Available Endpoints

This guide lists all Hackathon 2025 Endpoints for your integrations, grouped by service, with Run in Postman badges so you can try APIs instantly. Replace placeholders with your environment values as needed.


All endpoints require a valid OAuth 2.0 token and appropriate scopes.

Authorization: Bearer <OAuth_Token>
Content-Type: application/json

Common HTTP responses to handle:

  • 401 Unauthorized — Missing/invalid token
  • 403 Forbidden — Not permitted (e.g., full account number)
  • 404 Not Found — Unknown identifiers
  • 400 Bad Request — Malformed request body/params

🔐 Credentials – Let’s Unlock the Secrets!

OAuth 2.0 (What’s That?): Think of OAuth 2.0 as the bouncer at an exclusive club (your API). You can’t just walk in and start using things — you need to show your credentials. OAuth is how you prove you’re allowed in.

When you’re working with APIs that require access to private data (like user profiles, orders, or secret sauce settings), you need to authenticate and authorize your app. That’s where OAuth 2.0 comes in — it’s a security protocol that ensures only approved applications can access protected resources.


🏷️ What’s a Registered Application?

A registered application is just your app’s official identity card in the API world.

When you register an app:

  • You get a Client ID (like your app’s username)
  • And a Client Secret (like its password — keep it safe!)

With this combo, your app can request access tokens, which are short-lived keys that let it do cool stuff like access data, make purchases, or see a user’s info — all while keeping things secure.

⚠️ Just like your Netflix password, never share your Client Secret publicly. Rotate or revoke it if you suspect it’s been exposed.


🌍 B2B vs D2C – What’s the Difference?

These acronyms sound fancy, but they just describe who you’re building for.

  • B2B (Business to Business): You’re building apps that serve individual end-users. Think: shopping apps, fitness trackers, or anything where normal humans log in and do stuff.

  • D2C (Direct to Consumer): This is a more modern term that often overlaps with B2C, but with a twist — you’re building for brands selling directly to consumers, often bypassing middlemen. Think: a skincare company with its own branded website, app, and fulfillment system.

💡 In this project, we’ve already created two separate apps for you — one for B2C and one for D2C. That means you don’t have to worry about setup — just grab your credentials and go!


Here’s a quick cheat sheet comparing the two OAuth flows used in D2C and B2B apps:

| Feature | Authorization Code Flow (D2C) | Client Credentials Flow (B2B) |
|---|---|---|
| Primary Actor | A human user grants permission. | The application acts on its own behalf. |
| Involvement | Interactive (user must log in and consent). | Non-interactive (completely automated). |
| Browser Used? | Yes, for redirection and the consent screen. | No, it’s a direct server-to-server call. |
| Credentials Used | Client ID to start, then Client Secret on the backend to get a token. | Client ID and Client Secret are used directly to get a token. |
| Token Represents | The user’s delegated authority to the app. | The application’s own authority. |

🧠 When to Use the Client Credentials Grant

The Client Credentials flow is your go-to for non-interactive, behind-the-scenes scenarios — no humans required!

Here are a few perfect use cases:

  • 🔄 Backend Services: A microservice in your infrastructure needs to fetch data from another internal service that’s protected by OAuth 2.0.

  • 📅 Automated Scripts & Cron Jobs: A scheduled task that runs every night to update a product catalog or generate a report by calling a secure API.

  • 🔧 CLI (Command Line Interface) Tools: A developer tool that interacts with your company’s APIs on behalf of the organization, not an individual user.

  • 📊 Accessing Application-Owned Data: Your app needs to pull its own analytics, configuration, or stored data from a service provider’s API — not tied to any user account.

💡 Remember: This flow is ideal when your app is the only actor — no user logins, no consent screens, just pure machine-to-machine magic.
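
The client credentials exchange described above, combined with the "Common HTTP responses to handle" list near the top of this guide, as an added example that is not code from this guide or from the API provider. It assumes a placeholder token endpoint (`TOKEN_URL` is not given on this page), HTTP Basic client authentication at that endpoint, and the standard `access_token` / `expires_in` token response; `AdminClient`, `ApiError` and `http_send` are hypothetical names.

```python
import base64, json, time, urllib.error, urllib.parse, urllib.request

TOKEN_URL = "https://auth.example.invalid/oauth2/token"  # ASSUMPTION: placeholder, not from this guide
API_BASE = "https://hackathonfinancial.orb.alkamitech.com"
REASONS = {400: "malformed request body/params", 401: "missing/invalid token",
           403: "not permitted for this client", 404: "unknown identifier"}

class ApiError(Exception):
    def __init__(self, status):
        super().__init__(f"HTTP {status}: {REASONS.get(status, 'unexpected response')}")
        self.status = status

def http_send(method, url, headers, body=None):
    """Default transport (urllib). Returns (status, parsed JSON body or None)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, None

class AdminClient:
    """Hypothetical helper: client-credentials token plus status handling."""
    def __init__(self, client_id, client_secret, send=http_send):
        pair = f"{client_id}:{client_secret}".encode()
        self._basic = "Basic " + base64.b64encode(pair).decode()
        self._send, self._token, self._expires = send, None, 0.0

    def _bearer(self, force=False):
        # Reuse the in-memory token until 30 s before it expires.
        if force or self._token is None or time.time() >= self._expires - 30:
            form = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
            status, data = self._send("POST", TOKEN_URL, {"Authorization": self._basic,
                "Content-Type": "application/x-www-form-urlencoded"}, form)
            if status != 200:
                raise ApiError(status)  # the secret never appears in errors or logs
            self._token = data["access_token"]
            self._expires = time.time() + data.get("expires_in", 300)
        return "Bearer " + self._token

    def get(self, path):
        for retry in (False, True):  # one forced token refresh on 401, then give up
            headers = {"Authorization": self._bearer(force=retry),
                       "Content-Type": "application/json"}
            status, data = self._send("GET", API_BASE + path, headers)
            if status != 401:
                break
        if status == 200:
            return data
        raise ApiError(status)  # 400/403/404 are not retried: a new token will not help
```

Load the Client ID and Client Secret from the environment or a secrets manager rather than from source code, for example `AdminClient(os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"])`; those variable names are hypothetical.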


🗝️ Getting Your Keys (aka Your API Passport)

We’ve done the heavy lifting for you 🎉 — the registered apps are ready!

  • Who’s got them? Your teammate Alkamist 🎩
  • What do they have?
      • The client credentials for both B2C and D2C
      • A ready-to-use Postman environment with prefilled variables

🔐 Rotate or revoke keys immediately if exposed — don’t let sneaky gremlins into your app.


Now you’re ready to authorize like a pro. Grab your keys, flex those tokens, and let the hacking begin 🚀💥

Below are common endpoint groups to help you navigate quickly. Use Swagger for the complete list and schemas.


These are primarily used for backend, server-to-server scenarios.

Swagger UI: https://hackathonfinancial.orb.alkamitech.com/AFX/V2/index.html?urls.primaryName=Admin

  • GET /admin/v1/entities/{entityIdentifier} — Retrieve business entity info
  • GET /admin/v1/entities/{entityIdentifier}/features — Retrieve enabled features
  • GET /admin/v1/entities/{entityIdentifier}/payment-companies — List payment companies
  • GET /admin/v1/entities/{entityIdentifier}/limits — Retrieve transaction limits

Example:
GET https://hackathonfinancial.orb.alkamitech.com/admin/v1/entities/12345
Authorization: Bearer <OAuth_Token>

200 Response

{
  "entityIdentifier": "12345",
  "businessName": "Alkami Bank",
  "status": "Active"
}

Swagger UI: https://hackathonfinancial.orb.alkamitech.com/AFX/V2/index.html?urls.primaryName=Admin

  • GET /admin/v1/users/{userIdentifier}/accounts-search — Search user accounts
  • GET /admin/v1/users/{userIdentifier}/accounts/{accountIdentifier} — Account details
  • GET /admin/v1/users/{userIdentifier}/accounts/{accountIdentifier}/number — Full account number (may return 403)
  • POST /admin/v1/user-search — Search for user profiles

Example:
GET https://hackathonfinancial.orb.alkamitech.com/admin/v1/users/98765/accounts-search
Authorization: Bearer <OAuth_Token>

200 Response

{
  "userIdentifier": "98765",
  "accounts": [
    { "accountNumber": "123456789", "type": "Checking", "balance": 5000.00 },
    { "accountNumber": "987654321", "type": "Savings", "balance": 10000.00 }
  ]
}

🎉️ The N&E team has created a special alpha endpoint for you to conduct notification activities for this hackathon!

Swagger UI: Coming Soon

⚠️ Templates aren’t currently supported in the alpha

  • POST /admin/v1/notifications — Sends one or more notifications

Example:
POST https://hackathonfinancial.orb.alkamitech.com/admin/v1/notifications
Authorization: Bearer <OAuth_Token>

202 Response

{
  "statusCode": 202,
  "location": "/admin/v1/notifications/{notificationId}"
}

These services are designed for direct end-user interactions.

Swagger UI: https://hackathonfinancial.orb.alkamitech.com/AFX/v2/index.html

  • GET /accounts/{accountIdentifier} — Retrieve account details
  • GET /accounts/{accountIdentifier}/transactions — Get recent transactions for an account
  • POST /accounts/{accountIdentifier}/transfer — Initiate a funds transfer

Example:
GET https://hackathonfinancial.orb.alkamitech.com/afx/v2/accounts/123456789
Authorization: Bearer <OAuth_Token>

200 Response

{
  "accountIdentifier": "123456789",
  "accountType": "Checking",
  "balance": 3200.50,
  "currency": "USD"
}

Swagger UI: https://hackathonfinancial.orb.alkamitech.com/AFX/swagger/ui/index

  • GET /accounts — List all accounts for the logged-in user
  • GET /accounts/{accountIdentifier}/transactions — List transactions for an account

Example:
GET https://hackathonfinancial.orb.alkamitech.com/afx/accounts
Authorization: Bearer <OAuth_Token>

200 Response

{
  "accounts": [
    { "accountIdentifier": "111222333", "type": "Savings", "balance": 15000.00 },
    { "accountIdentifier": "444555666", "type": "Checking", "balance": 3000.75 }
  ]
}


Swagger UI: https://hackathonfinancial.orb.alkamitech.com/CUFX/swagger/ui/index

  • Bank/credit union integration endpoints (members, accounts, transactions) as defined in CUFX specs.

Use Swagger to filter by tag (e.g., Members, Accounts, Transfers) and copy request bodies directly.


Swagger UI: https://hackathonfinancial.orb.alkamitech.com/ORBFX/swagger/ui/index

  • ORBFX service operations exposed for hackathon scenarios.

The Try it out button in Swagger is great for quickly validating request/response shapes before you automate them.




  1. Open the appropriate Swagger UI from the Base URLs above.
  2. Authenticate with the correct OAuth client for the hackathon environment.
  3. Click an endpoint in Swagger (or use the Postman badge) and send a request.
  4. Verify the response schema and error codes.

Heads up: These endpoints are for hackathon/demo purposes only. Do not use production credentials.




Every developer hits snags — especially during a hackathon. Take a breath, review the docs, and ask questions. You’ve got this 🚀