# User Security

These endpoints are deprecated. Please refer to the [strong-customer-authentication](/api-reference/strong-customer-authentication) section to integrate with SCA.

User security allows users to set up security-related protections over the API.

## Phone Number

A resource used to define a phone number stored in Wise.

Fields

- `id`: ID of the phone number.
- `phoneNumber`: A text representation of the phone number.
- `type`: Type of phone number when used in authentication. Only **PRIMARY** is supported at the moment.
- `verified`: Indicates whether the phone number is verified. Note that only verified phone numbers will be used as a form of authentication.
- `clientId`: Client ID to which this phone number belongs.

Phone Number

```json
{
  "id": 1230944,
  "phoneNumber": "+6588888888",
  "type": "PRIMARY",
  "verified": true,
  "clientId": "clientId"
}
```

## Create PIN

**`POST /v1/user/pin`** [](/guides/developer/auth-and-security/jose-jwe)

Create a PIN for a user as a form of authentication.

Can be used to [verify pin](/api-reference/one-time-token#verify-pin) when accessing a strongly protected endpoint via [One Time Token Framework](/api-reference/one-time-token).

### Request

- `pin`: A four-digit string.

### Response

Possible HTTP status codes

- 204 - No Content: PIN is created successfully.
- 409 - Conflict: PIN has already been created.

Example Request

```bash
curl -X POST \
  https://api.sandbox.transferwise.tech/v1/user/pin \
  -H 'Authorization: Bearer <your api token>' \
  -H 'Accept: application/jose+json' \
  -H 'Accept-Encoding: identity' \
  -H 'Content-Type: application/jose+json' \
  -H 'Content-Encoding: identity' \
  -H 'X-TW-JOSE-Method: jwe' \
  -d 'eyJlbmMiOiJBMjU2R0NNIiwi...'
```

Example Response

```text
eyJlbmMiOiJBMjU2R0NNIiwi...
```

## Delete PIN

**`DELETE /v1/users/{{userId}}/pin`** [](/guides/developer/auth-and-security#enhanced-security)

Can be used to remove the PIN from the user's account.

### Path Variable

- `userId`: User ID.

### Response

Possible HTTP status codes

- 204 - No Content: PIN is deleted successfully.
- 404 - PIN Not Setup: PIN is not set up for this user.

Example Request

```bash
curl -X DELETE \
  https://api.sandbox.transferwise.tech/v1/users/{{userId}}/pin \
  -H 'Authorization: Bearer <your api token>'
```

Response - PIN Not Setup (404)

```json
{
  "errors": [{
    "code": "pin.not.setup",
    "message": "PIN has not been setup."
  }]
}
```

## Enrol FaceMap

**`POST /v1/user/facemap/enrol`**

Enrol FaceMap: Facial biometric enrolment for Strong Customer Authentication (SCA).

Can be used to [verify facemap](/api-reference/one-time-token#verify-facemap) when accessing a strongly protected endpoint via [One Time Token Framework](/api-reference/one-time-token).

### Request

- `faceMap`: Base64-encoded binary data as a string. For more details on how to obtain this binary, please read FaceTec's [export API](https://dev.facetec.com/api-guide#export-3d-facemap).

To retrieve Wise's FaceTec public key, please refer to our FaceTec [Get Public Key API](/api-reference/facetec#public-key).

### Response

Possible HTTP status codes

- 204 - No Content: Enrollment is successful.
- 409 - Conflict: FaceMap has already been enrolled.

Example Request

```bash
curl -X POST \
  https://api.sandbox.transferwise.tech/v1/user/facemap/enrol \
  -H 'Authorization: Bearer <your api token>' \
  -d '{
    "faceMap": "<base64-encoded FaceMap>"
  }'
```

## Delete FaceMap

**`DELETE /v1/users/{{userId}}/facemap/enrol`** [](/guides/developer/auth-and-security/jose-jwe)

Can be used to remove the FaceMap from the user's account.

### Path Variable

- `userId`: User ID.

### Response

Possible HTTP status codes

- 204 - No Content: FaceMap is deleted successfully.
- 404 - FaceMap Not Setup: FaceMap is not set up for this user.

Example Request

```bash
curl -X DELETE \
  https://api.sandbox.transferwise.tech/v1/users/{{userId}}/facemap/enrol \
  -H 'Authorization: Bearer <your api token>'
```

Response - FaceMap Not Setup (404)

```json
{
  "errors": [{
    "code": "facemap.not.setup",
    "message": "FaceMap has not been setup."
  }]
}
```

## Create Device Fingerprint

**`POST /v1/user/partner-device-fingerprints`** [](/guides/developer/auth-and-security/jose-jwe)

A device fingerprint represents a string that identifies a unique device. This endpoint is used to register the fingerprint of the device as one of the allowed devices used during a One Time Token (OTT) challenge.

This can be used to [verify device fingerprint](/api-reference/one-time-token#verify-device-fingerprint) when clearing an [OTT](/api-reference/one-time-token).

### Request

- `deviceFingerprint`: A string that is used as a device fingerprint.

### Response

- `deviceFingerprintId`: Identifier of the device fingerprint.
- `createdAt`: Timestamp of when the device fingerprint was created.

Possible HTTP status codes

- 200 - HTTP OK: The device fingerprint has been successfully created.
- 409 - Conflict: The device fingerprint has already been created.
- 400 - Bad Request: Maximum number of device fingerprints reached (defaults to 3).

Example Request

```bash
curl -X POST \
  'https://api.sandbox.transferwise.tech/v1/user/partner-device-fingerprints' \
  -H 'Authorization: Bearer <your api token>' \
  -H 'Content-Type: application/jose+json' \
  -H 'X-TW-JOSE-Method: jwe' \
  -H 'Accept: application/jose+json' \
  -H 'Accept-Encoding: *' \
  -d '{
    "deviceFingerprint": "3207da22-a0d3-4b6b-a591-6297e646fe32"
  }'
```

Example Response

```json
{
  "deviceFingerprintId": "636a5514-aa86-4719-8700-e9a9a0ae7ea7",
  "createdAt": "2024-05-24T07:27:58.273205554Z"
}
```

## Get Device Fingerprints

**`POST /v1/users/{{userId}}/partner-device-fingerprints`** [](/guides/developer/auth-and-security#enhanced-security)

Returns a list of device fingerprints created for this user.

Example Request

```bash
curl -X POST \
  'https://api.sandbox.transferwise.tech/v1/users/{{userId}}/partner-device-fingerprints' \
  -H 'Authorization: Bearer <your api token>'
```

### Response

List of device fingerprints

- `deviceFingerprintId`: Identifier of the device fingerprint.
- `createdAt`: Timestamp of when the device fingerprint was created.

Possible HTTP status codes

- 200 - HTTP OK
- 404 - User Not Found: The user is not found.

Example Response

```json
[
  {
    "deviceFingerprintId": "636a5514-aa86-4719-8700-e9a9a0ae7ea7",
    "createdAt": "2024-05-24T07:27:58.273205554Z"
  }
]
```

## Delete Device Fingerprint

**`DELETE /v1/users/{{userId}}/partner-device-fingerprints/{{deviceFingerprintId}}`** [](/guides/developer/auth-and-security#enhanced-security)

Can be used to remove a specific device fingerprint from the allowed devices of a user.

### Path Variable

- `deviceFingerprintId`: Device fingerprint ID.

### Response

Possible HTTP status codes

- 204 - No Content: Device fingerprint has been successfully removed.
- 404 - Not found: User or deviceFingerprintId is not found.

Example Request

```bash
curl -X DELETE \
  https://api.sandbox.transferwise.tech/v1/users/{{userId}}/partner-device-fingerprints/{{deviceFingerprintId}} \
  -H 'Authorization: Bearer <your api token>'
```

## List Phone Numbers

**`GET /v1/application/users/{{userId}}/phone-numbers`**

List verified phone numbers for a user.

### Request Parameters

- `userId`: User ID.

### Response

Returns a list of [phone numbers](/api-reference/user-security#phone-number).

Example Request

```bash
curl -X GET \
  https://api.sandbox.transferwise.tech/v1/application/users/{{user_id}}/phone-numbers \
  -H 'Authorization: Bearer <your api token>'
```

Example Response

```json
[
  {
    "id": 1230944,
    "phoneNumber": "+6588888888",
    "type": "PRIMARY",
    "verified": true,
    "clientId": "clientId"
  }
]
```

## Create Phone Number

**`POST /v1/application/users/{{userId}}/phone-numbers`**

Create a verified phone number for a user.

### Request

- `phoneNumber`: A valid phone number, as a string.

### Response

HTTP Status Codes

- 200 - OK: Returns [phone number](/api-reference/user-security#phone-number)
- 422 - Unprocessable Entity: The phone number is already associated with another account. To authenticate users and prevent unauthorized access, we require each user to have a unique phone number that can be verified.

Example Request

```bash
curl -X POST \
  https://api.sandbox.transferwise.tech/v1/application/users/{{user_id}}/phone-numbers \
  -H 'Authorization: Bearer <your api token>' \
  -d '{
    "phoneNumber": "+6588888888"
  }'
```

Example Response - 200

```json
{
  "id": 1230944,
  "phoneNumber": "+6588888888",
  "type": "PRIMARY",
  "verified": true,
  "clientId": "clientId"
}
```

Example Response - 422

```json
{
  "errors": [{
    "code": "phone.number.repeated",
    "message": "It's linked to an account with the email ****@wise.com"
  }]
}
```

## Update Phone Number

**`PUT /v1/application/users/{{userId}}/phone-numbers/{{phoneNumberId}}`**

Update a verified phone number for a user.

### Request

- `phoneNumber`: A valid phone number, as a string.

### Response

HTTP Status Codes

- 200 - OK: Returns [phone number](/api-reference/user-security#phone-number)
- 422 - Unprocessable Entity: The phone number is already associated with another account. To authenticate users and prevent unauthorized access, we require each user to have a unique phone number that can be verified.

Example Request

```bash
curl -X PUT \
  https://api.sandbox.transferwise.tech/v1/application/users/{{user_id}}/phone-numbers/{{phoneNumberId}} \
  -H 'Authorization: Bearer <your api token>' \
  -d '{
    "phoneNumber": "+6588888888"
  }'
```

Example Response - 200

```json
{
  "id": 1230944,
  "phoneNumber": "+6588888888",
  "type": "PRIMARY",
  "verified": true,
  "clientId": "clientId"
}
```

Example Response - 422

```json
{
  "errors": [{
    "code": "phone.number.repeated",
    "message": "It's linked to an account with the email ****@wise.com"
  }]
}
```

## Delete Phone Number

**`DELETE /v1/application/users/{{userId}}/phone-numbers/{{phoneNumberId}}`**

Deletes a verified phone number for a user.

### Request Parameters

- `userId`: User ID.
- `phoneNumberId`: ID of a [phone number](/api-reference/user-security#phone-number).

### Response

HTTP Status Codes

- 204 - No Content: No Content.

Example Request

```bash
curl -X DELETE \
  https://api.sandbox.transferwise.tech/v1/application/users/{{user_id}}/phone-numbers/{{phoneNumberId}} \
  -H 'Authorization: Bearer <your api token>'
```
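
Registered device fingerprints (see Create, Get and Delete Device Fingerprint above) form an allow-list used to clear OTT challenges, so a partner may want to reconcile that list against its own records. The following Python is an added example, not part of the Wise documentation: it takes a Get Device Fingerprints listing and returns the Delete Device Fingerprint paths for entries the partner cannot account for or that exceed a partner-chosen age. The names `plan_revocations`, `inventory_ids` and `max_age_days`, and the sample listing, are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the Get Device Fingerprints response (not real data).
SAMPLE_LISTING = [
    {"deviceFingerprintId": "636a5514-aa86-4719-8700-e9a9a0ae7ea7",
     "createdAt": "2024-05-24T07:27:58.273205554Z"},
    {"deviceFingerprintId": "00000000-0000-4000-8000-000000000001",
     "createdAt": "2023-01-10T09:00:00Z"},
    {"deviceFingerprintId": "00000000-0000-4000-8000-000000000002",
     "createdAt": "2024-06-01T12:30:00.5Z"},
]


def parse_created_at(value):
    """Parse a UTC `createdAt` value, truncating nanoseconds to microseconds."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC timestamp ending in Z: {value!r}")
    head, _, frac = value[:-1].partition(".")
    micros = (frac + "000000")[:6]  # pad short fractions, cut anything past 6 digits
    parsed = datetime.strptime(f"{head}.{micros}", "%Y-%m-%dT%H:%M:%S.%f")
    return parsed.replace(tzinfo=timezone.utc)


def plan_revocations(user_id, listing, inventory_ids, now, max_age_days=365):
    """Return (reason, DELETE path) pairs for allow-list entries to remove.

    inventory_ids: deviceFingerprintIds the partner stored when it called
    Create Device Fingerprint (hypothetical partner-side record).
    max_age_days: hypothetical partner policy, not a Wise setting.
    """
    cutoff = now - timedelta(days=max_age_days)
    plan = []
    for entry in listing:
        fp_id = entry["deviceFingerprintId"]
        if fp_id not in inventory_ids:
            reason = "unknown-to-inventory"   # registered, but not by us on record
        elif parse_created_at(entry["createdAt"]) < cutoff:
            reason = "older-than-policy"
        else:
            continue
        path = f"/v1/users/{user_id}/partner-device-fingerprints/{fp_id}"
        plan.append((reason, path))
    return plan
```

Each returned path is the target of a `DELETE` request as documented under Delete Device Fingerprint; the function itself makes no network calls.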