YCMT EU Partner Developer
API Guide
Authentication API + Customer-Context Core API | v1.0
| Field | Value |
|---|
| Document | 60_YCMT_EU_PartnerDev_API_Guide_v1_0.docx |
| Audience | Partner application developers, partner technical leads, partner QA teams |
| Scope | YCMT EU customer-facing API integration |
| Version | v1.0 |
| Status | Draft for partner onboarding use |
| API families | Authentication API and Customer-Context Core API |
| Excludes | Internal YCMT systems, internal identifiers, internal decision logic, internal databases, and internal gateway implementation |
1. Purpose and reading rules
This guide is the main human-readable API reference for partner developers integrating a branded application with the YCMT EU customer-facing API surface. It explains what to call, when to call it, which headers to send, what key request and response fields mean, and how endpoints work together.
This document is intentionally partner-facing. It does not describe YCMT internal architecture or internal compliance decisioning. Partner applications call the documented API and display YCMT-provided statuses, instructions, and remediation signals to the customer.
1.1 Partner-safe integration principle
Your application presents the branded customer experience. YCMT validates the customer, partner, KYC, sanctions, transaction, and settlement controls before any regulated action proceeds. The partner application must not create shortcuts around registration, authentication, KYC, quote acceptance, transfer confirmation, funding, cancellation, or status tracking.
1.2 How to use this guide
- Read the common request rules before implementing any endpoint.
- Implement Authentication API endpoints first: registration, login, refresh, logout, password reset, and device registration.
- Implement Customer-Context Core API endpoints next: profile, KYC, beneficiaries, quotes, disclosures, transfers, cancellation, and status polling.
- Use the Flows Guide to validate end-to-end customer journeys.
- Use the Errors, Statuses, and Retry Guide for edge cases and resilience.
- Use the OpenAPI and Postman pack for machine-readable schemas and executable examples.
2. API families
| API family | Base path | Purpose | Typical caller |
|---|
| Authentication API | /v1/auth | Customer registration, login, token refresh, logout, password reset, identifier management, and device registration | Partner application acting for the customer |
| Customer-Context Core API | /v1/core | Profile, KYC session, beneficiaries, quotes, disclosures, transfers, funding, cancellation, and transfer status | Partner application acting for the authenticated customer |
| Partner backend surfaces | Separate documents | Quote signing, webhook receipt, reporting, operational integration where applicable | Partner backend |
2.1 Environment base URLs
| Environment | Typical base URL | Use |
|---|
| Sandbox | https://sandbox.api.eu.yescash.example | Development, QA, and conformance testing |
| Production | Provided during production activation | Live customer traffic after YCMT approval |
The sandbox URL above is a placeholder format. YCMT onboarding will provide the actual URL and access credentials. Never mix sandbox and production credentials.
3. Common request rules
| Header | Required when | Description |
|---|
| Content-Type: application/json | Request has a JSON body | Send JSON request bodies unless the endpoint states otherwise. |
| Accept: application/json | All API calls | Request JSON responses. |
| X-Correlation-Id | All API calls | Partner-generated UUID used to trace a request chain with YCMT support. |
| Ocp-Apim-Subscription-Key | All partner application API calls | Partner API key issued during onboarding. Treat as a secret. |
| Authorization: Bearer <accessToken> | Customer-authenticated endpoints | Customer access token returned by the Authentication API. |
| Idempotency-Key | Idempotent write endpoints | UUID generated per business action. Reuse only when retrying the exact same action. |
3.2 Example unauthenticated request
POST /v1/auth/start HTTP/1.1
Host: sandbox.api.eu.yescash.example
Content-Type: application/json
Accept: application/json
X-Correlation-Id: 2c3eb391-57e1-4312-a59d-85f9df38cf62
Ocp-Apim-Subscription-Key: <sandbox-api-key>
{
"identifierType": "email",
"identifier": "alice.martinez@example.com"
}
3.3 Example authenticated request
GET /v1/core/profile HTTP/1.1
Host: sandbox.api.eu.yescash.example
Accept: application/json
Authorization: Bearer <customer-access-token>
X-Correlation-Id: 2c3eb391-57e1-4312-a59d-85f9df38cf62
Ocp-Apim-Subscription-Key: <sandbox-api-key>
3.4 Security rules for partner developers
- Do not log access tokens, refresh tokens, OTPs, passwords, private keys, device signing material, full identity documents, or full payment details.
- Store tokens only in secure platform storage appropriate to the channel and device type.
- Use TLS for all calls and reject invalid certificates.
- Use correlation IDs in logs so YCMT can investigate without exposing secrets.
- Show customer-facing remediation only from documented statuses, errors, and response fields.
- Do not infer internal reasons for KYC, sanctions, customer status, or transfer decisions.
4. Authentication API
The Authentication API is used before or alongside customer-context actions. It returns customer tokens, manages customer login identifiers, supports password reset, and registers the customer device used for higher-assurance transfer confirmation.
4.1 Authentication endpoint catalogue
| Endpoint | Method | Purpose | Auth required |
|---|
/v1/auth/start | POST | Start two-step login using email or phone. | No |
/v1/auth/login | POST | Complete login and receive tokens, or continue MFA challenge/enrolment when required. | No |
/v1/auth/refresh | POST | Refresh the customer access token. | No, uses refresh token in body |
/v1/auth/logout | POST | Terminate the current customer session. | Access token + refresh token |
/v1/auth/register/start | POST | Start customer registration. | No |
/v1/auth/register/verify-otp | POST | Verify registration OTP. | No |
/v1/auth/register/set-password | POST | Complete registration and receive tokens. | No |
/v1/auth/identifiers | GET | List customer login identifiers. | Yes |
/v1/auth/identifiers/add/start | POST | Start adding a new email or phone. | Yes |
/v1/auth/identifiers/add/verify-otp | POST | Complete identifier addition. | Yes |
/v1/auth/identifiers/{identifierId}/remove/start | POST | Start removing an existing identifier. | Yes |
/v1/auth/identifiers/{identifierId}/remove/verify-otp | POST | Complete identifier removal. | Yes |
/v1/auth/password/forgot | POST | Start password reset. | No |
/v1/auth/password/reset | POST | Complete password reset. | No |
/v1/auth/device-registration/start | POST | Start device registration. | Yes |
/v1/auth/device-registration/complete | POST | Complete device registration with proof of device key possession. | Yes |
4.2 Login
POST /v1/auth/start
Starts login using the customer identifier. The response returns a short-lived loginAttemptId used by /v1/auth/login.
| Request field | Required | Meaning |
|---|
| identifierType | Yes | email or phone. |
| identifier | Yes | Customer email address or E.164 phone number. |
{
"identifierType": "email",
"identifier": "alice.martinez@example.com"
}
POST /v1/auth/login
Completes login. Most successful responses return tokens and subscriptionId. Some responses may require MFA challenge or MFA enrolment; the partner app must follow the returned authStatus and next instructions.
| Request field | Required | Meaning |
|---|
| loginAttemptId | Yes | Value returned by /v1/auth/start. |
| password | Normally yes | Customer password for the normal login path. |
| mfaChallengeId / mfaCode | Conditional | Used only if the previous response requires MFA challenge completion. |
| mfaEnrolmentSessionId / mfaEnrolmentCode | Conditional | Used only if the previous response requires MFA enrolment. |
Successful token response fields
| Field | Meaning |
|---|
| accessToken | Bearer token used on customer-authenticated /v1/core calls. |
| refreshToken | Token used to obtain a new access token. Store securely. |
| tokenType | Bearer. |
| expiresIn | Access token lifetime in seconds. |
| subscriptionId | Partner-facing customer reference for this partner relationship. |
| customerStatus | Current customer status visible to the partner application. |
4.3 Token refresh and logout
| Endpoint | Request | Response / result | Implementation note |
|---|
/v1/auth/refresh | refreshToken | New token bundle. | Call before access token expiry or after receiving token-expired handling guidance. |
/v1/auth/logout | refreshToken plus current access token | Session termination result. | After success, delete local access and refresh tokens. |
4.4 Customer registration
Registration is a three-step customer-facing flow: start, verify OTP, then set password. A successful final step returns tokens and the partner-facing subscriptionId.
| Step | Endpoint | Partner app action |
|---|
| 1 | POST /v1/auth/register/start | Collect email or phone and start registration. |
| 2 | POST /v1/auth/register/verify-otp | Prompt customer for OTP and verify it. |
| 3 | POST /v1/auth/register/set-password | Collect password and complete registration. Store tokens securely. |
4.5 Identifier management
Authenticated customers may list, add, and remove login identifiers. Identifier add and remove use two-step OTP flows. The partner app must present masked identifiers and avoid exposing full values except where the customer entered them.
| Capability | Endpoints |
|---|
| List identifiers | GET /v1/auth/identifiers |
| Add identifier | POST /v1/auth/identifiers/add/start then POST /v1/auth/identifiers/add/verify-otp |
| Remove identifier | POST /v1/auth/identifiers/{identifierId}/remove/start then POST /v1/auth/identifiers/{identifierId}/remove/verify-otp |
4.6 Password reset
| Step | Endpoint | Partner app action |
|---|
| 1 | POST /v1/auth/password/forgot | Collect identifier and start reset. Display neutral response. |
| 2 | POST /v1/auth/password/reset | Collect OTP and new password. On success, ask customer to log in again or continue as instructed. |
4.7 Device registration
Device registration prepares the customer device for high-assurance transfer confirmation. The partner app starts registration, generates or selects a customer-device signing key according to the Security and Signing Guide, and completes registration by submitting the public key and proof. Private key material must never leave the customer device.
| Endpoint | Purpose | Key fields |
|---|
/v1/auth/device-registration/start | Returns a deviceRegistrationId and registrationChallenge. | deviceMetadata, stepUpToken when required |
/v1/auth/device-registration/complete | Registers the device public key and proof. | deviceRegistrationId, publicKey, registrationProof |
5. Customer-Context Core API
Every Core API endpoint requires a customer access token in the Authorization header. The partner application must treat the token as the sole customer context for the request and must not place internal customer identifiers in URLs or request bodies.
5.1 Core endpoint catalogue
| Endpoint | Method | Purpose |
|---|
/v1/core/profile | POST | Submit customer profile information. |
/v1/core/profile | GET | Read customer profile, customer status, KYC status, identifiers, and subscriptionId. |
/v1/core/kyc-sessions | POST | Start a YCMT-served KYC capture session. |
/v1/core/kyc-sessions/{kycSessionId} | GET | Read KYC session state. |
/v1/core/beneficiaries | GET | List customer beneficiaries. |
/v1/core/beneficiaries | POST | Create a beneficiary. |
/v1/core/beneficiaries/{beneficiaryId} | GET | Read beneficiary details. |
/v1/core/beneficiaries/{beneficiaryId}/archive | POST | Archive a beneficiary. |
/v1/core/quotes | POST | Create a quote for a selected beneficiary. |
/v1/core/quotes/{quoteId} | GET | Fetch quote details. |
/v1/core/quotes/{quoteId}/disclosure | GET | Fetch required disclosure for the quote. |
/v1/core/quotes/{quoteId}/accept | POST | Accept quote and receive transferId. |
/v1/core/transfers/{transferId}/submit | POST | Submit transfer details. |
/v1/core/transfers/{transferId}/confirm | POST | Confirm transfer using device assertion. |
/v1/core/transfers/{transferId}/cancel | POST | Request cancellation where allowed. |
/v1/core/transfers/{transferId} | GET | Read transfer detail and next-step fields. |
/v1/core/transfers | GET | List transfers. |
5.2 Profile
POST /v1/core/profile
Submits customer identity attributes required before KYC and money movement. The partner app should collect only the fields required by the current UI and corridor requirements, and submit them in the documented format.
| Request field | Required | Meaning |
|---|
| firstName | Yes | Customer first name. |
| lastName | Yes | Customer last name. |
| dateOfBirth | Yes | Date in YYYY-MM-DD format. |
| nationality | Yes | ISO country code as specified in onboarding materials. |
| residenceCountry | Yes | Country of residence. |
| residenceAddress | Yes | Structured address object. |
| middleNames, gender, placeOfBirth | Optional | Provide where collected or required by the customer journey. |
GET /v1/core/profile
Reads the partner-visible customer state. This is the main endpoint for the partner app to decide which customer screen to show next.
| Response field | Meaning |
|---|
| subscriptionId | Partner-facing customer reference. Safe for partner-side logging and joining. |
| status | Customer status visible to the partner app. |
| kycStatus | Current KYC state. |
| transactability | Convenience boolean indicating whether the customer can proceed with money-moving actions, subject to endpoint-specific rules. |
| customerActionExpected | Whether the app should prompt the customer for action. |
| profile | Submitted profile details. |
| identifiers | Masked or summarized login identifiers. |
5.3 KYC sessions and KYC webview
KYC capture is performed through a YCMT-served webview. The partner app opens the webviewUrl returned by /v1/core/kyc-sessions and polls the KYC session endpoint for state.
| Endpoint | Purpose | Main response fields |
|---|
POST /v1/core/kyc-sessions | Start KYC capture session. | kycSessionId, webviewUrl, expiresAt, closureCallback |
GET /v1/core/kyc-sessions/{kycSessionId} | Read KYC session state. | sessionState, openedAt, closedAt, expiresAt |
- Open the webviewUrl in the customer-facing app using the approved webview integration pattern.
- Do not intercept or modify documents, liveness capture, or verification data inside the webview.
- After the webview closes, poll the KYC session state and then refresh
/v1/core/profile to show the correct next step.
- Use documented remediation messages only; do not infer internal KYC reasons.
5.4 Beneficiaries
Beneficiaries are customer-created recipients. A beneficiary may require screening before it can be used in a transfer.
| Endpoint | Purpose | Key fields |
|---|
GET /v1/core/beneficiaries | List beneficiaries. | items, nextCursor |
POST /v1/core/beneficiaries | Create beneficiary. | firstName, lastName, dateOfBirth, address, nationality, countryOfResidence, relationshipToCustomer |
GET /v1/core/beneficiaries/{beneficiaryId} | Read beneficiary detail. | beneficiaryId, state, payout methods, identity fields |
POST /v1/core/beneficiaries/{beneficiaryId}/archive | Archive beneficiary. | beneficiaryId, state, archivedAt |
5.5 Quotes and disclosure
The quote and disclosure sequence must be implemented carefully. The customer must see the required disclosure before quote acceptance. Expired quotes must not be accepted; the app should create or fetch a new quote as instructed by the error response.
| Endpoint | Purpose | Main fields |
|---|
POST /v1/core/quotes | Create quote for a selected beneficiary. | originAmount, originCurrency, destinationCurrency, beneficiaryId |
GET /v1/core/quotes/{quoteId} | Fetch quote detail. | amounts, currencies, fxRate, fees, totalCustomerCost, quoteValidUntil |
GET /v1/core/quotes/{quoteId}/disclosure | Fetch customer disclosure. | disclosureToken, disclosureText, issuedAt, expiresAt |
POST /v1/core/quotes/{quoteId}/accept | Accept quote after disclosure. | disclosureToken, purposeOfTransfer |
Quote response fields to display
| Field | Display / handling guidance |
|---|
| originAmount and originCurrency | Amount the customer sends. |
| destinationAmount and destinationCurrency | Amount expected to be received. |
| fxRate | Exchange rate used for this quote. |
| principalFee and partnerFee | Fees where required by the customer-facing flow. |
| totalCustomerCost | Total cost to the customer. |
| quoteValidUntil | Countdown or expiry handling. |
| quoteId | Use for subsequent quote fetch, disclosure, and acceptance calls. |
5.6 Transfers
Transfers proceed through quote acceptance, transfer submission, transfer confirmation, funding, and status tracking. The partner app must follow nextStep and transferStatus fields rather than assuming a fixed timing.
| Endpoint | Purpose | Key request / response fields |
|---|
POST /v1/core/transfers/{transferId}/submit | Submit transfer details after quote acceptance. | beneficiaryId, payoutMethod, purposeOfTransfer; returns submittedAt, nextStep |
GET /v1/core/transfers/{transferId} | Read transfer detail and next action. | transferStatus, nextStep, confirmationChallenge, fundingSession, cancellation, refund |
POST /v1/core/transfers/{transferId}/confirm | Confirm transfer using device assertion. | deviceAssertion; returns fundingSession and nextStep |
POST /v1/core/transfers/{transferId}/cancel | Request cancellation where allowed. | cancellationReason; returns cancellationOutcome and refund fields if applicable |
GET /v1/core/transfers | List customer transfers. | items, nextCursor |
5.7 Funding webview
A successful transfer confirmation may return a fundingSession containing a fundingWebviewUrl. The partner app opens that URL for the customer. YCMT controls the funding flow. The partner app is a display host and must not collect or store payment credentials unless a separate written instruction explicitly allows it.
| Funding field | Meaning |
|---|
| fundingSessionId | Identifier for the funding session. |
| fundingWebviewUrl | URL to open for the customer. |
| expiresAt | Time after which the funding session is no longer valid. |
6. Statuses the partner app must handle
6.1 Customer statuses
| Status | Partner app handling |
|---|
| PENDING | Prompt customer to complete onboarding/profile/KYC steps. Money-moving actions are not available yet. |
| VALID | Allow normal customer journey subject to beneficiary, quote, transfer, and payment rules. |
| MONITORED | Allow customer journey where endpoint permits it, but show that transfers may be under review when status responses indicate this. |
| RESTRICTED | Prompt customer action when the response says customer action is expected. Do not promise release until YCMT validates remediation. |
| BLOCKED | Do not allow money-moving actions. Show generic support guidance. |
| CLOSED | Do not allow money-moving actions. Show generic account-closed/support guidance. |
6.2 Transfer handling principle
Always drive the UI from transferStatus, nextStep, customerActionExpected, confirmationChallenge fields, fundingSession fields, cancellation fields, and refund fields returned by the API. Do not hard-code transfer progress based only on elapsed time.
7. Common response and error model
Successful responses return the resource or action result described by the endpoint. Error responses use a structured error object. The partner app should map error codes to the documented handling rules in the Errors, Statuses, and Retry Guide.
7.1 Generic error response shape
{
"error": {
"code": "quote.expired",
"message": "The quote is no longer valid.",
"correlationId": "2c3eb391-57e1-4312-a59d-85f9df38cf62",
"hint": "hint.partner_app.refresh_quote",
"remediation": "remediation.customer_ux.review_new_quote"
}
}
7.2 Partner app error handling rules
- Do not display raw technical error details to customers unless the guide explicitly marks them customer-safe.
- Show the customer-safe remediation associated with the error category.
- For token expiry, refresh the token and retry where safe.
- For quote expiry, request a new quote and show the customer the new price/disclosure before acceptance.
- For validation errors, highlight the field or step the customer can correct.
- For
customer.statusBlocking, show generic support guidance and do not disclose internal reasons.
- For rate limits or temporary unavailability, follow Retry-After if provided and avoid retry storms.
8. Idempotency, pagination, and retries
8.1 Idempotency
For write operations that create or change business state, use an Idempotency-Key generated per business action. Reuse the same key only when retrying the same action after timeout or network failure. Do not reuse one key for different customer actions.
| Action type | Idempotency guidance |
|---|
| Registration, login, password reset sub-steps | Follow endpoint-specific rules in the Openapi-assets/Postman pack. |
| Profile submission, KYC session creation, beneficiary creation, quote acceptance, transfer submit/confirm/cancel | Use Idempotency-Key where specified by the contract. |
| GET requests | Do not send Idempotency-Key unless specifically instructed. |
List endpoints may return nextCursor. When nextCursor is present, call the same list endpoint again with the cursor parameter. Do not construct or modify cursor values; treat them as opaque strings.
8.3 Safe retry rules
| Situation | Partner app action |
|---|
| Network timeout before response | Retry with the same Idempotency-Key for idempotent write operations. |
| HTTP 429 rate limit | Wait according to Retry-After if present, then retry. |
| HTTP 5xx temporary failure | Retry with backoff where customer experience allows. |
| Validation error | Do not retry automatically; prompt customer or fix request. |
| Quote expired | Create or fetch a new quote and show the updated disclosure before acceptance. |
9. Minimal implementation checklist
| Area | Must be implemented before go-live |
|---|
| Headers and credentials | Base URL, API key, correlation IDs, Authorization header, secure token handling. |
| Authentication | Registration, login, refresh, logout, password reset, identifier handling where in scope. |
| Profile and KYC | Profile submit/read, KYC webview launch, KYC state polling and remediation. |
| Beneficiaries | Create/list/read/archive and beneficiary state handling. |
| Quotes and disclosure | Quote create/fetch, disclosure fetch/display, quote acceptance, quote expiry handling. |
| Transfers | Submit, read status, confirm, funding webview, cancellation, refund/status handling. |
| Security and signing | Device registration and confirmation; quote signing/webhooks where applicable. |
| Errors and retry | Structured error handling, idempotency, pagination, rate-limit handling. |
| Sandbox evidence | Positive and negative test scenarios completed and submitted to YCMT. |
10. What not to build
The partner application must not implement any workaround that bypasses YCMT controls or changes the regulatory responsibility split.
- Do not create or execute transfers outside the documented customer-context APIs.
- Do not treat partner backend credentials as authority to move customer money.
- Do not store or expose internal customer identifiers. Use subscriptionId only where the API returns it.
- Do not infer or disclose internal AML, KYC, sanctions, fraud, or customer-status reasons.
- Do not collect or store payment credentials outside the approved funding flow.
- Do not alter or suppress YCMT-required disclosures.
- Do not reuse one customer token for another customer or another partner channel.
- Do not hard-code assumptions about transfer timing, KYC outcomes, or cancellation outcomes.
11. Support and escalation
| Need | Contact route |
|---|
| Sandbox access issue | YCMT technical onboarding contact |
| API contract question | YCMT partner integration support |
| Unexpected production API error | Production support route with correlation ID, timestamp, endpoint, and sanitized request summary |
| Security incident | YCMT security incident contact immediately |
| Customer complaint or regulated issue | Partner operations escalation route, not developer support |
Appendix A. Endpoint summary by build order
| Build order | Endpoints |
|---|
| 1. Health and connectivity | Use onboarding-provided health endpoint where enabled. |
| 2. Registration/login | /auth/register/start, /auth/register/verify-otp, /auth/register/set-password, /auth/start, /auth/login |
| 3. Token lifecycle | /auth/refresh, /auth/logout |
| 4. Profile/KYC | /core/profile, /core/kyc-sessions, /core/kyc-sessions/{kycSessionId} |
| 5. Device registration | /auth/device-registration/start, /auth/device-registration/complete |
| 6. Beneficiaries | /core/beneficiaries, /core/beneficiaries/{beneficiaryId}, /core/beneficiaries/{beneficiaryId}/archive |
| 7. Quote/disclosure | /core/quotes, /core/quotes/{quoteId}, /core/quotes/{quoteId}/disclosure, /core/quotes/{quoteId}/accept |
| 8. Transfers | /core/transfers/{transferId}/submit, /core/transfers/{transferId}/confirm, /core/transfers/{transferId}, /core/transfers, /core/transfers/{transferId}/cancel |