> ## Documentation Index
> Fetch the complete documentation index at: https://docs.tesouro.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Editing and submitting

> Patch in remaining details, verify the applicant, submit the application to the bank, and react to completion.

Once the application exists, whichever caller holds write access — your backend with a bearer token, or a browser with the [client secret](/embedded-banking/guides/authentication/application-client-secret) — drives the rest of the DRAFT-side flow. Both credentials accept the same set of per-application endpoints. The steps below describe the calls; substitute `Authorization: Bearer ...` or `X-Client-Secret: cs_...` depending on which integration shape you picked.

<Steps>
  <Step title="Patch in remaining details">
    `PATCH /embedded-banking/v1/bank-account-applications/{id}`. The applicant, business details, and beneficial owners can be added or amended any number of times while the application is in `DRAFT`. A pure backend integration that already collected this data out of band can pass it on create and skip the PATCH step entirely.
  </Step>

  <Step title="Verify the applicant">
    Request a verification code (`POST /{id}/verification-codes`), then submit the code along with applicant verification (`POST /{id}/verification`). Skip these calls if your own KYC/KYB happens outside Tesouro — supply `individualValidationSource` and `organizationValidationSource` on create instead so the bank knows which provider you used.
  </Step>

  <Step title="Submit">
    `POST /{id}/submission` moves the application from `DRAFT` to `SUBMITTED`. After this call, no further edits are accepted. If a browser made the submission, its client secret continues to work for read-only access until the application reaches `COMPLETE`.
  </Step>
</Steps>

## Completion

When the bank's pipeline finishes successfully, the application transitions from `SUBMITTED` to `COMPLETE` and the underlying bank account is created. At that point:

* Any issued client secret is invalidated. A browser still carrying one will fail authentication on subsequent calls.
* Further reads of the application use a backend bearer token.
* The resulting bank account is delivered through the normal bank account lifecycle — listen for the [`bank_account.created`](/embedded-banking/guides/webhooks/event-types) webhook to learn when it is ready.

If a browser is doing the editing and the applicant walks away mid-flow, the client secret may expire before submission. See [Resuming](/embedded-banking/guides/bank-account-applications/resuming) for how to re-issue one. Backend-only integrations never hit this case — bearer tokens are refreshed through the normal OAuth flow.
