BT

Capital One Launches Developer Platform

| by Benjamin Young Follow 1 Followers on Apr 07, 2016. Estimated reading time: 3 minutes |

Capital One launched the DevExchange Beta developer site and initial API offering last month.

The three inaugural APIs (each in beta) go "beyond banking" and focus on various other components of a customer's experience with their Capital One account.

The currently featured product in the lineup is SwiftID: a two-factor authentication product that integrates with Capital One's iOS application (Android support is planned). The API is focused at developers offering a smoother and more secure sign-in path for their users who are also Capital One mobile-application users.

Two-factor systems are typically used for additional verification of user identity during the login process. Capital One has highlighted some additional target use cases such as checkout confirmations at time of purchase, invoice or estimate sign-off, and content-sharing approvals.

The API consists of a two-part request/response pattern:

  1. the developer sends a SwiftID "task" to be presented to the Capital One mobile application user
  2. SwiftID then notifies the developers' Webhook endpoint when the user responds to the request

A SwiftID task is a simple JSON document which is sent via POST to /identity/enhanced-authentication/tasks:

{
  "message": {
    "clientApp": "PixRMine",
    "action":"share your pictures",
    "requestorName":"with Snoopy"
    }
}

A successful response includes a taskReferenceId for matching with the Webhook callback responses sent when the user approves or rejects a request.

The mobile application user is presented with the values from the above JSON document via the following text template:

{clientApp} is requesting approval to {action} {requestorName}. Do you approve?

Upon response, a similarly small JSON document is set to the registered Webhook callback endpoint. It contains the taskReferenceId and taskStatus with a value of either APPROVED or REJECTED. Once received, the developer's application can react accordingly.

SwiftID is the easiest of the three currently available APIs for developers to take into production: "Any third-party developer may apply for production access and approval, and will be subject to meeting our standards for acceptable use cases."

The remaining two APIs have higher requirements due to their ability access private information about Capital One customers. For example, the Rewards API gives developers access to a Capital One card holder's miles, points, or cash rewards available for their accounts. The API does not yet support redeeming reward "currency," though that is planned for future releases.

Test data is provided for a handful of reward-bearing accounts as well as a test account that simulates a fraud scenario. There is an Apache License 2.0 licensed Node reference application which can be used to jump-start development with the Rewards API. However, developers should be advised that the usage guidelines for this API are much higher: "Production access will be granted on a case-by-case basis. Approval will be subject to meeting our standards for acceptable use cases." Similarly the Credit Offers API is limited to affiliate program members only: "You must be enrolled in the Affiliate program by Capital One in conjunction with 3rd party CJ Affiliate."

The higher level of production access requirements is not surprising due to the nature of the content sent and received via the API. For instance: "You identify the customer by passing in, as query parameters, the customer’s name, address, and social security number (either full or the last-four-digits)."

There is also no requirement for the customer in question to currently be a Capital One client as the API is partly intended to make Capital One credit cards available to one's own clients.

The returned information includes a statement of pre-qualification along with (potentially) a list of available product information including purchase APR, balance transfer terms, and annual membership fees.

All three APIs can be used against via the same sandbox (https://api-sandbox.capitalone.com) and production (https://api.capitalone.com) endpoints. They also share the same OAuth 2.0-based authorization flow, and have reference applications available via Capital One's GitHub account.

Developers may also be interested in Capital One's other open-source offerings such as the Hygieia DevOps Dashboard.

Rate this Article

Adoption Stage
Style

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Discuss
BT