AltScore — API Specification

01 —

API Overview

The AltScore API is a REST API served over HTTPS/TLS 1.3. All request and response bodies are JSON. All endpoints require authentication. No endpoint is publicly accessible without a valid credential.

API-ALTSCORE-001 · Base URL: https://api.altscore.in/v1

Score API

NBFC Partners

Retrieve AltScore credit scores, risk bands, PD estimates, and SHAP reason codes for individual retailers.

Consent API

Internal + WhatsApp

Manage retailer consent lifecycle. Grant, revoke, check, and export consent records. Called internally by all services.

Ingestion API

Distributor Connectors

ERP connector SDK posts invoice and payment batches. Authenticated via mTLS + API key. HMAC-signed payloads.

Grievance API

Retailers + Lenders

File score grievances, check status, request explanation. Human review within 24h acknowledgement SLA.

Admin API

Internal Only

Distributor onboarding, model promotion, compliance reports, RBAC management. FIDO2 authenticated.

Common Headers

Header	Required	Description
`Authorization`	required	`Bearer <jwt_token>` for external APIs. See Section 02.
`X-Client-ID`	required	Lender or distributor identifier. Must match JWT subject claim.
`X-Request-ID`	optional	Client-supplied idempotency key (UUID). Returned in response for tracing.
`Content-Type`	required (POST/PUT)	Must be `application/json`.
`Accept-Language`	optional	`en` or `hi`. Reason codes returned in specified language. Default: `en`.

02 —

Authentication & Authorization

NBFC Partner Authentication (Score API)

Property	Value
Token type	JWT (JSON Web Token)
Signing algorithm	RS256 (RSA 2048-bit + SHA-256)
Token TTL	1 hour. Refresh before expiry.
Required claims	`sub` (lender_id), `iss` (altscore.in), `exp`, `iat`, `jti` (unique per token)
Additional header	`X-Client-ID: <lender_id>` must match `sub` claim
Token endpoint	`POST /v1/auth/token` — body: `{"client_id":"…","client_secret":"…"}`
Key rotation	Signing keys rotated every 6 months. 2-week overlap period. JWKS endpoint: `GET /.well-known/jwks.json`

ERP Connector Authentication (Ingestion API)

ERP connectors use mTLS + API key. The client certificate (per distributor, 90-day rotation) handles transport-level identity. The X-API-Key header provides application-level identity. Payload HMAC-SHA256 signature must be included in X-Payload-Signature header.

Admin API Authentication

Admin API requires FIDO2/WebAuthn hardware key + SAML 2.0 SSO token. No username/password authentication. Session tokens are short-lived (15 minutes) and non-renewable; re-authentication required per session.

Authorization Model

All APIs enforce consent-scoped authorization on top of authentication. An authenticated NBFC partner may only retrieve scores for retailers who have explicitly named that lender in their active consent record. The 403 Forbidden response does not distinguish between "retailer not found" and "retailer exists but consent not granted" — both return 403 to prevent information leakage.

03 —

Score API

The Score API is the primary interface for NBFC lending partners. All endpoints require JWT RS256 authentication. Rate limit: 100 requests/minute per lender.

POST

/v1/score

Score API · NBFC Auth

Retrieve the AltScore credit assessment for a single retailer. Returns score, risk band, probability of default, recommended credit limit, SHAP-derived reason codes, and data freshness. Consent is verified on every call.

Request Body

{

  "retailer_id": "ret_7f3a92c1d4e8b051",  // required — AltScore UUID (not GST)

  "purpose": "working_capital_loan",  // required — must match consent purpose

  "requested_limit_inr": 150000  // optional — lender's proposed limit for override check

}

Response 200 — Score Available

{

  "retailer_id": "ret_7f3a92c1d4e8b051",

  "altscore": 724,  // 300–900

  "risk_band": "B",  // "A" | "B" | "C" | "D"

  "probability_of_default": 0.082,  // 0.0–1.0

  "recommended_limit_inr": 175000,  // hard-capped at 30% of 6-month GMV

  "reason_codes": [

    {"code":"LOW_PAYMENT_DELAY","direction":"positive","rank":1,"label_en":"Timely payments","label_hi":"समय पर भुगतान"},

    {"code":"CONSISTENT_ORDER_FREQ","direction":"positive","rank":2, "label_en":"Regular order pattern","label_hi":"नियमित ऑर्डर"},

    {"code":"GROWING_BASKET_SIZE","direction":"positive","rank":3,"label_en":"Growing business","label_hi":"बढ़ता कारोबार"},

    {"code":"HIGH_RETURN_RATE","direction":"negative","rank":4,"label_en":"High return rate","label_hi":"उच्च वापसी दर"},

    {"code":"ORDER_GAP_DETECTED","direction":"negative","rank":5,"label_en":"Order gap detected","label_hi":"ऑर्डर में अंतराल"}

  ],  // always ≥5 codes (≥3 positive, ≥2 negative)

  "data_freshness_days": 3,  // days since last ERP sync

  "low_confidence": false,  // true if completeness 50–69% or freshness >14 days

  "score_version": "altscore-xgb-v1-prod",

  "scored_at": "2026-05-19T22:14:07Z",

  "request_id": "req_a3f8c2d1"  // echoes X-Request-ID

}

Error Responses

Status	Error Code	Meaning
400	`INVALID_REQUEST`	Missing or invalid retailer_id / purpose field
401	`TOKEN_EXPIRED` / `TOKEN_INVALID`	JWT expired or signature invalid
403	`CONSENT_NOT_GRANTED`	Retailer has not consented to this lender (or retailer not found — intentionally ambiguous)
404	`RETAILER_NOT_SCORED`	Retailer exists and consented but no score computed yet (e.g., data too fresh)
422	`DATA_INSUFFICIENT`	Completeness <50% — scoring blocked
429	`RATE_LIMIT_EXCEEDED`	100 req/min exceeded. Headers: `Retry-After`, `X-RateLimit-Reset`
503	`SERVICE_UNAVAILABLE`	Consent Service unreachable (fail-safe block)

GET

/v1/score/{retailer_id}/history

Score API · NBFC Auth

Retrieve the last 12 AltScore values for a retailer (monthly snapshots). Useful for trend analysis. Subject to same consent check as POST /v1/score.

Query Parameters

Parameter	Type	Default	Description
`months`	integer	6	Number of monthly snapshots to return (max 12)

Response 200

{"retailer_id":"ret_7f3a92c1d4e8b051","history":[

  {"month":"2026-05","altscore":724,"risk_band":"B","score_version":"altscore-xgb-v1-prod"},

  {"month":"2026-04","altscore":708,"risk_band":"B","score_version":"altscore-xgb-v1-prod"}

]}

GET

/v1/retailers/lookup

Score API · NBFC Auth

Resolve a retailer's AltScore UUID from their GST number (if consented to this lender). Returns the opaque retailer_id required for POST /v1/score. GST is not stored post-lookup — only the UUID is returned.

Query Parameters

Parameter	Required	Description
`gst`	required	15-character GSTIN of the retailer

Response 200

{"retailer_id":"ret_7f3a92c1d4e8b051","consent_active":true}

04 —

Consent API

Internal-use API for consent lifecycle management. Called by other services (Scoring Engine, Score API) and by the WhatsApp Webhook Handler. NBFC partners do not call this API directly.

POST

/v1/consent/grant

Consent · Webhook Handler Auth

Record an affirmative consent grant from a retailer. Creates a cryptographically signed (ECDSA P-256) consent record. Emits consent.granted Kafka event.

Request Body

{

  "retailer_phone_hash":"sha256_of_phone",  // hashed phone — never raw

  "distributor_id":"dist_c4f9",

  "lender_scope":["lender_shriram","lender_ugro"],  // specific NBFCs named

  "purpose":"working_capital_loan",

  "consent_channel":"whatsapp",

  "wa_message_id":"wamid.xxx"  // WhatsApp message ID for audit

}

Response 201

{"consent_id":"cns_8a2f","retailer_id":"ret_7f3a","signed_at":"2026-05-20T08:00:00Z","signature":"ECDSA_P256_hex"}

POST

/v1/consent/revoke

Consent · Retailer or Admin Auth

Revoke a retailer's consent. Processing halt within 1 hour. Emits consent.revoked event which stops scoring and invalidates Score API cache. Consent record is NOT deleted (7-year audit retention).

Request Body

{"consent_id":"cns_8a2f","reason":"retailer_request","wa_message_id":"wamid.yyy"}

Response 200

{"consent_id":"cns_8a2f","status":"revoked","processing_halt_by":"2026-05-20T09:00:00Z"}

GET

/v1/consent/check

Consent · Internal Service Auth

Check whether a specific retailer has active consent for a specific lender. Used by Score API Service on every request. Returns boolean only — no PII exposed.

Query Parameters

Parameter	Required
`retailer_id`	required
`lender_id`	required

Response 200

{"consented":true,"consent_id":"cns_8a2f","expires_at":"2027-05-20T00:00:00Z"}

05 —

ERP Ingestion API

Used exclusively by the ERP Connector SDK deployed at distributor sites. Requires mTLS client certificate + API key + HMAC payload signature. Rate limit: 10 batches/hour per distributor.

POST

/v1/ingest/batch

Ingestion · mTLS + API Key

Submit a batch of ERP invoice and payment records. Records are validated, deduplicated, and written to Bronze layer. Malformed records are quarantined but do not fail the entire batch.

Request Headers (additional)

Header	Description
`X-API-Key`	Distributor API key (32-byte hex, rotated annually)
`X-Payload-Signature`	HMAC-SHA256 of request body using distributor's signing secret
`X-ERP-Type`	`tally_prime` \| `sap_b1` \| `csv`
`X-Batch-ID`	Client-generated UUID for idempotency (same batch_id = no-op if already processed)

Request Body (abbreviated)

{

  "distributor_id":"dist_c4f9",

  "sync_from":"2026-05-01T00:00:00Z",

  "sync_to":"2026-05-19T23:59:59Z",

  "invoices": [

    {"invoice_id":"INV-2026-001","retailer_gst":"29AABCT...","invoice_date":"2026-05-03","amount_inr":42000,"due_date":"2026-05-17"}

  ],

  "payments": [

    {"payment_id":"PAY-2026-001","invoice_id":"INV-2026-001","paid_date":"2026-05-15","amount_paid_inr":42000}

  ]

}

Response 202 — Accepted

{"batch_id":"bat_3c9a","accepted":247,"quarantined":3,"status":"processing"}

GET

/v1/ingest/batch/{batch_id}/status

Ingestion · mTLS + API Key

Poll the processing status of a submitted batch. Returns per-record status including quarantined record reasons for Ops review.

Response 200

{"batch_id":"bat_3c9a","status":"complete","written_to_bronze":247,"quarantined":3,"completeness_score":84.2,"pipeline_triggered":true}

06 —

Grievance API

POST

/v1/grievances

Grievance · NBFC or Retailer Auth

File a grievance against a score. Triggers 24h acknowledgement SLA and 7-day resolution SLA. Emits grievance.filed event.

Request Body

{"retailer_id":"ret_7f3a","score_id":"scr_9b2c","grievance_type":"incorrect_score","description":"Payment records missing for March","contact_phone_hash":"sha256_hash"}

Response 201

{"grievance_id":"grv_5d1e","status":"open","ack_by":"2026-05-21T08:00:00Z","resolution_sla":"2026-05-27T08:00:00Z"}

GET

/v1/grievances/{grievance_id}

Grievance · Auth

Check the status of a grievance. Returns current status, resolution notes (if resolved), and SLA clock.

Response 200

{"grievance_id":"grv_5d1e","status":"resolved","resolution":"Score updated after data correction","resolved_at":"2026-05-24T14:00:00Z"}

07 —

Admin API (Internal)

Internal-only. Requires FIDO2 hardware key + SSO. All operations are audit-logged. Not accessible from outside the VPN.

Method	Endpoint	Description
POST	`/v1/admin/distributors`	Onboard a new distributor; issues mTLS cert + API key
POST	`/v1/admin/distributors/{id}/rotate-key`	Rotate a distributor's API key and mTLS cert
POST	`/v1/admin/models/promote`	Promote a challenger model to champion (two-person sign-off enforced)
POST	`/v1/admin/models/rollback`	Rollback to previous champion model (<10 min)
GET	`/v1/admin/grievances`	List open grievances with SLA status
GET	`/v1/admin/compliance/report`	Generate DPDP/RBI compliance report for specified date range
GET	`/v1/admin/audit/events`	Query audit log (DPO/Legal access; read-only)
PUT	`/v1/admin/retailers/{id}/erasure`	Process Right-to-Erasure request (30-day SLA timer started)
GET	`/v1/admin/retailers/{id}/export`	Data portability export for retailer (15-day SLA, JSON)

08 —

Error Code Reference

HTTP Status	Error Code	Description	Action
400	`INVALID_REQUEST`	Malformed JSON or missing required field	Fix request body per schema
400	`INVALID_RETAILER_ID`	retailer_id format invalid (must be ret_ prefix + 16 hex chars)	Use /v1/retailers/lookup first
401	`TOKEN_EXPIRED`	JWT exp claim in the past	Refresh token via POST /v1/auth/token
401	`TOKEN_INVALID`	JWT signature verification failed	Re-authenticate; check signing key rotation
401	`TOKEN_MISSING`	Authorization header absent	Add Bearer token header
403	`CONSENT_NOT_GRANTED`	Retailer not consented to this lender or retailer unknown	Initiate consent flow via distributor dashboard
403	`SCOPE_MISMATCH`	Requested purpose not in consent scope	Verify purpose matches consent record
404	`RETAILER_NOT_SCORED`	No score available yet (consented but data too new)	Retry after next pipeline run (up to 24h)
409	`BATCH_ALREADY_PROCESSED`	X-Batch-ID already received and processed	Idempotent — original result stands
422	`DATA_INSUFFICIENT`	Completeness <50% — scoring blocked	Distributor must supply more ERP data
429	`RATE_LIMIT_EXCEEDED`	100 req/min exceeded	Back off per Retry-After header
500	`INTERNAL_ERROR`	Unexpected server error	Retry with exponential backoff; contact support if persists
503	`SERVICE_UNAVAILABLE`	Consent Service or Scoring Engine temporarily unavailable	Retry after 30s; fail-safe block active

09 —

Rate Limits & Quotas

API Group	Limit	Window	Scope	Response on Breach
Score API	100 requests	1 minute	Per lender (JWT sub)	429 + `Retry-After` + `X-RateLimit-Reset`
Score API	5,000 requests	24 hours	Per lender	429 with daily quota context
Ingestion API	10 batches	1 hour	Per distributor	429
Ingestion API	1,000 records/batch	Per request	Per batch payload	400 BATCH_TOO_LARGE
Grievance API	5 filings	24 hours	Per retailer	429
Auth token endpoint	10 requests	1 minute	Per client_id	429 (brute-force protection)

Rate Limit Response Headers

# Returned on every Score API response

X-RateLimit-Limit: 100

X-RateLimit-Remaining: 87

X-RateLimit-Reset: 1716220800  # Unix timestamp when window resets

Retry-After: 23  # Seconds — only present on 429 response

10 —

API Versioning & Lifecycle

APIs are versioned by URL path prefix (/v1/). A new major version is only created when a breaking change is unavoidable. Minor and patch changes are non-breaking and applied in-place.

Breaking Change Policy

Requires New Major Version

Removing a field from response schema
Changing a field type (e.g., int → string)
Changing HTTP method for an endpoint
Removing an endpoint
Changing authentication mechanism
Reducing rate limits below published minimums

Non-Breaking Changes

Applied In-Place (v1)

Adding new optional response fields
Adding new optional request parameters
Adding new endpoints
Adding new error codes
Adding new reason codes to the taxonomy
Performance improvements, latency reductions

Version Lifecycle

Version	Status	Support Until	Notes
v1	CURRENT	Minimum 24 months from GA	This document
v2	PLANNED	TBD	RBI Account Aggregator integration; breaking changes TBD

NBFC partners receive 90 days advance notice before any breaking change deployment, via email + dashboard notification. Version sunset is announced at least 6 months before the old version is decommissioned.