Onboard via API (Direct Integration)

This guide introduces the direct API onboarding integration. Collect your customers' profiles and documents directly in your application and submit them to Harbor in a single payload.

Based on the customer's type (business or individual), select the appropriate guide below:


1. Shared Infrastructure & Common Parts

Regardless of whether you are onboarding a business or an individual, the core infrastructure, endpoints, lifecycle, headers, and error handling remain identical.

1.1 Environments & Base URLs

EnvironmentBase URL
Sandboxhttps://harbor-sandbox.owlpay.com
Productionhttps://harbor.owlpay.com

The endpoints use standard authentication with your application's API key.

1.2 Authentication & Headers

HeaderRequiredNotes
X-API-KEYYesYour application API key.
Content-TypeYesMust be application/json.
AcceptYesMust be application/json.
Idempotency-KeyYes for POST/PATCHA unique value per logical request. Replays with the same key within 24h are de-duplicated and return 409 idempotency_conflict, making retries safe.

1.3 Core Endpoints

MethodPathPurpose
POST/api/v1/customers/{{customer_uuid}}/onboardingSubmit onboarding data. Returns 202 Accepted.
GET/api/v1/customers/{{customer_uuid}}/onboardingFetch latest onboarding status.
PATCH/api/v1/customers/{{customer_uuid}}/onboardingModify/correct submitted sections during action_required.

2. Meta APIs (Reference-Data Lookups)

Dynamic lookup endpoints must be called in real-time to display correct dropdown values in your user interface. Some are shared, while others are specific to the onboarding type:

2.1 Shared Meta APIs

  • Address Subdivisions (state):
    GET /api/v1/countries/{country}/subdivisions
    Used to obtain ISO 3166-2 state/subdivision codes (e.g. VA for Virginia, ENG for England). Submit the subdivision code in address payloads. Omit state for countries with no subdivisions.

2.2 Business-Specific (KYB) Meta APIs

  • Job Titles / Positions:
    GET /api/v1/job-titles
    Returns allowed roles for directors, UBOs, and representatives (associated_persons[].position).
  • Industry Classifications:
    GET /api/v1/countries/{country}/industries
    Returns allowed industry slugs for the company's country of incorporation (company.industry).

2.3 Individual-Specific (KYC) Meta APIs

  • Occupations:
    GET /api/v1/occupations
    Returns allowed occupation values for individuals (individual.occupation).

3. Onboarding Status & Lifecycle

Every onboarding process proceeds through the same state machine:

graph TD
    POST --> processing
    processing --> submitted
    processing --> action_required
    processing --> failed["failed (systemic error)"]
    action_required -->|you PATCH| processing
    submitted --> verified
    submitted --> rejected

    classDef terminal fill:#f9f,stroke:#333,stroke-width:2px;
    class verified,rejected,failed terminal;
StatusMeaningDeveloper Action
processingHarbor is validating and forwarding the submission.Wait.
action_requiredThe submission has errors or outstanding requirements.Read pending_requirements and update via PATCH.
submittedSent to the compliance provider; awaiting checks.Wait.
verifiedVerification passed successfully.Done. Customer is cleared to transact.
rejectedVerification did not pass (terminal).Handled per your business policy.
failedSystemic error on Harbor or compliance provider (terminal).You may submit a new onboarding.

4. Tracking Progress

Option A — Status Polling (GET)

Call GET /api/v1/customers/{{customer_uuid}}/onboarding periodically. When the status is action_required, inspect the pending_requirements array.

Option B — Webhooks (Recommended)

Subscribe to the following webhook events to receive real-time updates:

  • customer_onboarding.submitted — accepted for verification
  • customer_onboarding.action_required — requires data correction
  • customer_onboarding.verified — verification passed
  • customer_onboarding.rejected — verification failed
  • customer_onboarding.failed — systemic failure

5. Size Limits

To prevent upload timeouts, adhere strictly to the following size limits across all files (passports, corporate certificates, proof of address, etc.):

  • Per File: ≤ 10 MB (after base64 decoding).
  • Whole Request: ≤ 50 MB (total decoded size of all files in the request body).

6. Global Error Code Reference

When validation or business rules are violated, Harbor returns standard validation error arrays (422) or explicit error codes:

HTTPCodeMeaning
422Field-level validation failed (returns specific invalid fields).
4222306Customer is already KYC/KYB verified.
4092302An onboarding is already in progress for this customer. Only one active onboarding is allowed.
4092305PATCH attempted while status is still processing. Wait and try again shortly.
4092303PATCH attempted on a finalized onboarding (status is not action_required).
404Customer not found in your application.