Apto APIs

Core API

Our Core API provides access to all the users created in your card program. This API is designed to be called your backend. This is in contrast to the Mobile API (below), which is designed to be used by individuals (cardholders) who are using your end-user application.

In Enterprise card programs, the Core API allows you to create and manage cardholders and cards (as defined in your card program), and exposes information regarding cardholders, cards (except PCI-protected data) and transactions under your card programs.

However, production API keys for the Instant Issuance program are set to GET-only access. This means you will have access to read-only data via the API, and you should use the SDKs to provide card management functionality to cardholders.

If your platform is PCI-DSS-Level 1 compliant, the Core API will return PCI data in the card object so you can make use of it on your platform. If your platform is not PCI compliant, PCI data will not be present in that payload.

With the Core API, information will flow from the Apto platform to your backend and on to the cardholder’s mobile application, with private API keys used to secure the communication. These API keys are a pair of values (client_id and client_secret) that you can generate in Dashboard. Every call you make to the Apto Core API must include these values.

CAUTION: Your private API keys provide access to all your cardholders’ data. Do not make these values public or use them outside of your private infrastructure. Never use Core API credentials in user-facing applications.

The Core API uses HTTP basic authentication, using the standard Authorization header field to send the client ID and client secret. Once in place, the Core API will give you access to all of the cardholders who sign up for your card programs.

Please check our API reference documentation to learn more about this API.

Mobile API

The Mobile API is designed to enable user interactions in any final user (cardholder) application across any platform (web, iOS, Android).

The Mobile API gives access to everything a cardholder might need, including: cardholder onboarding, KYC, card issuance, card management, and transaction management. With this API, you can allow cardholders to block or unblock cards, activate physical cards, get a card’s information, view total and available balance, and more.

The Mobile API can return PCI-protected card information, such as the PAN, CVV, or expiration date. The API endpoint for this functionality has additional security checks, which protects you from the burden of PCI compliance by ensuring that PCI-protected data is only delivered to the cardholder. This functionality is also encapsulated in Apto’s PCI SDK.

Strong authentication of the cardholder, based on two-factor authentication (2FA), is required to give access to the card and transaction data. Your users will need to verify their phone number and date of birth as their primary and secondary credentials in order to obtain a secure user session token that will then give access to their data.

In the Instant Issuance program, a session token lasts one year, though it is reset every time a cardholder logs out of their application. In Enterprise card programs, both the session length and the primary are secondary credentials requested from cardholders are configurable. For example, you could change to email verification instead of phone. In sandbox mode, the session length is configured at 15 minutes so that you can test the verification process.

Our Mobile API provides access to the information of a unique cardholder, and is designed to be used by end users. This API uses a public API key that identifies your card program, along with the user’s session token.

The Mobile API expects two header fields:

  • Api-Key - containing the public mobile API key of your custodian
  • Authorization - using HTTP Bearer standard containing your user’s session token

Because the Mobile API is designed to be used from the end user’s application, do not use your private Core API credentials (client_id and client_secret).

For convenience, Apto also offers SDKs that wrap the Mobile API so that you don’t need to deal with the network requests. Use of the SDKs is required in the Instant Issuance program.