The Disclosure API manages the full lifecycle of disclosure requests and approved cases. An auditor creates a disclosure request, an administrator reviews it and either approves or closes it, and — once approved — the resulting case gives assigned auditors scoped access to the transaction data covered by the request. Every action in this flow is permission-gated and recorded in the activity log.

Endpoints

GET /api/applications/:foreignId/disclosure-registry

Lists all disclosure requests for the application. This is the administrator’s view of pending and historical requests — use it to see what auditors have submitted before taking an approve or close action.
Required permission: cases:approve_creation (administrator bucket)
foreignId (string, required): The application route segment returned by GET /auth/me under applications[foreignId]. Identifies which application’s disclosure registry to read.
Returns an array of disclosure request objects, each including the request ID, status, requester details, reason, and the case parameters proposed by the auditor.

GET /api/applications/:foreignId/cases

Lists approved cases and the auditor’s worklist for the application. Administrators see all cases; auditors see only the cases to which they are assigned and that are within their access window.
Required permission: reports:view_transactions (auditor bucket) or administrator/case-specific checks
foreignId (string, required): The application route segment from GET /auth/me.
Returns an array of case objects. Each case includes its ID, status, the period it covers, the disclosure flags that were granted, the list of assigned auditors, and expiry information derived from access_days.

POST /api/applications/:foreignId/cases

Creates a new disclosure case request. The request enters a pending state and must be reviewed by an application administrator before it becomes an active case. You can propose the auditors who should be assigned to the case at creation time.
Required permission: cases:create (auditor bucket)
foreignId (string, required): The application route segment from GET /auth/me.
reason (string, required): A plain-text explanation of why this disclosure is being requested. Shown to the administrator during review.
period_from (string, required): Start of the transaction period to disclose. ISO 8601 date string (e.g. "2024-01-01").
period_to (string, required): End of the transaction period to disclose. ISO 8601 date string (e.g. "2024-03-31").
access_days (integer, required): Number of days from case approval during which assigned auditors may access the transaction data.
disclosure_flags (object, required): Controls which fields are disclosed if the request is approved. All flags default to false if omitted.
  • full_tx_ids — Include full transaction identifiers.
  • sender_information — Include sender address and identity data.
  • withdrawal_details — Include withdrawal amounts and destination details.
auditor_ids (array, required): Array of user IDs to assign as auditors if the request is approved. These assignments are proposed at request time and carried over to the live case on approval.
Returns the newly created disclosure request object, including its assigned id and an initial status of "pending".
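A client-side sketch of building the request body for this endpoint, added here as an example and not taken from the API's own code. It assumes the body is sent as JSON; the helper name build_case_request, the sanity checks (start not after end, positive access_days, no duplicate auditors) and the sample values are hypothetical, while the field and flag names are the ones listed above.

```python
import json
from datetime import date

# Flag names come from the page; everything else in this helper is hypothetical.
KNOWN_FLAGS = ("full_tx_ids", "sender_information", "withdrawal_details")

def build_case_request(reason, period_from, period_to, access_days,
                       auditor_ids, flags=()):
    """Return the body for POST /api/applications/:foreignId/cases."""
    if not reason.strip():
        raise ValueError("reason must not be empty")
    # fromisoformat raises ValueError on a malformed or impossible date
    start, end = date.fromisoformat(period_from), date.fromisoformat(period_to)
    if start > end:
        raise ValueError("period_from is after period_to")
    # bool is a subclass of int, so reject it explicitly
    if (isinstance(access_days, bool) or not isinstance(access_days, int)
            or access_days < 1):
        raise ValueError("access_days must be a positive integer")
    unknown = set(flags) - set(KNOWN_FLAGS)
    if unknown:
        raise ValueError(f"unknown disclosure flags: {sorted(unknown)}")
    if not auditor_ids or len(set(auditor_ids)) != len(auditor_ids):
        raise ValueError("auditor_ids must be non-empty and free of duplicates")
    return {
        "reason": reason.strip(),
        "period_from": start.isoformat(),
        "period_to": end.isoformat(),
        "access_days": access_days,
        # Spell out every flag so the requested scope never depends on defaults.
        "disclosure_flags": {name: name in flags for name in KNOWN_FLAGS},
        "auditor_ids": list(auditor_ids),
    }

if __name__ == "__main__":
    # Constructed sample values, not real users or cases.
    body = build_case_request("Quarterly review of flagged withdrawals",
                              "2024-01-01", "2024-03-31", 14,
                              ["user-101", "user-102"],
                              flags=["withdrawal_details"])
    print(json.dumps(body, indent=2))
```

Requesting only the flags the review needs keeps the approved case's scope as narrow as the reason justifies, and the explicit false values make that scope visible to the administrator reviewing the request.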

POST /api/applications/:foreignId/cases/requests/:id/withdraw

Withdraws your own pending disclosure request before an administrator has acted on it. You can only withdraw requests that you created, and only while they are in pending status.
Required permission: cases:withdraw_pending_request (auditor bucket)
foreignId (string, required): The application route segment from GET /auth/me.
id (string, required): The ID of the pending disclosure request to withdraw.
Returns the updated disclosure request object reflecting the withdrawn state.

POST /api/applications/:foreignId/case-requests/:id/approve

Approves a pending disclosure request and creates an active case from it. Approval copies the proposed auditor assignments from the request to the live case and starts the access_days access window.
Required permission: cases:approve_creation (administrator bucket)
foreignId (string, required): The application route segment from GET /auth/me.
id (string, required): The ID of the pending disclosure request to approve.
Returns the newly created case object. The corresponding disclosure request moves to "approved" status.

POST /api/applications/:foreignId/case-requests/:id/close

Closes a pending disclosure request without granting data access. Use this to formally reject a request. The request moves to "closed" status and no case is created.
Required permission: cases:approve_creation (administrator bucket)
foreignId (string, required): The application route segment from GET /auth/me.
id (string, required): The ID of the pending disclosure request to close.
Returns the updated disclosure request object with status set to "closed".

Case Statuses

Status | Meaning
pending | The request has been submitted and is awaiting administrator review. Assigned auditors do not yet have data access.
approved | An administrator has approved the request. An active case exists and assigned auditors can access transaction data within the approved scope and access window.
closed | An administrator closed the request without granting access, or the request was withdrawn by the requester. No case was created.
Once a request is approved or closed, it cannot be re-opened. If you need to modify the scope of an approved case, create a new disclosure request.
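
The lifecycle rules above, written out as a small in-memory Python model. This is an added example, not the API's implementation: the permission names are the ones on this page, while the class, the function names, and the choice to treat the access window as exclusive at its end are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Permission names are from the page; the model around them is hypothetical.
APPROVE = "cases:approve_creation"
WITHDRAW = "cases:withdraw_pending_request"

class Denied(Exception):
    """A transition the documented rules do not allow."""

@dataclass
class DisclosureRequest:
    id: str
    requester: str
    auditor_ids: list
    access_days: int
    status: str = "pending"
    expires_at: Optional[datetime] = None

def _gate(req, perms, needed):
    if needed not in perms:
        raise Denied(f"missing permission {needed}")
    if req.status != "pending":  # approved/closed requests cannot be re-opened
        raise Denied(f"request {req.id} is already {req.status}")

def approve(req, perms, now):
    _gate(req, perms, APPROVE)
    req.status = "approved"
    req.expires_at = now + timedelta(days=req.access_days)  # window starts at approval
    return req

def close(req, perms):
    _gate(req, perms, APPROVE)
    req.status = "closed"
    return req

def withdraw(req, actor_id, perms):
    _gate(req, perms, WITHDRAW)
    if actor_id != req.requester:
        raise Denied("only the requester can withdraw a request")
    req.status = "closed"  # the status table files withdrawn requests under "closed"
    return req

def auditor_can_access(req, user_id, now):
    # Assumption: the window is exclusive at its end; the page does not say.
    return (req.status == "approved" and user_id in req.auditor_ids
            and now < req.expires_at)
```

A model like this is useful as a test oracle: replay the same sequence of calls against a staging application and check that every transition the model denies is also refused by the API and appears in the activity log.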