Credentials

API for managing worker and applicant credentials.

📄️Get credential

Fetch a single credential by ID.

📄️Replace credential

Replace credential properties wholesale. Body must include all required fields. Owner unchanged — use /link, /unlink, /transfer to change it.

📄️Soft delete credential

Marks the credential as removed.

📄️Partially update credential

Apply a partial update. Owner changes are rejected — use /link, /unlink, /transfer.

📄️List credentials

Search credentials with optional filters. Owner filter accepts EITHER `ownerType+ownerId` (synthetic ID) OR `ownerType+ownerExternalId` (upstream HRIS/ATS ID, optionally narrowed by `ownerSourceSystem`). Other filters: credentialType, category, jurisdiction, status, eligibility, expiringBefore (ISO 8601 date). Soft-deleted credentials are excluded by default; pass `includeDeleted=true` to include them.

📄️Create credential

Create a new credential. Server generates a synthetic `cred_<16chars>` ID. At least one of `owners.worker` or `owners.applicant` must be supplied; both are allowed and means the credential is linked to both. Owner is immutable after create — use /link, /unlink, or /transfer to change it.

📄️Verify a credential

Run an entity-bound verification of this credential against the issuing registry. Updates the credential's verification fields (eligibility, statusDetail, lastVerifiedDate, verificationAuthority) on success. The response carries a correlationId — either echoed from the request body or server-generated — that is also included in the credential.verified webhook payload so callers can match the asynchronous delivery back to this request.

📄️Unlink an owner

Remove an owner reference from this credential. Refuses if it would leave the credential with zero owners (DELETE the credential instead).

📄️Transfer an owner reference on a single credential

Move the owner reference of one credential addressed by ID in the path. Clears the {@code from} slot and sets the {@code to} slot — when {@code from.type} and {@code to.type} differ this is the canonical applicant→worker re-anchoring; when they're the same type it's a swap (correcting a wrong id). The body's {@code credentialIds} field is ignored on this single-credential variant; use {@code POST /credentials/transfer} for the bulk shape.

📄️Manually reject a credential

Mark this credential as rejected by a human reviewer. Sets status=REVOKED, eligibility=MAY_NOT_ENGAGE.

📄️Link an additional owner to a single credential

Add an owner reference to one credential addressed by ID in the path. The credential entity is unchanged — we just register a new relationship. Idempotent: linking to the same owner twice is a no-op. Linking when that owner-type slot already holds a different ID returns 409 — use {@code POST /credentials/{id}/transfer} to replace. The body's {@code from} and {@code credentialIds} fields are ignored on this single-credential variant; use {@code POST /credentials/link} for the bulk shape.

📄️List credential attachments

Returns metadata for every file attached to the credential. Response excludes the actual file content — fetch each attachment's `/content` URL to download bytes.

📄️Upload an attachment (JSON+base64)

Convenience endpoint for clients that already serialise as JSON. Provide the file bytes as a base64-encoded `data` field plus `fileName` and `mimeType`.

📄️Manually approve a credential

Mark this credential as approved by a human reviewer. Sets status=ACTIVE, eligibility=MAY_ENGAGE, statusDetail=VALID. Prefer /verify for automated registry-backed checks.

📄️Transfer credentials between owners

Move owner references on one or more credentials from `from` to `to`. The credential entities are unchanged — we update the relationship pointers. If `credentialIds` is omitted, transfers ALL credentials currently owned by `from` (the canonical applicant→worker hire-correction flow). If provided, restricted to those IDs. Each item is atomic at the credential level. Best-effort batch — items that don't currently belong to `from` are reported as `skipped` with code OWNER_MISMATCH. Capped at 500 credentials per request.

📄️Link credentials to an additional owner

Add a new owner reference to one or more credentials. The credential entities themselves are unchanged — we just register a new relationship. If `credentialIds` is omitted, links every credential currently associated with `from` (the canonical applicant→worker hire flow). If provided, restricted to those IDs (which must currently be linked to `from`). Idempotent: items already linked to the target are reported as `noop`. A different ID in the target slot is reported as `skipped` with code ALREADY_LINKED — use /transfer to replace. Best-effort batch (failures don't block successes). Capped at 500 credentials per request.

📄️Get a single attachment's metadata

Get a single attachment's metadata

📄️Hard-delete an attachment

Removes the attachment from the credential permanently. Cannot be undone.

📄️Download attachment content

Returns the raw file bytes with the original `Content-Type` and a `Content-Disposition` set to the original filename. Auth-gated — the endpoint URL is not a signed link.

📄️List supported credential types

Read-only catalogue of credential type codes the platform understands. Used by admin tooling and ATS integrators when authoring screening packages. Filter by `category` (SCREENING / GOVERNMENT_ID / LICENSE / CERTIFICATION) to scope the list. Codes are stable — drop a code only via a deprecation cycle.

📄️Compliance roll-ups

Aggregated counts by status, category, jurisdiction, and eligibility. Soft-deleted credentials excluded.