Credit Builder Card API-First Documentation
Please note: If your company is integrating our Card product using only our APIs, you’re in the right spot!
Overview
Upwardli provides a seamless and secure way for businesses to enable a credit building card to their end users. End users can incorporate credit building into their daily activities by loading money to their FDIC insured DDA account and then swiping their card at any location where Mastercard is accepted. Upwardli’s platform customers are able to monetize the card through interchange, deposit interest, and expedited external payments.
Introduction
Welcome to the Credit Builder Card! Our documentation will walk you through the basics (authentication, request structure) to using and creating the financial products associated with the Credit Builder Card (accounts, cards, payments, etc.).
The introduction covers basic concepts you should be familiar with in order to make the most out of the Upwardli card issuance and management platform.
How the Credit Builder Card Works
- The card’s available credit is equal to:
- the available funds that the user maintains in a linked deposit account, plus
- any verified incoming payments to the user, such as payments due for wages or gig work
- The user may obtain a physical, digital card or both. The user makes purchases anywhere Mastercard is accepted.
- As the user makes purchases on the card, an equal amount of funds in the linked deposit account are put on hold, and the card’s available credit decreases in an equal amount.
- The cardholder may opt in to automatic payments to pay off balances as they incur charges, but must pay the card’s balance in full on the payment due date.
- If the balance is not paid on time and the DDA balance is at zero the card will freeze until the user has made a payment.
- By default, there are no fees to use the card and the user is charged 0% APR.
Implementation Options
Upwardli offers three ways to integrate the credit builder card into your website or mobile app for your credit program.
- Use Credit Builder Card APIs. When integrating credit builder cards into your own website or app, this option offers flexibility in designing a unique user experience including the credit services and financial products you wish to offer. This option provides a secure, PCI-compliant, customizable experience for purchasing and providing basic banking services (i.g statements, transaction, history, card management, etc).
- Use our Embedded Integration. The embedded flow is a drop-in module that enables you to seamlessly offer a credit builder card within your app or web page. It allows individuals to easily access their credit and credit builder card details securely without redirecting away from your app or website.
- Leverage an Upwardli Hosted App. If you do not want to build and host a credit account and banking experience, Upwardli can handle the product build and push to your app store instance. This approach offers less flexibility and, while easier to implement, it requires higher platform fees.
Environments
There are two types of environments for the Upwardli Credit Suite:
- Sandbox
You can test out your integration and explore common usage patterns in our sandbox environment. This environment is fully isolated and will not perform any “live” financial transactions.
You can request sandbox access once you have a signed contract.
Important: The Sandbox environment is fully secure, but you should not store any real consumer data here.
- Production
Once you have completed sandbox testing and submitted your test plans, you will be provisioned production access keys. These details will be shared with you via a secure sharing mechanism. All transactions in our production environment are live financial activity.
Getting Started
Regardless of which method you choose for integration you will always need to follow our authentication methods.
Authentication
Upwardli’s API uses OAuth 2.0 to authenticate requests. All API calls must include a token. These authentication tokens are used for machine to machine communication.
Note: An invalid, missing or expired token will result in an {invalid_token} response
URLs
Environment URL Sandbox Authentication https://auth-sandbox.upwardli.com/auth/token
Production Authentication https://auth.upwardli.com/auth/token
Tokens
Upwardli has the concept of three different tokens:
- Customer Onboarding Tokens: are system level and assigned to a specific organization that allows you to onboard new users. Once a user is onboarded you would use the customer token to access their specific information.
- Customer Access Tokens: are specific to an end user also known as consumers in our product and only provide data specific to that consumer. These tokens are used to secure our embedded components.
- Partner API Tokens: are highly secure tokens that are used to integrate your backend platform with Upwardli’s APIs. These tokens SHOULD NOT BE USED OUTSIDE OF DIRECT API CALLS BETWEEN YOUR SYSTEM AND UPWARDLI.
When a token is created, it is assigned a set of Scopes. The scopes define the resources that can be accessed using the token, and the access level (read/write) that will be allowed using that token.
NOTE ON TOKEN EXPIRATION: Partner API Tokens expire after 10 hours have elapsed since creation, and Customer Access Tokens expire after 1 hour
If a new token is not requested then it will result in a 403 screen.
Scopes
Scopes define the access level of a token.
A list of all scopes within Upwardli:
Requesting Tokens Using The API
The Upwardli API uses OAuth 2.0 for authentication and authorization. Before you can use the API, you must obtain an access token using the client_id and client_secret provided to you. Once a token has been obtained, it must be passed in the Authorization header of each request to the API.
Customer Onboarding Token Request
To request a token send a POST to our auth server containing your client ID and client secret values.
POST https://auth-sandbox.upwardli.com/auth/token/
Here’s a cURL example for the token request:
Here’s what a successful response looks like:
Exchanging Partner API Token for a Customer Token
Once a valid token has been obtained using the Authentication API, a limited scope token can be obtained using the token exchange API. This token can be used to make requests for a specific consumer, and is safe to send to the client application/web browser as needed.
To request a token exchange send a POST to our auth server containing the access_token and requested scope.
This token expires after 1 hour and will need to be exchanged for a new token for the customer to continue to have access.
Notes:
- The audience must be for the correct Environment.
- Sandbox:
https://auth-sandbox.upwardli.com - Production:
https://auth.upwardli.com
- Sandbox:
- The upwardli_consumer_id is the Upwardli id that you get from the Consumer API or the
consumer.createdwebhook. - The new access token is a significantly longer string than the original access token.
POST https://auth-sandbox.upwardli.com/auth/token/exchange/
Here’s what a successful response looks like:
Onboarding a New User
A consumer is the individual end user that you are creating a credit product. Consumers are limited to individuals using a valid SSN or ITIN, or single-member LLCs (coming soon).
A Consumer record is automatically created once an application is started and Upwardli will manage the ongoing regulatory requirements tied to application notice, approval and denial notifications to the end user.
Consumer onboarding is a fully asynchronous process due to the KYC and Banking integrations, which are themselves asynchronous. Our design goal for customers interacting with the Onboarding component is to capture data in realtime, and then process asynchronously. This will reduce elapsed consumer interaction time and improve the customer experience.
NOTE: we recommend listening to webhooks. to be notified of the status of each consumer as they make their way through the application and approval process. You will have access to the consumers financial products once they have been fully onboarded and approved.
All consumers are created as part of our onboarding. Regardless of the integration method you’ll need to use our embedded iframe to offer our application flow. We do allow you to customize the UI of the application but to ensure consistent and fair lending practices we own the specific language and disclosures surrounding the application process.
Authentication & Loading the Onboarding Embedded Flow
AuthenticationTip: Your API Key and Secret will be shared with you by your Upwardli client team.
The first step in integrating your product is to configure authentication. All Upwardli components and APIs require Oauth tokens for access.
Creating the Consumer Record
POST https://api-sandbox.upwardli.com/v2/consumers/
Body
Response
Upwardli sends out a consumer.created webhook message to your server. The Upwardli Servers will send a webhook message to you with the following general schema, indicating that the consumer record was created on our side.
You Link the Upwardli ID to your Local Object. Upon receiving the webhook message, you will parse it for the eventName property and determine that this message means that a new consumer was created. You can then call the url in the resources property to get information about that consumer.
Example of output via API - assuming the consumer stopped before complete KYC and that you did not pre-fill any data for that user.
NOTE: At the time of creation, the user has not completed KYC, so their personal data has not been captured and will be null in the response body.
Onboarding Flow UI Specifics
Our onboarding endpoints expose hooks into the custom onboarding workflows created for your consumers. Each step/section can be completed individually and in any order. API-based Consumer onboarding can begin once the consumer object has been created.
The details below outline the standard flow of onboarding a consumer:
- Get Started
- Verify the Consumer’s Identity (KYC)
- [optional] Provide Underwriting decisioning
- [optional] Provide product decision details
- Accept Terms
Additionally, we support adding per-consumer metadata to each onboarding object.
Step 1: Get Started
To start the onboarding workflow for a user, you post a message containing the pcid of the consumer and an onboarding_template_id value of card_onboarding. The API will return a partially hydrated onboarding object containing the consumer’s current onboarding state.
POST https://api-sandbox.upwardli.com/v2/onboarding/
Body
Response
Step 2: Verify the Consumer’s Identity (KYC)
Each consumer will see an entry screen that will highlight the value props and also include the appropriate disclaimers for the product.
POST https://api-sandbox.upwardli.com/v2/onboarding/{onboarding_id}/verify_identity
Body
Response
Step 3: Provide product decision details
The is optional step allows you to provide external data for decisioning for consumer underwriting.
POST https://api-sandbox.upwardli.com/v2/onboarding/{onboarding_id}/select-product
Body
Response
Step 4: [optional] Provide Underwriting decisioning
The is optional step allows you to provide external data for decisioning for consumer underwriting.
POST https://api-sandbox.upwardli.com/v2/onboarding/{onboarding_id}/perform-underwriting
Body
Response
Step 5: Accept Terms
Once a user has accepted the terms of their loan + card agreements, you can update their onboarding workflow to reflect the date/time that the agreements were accepted.
POST https://api-sandbox.upwardli.com/v2/onboarding/{onboarding_id}/accept-terms/
Body
Response
Step 6: Submit Loan
Once a user has accepted the terms of their loan + card agreements, you are ready to submit their loan data. This step will also begin to provision their cards and any associated loans and bank accounts
After onboarding completion
- The consumer bank account and card may not be open at this point while we are completing the onboarding with the bank. Once the accounts and card are provisioned you will receive a webhook message called PaymentCard.Created
- If a user doesn’t order a physical to start they can order under card management. A partner can order on behalf of a user by calling the card.order API
POST https://api-sandbox.upwardli.com/v2/onboarding/{onboarding_id}/submit-loan/
Body
Response
Managing Metadata on the Onboarding Object
You can add/update metadata on the onboarding object as a set of key/value pairs.
Example: Adding Metadata
POST https://api-sandbox.upwardli.com/v2/onboarding/{onboarding_id}/metadata/
Body
Response
Example: Updating Metadata
PUT https://api-sandbox.upwardli.com/v2/onboarding/{onboarding_id}/metadata/
Body
Response
Getting Information on an In-Progress Onboarding
Once a user has accepted the terms of their loan + card agreements, you are ready to submit their loan data. This step will also begin to provision their cards and any associated loans and bank accounts
After onboarding completion
- The consumer bank account and card may not be open at this point while we are completing the onboarding with the bank. Once the accounts and card are provisioned you will receive a webhook message called PaymentCard.Created
- If a user doesn’t order a physical to start they can order under card management. A partner can order on behalf of a user by calling the card.order API
POST https://api-sandbox.upwardli.com/v2/onboarding/{onboarding_id}
Body
Response
Managing Metadata on the Onboarding Object
Working with the Persona Control
The next section describes best practices for integrating the Persona embedded controls within your existing onboarding flow.
You can pre-fill data for your consumer to reduce onboarding friction. If you want to pre-fill data for your consumer see the section entitled: “KYC Data Pre-Fill” below.
Consumer Completes the KYC step(s)
Once the user has successfully completed KYC, then we will send a further webhook with an event_name of consumer.updated
When you retrieve the updated consumer record related to this webhook, you will see that the kyc_status value has changed to "kyc_status": "Complete", indicating that this consumer has successfully completed the KYC step. In some cases, we will need to complete a manual review of the information provided by the consumer.
This webhook will also allow you to see the KYC information that was provided by the consumer when completing this step. We do not provided the full tax_identifier.
NOTE: KYC completed does not mean the consumer has completed onboarding or that a card product has been provisioned.
TIP: If you do not receive the webhook you can call the Consumer endpoint to retrieve the consumer details.
Optional: KYC Data Pre-Fill
Before loading the embedded component, you can pre populate data for a consumer by calling the api: POST: https://api-sandbox.upwardli.com/v2/consumer/ and providing the following fields:
Edge Cases / Unhappy path:
- If a user does not complete KYC, then you will only receive the consumer.created message
- If a user fails KYC, then we will send a consumer.updated webhook, with a kyc_status value of Failed. We will not open a credit line for any users who do not pass KYC.
Example of a Complete Onboarding Object
Post Onboarding API Interactions
Once a consumer is onboarded you have two option to display consumer account and card details.
- Embedded widget - we display the UI for you in our hosted components, you have control over the look and feel but not the layout.
- API - you query our platform for the raw data and have full control of how you display it in your own UI (beyond what is listed in the box below)
For PCI reasons you will also need to use our embedded widget for Card Display and Card Management such as PIN reset, Freeze / Unfreeze, and Lost / Stolen options.
Card Management
The card management widget is intended to give consumers the ability to view their card, update actions tied to their card (transaction history, PIN set, ATM locator, freeze a card). A consumer will also be able to view their credit score, see statements, make payments and initiate transfers.
Card Management via API
When using our API method post onboarding you will be able to pull specific information regarding card details, transfers, credit insights and other actions directly into your app or website. The only two areas where you will need to use our standalone embedded widgets are (1) card image and (2) card details (i.e PIN set, freeze card, etc).
Authentication
You will need to authenticate to get access to the APIs you will use the URL below and the a Partner API Token with the applicable API url.
Important Parameters
Card Image
This entry spot will provide a PCI compliant way to display the card image and transaction details for the user. A user will be able to add their card details to their Apple or Google mobile wallet manually. In-app push provisioning will be available in 2H 2025.
Related API Table
Below is a list of the API calls used to populate the Card Management embedded component.
Example: Payment Card
GET https://api-sandbox.upwardli.com/v2/consumers/{consumer_id}/payment-cards/
Response
Partner + Product Endpoint
Get Partner Details
GET https://api-sandbox.upwardli.com/v2/partners/
Response
Get Partner Product Details
GET https://api-sandbox.upwardli.com/v2/partners/{partner_id}/products
Response
Example: Accounts
GET https://api-sandbox.upwardli.com/v2/consumers/{consumer_id}/accounts/
Response
Example: Credit Insights
GET https://api-sandbox.upwardli.com/v2/credit-insights/{consumer_id}/summary/
Response
POST https://api-sandbox.upwardli.com/v2/accounts/
Response
Transactions
Real-Time Transaction Handling
If you sign up to participate in the real-time authorization, we will sent purchase request data to a pre-defined endpoint on your system via HTTP POST. You will have 600ms to respond to this request, otherwise we will automatically decline the transaction.
Sample HTTP Headers:
Sample Message Body:
In order to approve the purchase, you must reply with the following response:
Here are the most common Response codes
00— Success10— Approved for partial amount51— Insufficient funds59— Suspected fraud63— Suspected fraud (Mastercard only)
For a list of all possible response codes, you can view this page.
Example: Get Transaction History
GET https://api-sandbox.upwardli.com/v2/payment-cards/{payment_card_id}/transactions/
Response
Example: Create ACH
POSThttps://api-sandbox.upwardli.com/v2/payments/ach/
Example: Fund Card
Note: payment_card_id is not bank account id
Sandbox Activity Simulation Endpoints
Example: Simulate Card Auth
Example: Simulate Card Settlement
Card Actions
Freeze
Note: payment_card_id is not bank account id
POST https://api-sandbox.upwardli.com/v2/payment-cards/{payment_card_id}/freeze
Unfreeze
Note: payment_card_id is not bank account id
POST https://api-sandbox.upwardli.com/v2/payment-cards/{payment_card_id}/unfreeze
Lost or Stolen
Note: payment_card_id is not bank account id
POST https://api-sandbox.upwardli.com/v2/payment-cards/{payment_card_id}/replace-lost-stolen/
Replace Card
POST https://api-sandbox.upwardli.com/v2/payment-cards/{payment_card_id}/reissue/
Credit Goals
Credit Goals via API
Example: Credit Insights
GET https://api-sandbox.upwardli.com/v2/credit-insights/{consumer_id}/summary/
Response
Profile
Important Parameters
Profile via API
Example: Statements
GET https://api-sandbox.upwardli.com/v2/consumers/{consumer_id}/statements
https://api-sandbox.upwardli.com/v2/consumers/{consumer_id}/statements/{pdf_filename}/download
General API information
If you are utilizing the API approach you will also want to access other APIs for requesting specific information about Upwardli resources
Embedded Component Endpoints
The Credit Builder Card API provides access to several different types of detail.
You decide which of the experiences you want to include:
Using the Upwardli Webhooks
By design we do not include extensive information about the webhook data sources. To learn more about the object referenced by the webhook, you can use the url[s] in the webhook body to make api requests.
Available Webhooks
Webhook Message Description
All Upwardli webhook messages use the same format. To learn more about the resource(s) that are referenced by a specific webhook message, you can make an API request to the url(s) inside of the resources property.
Webhook Authentication
Upwardli’s webhooks are secured using a Hashed Message Authentication Code (HMAC) in the webhook message header. The name of this header value is Upwardli-Signature. The Upwardli-Signature header contains two comma-separated key-value pairs encoding information about the request.
The first key-value pair will be in the form t=<unix_timestamp> and represents the unix time that the request was sent. The second key-value pair will be in the form v1=WeNeedSomethingHere, where the signature is a sha256 hash computed from the consumers webhook secret and a dot-separated string composed of the unix timestamp joined with the request body.
Note: computing the signature is sensitive to the exact characters input into the algortihm. The request data should be a json string with no whitespace formatting.
Sample Data
Example decode in Python
Registering for Webhook Messages
POST https://api-sandbox.upwardli.com/v2/webhooks/registrations/
Header
Example Request Body
Get All Webhook Registrations
GET https://api-sandbox.upwardli.com/v2/webhooks/registrations/
Header
Example Response
Sandbox Testing and Activity Simulation
Example: Fund Card
Note: payment_card_id is not back account id
Example: Simulate Card Auth
Note: payment_card_id is not back account id
Example: Simulate Card Settlement
Note: payment_card_id is not bank account id
Change Log