API Changes


1.38 (2019-10-01)

  • Added detailed examples of how to use direct authentication.
  • In the Direct Authentication API, WingCash Secret Authentication has been renamed to OPN Secret Authentication and the preferred header format has changed. The old format will continue to be accepted.
  • Added POST /aa/signup-closed and documented the authentication requirements for POST /aa/signin-closed.
  • Added an alternative to the Authentication Decision Tree for skipping the password when signing up for closed loop access only.

1.37 (2019-09-20)

1.36 (2019-08-08)

  • Added address_data to Profile objects.

1.35 (2019-06-10)

  • Added API calls to accept, refuse, or resend transfer invitations. See POST /t/(string:transfer_id)/accept. Also, the platform now adds the recipient to invited transfers when the recipient confirms the UID, so apps can use existing transfer integration to notify recipients about invitations.

1.34 (2019-05-30)

  • The message set feature now supports template variants. API calls that start a transfer can now specify a list of message_rules to choose the locale and variant for each participant who will receive messages. See MessageRule.
  • Bugfix: some appdata field inputs had no effect; now they work as documented. Also added appdata documentation to the Transfer reference.

1.33 (2019-05-16)

  • Expanded the Cash Design API Calls to allow apps to create, edit, and delete cash designs.
  • Added an optional icon to cash designs and made the description_html attribute available for brand cash designs.
  • Applied an updated theme to the API documentation. The new theme is based on the MIT-licensed Guzzle theme.
  • Using Profile Access API Calls, apps can now enable and disable Features for profiles.
  • Apps can now set profile images using PUT /wallet/image.

1.32 (2019-04-18)

1.31 (2019-04-12)

1.30 (2019-03-08)

1.29 (2019-01-08)

  • Added the concurrent field to POST /p/token. Apps that don’t cache access tokens can use this new feature to avoid accidentally invalidating access tokens used concurrently.
  • Added the device_uuid and device_name fields to POST /p/token so apps using the profile access API can expose devices correctly in user profiles.
  • Added the POST /aa/signin-closed API call. The new call lets apps use direct authentication with a single factor to generate a limited access token that accesses only closed loop cash.
  • Added the optional permissions field to the Direct Authentication API Calls, allowing apps to use more (or more specific) permissions per profile.
  • Added the first of the Report API Calls, the Received and Receivable report: POST /wallet/report/receivable.
  • Added the personal_profile response attribute to GET /wallet/info. It is provided only when authenticated as a non-individual.


1.28 (2018-10-04)

1.27 (2018-08-31)

1.26 (2018-07-02)

  • Added the POST /p/token API call. It requires the control_profile app permission, which can only be granted to apps one site at a time.
  • Added the required manager_uid field to the POST /p/add-business API call and created a compatibility flag that allows existing apps to not provide manager_uid. In the future, all apps that use the /p/add-business API call should provide manager_uid.

1.25 (2018-05-23)

  • Added movements to Transfer objects, allowing clients to display the cash sent or received in detail.
  • Added max_sendable to SendableAmount. Also, the amount attribute of SendableAmount now reports the amount in the wallet rather than the amount that can be sent at once.
  • The Payment Processor API Calls now allow sending brand cash to individuals. To support this, the /proc/redeem[able] calls have been renamed to /proc/send[able], with deprecated aliases.
  • Added the POST /p/add-individual API call.

1.24 (2018-05-03)

  • Added dedup_id to API calls for starting a transfer.
  • The POST /token/refresh API call now accepts a password, subject to the Authentication API Rules.
  • The direct authentication API calls now generate a 410 (“Gone”) HTTP response when a caller attempts to access an expired authentication attempt or invitation.

1.23 (2018-02-07)


1.22 (2017-12-30)

1.21 (2017-10-25)

1.20 (2017-09-04)

1.19 (2017-06-30)

  • Added the __error_ok__ option, allowing InvalidRequest responses to use a status of 200 OK rather than 400 Bad Request.
  • Added first_name and last_name to Profile objects.
  • Added original to UIDInfo objects.
  • Increased the size limit of message and message_body in the POST /wallet/send API call to 10000 characters.
  • Renamed account_links to accounts, account_type to ach_type, and AccountLink to DFIAccount.


1.18 (2015-11-11)

  • Added the return CampaignEvent type. A return event is triggered when users return cash to the provider.

1.17 (2015-09-21)

  • Updated profile image sizes: added image24, image48, and image73 to match common practice. image25 is now a deprecated alias of image24 and image50 is now a deprecated alias of image48.
  • The default image size is now 73 x 73 rather than 50 x 50.

1.16 (2015-07-21)

1.15 (2015-07-10)

1.14 (2015-01-12)

  • Added the preferred_currency and accepted_national_currencies attributes to Profile.


1.13 (2014-10-24)

  • Added API calls for finding and accepting published offers. See Offer API Calls.
  • Added the chain_id attribute to Profile.

1.12 (2014-09-18)

  • Added the loyalty attribute to TransferDetail. (The platform recently added the loyalty cash feature. Qualifying transfers now send loyalty cash back to the sender.)

1.11 (2014-09-02)

  • As planned and documented, seller has been renamed to distributor.
  • POST /wallet/receive now accepts optional total_due and total_tax parameters to improve reports.

1.10 (2014-07-26)

  • The platform now supports promotional cash that expires; the API now exposes cash expiration information through the LoopDescription objects provided by GET /wallet/info and GET /wallet/presend.
  • Renamed the retract campaign event to expire. No retract events have been generated yet, so this change should not cause any backward compatibility issues.

1.9 (2014-06-04)

  • The POST /wallet/send call now accepts abstract amounts, allowing some apps to skip the presend step.

1.8 (2014-05-05)

  • Improved support for public business addresses, geocoordinates, and public phone numbers. Details:

  • The implementation of POST /token/refresh was returning a status code of 404 when the PIN was incorrect. It now returns status code 401, as documented.

  • When a user fails token refresh through POST /token/refresh five times, the platform no longer invalidates access tokens. Instead, the platform will only lock out further attempts to use POST /token/refresh with the same access token.

  • Added an API call for receiving cash at a point of sale: POST /wallet/receive.

  • Added Bidirectional API Calls and PostDetail.

1.7 (2014-04-02)

  • Relaxed device UUID requirements. UUID length is now variable (up to 36 characters) and UUIDs may contain 0-9, a-z, A-Z, _, and -.
  • Renamed the pos_wait attribute of GET /wallet/presend response objects to support_paycode; pos_wait is now a deprecated alias.
  • Added support_paycode to Profile objects.
  • The related attribute of GET /wallet/info response objects now provides ProfileDetail rather than Profile objects for all profiles that the authenticated personal profile manages.
  • Added GET /token/selectable, which lists the selectable managed profiles for the authenticated profile.

1.6.1 (2014-03-31)

  • sender_info was missing from the implementation of Transfer. Fixed.

1.6 (2014-03-06)

  • Added the banner, metadata_image, and metadata_description attributes to OfferDetail.

1.5 (2014-02-25)

1.4 (2014-01-29)


1.3 (2013-12-18)

1.2 (2013-12-06)

  • Added POST /token/logout.
  • When users create a test token through the app management UI and request the mobile_device permission, the platform will now add a test device to the user’s profile and return a device token.

1.1 (2013-12-05)

  • The scope parameter changed for mobile devices. The mobile_device scope value is now a permission. The mobile_device permission allows an app to have a different token for each device. Also, all apps (including mobile apps) must now request specific permissions in the scope parameter.
  • The implementations of the POST /token and POST /token/refresh calls now accept only the POST request method (not GET or HEAD), to avoid the security issues of a query string.
  • The implementation of GET /wallet/history was generating an error when listing transfers to bank accounts. Fixed.

1.0 (2013-12-03)

  • Documented that LoopDescription.thumbnail can be null.

  • Apps can now pass the client_id and client_secret to the token endpoint using HTTP basic authentication.

  • GET /wallet/presend now works. Changes from the former documentation:

    • Changed the /wallet/presend call from POST to GET and changed its parameter type from JSON to a query string.
    • Removed the default message fields from the /wallet/presend response.
    • Added recipient_info, sender_can_send_direct, and recipient_can_send_direct to the /wallet/presend response.
  • POST /wallet/send now works. Changes from the former documentation:

    • Changed /wallet/send to accept form parameters rather than JSON parameters.
    • Replaced the loops parameter of /wallet/send with amounts, a formatted string.
    • Added the notify_via parameter to /wallet/send.
    • Removed the related attribute of the /wallet/send response. It was confusing.
  • GET /wallet/history now works.

  • POST /t/(string:transfer_id)/change_paycode_expiration now works.

    • Also added payment_codes to TransferDetail and reorganized the documentation a little to reflect the fact that changing a payment code is really changing a transfer.

0.1 (2013-11-25)

  • Initial release of API documentation.