Authorization: Bearer ... or X-Client-Secret: cs_... depending on which integration shape you picked.
1
Patch in remaining details
PATCH /embedded-banking/v1/bank-account-applications/{id}. The applicant, business details, and beneficial owners can be added or amended any number of times while the application is in DRAFT. A pure backend integration that already collected this data out of band can pass it on create and skip the PATCH step entirely.2
Verify the applicant
Request a verification code (
POST /{id}/verification-codes), then submit the code along with applicant verification (POST /{id}/verification). Skip these calls if your own KYC/KYB happens outside Tesouro — supply individualValidationSource and organizationValidationSource on create instead so the bank knows which provider you used.3
Submit
POST /{id}/submission moves the application from DRAFT to SUBMITTED. After this call, no further edits are accepted. If a browser made the submission, its client secret continues to work for read-only access until the application reaches COMPLETE.Completion
When the bank’s pipeline finishes successfully, the application transitions fromSUBMITTED to COMPLETE and the underlying bank account is created. At that point:
- Any issued client secret is invalidated. A browser still carrying one will fail authentication on subsequent calls.
- Further reads of the application use a backend bearer token.
- The resulting bank account is delivered through the normal bank account lifecycle — listen for the
bank_account.createdwebhook to learn when it is ready.