M2P Fintech API documentation

Tenant Header

Every API request must include the TENANT header — a unique identifier assigned during onboarding.

TENANT: BANK_TENANT_ID

The tenant header determines:

Required on Every Request

Requests without a valid TENANT header will return 400 Bad Request with error code tenant.header.missing.

DCMS uses JWT (JSON Web Token) based authentication.

Request

POST /api/authenticate
Content-Type: application/json

Request Body

{
  "username": "api_user",
  "password": "encrypted_password"
}

Response

{
  "id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

Include the token in the Authorization header along with the TENANT header:

Authenticated Request

POST /card/activate
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
TENANT: BANK_TENANT_ID
Content-Type: application/json

Property	Detail
Type	JWT (JSON Web Token)
Expiry	Configurable — typically 1 hour
Refresh	Re-authenticate to obtain a new token
Scope	Token scoped to the authenticated user's role and permissions

For sensitive operations (PIN, card data), the gateway supports encrypted request bodies:

Property	Detail
Algorithm	ECDH key exchange + AES-256
Key Exchange	Encryption keys exchanged during onboarding
Decryption	Handled automatically at the gateway
Sensitive Responses	Fields like card number and CVV encrypted in response

Security Requirement

PIN values must never be sent in clear text. Always use the encrypted PIN block format (HSM-compatible) provided during onboarding.

Role	Access Level
Admin	Full access — all APIs including configuration and user management
Operations	Card lifecycle, customer management, reporting
Read-Only	View-only — card details, transaction history, reports
API Integration	Programmatic access for system-to-system integration