POST /applications/{applicationId}/reveal-sensitive-data
Reveal sensitive application data
Reveals specific sensitive data fields for an application. This endpoint requires the readApplicationSensitiveData permission and all requests are audit logged.
For owner-specific fields (socialSecurityNumber, dateOfBirth, driversLicenseNumber, driversLicenseExpiration, passportNumber, passportExpiration), either ownerId, ownerUniqueId, or ownerEmail must be provided.
For business-level fields (dbaTaxID, bankAccount), no owner specification is needed.
All sensitive data revealed through this endpoint is tracked in audit logs with the event ApplicationSensitiveDataRevealed.
Authentication Required
Authorization: Bearer {token}
header string This header is required to access this endpoint
Required Parameters
x-account-id
header string Account ID for the request
applicationId
path string The unique ID of the application
Optional Parameters
x-user-to-log-for-request
header string Required when using API keys for authentication. This header must contain a descriptive identifier (minimum 5 characters) that will be logged for audit purposes to track who is accessing sensitive data through your API key. For example: "support_agent_john_doe" or "underwriting_system_v2". This can be overridden per field using the userToLogForRequest property in the request body.
Request Body
[
  { "field": "string", "ownerId": 0, "ownerUniqueId": 0, "ownerEmail": "string", "userToLogForRequest": "string" }
]

[
  { "field": "dbaTaxID" },
  { "field": "bankAccount" }
]

[
  { "field": "socialSecurityNumber", "ownerUniqueId": "owner123" },
  { "field": "dateOfBirth", "ownerEmail": "john.doe@example.com" }
]

[
  { "field": "dbaTaxID" },
  { "field": "socialSecurityNumber", "ownerUniqueId": "owner123" },
  { "field": "driversLicenseNumber", "ownerEmail": "jane.smith@example.com" }
]

[
  { "field": "dbaTaxID", "userToLogForRequest": "support_ticket_12345" },
  { "field": "socialSecurityNumber", "ownerId": 123, "userToLogForRequest": "agent_jane_doe_verification" },
  { "field": "bankAccount", "userToLogForRequest": "automated_underwriting_system" }
]
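A client-side pre-flight check for the rules described above (owner-specific fields need an owner selector, API-key requests need an audit identifier of at least 5 characters), as an added example that is not this API's own code. The names validateRevealItems, buildRevealRequest, Auth, the usingApiKey flag, the baseUrl argument and the Content-Type header are assumptions; the request is built but not sent.

```typescript
// Added example; validateRevealItems, buildRevealRequest, Auth and baseUrl are hypothetical names.
const OWNER_FIELDS = ["socialSecurityNumber", "dateOfBirth", "driversLicenseNumber",
  "driversLicenseExpiration", "passportNumber", "passportExpiration"];
const BUSINESS_FIELDS = ["dbaTaxID", "bankAccount"];

interface RevealItem {
  field: string;
  ownerId?: number;
  ownerUniqueId?: number | string; // schema says integer, the page's examples use strings
  ownerEmail?: string;
  userToLogForRequest?: string;
}
// usingApiKey is an assumption: the caller knows which credential type it holds.
interface Auth { token: string; accountId: string; usingApiKey: boolean; userToLog?: string; }

// Returns every rule violation found; an empty array means the request may be sent.
function validateRevealItems(items: RevealItem[], auth: Auth): string[] {
  const errors: string[] = [];
  if (items.length < 1) errors.push("body needs at least one item (minItems: 1)");
  if (auth.usingApiKey && (auth.userToLog === undefined || auth.userToLog.trim().length < 5))
    errors.push("x-user-to-log-for-request (min 5 characters) is required with API keys");
  items.forEach((item, i) => {
    const ownerField = OWNER_FIELDS.indexOf(item.field) !== -1;
    if (!ownerField && BUSINESS_FIELDS.indexOf(item.field) === -1)
      errors.push("[" + i + "] field is not in the documented enum: " + item.field);
    const hasOwner = item.ownerId !== undefined || item.ownerUniqueId !== undefined
      || item.ownerEmail !== undefined;
    if (ownerField && !hasOwner)
      errors.push("[" + i + "] " + item.field + " needs ownerId, ownerUniqueId or ownerEmail");
    if (item.userToLogForRequest !== undefined && item.userToLogForRequest.trim().length < 5)
      errors.push("[" + i + "] userToLogForRequest must be at least 5 characters");
  });
  return errors;
}

// Builds the request (method, URL, headers, body) without sending it; throws on any violation.
function buildRevealRequest(baseUrl: string, applicationId: string, items: RevealItem[], auth: Auth) {
  const errors = validateRevealItems(items, auth);
  if (errors.length > 0) throw new Error(errors.join("; "));
  const headers: Record<string, string> = {
    "Authorization": "Bearer " + auth.token,
    "x-account-id": auth.accountId,
    "Content-Type": "application/json",
  };
  if (auth.userToLog !== undefined) headers["x-user-to-log-for-request"] = auth.userToLog;
  const url = baseUrl + "/applications/" + encodeURIComponent(applicationId) + "/reveal-sensitive-data";
  return { method: "POST", url: url, headers: headers, body: JSON.stringify(items) };
}
```

Rejecting a malformed request before it leaves the client keeps failed reveal attempts out of the audit trail, so the ApplicationSensitiveDataRevealed events that remain are easier to review.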
Responses
Description
Sensitive data revealed successfully
{
  "success": true,
  "applicationId": "string",
  "data": [
    {
      "field": "string",
      "value": "string",
      "ownerId": 0,
      "ownerUniqueId": "string",
      "ownerEmail": "string",
      "ownerName": "string"
    }
  ]
}
Description
Bad Request - Invalid request body or field specification
{
  "error": "string",
  "status": 0,
  "message": "string"
}
Description
Unauthorized - User not authenticated or lacks permission
{
  "error": "string",
  "status": 0,
  "message": "string"
}
Description
Not Found - Application or owner not found
{
  "error": "string",
  "status": 0,
  "message": "string"
}
Description
Internal server error
{
  "error": "string",
  "status": 0,
  "message": "string"
}
References
#/components/parameters/xAccountIdHeader
in: header
name: x-account-id
schema:
  type: string
description: Account ID for the request
required: true
example: "2311"

export type xAccountIdHeader = any; // Schema type not fully supported

#/components/schemas/RevealRequestBody
type: array
items:
  type: object
  properties:
    field:
      type: string
      enum:
        - socialSecurityNumber
        - dateOfBirth
        - driversLicenseNumber
        - driversLicenseExpiration
        - passportNumber
        - passportExpiration
        - dbaTaxID
        - bankAccount
      description: The sensitive field to reveal
    ownerId:
      type: integer
      description: Auto-Inc ID of the business owner (required for owner-specific fields)
    ownerUniqueId:
      type: integer
      description: Unique ID of the business owner (required for owner-specific fields)
    ownerEmail:
      type: string
      format: email
      description: Email of the business owner (alternative to ownerId for owner-specific fields)
    userToLogForRequest:
      type: string
      minLength: 5
      description: >
        When using API keys, this field can override the x-user-to-log-for-request header
        for this specific field request. Must be at least 5 characters and should identify
        who is accessing this data through your API key.
  required:
    - field
minItems: 1

export type RevealRequestBody = { [key: string]: any }[];

#/components/schemas/RevealResponseBody
type: object
properties:
  success:
    type: boolean
    example: true
  applicationId:
    type: string
    description: The application ID
  data:
    type: array
    items:
      type: object
      properties:
        field:
          type: string
          description: The field that was revealed
        value:
          type: string
          description: The decrypted value (or null if empty)
        ownerId:
          type: integer
          description: The auto inc owner ID (for owner-specific fields)
        ownerUniqueId:
          type: string
          description: The unique owner ID (for owner-specific fields)
        ownerEmail:
          type: string
          description: The owner email (for owner-specific fields)
        ownerName:
          type: string
          description: The owner's full name (for owner-specific fields)

export interface RevealResponseBody {
  success?: boolean;
  /** The application ID */
  applicationId?: string;
  data?: {
    field?: string;
    value?: string;
    ownerId?: number;
    ownerUniqueId?: string;
    ownerEmail?: string;
    ownerName?: string;
  }[];
}

#/components/schemas/Error
type: object
properties:
  error:
    type: string
    description: Error message
  status:
    type: integer
    description: HTTP status code
  message:
    type: string
    description: Detailed error message
description: Error response object
required:
  - error

export interface Error {
  /** Error message */
  error: string;
  /** HTTP status code */
  status?: number;
  /** Detailed error message */
  message?: string;
}

Route Source Code
Check out the source code for this route entrypoint here: /applications/[applicationId]/reveal-sensitive-data/route.ts
Or the swagger.yaml spec this documentation was generated from:
/applications/[applicationId]/reveal-sensitive-data/swagger.yaml