client ID generated during application registration - name: Authorization in: header required: true type: string description: The Authorization Token received during login - name: businessCode in: header required: true type: string description: 3 character business code identified during application registration - name: uuid in: header required: true type: string description: 128 bit UUID that you generate for every request - name: countryCode in: header description: 2 character ISO country code required: true type: string - name: Accept-Language in: header required: false type: string description: Language to be send to the backend systems must be es for spanish and en for english default: es - name: Content-Type in: header required: true type: string description: Content-Types that are sent in the request - name: channelId in: header required: true type: string description: Channel where request originated - name: customerCredentialsStatusRequest in: body description: Request body to retrieve detailed status of a customer required: true schema: $ref: '#/definitions/CustomerCredentialsStatusRequest' responses: 200: description: Successful operation. schema: $ref: '#/definitions/CustomerCredentialsStatusResponse' 400: description:
TypeCodeDetails
errorbadRequestRequest was not processed
schema: $ref: '#/definitions/ErrorResponse' 401: description:
TypeCodeDetails
errorunAuthorizedThe request has not been applied
schema: $ref: '#/definitions/ErrorResponse' 403: description:
TypeCodeDetails
errorforbiddenYou do not have permission to access
schema: $ref: '#/definitions/ErrorResponse' 404: description:
TypeCodeDetailsMore Info
errorresourceNotFoundThe requested resource was not foundEmpty resource/resource not found
schema: $ref: '#/definitions/ErrorResponse' 500: description:
TypeCodeDetails
fatalserverUnavailableThe request failed due to an internal error/server unavailability
errorbackendErrorTFailed during a call to backend service
schema: $ref: '#/definitions/ErrorResponse' definitions: preLoginRequest: type: object properties: encryptedUserId: type: string description: Customer Number or Customer Card Number (Credit or Debit). This parameter is encrypted by the frontends using Platform End-to-End encryption APIs. The encoding used here must be HEX. vascoDeviceId: type: string example: f96dd4b2dc083008f786950fee311df1 description: MBK Specific. Identifier generated by Vasco SDK. description: Prelogin Request. BankingPreLoginRequest: type: object properties: encryptedUserId: type: string description: Customer Number or Customer Card Number (Credit or Debit). This parameter is encrypted by the frontends using Platform End-to-End encryption APIs. The encoding used here must be HEX. vascoDeviceId: type: string example: f96dd4b2dc083008f786950fee311df1 description: MBK Specific. Identifier generated by Vasco SDK. instanceId: description: MBK Specific. Unique identifier for the middleware instance of Mobile architecture. This value is generated by the front end. type: string example: p6 description: Prelogin Request. preLoginResponse: type: object properties: ccsId: type: string description: Customer CCS ID. encryptedLoginId: type: string description: Citibanamex Customer Number. This parameter is encrypted by the frontends using Platform End-to-End encryption APIs. The encoding used here must be HEX. maskedCustomerName: type: string example: A***** H******** R****** description: Masked name of the customer. nextLoginActionCode: type: integer format: int32 example: 1 description: Depending of the Electronic Bank Status and the Black List Status, the client can be redirected to a different login. nextLoginActionDescription: type: string example: '0: The client have to make an onboarding' description: Description for next login action. registrationStatus: type: string example: "0" description: Customer registration status regarding Banca Movil regulation. registrationStatusDescription: type: string example: The client is not registered in Banca Movil description: Status description of the registration in Banca Movil. mobileBankingDeviceStatus: type: string example: "0" description: Identifier to validate if the client is using the same device registered in Banca Movil. mobileBankingDeviceStatusDescription: type: string example: The device Id does not exist description: Status Description of the device in Banca Movil description: Prelogin Response. loginRequest: type: object required: - customerCredentials properties: customerCredentials: $ref: '#/definitions/customerCredentials' vascoDeviceId: type: string example: f96dd4b2dc083008f786950fee311df1 description: MBK Specific. Identifier generated by Vasco SDK. applicationDeviceId: type: string example: 8f786950fee311df1f96dd4b2dc08300 description: Identifier of the device, this is neccesary when a the channel requires to do a login through Biologin. instanceId: type: string example: /v1/abc/xyz description: MBK Specific. Endpoint to generate a session in the current Middleware instance of Mobile arquitecture. This value is generated by the front end. mobileAML: $ref: '#/definitions/mobileAML' description: Login Request. customerCredentials: type: object required: - credentialType - encryptedCredentialvascoDeviceId - userId properties: userId: type: string example: "140946519" description: Customer login ID. Currently only customer number its being supported. userIdType: type: string description: Type of the loginId parameter used to authenticate. Default value is set in case this parameter does not come in the request. default: CUSTOMER_NUM encryptedCredential: type: string description: Customers credential (PIN) used for authentication. This is encrypted by the frontends using Platform End-to-End encryption APIs. The encoding used here must be HEX. credentialType: type: integer description: Type of credential which the customer has entered. Default value is set in case this parameter doesnt come in the request. The values can be the following:

ValueDetails
1BancaNet numeric PIN.
2BancaNet alphanumeric PIN.
3BancaNet Biotoken.
description: Object containing retail banking customers credentials. mobileAML: properties: ipAddress: type: string example: 10.102.54.64 description: 'Internet Protocol address: a number which is given to a computer when it is connected to the internet (client IP address)' rsaVersion: type: string example: 3.4.1.1 description: Version of the RSA that generates the data in the client (Browsers or Mobile Apps). queryTime: type: string format: date example: "2019-09-22T04:14:00+1:00" description: Time at which the request is launched, this data comes from the time of the smartPhone. rsaDeviceId: type: string example: "-1" description: Device identifier, if the RSA SDK in the mobile app can not recover it, it returns -1. It is based upon the RSA security. simID: type: string example: "425010770666253" description: Identifier of the SIM card of the device, if the RSA SDK in mobile app can not recover it, it returns -1. phoneNumber: type: string example: "-1" description: Phone number of the device, if the SDK can not recover it, it returns -1. rsaApplicationKey: type: string example: 10F29219081905EC2BEBFF5AD779EE48 description: Key that identifies the RSA SDK. mobileCompromisedIndicator: type: integer format: int32 example: 1 description: 'It indicates if the smartphone is altered (Root or Jailbreak). The values for this parameter can be the following: 0- disabled,1- enabled.

ValueDetails
0Disabled
1Enabled
' mobileEmulatorIndicator: type: integer format: int32 example: 1 description: 'It indicates if the RSA SDK is running in simulator or in a physical device.The values for this parameter can be the following: 0- disabled,1- enabled.

ValueDetails
0Disabled
1Enabled
' description: This object contains the data needed to execute Mexico AML functionalities for MX Mobile frontend. This an optional object, it is required only when the frontend is a MX Mobile App and it has integrated on its layer an AML engine like CMAMT or something alike. loginResponse: type: object properties: customerName: type: string example: ARTURO HERNANDEZ RAMIREZ description: Customers full name. lastChannelId: type: string example: MOVIL description: Last channel ID in which the customer logged in. This parameter comes from the backend. lastLoginDate: type: string example: "2019-09-22T04:14:00+1:00" description: Last login access date. tokenStatus: type: string example: sdasdsa321ne2iuoi28d description: Customer token status. This token refers to the customer netkey device, which it can be a hardtoken or a softoken. The values can be the following:

ValueDescription
6BASIC. The customer can not execute high risk transactions.
56PRO. The customer can execute high risk transactions using its hardtoken as MFA method.
64SOFTTOKEN_PRE_ASSIGNED. The customer can not execute high risk transactions but can reactivate its softoken.
66SOFTTOKEN_ACTIVATED. The customer can execute high risk transactions using its softoken as a MFA method.
63SOFTTOKEN_DEACTIVATED. The customer can not execute high risk transactions but can reactivate its sofoken.

tokenStatusDescription: type: string example: BASIC description: Description of tokens status value of the customer. customerType: type: integer example: 1551 description: This is a Mexico legacy parameter. The first two digits of the value represents the customers service type (i.e. 15 stands for Electronic Banking Service), and the last two digits represents the customers type of person. To sumarize, the values can be the following:

ValueDescription
1506Moral person.
1521Physical person with enterprise activity.
1551Physical person.

customerTypeDescription: type: string example: Individual description: Description of customer types value. credentialStatus: type: string example: NEW description: This parameter represents the status of the credential which was used to authenticate. Depending on the value, the frontend application needs to enforce the action to follow. The values can be the following:

ValueDescription
NONEThe current Password is ok.
NEWLogin with Temporal PIN. PIN and Password do not exist. Both have to be created.
RPINLogin with Temporal PIN. PIN and Password is expired. Both have to be created.
ACPWDLogin with PIN. Password is expired. It has to be created.
CHPWDLogin with Password. Password is expired after an unlock. It has to be created.

credentialStatusDescription: type: string example: "" description: Description if credentialStatus value. termsAndConditionsAcceptedFlag: type: boolean example: true description: Flag which indicates if the customer has already accepted Citibanamex electronic Terms & Conditions. registrationStatus: type: string example: "0" description: Customer registration status regarding Banca Movil regulation. registrationStatusDescription: type: string example: The client is not registered in Banca Movil description: Status description of the registration in Banca Movil. mobileBankingDeviceStatus: type: string example: "0" description: Identifier to validate if the client is using the same device registered in Banca Movil. mobileBankingDeviceStatusDescription: type: string example: The device Id does not exist description: Status Description of the device in Banca Movil description: Response parameters of retail banking login for Mexico customers. CustomerCredentialsRequest: type: object properties: encryptedUserId: type: string description: Customer Number or Customer Card Number (Credit or Debit). This parameter is encrypted by the frontends using Platform End-to-End encryption APIs. The encoding used here must be HEX. required: - encryptedUserId description: Prelogin Request. CredentialsValidationResponse: type: object properties: ccsId: type: string description: Customer CCS ID. encryptedLoginId: type: string description: Citibanamex Customer Number. This parameter is encrypted by the frontends using Platform End-to-End encryption APIs. The encoding used here must be HEX. maskedCustomerName: type: string example: A***** H******** R****** description: Masked name of the customer. registrationStatus: type: string example: "0" description: Customer registration status regarding Banca Movil regulation. registrationStatusDescription: type: string example: The client is not registered in Banca Movil description: Status description of the registration in Banca Movil. mobileBankingDeviceStatus: type: string example: "0" description: Identifier to validate if the client is using the same device registered in Banca Movil. mobileBankingDeviceStatusDescription: type: string example: The device Id does not exist description: Status Description of the device in Banca Movil description: Customer credentials response. cardPlasticInformationRequest: type: object properties: ccsId: type: string example: "2264" description: Customer CCS ID. encryptedCredentialAccess: type: string example: "1234" description: Customer Number(NIP). This parameter is encrypted by the frontends using Platform End-to-End encryption APIs. The encoding used here must be HEX. expirationCardDate: type: string example: "0520" description: Date when the card will expire (MMYY) required: - ccsId - encryptedCredentialAccess - expirationCardDate description: Request parameters are require for getting for starting the card validation process. cellphoneValidationRequest: type: object properties: ccsId: type: string example: "2264" description: Customer CCS ID. phoneNumber: type: string example: "5556093218" description: Customer cellphone Number (certified). This parameter is required from the backends for getting the cellphone client validation isFirstTime: type: boolean example: false description: Flag to tell if it is the operation for first time login or it is for forgotten password required: - ccsId - cellPhoneNumber - isFirstTime description: Request parameters are require for starting the cellphone validation process. cellphoneValidationResponse: type: object properties: bestPhoneFlag: type: boolean example: false description: Flag to tell if the phone validated is best phone (branch registered phone or alerts and notifications phone) OtpRequest: type: object properties: ccsId: type: string example: "2264" description: Customer CCS ID. authType: type: integer example: 3 description: Factor by which the user will be authenticated
ValueDescription
0= Softtoken VASCO / Hardtoken SPA
1Hardtoken SPA
2Softtoken VASCO
3SMS OTP (Validates registred device)
4voice OTP
5Single use phone
6SMS OTP (Validates standard Operation OTP)
isFirstTime: type: boolean example: false description: Flag to tell if it is the operation for first time login or it is for forgotten password required: - ccsId - authType - isFirstTime description: Request parameters are require for starting the cellphone validation process. newCredentialValidationRequest: type: object properties: ccsId: type: string example: "2264" description: Customer CCS ID. newEncryptedAccessCredential: type: string example: Mexico10 description: This parameter is the new credential which going to replace the old customer credential access (password) encryptedOtp: type: string example: 01784763 description: One time password received in a previous step isFirstTime: type: boolean example: false description: Flag to tell if it is the operation for first time login or it is for forgotten password required: - ccsId - newEncryptedAccessCredential - encryptedOtp - isFirstTime description: Request parameters are require for starting the cellphone validation process. SetCustomerCredentialsRequest: type: object properties: credentialStatus: type: string example: NEW description: 'Object parameter retrieved from Login response which will indicate the operation for executing:

ValueDetails
Nonepassword active.
Newpassword expired and without acceptance.
RPINPIN expired
ACPWDPIN Active
CHPWDPassword expired
' newEncryptedAccessNumber: type: string example: "30203020" description: New Customer credential (PIN) used for authentication. This is encrypted by the frontends using Platform End-to-End encryption APIs. The encoding used here must be HEX. newEncryptedAccessCredential: type: string example: mobile20 description: New Customer credential (Password) used for authentication. This is encrypted by the frontends using Platform End-to-End encryption APIs. The encoding used here must be HEX. description: Request parameters for setting the new customer access credentials. CustomerCredentialsStatusRequest: type: object properties: customerId: description: Customer client number type: string example: "15000010" maxLength: 12 legalRepresentativeId: description: Legal representative number type: string example: "12" maxLength: 2 required: - customerId CustomerCredentialsStatusResponse: type: object properties: pinDetail: $ref: '#/definitions/PinDetail' passwordDetail: $ref: '#/definitions/PasswordDetail' PinDetail: type: object properties: pinStatus: description: Current pin status, A-ACTIVE, I-INACTIVE, R-RESTARTED, O-OTHER type: string example: A maxLength: 1 lastPinChangeDate: type: string format: date description: Last time the user has changed the PIN example: "2019-05-15" maxLength: 10 activationDate: type: string format: date description: Last time the user has changed the PIN example: "2019-05-15" maxLength: 10 lastResetDate: type: string format: date description: Last time the user has reset the PIN example: "2019-06-15" maxLength: 10 cancellationDate: type: string format: date description: Date when the PIN was canceled example: "2019-06-20" maxLength: 10 lastInvalidLoginDate: type: string format: date description: Last time the user entered an invalid PIN example: "2019-06-22" maxLength: 10 lastBlockDate: type: string format: date description: Last time user was blocked due to entering wrong PIN more than 5 times example: "2019-06-22" maxLength: 10 lastStatusChangeDate: type: string format: date description: When the pin status has been changed example: "2019-06-22" maxLength: 10 pinLocked: description: Pin locked indicator, D-ONE DAY, S-UNDEFINED, I-PREVENTIVE, O-UNEXPECTED VALUE type: string example: A maxLength: 1 lastLoginDate: type: string format: date description: Last date the user entered a valid PIN, and was validated by legacy system (S045) example: "2019-06-22" maxLength: 10 changedCount: type: integer description: How many times user has changed the PIN example: 3 maxLength: 2 PasswordDetail: type: object properties: passwordStatus: description: Current password status, A-ACTIVE, I-INACTIVE, R-RESTARTED, O-OTHER type: string example: A maxLength: 1 lastPasswordChangeDate: type: string format: date description: Last time the user has changed the Password example: "2019-05-15" maxLength: 10 lastResetDate: type: string format: date description: Last time the user has reset the Password example: "2019-06-15" maxLength: 10 activationDate: type: string format: date description: Last time the user has reset the Password example: "2019-06-15" maxLength: 10 cancellationDate: type: string format: date description: Date when the Password was canceled example: "2019-06-20" maxLength: 10 lastInvalidLoginDate: type: string format: date description: Last time the user entered an invalid Password example: "2019-06-22" maxLength: 10 lastBlockDate: type: string format: date description: Last time user was blocked due to entering wrong Password more than 5 times example: "2019-06-22" maxLength: 10 lastStatusChangeDate: type: string format: date description: When the password status has been changed example: "2019-06-22" maxLength: 10 passwordLocked: description: Password locked indicator, D-ONE DAY, S-UNDEFINED, I-PREVENTIVE, O-UNEXPECTED VALUE type: string example: A maxLength: 1 lastLoginDate: type: string format: date description: Last date the user entered a valid Password, and was validated by legacy system (S045) example: "2019-06-22" maxLength: 10 changedCount: type: integer description: How many times user has changed the Password example: 3 maxLength: 2 ErrorResponse: required: - code - details - type properties: type: type: string description: Invalid - Request did not confirm to the specification and was unprocessed and rejected. Please fix the value and try again enum: - error - warn - invalid - fatal code: type: string description: Error code which qualifies the error details: type: string description: Human readable explanation specific to the occurrence of the problem location: type: string description: The name of the field that resulted in the error moreInfo: type: string description: URI to human readable documentation of the error x-ibm-configuration: enforced: true testable: true phase: realized securityDefinitions: OAuth2 Application Flow: type: oauth2 description: "" flow: application scopes: /api/v1: "" tokenUrl: https://api.banamex.com/mx-gcgapi/api/v1/oauth/token Client ID: type: apiKey description: "" in: header name: X-IBM-Client-Id security: - OAuth2 Application Flow: - /api/v1 Client ID: [] x-ibm-endpoints: - endpointUrl: https://api.banamex.com/mx-gcgapi type: - production - development ...