With CRS's Consumer Credit API, you can offer Consumer Credit Scores and Credit Monitoring directly as part of your web or mobile experience.
Overview
To quickly grasp the token flow and sequence of API calls, download and import the "Getting Started" Postman Collections from the Google Drive and the Postman environment we provided to you.
The Google Drive and this documentation contain Postman Collections for each API.
- Direct API calls must originate from your server
- User API calls must originate from the end-client
- Equifax API calls must originate from the end-client
It is not acceptable to pass any of the data to these calls or responses from these calls to your server. Do not save any data. Short term caching is fine, but long-term storage is not.
Access Credentials
Access Credentials will be sent to you in a Postman Environment upon registration via email. If you have not received the Access Credentials, please contact CRS to obtain these Credentials so that you can setup your API development environment.
Token Validity Times
Direct Tokens
Preauth Tokens
User Tokens
Refresh Tokens
Mobile Verification Tokens
Customer Tokens
Action Tokens
1 hour
30 seconds
15 minutes
Valid after 15 minutes, and expire after 30 minutes
15 minutes
Valid for 1 day (not used in Direct API)
Valid for 10 minutes (not used in Direct API)
Keep in mind, the preauth token is only valid for 30 seconds.
Direct API
Direct API calls must originate from your server
A token from /direct/login is required for all other Direct API end-points. It is a bearer authorization token.
Once you have a preauth token, returned from /direct/user-reg or /direct/preauth-token, pass it to the Web UI entry point in the embedded iFrame.
Be sure to save the ID returned from /direct/user-reg or you won’t be able to reauthorize the user when they return.
**The preauth token is only valid for 30 seconds
Endpoints
New User Token
Change Email
Change Phone
Close Account
Update Refresh
/direct/preauth-token
/direct/change-email
/direct/change-phone
/direct/close-account
/direct/update-refresh [PREMIUM FEATURE]
Collection of end-points that should be called from your server.
- Customer Login (POST)
/direct/login
Using your credentials in the request body ("apikey" and "secret"), the response will contain the token and refresh token.
These tokens are required for completing the other requests to Direct API endpoints.This token will be valid for approximately one hour. After the one hour, the refresh token will become valid.
If the token expires, use /direct/refresh-token?token={refresh} to get a new token
- CUSTOMER REFRESH TOKEN (GET)
/direct/refresh-token
Token and refresh tokes are required for completing the other requests to Direct API endpoints.
The token will be valid for approximately one hour. After the one hour, the refresh token will become valid.
When the token expires, use /direct/refresh-token?token={refresh} to get a new token
- REGISTER NEW USER (POST)
/direct/user-reg
Creates a new user with unique userId and preauth token.
When a user logs back in, use /direct/preauth-token/{userId} to generate that user a new preauth token and a new userId (refer to Returning User)
Don't store the token across sessions. Use the userId from the previous session to generate a new userId and a new preauth token.
- NEW USER TOKEN (GET)
/direct/preauth-token/{userId}
- CLOSE USER ACCOUNT (POST)
/direct/close-account/{userId}
- CHANGE USER EMAIL (POST)
/direct/change-email/{userId}
- CHANGE USER PHONE (POST)
/direct/change-mobile/{userId}
- CHANGE USER HOST (POST)
/direct/change-host/{userId}
- UPDATE USER REFRESH DATA (POST)
/direct/update-refresh/{userId}
*Premium Feature - May Require Additional Access
- GET ALERT DETAIL (GET)
/direct/efx-alert/{alertId}
*Premium Feature - May Require Additional Access
User API
User API calls must originate from the end-client
Equifax end-points are accessible by first using the User API /users/efx-config response data, and then the Equifax /oauth/token call.
User API and Equifax API calls are intended to be called from the end-client/user's device.
Endpoints
User Identity
Phone Verify
Send Mobile Code
Renew Mobile Code
Verify Mobile Code
Get Identity Quiz
Verify Identity Quiz
Get EFX Config
/users/identity
/users/get-mobile
/users/send-code
/users/renew-code
/users/verify-code
/users/get-quiz
/users/verify-quiz
/users/efx-config
Endpoints above are all available to the customer and require a preauth token, returned from /direct/user-reg or /direct/preauth-token
Initialize
Customer Login
Register New User
Password Recovery
Recovery Token Verify
Password Reset
Action Token
Change Email
Change Phone
Change Password
Change Recovery
Close Account
/users/initialize
/users/login
/users/register
/users/password-recovery
/users/recovery-token
/users/password-reset
/users/action-token
/users/change-email
/users/change-phone
/users/change-password
/users/change-recovery
/users/close-account
Endpoints above are not available for use when Direct API calls are used.
- Preauth Token (get)
/users/preauth-token/{paToken}
-
This request uses userId (from the response of /direct/user-reg) to generate a User Token.
The Preauth Token needed for this request is also generated by /direct/user-reg or /direct/preauth-token
-
- User Identity (post)
/users/identity
This endpoint is most useful for checking whether the user's identity needs to be verified.
If the response has idpass set to true, then the user's identity is already verified.
If idpass is false, then the user's identity needs to be verified.
The user's identity can be verified with either:
- /users/get-mobile (phone sms verification)
- /users/get-quiz (an identity quiz)
The user's identity must be verified in order to enable the user's device to request the Equifax config data.
The data in the Equifax config provides the necessary credentials for making requests to the Equifax API from the consumer's device.
- Phone Verify (get)
/users/get-mobile
- Send Mobile Code (post)
/users/send-code/{mtoken}
- Renew Mobile Code (post)
/users/renew-code
- Verify Mobile Code (post)
/users/verify-code
- Get Identity Quiz (get)
/users/get-quiz
- Verify Identity Quiz (post)
/users/verify-quiz
- Get EFX Config (get)
/users/efx-config
Use this endpoint to get the Equifax credentials and url
These will be needed for the consumer app to send requests to the Equifax API.
Equifax API
Equifax API calls must originate from the end-client
Equifax end-points are accessible by first using the User API /users/efx-config response data, and then the Equifax /oauth/token call. As mentioned above, User API and Equifax API calls are intended to be called from the end-client/user's device.
Equifax Documentation in Swagger
Endpoints
Credit Alerts
Credit Score
Credit Score History
Credit Report List
Credit Report
Credit Report Summary
Credit Report PDF
/v1/creditMonitoring
/v1/creditScore
/v1/creditScore/history
/v1/creditReport
/v1/creditReport/{reportId}
/v1/creditReport/{reportId}/summary
/v1/creditReport/{reportId}/print
- OAUTH Token (post)
/{efx_url}/oauth/token
For this path parameter, {efx_url}, use the url found in the response of a call to /users/efx-config.
A successful request to {efx_url}/oauth/token will return credentials required for other Equifax API calls.
- Health Check (get)
/{efx_url}/v1/creditMonitoring/healthcheck
- Credit Monitoring (get)
/{efx_url}/v1/creditMonitoring
- CreditReportList (get)
/{efx_url}/v1/creditReport
- Credit Report Summary (First in list) (get)
/{efx_url}/v1/creditReport/{reportId}/summary
- Full Credit Report (First in list) (get)
/{efx_url}/v1/creditReport/{reportId}
- Credit Report (First in list) - PRINT (get)
/{efx_url}/v1/creditReport/{reportId}/print
- Credit Score Latest (get)
/{efx_url}/v1/creditScore/latest
- Credit Score History (get)
/{efx_url}/v1/creditScore/history
Test API
Collection of end-points for testing webhooks
Endpoints
- New Pre-auth Token
/test/preauth-token/{userId}
- Webhook Test
/test/webhook/send/{userId}
- Webhook Sink
/test/webhook/sink
OpenAPI Definition File
The OpenAPI definition file can be downloaded or viewed in Swagger.