POST /applications/{applicationId}/reveal-sensitive-data
Reveal sensitive application data
Reveals specific sensitive data fields for an application. This endpoint requires the readApplicationSensitiveData permission and all requests are audit logged.
For owner-specific fields (socialSecurityNumber, dateOfBirth, driversLicenseNumber, driversLicenseExpiration, passportNumber, passportExpiration), either ownerId, ownerUniqueId, or ownerEmail must be provided.
For business-level fields (dbaTaxID, bankAccount), no owner specification is needed.
All sensitive data revealed through this endpoint is tracked in audit logs with the event ApplicationSensitiveDataRevealed.
Authentication Required
Authorization: Bearer {token}
header string This header is required to access this endpoint
Required Parameters
applicationId
path string The unique ID of the application
Optional Parameters
x-account-id
header string The account ID for the request
x-user-to-log-for-request
header string Required when using API keys for authentication. This header must contain a descriptive identifier (minimum 5 characters) that will be logged for audit purposes to track who is accessing sensitive data through your API key. For example: "support_agent_john_doe" or "underwriting_system_v2". This can be overridden per field using the userToLogForRequest property in the request body.
Request Body
[
  { "field": "string", "ownerId": 0, "ownerUniqueId": 0, "ownerEmail": "string", "userToLogForRequest": "string" }
]

[
  { "field": "dbaTaxID" },
  { "field": "bankAccount" }
]

[
  { "field": "socialSecurityNumber", "ownerUniqueId": "owner123" },
  { "field": "dateOfBirth", "ownerEmail": "john.doe@example.com" }
]

[
  { "field": "dbaTaxID" },
  { "field": "socialSecurityNumber", "ownerUniqueId": "owner123" },
  { "field": "driversLicenseNumber", "ownerEmail": "jane.smith@example.com" }
]

[
  { "field": "dbaTaxID", "userToLogForRequest": "support_ticket_12345" },
  { "field": "socialSecurityNumber", "ownerId": 123, "userToLogForRequest": "agent_jane_doe_verification" },
  { "field": "bankAccount", "userToLogForRequest": "automated_underwriting_system" }
]
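The field and audit-identifier rules described above can be checked client-side before a reveal request is sent, so that no call goes out without an owner identifier or an attributable audit identity. This is an added example, not part of the original documentation or the project's code; buildRevealRequest, RevealItem and RevealRequest are hypothetical names, and it assumes API-key authentication and a JSON Content-Type header.

```typescript
// Added example. Field names and rules come from the endpoint description above;
// buildRevealRequest, RevealItem and RevealRequest are hypothetical names.
const OWNER_FIELDS = ["socialSecurityNumber", "dateOfBirth", "driversLicenseNumber",
  "driversLicenseExpiration", "passportNumber", "passportExpiration"];
const BUSINESS_FIELDS = ["dbaTaxID", "bankAccount"];
const MIN_AUDIT_ID_LENGTH = 5;

interface RevealItem {
  field: string;
  ownerId?: number;
  ownerUniqueId?: number | string; // schema says integer, the page's examples use strings
  ownerEmail?: string;
  userToLogForRequest?: string;    // per-field override of the audit header
}

interface RevealRequest {
  method: string;
  path: string;
  headers: { [name: string]: string };
  body: string;
}

function buildRevealRequest(applicationId: string, token: string,
                            auditUser: string, items: RevealItem[]): RevealRequest {
  if (items.length < 1) throw new Error("request body needs at least one field");
  if (auditUser.trim().length < MIN_AUDIT_ID_LENGTH)
    throw new Error("x-user-to-log-for-request must be at least 5 characters");
  for (const item of items) {
    const isOwnerField = OWNER_FIELDS.indexOf(item.field) !== -1;
    if (!isOwnerField && BUSINESS_FIELDS.indexOf(item.field) === -1)
      throw new Error("unknown field: " + item.field);
    const hasOwner = [item.ownerId, item.ownerUniqueId, item.ownerEmail].some(v => v !== undefined);
    if (isOwnerField && !hasOwner)
      throw new Error(item.field + " needs ownerId, ownerUniqueId or ownerEmail");
    const override = item.userToLogForRequest;
    if (override !== undefined && override.trim().length < MIN_AUDIT_ID_LENGTH)
      throw new Error("userToLogForRequest must be at least 5 characters");
  }
  return {
    method: "POST",
    path: "/applications/" + encodeURIComponent(applicationId) + "/reveal-sensitive-data",
    headers: {
      "Authorization": "Bearer " + token,
      "Content-Type": "application/json", // assumption: not stated on the page
      "x-user-to-log-for-request": auditUser,
    },
    body: JSON.stringify(items),
  };
}
```

The returned object carries no host name; the caller joins `path` to its own base URL and sends it with whatever HTTP client it already uses.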
Responses
Description
Sensitive data revealed successfully
{
  "success": true,
  "applicationId": "string",
  "data": [
    {
      "field": "string",
      "value": "string",
      "ownerId": 0,
      "ownerUniqueId": "string",
      "ownerEmail": "string",
      "ownerName": "string"
    }
  ]
}
Description
Bad Request - Invalid request body or field specification
{ "error": "string", "status": 0 }
Description
Unauthorized - User not authenticated or lacks permission
{ "error": "string", "status": 0 }
Description
Not Found - Application or owner not found
{ "error": "string", "status": 0 }
Description
Internal server error
{ "error": "string", "status": 0 }
References
#/components/parameters/xAccountIdHeader
in: header
name: x-account-id
schema:
  type: string
description: The account ID for the request
required: false

export type xAccountIdHeader = any; // Schema type not fully supported

#/components/schemas/RevealRequestBody
type: array
items:
  type: object
  properties:
    field:
      type: string
      enum:
        - socialSecurityNumber
        - dateOfBirth
        - driversLicenseNumber
        - driversLicenseExpiration
        - passportNumber
        - passportExpiration
        - dbaTaxID
        - bankAccount
      description: The sensitive field to reveal
    ownerId:
      type: integer
      description: Auto-Inc ID of the business owner (required for owner-specific fields)
    ownerUniqueId:
      type: integer
      description: Unique ID of the business owner (required for owner-specific fields)
    ownerEmail:
      type: string
      format: email
      description: Email of the business owner (alternative to ownerId for owner-specific fields)
    userToLogForRequest:
      type: string
      minLength: 5
      description: >
        When using API keys, this field can override the x-user-to-log-for-request header
        for this specific field request. Must be at least 5 characters and should identify
        who is accessing this data through your API key.
  required:
    - field
minItems: 1

export type RevealRequestBody = { [key: string]: any }[];

#/components/schemas/RevealResponseBody
type: object
properties:
  success:
    type: boolean
    example: true
  applicationId:
    type: string
    description: The application ID
  data:
    type: array
    items:
      type: object
      properties:
        field:
          type: string
          description: The field that was revealed
        value:
          type: string
          description: The decrypted value (or null if empty)
        ownerId:
          type: integer
          description: The auto inc owner ID (for owner-specific fields)
        ownerUniqueId:
          type: string
          description: The unique owner ID (for owner-specific fields)
        ownerEmail:
          type: string
          description: The owner email (for owner-specific fields)
        ownerName:
          type: string
          description: The owner's full name (for owner-specific fields)

export interface RevealResponseBody {
  success?: boolean;
  /** The application ID */
  applicationId?: string;
  data?: {
    field?: string;
    value?: string;
    ownerId?: number;
    ownerUniqueId?: string;
    ownerEmail?: string;
    ownerName?: string;
  }[];
}

#/components/schemas/Error
type: object
properties:
  error:
    type: string
    description: Error message
  status:
    type: integer
    description: HTTP status code
description: Error response object

export interface Error {
  /** Error message */
  error?: string;
  /** HTTP status code */
  status?: number;
}

Route Source Code
Check out the source code for this route entrypoint here: /applications/[applicationId]/reveal-sensitive-data/route.ts
Or the swagger.yaml spec this documentation was generated from:
/applications/[applicationId]/reveal-sensitive-data/swagger.yaml