Introduction
The Onboarding API offers Device Management functionality, allowing partners to register specific devices to users linked to an account. With this functionality, it is possible to reinforce transaction security, ensuring that only authorized devices can perform transactions, which will be validated through the device token.
Device Registration
The registration of a new device for transaction validation is performed through a flow divided into three steps:
I. Registration Request (POST)
In this step, a POST request is sent containing:
- Device data obtained via device_scan
- Information required for two-factor authentication (2FA)
Upon completing the request, a 2FA token is generated and sent to the user (by email or SMS). This token ensures that the registration is being performed by the person effectively authorized to link the device.
If authentication is performed through facial recognition, the image_key acquired through liveness must be sent in the 2FA field. In this case, it will not be necessary to go through the next validation steps.
II. 2FA Token Validation (PUT/PATCH)
After receiving the 2FA token, the user must validate it using a PUT request. If the code needs to be resent (due to loss, non-receipt, or expiration), a PATCH request is used to request a new token.
Once the token is successfully validated, the device will be effectively registered in the system.
III. Authentication with Device Token in Future Transactions
With the device properly registered, it can be used for validation of future transactions. Transactions will be authenticated using the device token, making the process more secure and reliable.
Query a Device
It is possible to query information about a specific device through a GET request, providing the account_key and device_key. This operation returns device details, including its current status, creation date, and last update.
Deactivate a Device
When necessary, a device can be deactivated through a DELETE request. Once deactivated, the device can no longer be used for transaction validation, ensuring greater control over operation security.
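The lifecycle described above (registration, 2FA validation or resend, device-token use, deactivation), modeled as an added in-memory Python example; it is not the Onboarding API's own code. Method names, status values, the 6-digit code format and the 300-second code lifetime are assumptions; account_key, device_key, device_scan and image_key are the names used on this page.

```python
import hmac
import secrets
import time

CODE_TTL = 300  # assumption: 2FA code lifetime in seconds (the page gives no value)

def _eq(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time comparison

class DeviceRegistry:
    """In-memory model; method names and status values are hypothetical."""
    def __init__(self, clock=time.time, liveness_ok=lambda image_key: False):
        self.devices, self.clock, self.liveness_ok = {}, clock, liveness_ok

    def _issue_code(self, rec):
        if rec["status"] != "PENDING":
            raise ValueError("device is not awaiting 2FA")
        rec["code"] = f"{secrets.randbelow(10**6):06d}"  # overwrites any earlier code
        rec["expires"] = self.clock() + CODE_TTL
        return rec["code"]  # in production: delivered by email or SMS, never returned

    def _activate(self, rec):
        rec.update(status="ACTIVE", code=None, device_token=secrets.token_urlsafe(32))
        return rec["device_token"]

    def register(self, account_key, device_scan, image_key=None):  # step I (POST)
        if image_key is not None and not self.liveness_ok(image_key):
            raise PermissionError("liveness check failed")
        device_key = secrets.token_hex(8)
        rec = self.devices[device_key] = dict(account_key=account_key, scan=device_scan, status="PENDING")
        if image_key is not None:  # facial recognition: step II is skipped
            return device_key, None, self._activate(rec)
        return device_key, self._issue_code(rec), None

    def resend(self, device_key):  # step II (PATCH)
        return self._issue_code(self.devices[device_key])

    def validate(self, device_key, code):  # step II (PUT)
        rec = self.devices[device_key]
        live = rec["status"] == "PENDING" and self.clock() <= rec["expires"]
        return self._activate(rec) if live and _eq(rec["code"], code) else None

    def deactivate(self, device_key):  # DELETE
        self.devices[device_key].update(status="INACTIVE", code=None, device_token=None)

    def authorize(self, account_key, device_key, device_token):  # step III
        rec = self.devices.get(device_key)
        return bool(rec and rec["status"] == "ACTIVE" and rec["account_key"] == account_key
                    and _eq(rec["device_token"], device_token))
```

register returns (device_key, 2FA code, device token); exactly one of the last two is set, depending on whether the facial-recognition path was taken.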