Once the application exists, whichever caller holds write access — your backend with a bearer token, or a browser with the client secret — drives the rest of the DRAFT-side flow. Both credentials accept the same set of per-application endpoints. The steps below describe the calls; substitute Authorization: Bearer ... or X-Client-Secret: cs_... depending on which integration shape you picked.
Patch in remaining details
PATCH /embedded-banking/v1/bank-account-applications/{id}. The applicant, business details, and beneficial owners can be added or amended any number of times while the application is in DRAFT. A pure backend integration that already collected this data out of band can pass it on create and skip the PATCH step entirely.
Verify the applicant and the business
Request a verification code (POST /{id}/verification-codes), then submit the code along with applicant verification (POST /{id}/verification) and business verification (POST /{id}/business-verification). Skip these calls if your own KYC/KYB happens outside Tesouro — supply individualValidationSource and organizationValidationSource on create instead so the bank knows which provider you used.
Completion
When the bank’s pipeline finishes successfully, the application transitions from SUBMITTED to COMPLETE and the underlying bank account is created. At that point:
- Any issued client secret is invalidated. A browser still carrying one will fail authentication on subsequent calls.
- Further reads of the application use a backend bearer token.
- The resulting bank account is delivered through the normal bank account lifecycle — listen for the bank_account.created webhook to learn when it is ready.
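
The DRAFT-side calls and the credential rule at COMPLETE, sketched as an added example (not Tesouro's own code). It only plans requests and sends nothing. Assumptions: BASE_URL is a placeholder host, the short /{id}/... paths sit under the same collection path as the PATCH endpoint, request bodies are omitted because this page does not show them, and the function and option names are hypothetical.

```javascript
// Added example: plans the DRAFT-side calls and picks the auth header for each caller.
const BASE_URL = "https://api.example.invalid"; // placeholder host, not from the page
const APPLICATIONS = "/embedded-banking/v1/bank-account-applications";

// credential: { kind: "bearer", token } for a backend,
//             { kind: "clientSecret", secret } for a browser.
function authHeaders(credential, applicationState) {
  if (credential.kind === "bearer") {
    return { Authorization: `Bearer ${credential.token}` };
  }
  if (credential.kind === "clientSecret") {
    // The client secret is invalidated at COMPLETE: fail locally rather than
    // keep sending a dead secret from the browser.
    if (applicationState === "COMPLETE") {
      throw new Error("client secret is invalid once the application is COMPLETE; read via a backend bearer token");
    }
    return { "X-Client-Secret": credential.secret };
  }
  throw new Error(`unknown credential kind: ${credential.kind}`);
}

// Returns ordered request descriptors for an application in DRAFT.
// detailsSentOnCreate: data was passed on create, so the PATCH step is skipped.
// externalKyc: KYC/KYB ran outside Tesouro, so the verification calls are skipped.
function planDraftCalls(id, credential, { detailsSentOnCreate = false, externalKyc = false } = {}) {
  // Encode the id so it can never add extra path segments to the URL.
  const base = `${BASE_URL}${APPLICATIONS}/${encodeURIComponent(id)}`;
  const headers = authHeaders(credential, "DRAFT");
  const steps = [];
  if (!detailsSentOnCreate) steps.push(["PATCH", ""]);
  if (!externalKyc) {
    steps.push(["POST", "/verification-codes"], ["POST", "/verification"], ["POST", "/business-verification"]);
  }
  return steps.map(([method, suffix]) => ({ method, url: base + suffix, headers: { ...headers } }));
}
```
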