Admin Console
API Documentation
Full setup guide for admin APIs, AI calling-agent support, and automatic reset-link email flow.
This platform supports phone-based recovery via your own AI or human-assisted agent. The recommended flow is: identity check, OTP verification, then automatic reset-link email delivery.
Use this if your bank wants a call-center style recovery journey while keeping visual-password reset secure and auditable.
For language-specific examples in Java, Node.js, PHP, Go, and ASP.NET, open the AI Calling Agent Guide.
1. Log in to the Admin Console with an admin account.
2. Go to Developers and API and create a partner key.
3. Store the key only on the backend/agent server, never in browser code.
4. Use an Authorization Bearer token for admin routes and x-api-key for partner routes.
5. Rotate API keys and revoke old keys from the same admin panel.
# Admin API call (Bearer token)
curl "http://localhost:3000/api/dashboard/stats" \
  -H "Authorization: Bearer <ADMIN_JWT>"

# Partner API call (Admin-created partner key)
curl -X POST "http://localhost:3000/api/visual-password/init-auth" \
  -H "Content-Type: application/json" \
  -H "x-api-key: <PARTNER_KEY>" \
  -d '{
    "partnerId": "hdfc_bank",
    "userId": "customer-1001",
    "state": "txn-001",
    "callbackUrl": "https://partner.example.com/callback"
  }'

1. Caller provides account number to agent.
2. Agent system finds user record using account number/partnerUserId/email.
3. OTP is sent to registered email.
4. Agent verifies OTP with caller.
5. System auto-generates visual re-enrollment link.
6. System auto-sends reset link email to user.
7. User opens link and sets new visual password.
Important: In the standard agent flow, OTP verify endpoint handles link generation and email dispatch in one step.
# Step 1: Find user
POST /api/demo-bank/agent/find-user

# Step 2: Send OTP to registered email
POST /api/demo-bank/agent/send-otp

# Step 3: Verify OTP -> auto send reset link email
POST /api/demo-bank/agent/verify-otp

# Admin shortcut flow (no OTP, admin initiated)
POST /api/demo-bank/agent/admin-reset
You can connect your own voice/AI stack (Twilio, SIP bot, custom LLM voice agent, or contact-center platform) by mapping the same backend recovery endpoints.
Required inputs from your agent:
{
  "agentName": "Bank Agent 102",
  "query": "<accountNumber | partnerUserId | email>",
  "partnerUserId": "customer-bank-...",
  "requestId": "<otp-request-id>",
  "otp": "123456"
}

Callback/input link templates to configure in your agent console:
# Local/dev
http://localhost:3002/api/demo-bank/agent/find-user
http://localhost:3002/api/demo-bank/agent/send-otp
http://localhost:3002/api/demo-bank/agent/verify-otp

# Public tunnel/custom domain
https://<your-agent-domain>/api/demo-bank/agent/find-user
https://<your-agent-domain>/api/demo-bank/agent/send-otp
https://<your-agent-domain>/api/demo-bank/agent/verify-otp

# Admin direct reset endpoint
https://<your-agent-domain>/api/demo-bank/agent/admin-reset
Security notes: keep partner key server-side, enforce HTTPS, log agentName in audit metadata, and restrict admin-reset to authenticated admins only.
curl -X POST http://localhost:3002/api/demo-bank/agent/send-otp \
  -H "Content-Type: application/json" \
  -d '{
    "partnerUserId": "customer-bank-9f5cb9dcf002",
    "agentName": "Agent-Desk-7"
  }'

curl -X POST http://localhost:3002/api/demo-bank/agent/verify-otp \
  -H "Content-Type: application/json" \
  -d '{
    "requestId": "<OTP_REQUEST_ID>",
    "otp": "123456",
    "agentName": "Agent-Desk-7"
  }'
# Success response includes auto email status and (dev mode) enrollUrl.

1. Keep admin JWT and partner API keys separate.
2. Allow only admin users to run direct reset endpoints.
3. Configure SMTP and test auto-email before go-live.
4. Enforce HTTPS and secure cookie/session policies.
5. Rotate API keys and audit high-risk events weekly.
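
The security notes and go-live checklist above, as an added server-side check (example code, not part of this platform's API): before an agent backend forwards a recovery call, it enforces HTTPS, limits admin-reset to admins, forwards only the expected fields, and builds an audit record that carries agentName but never the OTP. The `caller` session object, the `buildAgentCall` name, and the field lists for find-user and admin-reset are assumptions.

```javascript
// Added example. Field lists marked "assumed" are not documented on the page.
const STEPS = {
  "find-user": { fields: ["query", "agentName"], adminOnly: false }, // assumed
  "send-otp": { fields: ["partnerUserId", "agentName"], adminOnly: false },
  "verify-otp": { fields: ["requestId", "otp", "agentName"], adminOnly: false },
  "admin-reset": { fields: ["partnerUserId", "agentName"], adminOnly: true }, // assumed
};
const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1"]);

// Validates one agent recovery call and returns the request to send plus an
// audit record. `caller` is a hypothetical session object: { isAdmin: boolean }.
function buildAgentCall(baseUrl, step, body, caller) {
  const known = Object.prototype.hasOwnProperty.call(STEPS, step);
  if (!known) throw new Error(`unknown step: ${step}`);
  const spec = STEPS[step];
  const base = new URL(baseUrl);
  // Enforce HTTPS everywhere except local development hosts.
  if (base.protocol !== "https:" && !LOCAL_HOSTS.has(base.hostname)) {
    throw new Error("HTTPS required for non-local agent endpoints");
  }
  // admin-reset skips the OTP check, so only an authenticated admin may call it.
  const isAdmin = Boolean(caller && caller.isAdmin === true);
  if (spec.adminOnly && !isAdmin) {
    throw new Error("admin-reset requires an authenticated admin");
  }
  const input = body || {};
  const payload = {};
  for (const field of spec.fields) {
    const value = input[field];
    if (typeof value !== "string" || value.trim() === "") {
      throw new Error(`missing field: ${field}`);
    }
    payload[field] = value; // forward only the listed fields, drop everything else
  }
  // Audit metadata names the agent and the step; the OTP value is never logged.
  const audit = {
    step,
    agentName: payload.agentName,
    isAdmin,
    fields: spec.fields.filter((field) => field !== "otp"),
  };
  return {
    url: new URL(`/api/demo-bank/agent/${step}`, base).toString(),
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(payload),
    audit,
  };
}
```

Write the returned `audit` object to your audit log and send the rest with your HTTP client of choice.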