API Guidelines

API Access Guidelines

The following are some API usage guidelines. This page is not intended to replace or supersede the guidelines and restrictions of your Schedule A Agreement from when you applied for access to API keys.

API Access Keys
Developers may not reuse API Keys between applications or credit unions. Developers will be assigned separate API Access Keys for each application they create. Developers may not share API Access Keys with any other party.
General
Developers may not store any part of the authentication process, including, but not limited to, Username, Password, Security Questions or Answers, in application or backend databases or servers. Developers may not store any Personal or Financial Information in any application or backend databases or servers.
Credentials API (Username/Password)
Developers may not store any part of the authentication process, including, but not limited to, Username, Password, Security Questions or Answers, in any application or backend databases or servers.
Accept User Agreement
Developers must display the User Agreement provided by the API. Developers must allow the member to accept or not accept the user agreement. If the member does not accept the user agreement, they will be denied access to further API calls and be unable to use CU*ANSWERS’ APIs and related Materials.
Create Security Questions
Developers must display the Security Questions provided by the API for selection by the member. Developers must allow a member to enter the third question either as a question provided by the API or as their own security question. A member must select 3 Security Questions, the third being custom or provided, and have an answer to each one.
Change Password
If the API provides the flag to have complex passwords turned on, the rules of such complex passwords must be displayed as provided by the API Documentation. Logic for complex passwords must be adhered to in the UI design. Password Length is determined by the Credit Union and can be no longer than 10 characters. Passwords are case sensitive.
Change Username
All usernames will be filtered by a bad word filter, as decided by the Credit Union.  CU*ANSWERS will not provide those words via an API.

  • Usernames are from 1 to 20 characters.
  • Usernames may contain only letters and numbers. No special characters are allowed.
  • Usernames may not start or end with a space.
  • Usernames are NOT case sensitive.
  • Usernames may NOT be all numbers.
  • Usernames may NOT contain member’s account number.
  • Usernames may NOT contain member’s first or last name.
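
The rules above as a client-side pre-check, as an added example (not CU*ANSWERS code). The `member` object and its field names are assumptions, as is reading "letters" as ASCII A-Z; the Credit Union's bad word filter is not provided via an API, so a username that passes here can still be rejected by the API.

```javascript
// Added example: pre-checks a proposed username against the listed rules.
// `member` is a hypothetical in-memory object for the signed-in member:
//   { accountNumber, firstName, lastName }
// Nothing is stored; the function only returns the list of violated rules.
function checkUsername(candidate, member) {
  const errors = [];
  // Usernames are NOT case sensitive, so compare in lower case.
  const lower = candidate.toLowerCase();

  // 1 to 20 characters.
  if (candidate.length < 1 || candidate.length > 20) errors.push("length");

  // May not start or end with a space.
  if (candidate !== candidate.trim()) errors.push("edge-space");

  // Letters and numbers only (assumption: ASCII letters and digits).
  if (!/^[A-Za-z0-9]*$/.test(candidate)) errors.push("charset");

  // May not be all numbers.
  if (/^[0-9]+$/.test(candidate)) errors.push("all-numeric");

  // May not contain the member's account number.
  const acct = String(member.accountNumber || "");
  if (acct && lower.includes(acct)) errors.push("account-number");

  // May not contain the member's first or last name, in any letter case.
  for (const name of [member.firstName, member.lastName]) {
    const n = (name || "").trim().toLowerCase();
    if (n && lower.includes(n)) {
      errors.push("member-name");
      break;
    }
  }
  return errors;
}

// Constructed sample member, for illustration only.
const sampleMember = { accountNumber: "123456", firstName: "Dana", lastName: "Reyes" };
console.log(checkUsername("riverbank42", sampleMember));
console.log(checkUsername("xDANAx", sampleMember));
```
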

Accept Default PIB Profile
If the Default PIB profile is required by the Credit Union, the UI must provide the PIB explanation along with the option to accept or back out of authentication. If the member does not accept the default PIB Profile (if required), they will be denied access to further API Calls and be unable to use our services.

Access Control

API Access is granted on multiple levels.

  • By Credit Union. Each Credit Union will have a Vendor list.  We have the ability to turn off an entire Credit Union from API access at any time.  This would remove access to all Vendors and all Applications for the Credit Union.
  • By Vendor. We have the ability to turn on/off a Vendor at any time.  This would remove access to each application the vendor has associated with it, but leave the other Vendors for the CU as is.
  • By Application. Each application a vendor publishes will be assigned an access key to our APIs. Turning off an Application would remove access to all APIs enabled for the Application.
  • By API. Each Application will have APIs enabled or disabled based on assignment from CU*ANSWERS. Access to each of these APIs on the Application level can be turned on and off at any time.