Onboard via API (Direct Integration)
This guide introduces the direct API onboarding integration. Collect your customers' profiles and documents directly in your application and submit them to Harbor in a single payload.
Based on the customer's type (business or individual), select the appropriate guide below:
Business Onboarding: Learn how to submit company profiles, associated persons (directors, UBOs, representatives), and corporate registration documents in one single API request.
Individual Onboarding: Learn how to submit personal details, residence address, and identity documents. Also covers mandatory biometric/live face scanning.
1. Shared Infrastructure & Common Parts
Regardless of whether you are onboarding a business or an individual, the core infrastructure, endpoints, lifecycle, headers, and error handling remain identical.
1.1 Environments & Base URLs
| Environment | Base URL |
|---|---|
| Sandbox | https://harbor-sandbox.owlpay.com |
| Production | https://harbor.owlpay.com |
The endpoints use standard authentication with your application's API key.
1.2 Authentication & Headers
| Header | Required | Notes |
|---|---|---|
X-API-KEY | Yes | Your application API key. |
Content-Type | Yes | Must be application/json. |
Accept | Yes | Must be application/json. |
Idempotency-Key | Yes for POST/PATCH | A unique value per logical request. Replays with the same key within 24h are de-duplicated and return 409 idempotency_conflict, making retries safe. |
1.3 Core Endpoints
| Method | Path | Purpose |
|---|---|---|
POST | /api/v1/customers/{{customer_uuid}}/onboarding | Submit onboarding data. Returns 202 Accepted. |
GET | /api/v1/customers/{{customer_uuid}}/onboarding | Fetch latest onboarding status. |
PATCH | /api/v1/customers/{{customer_uuid}}/onboarding | Modify/correct submitted sections during action_required. |
2. Meta APIs (Reference-Data Lookups)
Dynamic lookup endpoints must be called in real-time to display correct dropdown values in your user interface. Some are shared, while others are specific to the onboarding type:
2.1 Shared Meta APIs
- Address Subdivisions (
state):
GET /api/v1/countries/{country}/subdivisions
Used to obtain ISO 3166-2 state/subdivision codes (e.g.VAfor Virginia,ENGfor England). Submit the subdivisioncodein address payloads. Omitstatefor countries with no subdivisions.
2.2 Business-Specific (KYB) Meta APIs
- Job Titles / Positions:
GET /api/v1/job-titles
Returns allowed roles for directors, UBOs, and representatives (associated_persons[].position). - Industry Classifications:
GET /api/v1/countries/{country}/industries
Returns allowed industry slugs for the company's country of incorporation (company.industry).
2.3 Individual-Specific (KYC) Meta APIs
- Occupations:
GET /api/v1/occupations
Returns allowed occupation values for individuals (individual.occupation).
3. Onboarding Status & Lifecycle
Every onboarding process proceeds through the same state machine:
graph TD
POST --> processing
processing --> submitted
processing --> action_required
processing --> failed["failed (systemic error)"]
action_required -->|you PATCH| processing
submitted --> verified
submitted --> rejected
classDef terminal fill:#f9f,stroke:#333,stroke-width:2px;
class verified,rejected,failed terminal;
| Status | Meaning | Developer Action |
|---|---|---|
processing | Harbor is validating and forwarding the submission. | Wait. |
action_required | The submission has errors or outstanding requirements. | Read pending_requirements and update via PATCH. |
submitted | Sent to the compliance provider; awaiting checks. | Wait. |
verified | Verification passed successfully. | Done. Customer is cleared to transact. |
rejected | Verification did not pass (terminal). | Handled per your business policy. |
failed | Systemic error on Harbor or compliance provider (terminal). | You may submit a new onboarding. |
4. Tracking Progress
Option A — Status Polling (GET)
Call GET /api/v1/customers/{{customer_uuid}}/onboarding periodically. When the status is action_required, inspect the pending_requirements array.
Option B — Webhooks (Recommended)
Subscribe to the following webhook events to receive real-time updates:
customer_onboarding.submitted— accepted for verificationcustomer_onboarding.action_required— requires data correctioncustomer_onboarding.verified— verification passedcustomer_onboarding.rejected— verification failedcustomer_onboarding.failed— systemic failure
5. Size Limits
To prevent upload timeouts, adhere strictly to the following size limits across all files (passports, corporate certificates, proof of address, etc.):
- Per File: ≤ 10 MB (after base64 decoding).
- Whole Request: ≤ 50 MB (total decoded size of all files in the request body).
6. Global Error Code Reference
When validation or business rules are violated, Harbor returns standard validation error arrays (422) or explicit error codes:
| HTTP | Code | Meaning |
|---|---|---|
422 | — | Field-level validation failed (returns specific invalid fields). |
422 | 2306 | Customer is already KYC/KYB verified. |
409 | 2302 | An onboarding is already in progress for this customer. Only one active onboarding is allowed. |
409 | 2305 | PATCH attempted while status is still processing. Wait and try again shortly. |
409 | 2303 | PATCH attempted on a finalized onboarding (status is not action_required). |
404 | — | Customer not found in your application. |