Workflow Reference

Select the appropriate workflow based on your business requirements and operational context.

Business Goal	Recommended Workflow	Key Endpoints	Prerequisites
Standard user enrollment with email activation	User Registration Workflow	/user/registration → /user/activate-token → /user/site/{siteId}/login	Email delivery system, password management
Frictionless consumer opt-in through issuer channels	Guest Enrollment Workflow	/user/v2/enrollments → /user/change-password-from-passcode	CLIENT_ID header, OFAC compliance, consent management
Secure external partner enrollment	External Guest Enrollment	/user/external/guest/enrollments	Message-level encryption, external partner agreements
Email-based authentication without passwords	Passwordless Login	/user/pwless-login-send-otp → /user/site/{siteId}/login/pwless-otp	Email OTP delivery, domain validation
Enhanced security with two-factor authentication	MFA Setup Workflow	/user/mfa/totp/setup → /user/mfa/totp/enroll	TOTP application support, NOT_ENROLLED status
Bulk user data migration	Migration Workflow	/migrate → /migrate/status → /migrate/{migrationBatchId}	MIGRATE_USERS scope, batch processing capability
Customer service and support operations	Concierge Workflow	/concierge/cardholder-details → /concierge/send-code	SYSTEM_USER_R scope, issuer site association

User Account Workflows

New User Onboarding Sequence

POST /user/registration → Create account with email validation
Email activation link sent automatically by system
POST /user/activate-token/{userId} → Complete activation
POST /user/site/{siteId}/login → First authenticated login

Critical Dependencies: Account creation must complete before activation. Account activation must complete before login attempts.

Password Reset Workflow

POST /user/send-passcode → Request reset code
POST /user/find-code → Verify code validity
POST /user/change-password-from-passcode → Set new password

Security Note: Old password is not required for passcode-based password changes.

Site Registration Workflow

Verify user has existing GMAP account with active status
POST /user/register/{siteId} → Register user to specific site with attributes
User gains access to site-specific features and data

Business Rule: Site attributes are customizable per site configuration and isolated per site ID.

Passwordless Login Workflow

POST /user/pwless-login-send-otp → Send passwordless login OTP to user's email
POST /user/site/{siteId}/login/pwless-otp → Authenticate using OTP (no password required)

Requirements: Domain validation and lockout protection. Users may be locked out from passwordless login due to failed attempts.

Alias Management Workflow

POST /user/alias → Create or update user login alias
User can login with alias instead of primary identifier
POST /user/alias/delete → Remove alias when no longer needed

Validation Rule: User aliases must be unique within tenant scope and require proper user authentication for all operations.

Administrative Workflows

User Revalidation Workflow

POST /user/re-validate or POST /user/internal/batch/re-validate to trigger revalidation
System calls OFAC screening, MOE sync, or program enrollment based on callType parameter
Background processing updates user status and attributes

CallType Options: OFAC (sanctions screening), MOE (system sync), ENROLL_PROGRAM_AND_MOE (combined program enrollment and sync).

Migration Workflow

POST /migrate to submit bulk user migration request with batch ID
System processes users and saves migration records with detailed status tracking
GET /migrate/status to check migration progress and error reporting
POST /migrate/{migrationBatchId} to retry failed migrations if needed

Business Logic: Failed migrations can be retried by batch ID without reprocessing successful records.

Duplicate Account Cleanup

Identify duplicate user accounts using POST /user/queries
POST /user/internal/clean-duplicate-accounts to merge duplicate accounts
System retains active or updated user and transfers unique data from deleted account

Caution: Duplicate cleanup operations may take extended time for complex merges and data transfers.

Concierge Customer Service Workflow

GET /concierge/cardholder-details → Look up customer information
GET /concierge/cardholder-history → Review customer interaction history
POST /concierge/send-code → Trigger password reset email for customer
Concierge can assist with account issues using administrative privileges

Access Control: Concierge access is restricted by issuer site associations and requires proper permissions for cardholder information access.

DTS Integration Workflow

POST /dts/save → Save DTS user details into user-mgmt database
GET /dts/find → Fetch DTS user details by userDetailsId
GET /dts/find-for-update → Retrieve DTS details for update operations
DELETE /dts/delete → Delete DTS user details when no longer needed

Integration Note: DTS tokens are managed separately from main user authentication and require USER-ATTRIBUTES_RW scope.

Workflow Dependencies

Technical Prerequisites

OAuth2 client credentials must be established before any API calls
Site ID must be configured and known for authentication endpoints
User account must exist and be activated before authentication attempts
Valid session/token required for most user-specific operations

Sequential Dependencies

Account Creation: /user/registration must complete before activation
Account Activation: /user/activate-token/{userId} must complete before login
Authentication: Login must complete before accessing protected resources
MFA Setup: TOTP setup must complete before enrollment
Password Reset: Passcode must be sent before verification/reset

Parallel Operations

Multiple users can be registered simultaneously
Profile updates and password changes are independent
Administrative queries can run concurrently
Migration batches can process in parallel

Visa Platforms Login