Introduction

The following document describes the usage of YourPass REST API. You will find useful references and examples for all the available endpoints.

Console

Yourpass provides a web based tool for interacting with the API.

For the Sandbox environment, which is intended for integration testing, you can access the Console at https://console.yourpass.space.

For production environments, please contact Yourpass support to receive the URL.

Environment URLs

URL	Production	Sandbox (integration testing only)
API_URL	See below	https://api.yourpass.space
DISTRIBUTION_URL	See below	https://get.yourpass.space
ISSUE_URL	See below	https://issue.yourpass.space

The documentation uses placeholders to substitute these URLs. Whenever you see <…> you should replace it with one of the above URLs based on the selected environment. For example <API_URL>/v1/pass translates to https://api.yourpass.space/v1/pass for sandbox environment.

Headers

All endpoints expect the following headers unless otherwise noted

Name	Value
Accept	application/json
Content-Type	application/json

Optionally an Authorization header can be specified. See Authentication for more information.

Authentication

Yourpass web services are secured via token based authentication. All requests which require authorization must contain token in an Authorization header.

OAuth2 - Resource Owner Password Credentials

This service allows obtaining an access token for reliable applications, which stores user’s credentials. For more details see RFC6749.

Client id: c36b6721-04d5-4dce-b1f2-4796d8fcc849
Client secret: (there is no secret, use empty string)

Debugging authentication errors

This authentication flow is implemented on the Console login page, first try your credentials at <CONSOLE_URL>.

If you cannot login using Console, try resetting your password first or contact support.

If you successfully authenticate using the Console, then try debugging your issues using the curl commands provided in the right panel of this documentation.

Please note that on Windows, you have to use ^ instead of \ at the end of each line.

If you are using the curl command or creating the authentication URL by hand in your application, make sure you have URL-encoded all URL parameters including the password.

Request

Request:

curl --request POST <API_URL>/oauth2/token \
  --header "Authorization: Basic YzM2YjY3MjEtMDRkNS00ZGNlLWIxZjItNDc5NmQ4ZmNjODQ5Og==" \
  --header "Cache-Control: no-cache" \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --data "grant_type=password&username=your@email.com&password=yourPassword"

var qs = require("querystring");
var http = require("https");

var options = {
  method: "POST",
  hostname: ["api", "yourpass", "eu"],
  path: ["oauth2", "token"],
  headers: {
    "Content-Type": "application/x-www-form-urlencoded",
    Authorization: "Basic YzM2YjY3MjEtMDRkNS00ZGNlLWIxZjItNDc5NmQ4ZmNjODQ5Og==",
    "Cache-Control": "no-cache",
  },
};

var req = http.request(options, function (res) {
  var chunks = [];

  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});

req.write(
  qs.stringify({
    grant_type: "password",
    username: "your@email.com",
    password: "yourPassword",
  })
);
req.end();

POST <API_URL>/oauth2/token

Header parameters

Name	Note	Required
Authorization	`Basic xxx`, where xxx is base64 encoded clientID:clientSecret.	Yes
Content-type	`application/x-www-form-urlencoded`	Yes

Body

Name	Note	Required
grant_type	Contains constant `password` for this oauth2 grant type	Yes
username	The user’s email	Yes
password	The user’s pasword	Yes

Response

Response:

{
  "access_token": "supersecret2token.....",
  "expires_in": 21600,
  "token_type": "Bearer"
}

Name	Note
access_token
expires_in	seconds to expire
token_type

OAuth2 - Authorization Code Grant

This service allows delegatation of access rights to a third-party application. For more detail see RFC6749.

Process description

Get authorization code

GET /oauth2/auth?client_id={client_id}&redirect_uri={redirect_uri}&response_type=code&scope={scope}&state={state} HTTP/1.1
Host: <API_URL>

Get access token with authorization code

POST /oauth2/token HTTP/1.1
Host:  <API_URL>
Authorization: Basic base64(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded

code={your_received_code}&
redirect_uri={redirect_uri}&
grant_type=authorization_code

Renew the access token with the refresh token

POST /oauth2/token HTTP/1.1
Host:  <API_URL>
Authorization: Basic base64(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded

refresh_token={refresh_token}&
grant_type=refresh_token

The client (a third-party application) directs the user to the auth server and includes the client_id, scope (required permissions), state(opaque information sent to the third-party after authorization) and redirect_uri (URL address, where the user will be redirected to finish the process)
The Auth server verifies and validates or rejects the required permissions.
If everything is ok and the user agrees, they are redirected back to the client’s interface (to the URL specified in redirect_uri). code query parameter will be appended to the redirect_uri.
Using code, client_id and the client_secret, the client will receive access_token and refresh_token.
The client can access the user’s data by including the Authorization: Bearer <access_token> in headers when calling the Yourpass API.
By using the stored refresh_token, the client can (at any time) get a new access_token until the user reject the access to the client (not yet implemented)

Scopes:

Scope	Description
pass.c	pass create
pass.r	pass read
pass.u	pass update / pass patch
pass.d	template delete
template.c	template create
template.r	template read
template.u	template update / template patch
template.d	template delete
image.c	image create
image.r	image read
image.u	image update / image patch
image.d	image delete

Authorize your API request

curl -X GET '<API_URL>/v1/pass' \
     -H 'authorization: Bearer <ACCESS_TOKEN>'

var http = require("https");

var options = {
  method: "GET",
  hostname: "<API_URL>",
  port: null,
  path: "/v1/pass",
  headers: {
    authorization: "Bearer <ACCESS_TOKEN>",
  },
};

var req = http.request(options, function (res) {
  var chunks = [];

  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});

req.end();

All following endpoints accept the token in the Authorization header.

Example:

Authorization: Bearer <ACCESS_TOKEN>

Permissions

Given authorization token is always issued on behalf of an existing Yourpass user. User’s permissions to perform API calls are managed on a per-project basis.

If you believe you lack a permission, please contact admin from your organization or yourpass support directly.

Project

Projects are used to organize templates, passes, images and other assets into groups. These entities can be filtered based on the project they belong to. User may be granted access to multiple projects or its subprojects.

{
  "id": "id-of-project",
  "name": "project name",
  "description": "project description",
  "active": true,
  "parentId": null,
  "createdAt": "2017-02-09T10:23:55.787232Z",
  "updatedAt": "2017-02-17T08:52:01.971545Z",
  "deletedAt": null
}

Properties

Name	filter&sort	Type
id	✓	string
name	✓	string
description	✓	string
active	✓	boolean
parentId	✓	string
createdAt	✓	datetime
updatedAt	✓	datetime
deletedAt	✓	datetime

Image

{
  "id": "image-id",
  "name": "image-name",
  "type": "strip",
  "width": 640,
  "height": 246,
  "fileSize": 164414,
  "url": "data:image/png;base64,iVBOR...gg==",
  "projectId": "b7654e80-0b87-4c4c-a351-2fc55c86e9b9",
  "createdAt": "2017-11-03T10:32:37.756841Z",
  "updatedAt": "2017-11-03T10:32:37.756841Z",
  "deletedAt": null
}

Properties

Name	Note	filter&sort	Type
id		✓	string
name		✓	string
type	type of image [`logo`/`icon`/`strip`/`footer`/`background`/`thumbnail`]		string
width	computed width	✓	number
height	computed height	✓	number
fileSize	computed file size	✓	number
url			string
projectId	Project ID	✓	string
createdAt		✓	datetime
updatedAt		✓	datetime
deletedAt		✓	datetime

Sizes

The background image background.png is displayed behind the entire front side of the pass. The expected dimensions are 360 x 440 points. The image is slightly cropped on all sides and also blurred. You can often provide an image at a smaller size. It will be scaled up, but the blurring effect will hide the details of the image. This lets you reduce the file size without users noticing the difference.
The footer image footer.png is displayed near the barcode. The allotted space is 572 x 30 points.
The icon icon.png is displayed when a pass is shown on the lock screen and by apps such as Mail when the pass is attached to an email. The icon should have dimensions of 58 x 58 points.
The logo image logo.png is displayed in the top left corner of the pass beside the logo text. The allotted space is 320 x 100 points; in most cases it should be more narrow.
The strip image strip.png is displayed behind the primary fields. The expected dimensions are 640 x 168-246 points. The allotted space is 640 x 168 points for event tickets; 640 x 220 points for other pass styles with a square barcode on devices with 3.5 inch screens; 640 x 246 for all other uses.
The thumbnail image thumbnail.png is displayed next to the fields on the front side of the pass. The allotted space is 120-180 x 120-180 points. The aspect ratio should be in the range of 2:3 to 3:2 or the image will be cropped.

Pass styles and relevant image types:

Pass style	Supported images	Note
Boarding pass	logo, icon, footer
Coupon	logo, icon, strip
Event ticket	logo, icon, strip, background, thumbnail	If you specify a strip image, do not specify a background image or a thumbnail.
Generic	logo, icon, thumbnail
Store card	logo, icon, strip

Create image

Create an image. This service requires an image URL.

There are two ways to provide an image URL:

public url of a png image (local copy is created)
data URL of a png image

The image dimensions must conform to the sizes specified above. The size of the resulting image can differ from the original because of the file encoding normalization.

Request

curl -X POST <API_URL>/v1/image \
     -H 'authorization: Bearer <ACCESS_TOKEN>' \
     -H 'content-type: application/json' \
     -d '{"url": "public URL or data url","type":"logo","name":"image name","projectId":"id-of-project"}'

var http = require("https");

var options = {
  method: "POST",
  hostname: "<API_URL>",
  port: null,
  path: "/v1/image",
  headers: {
    authorization: "Bearer <ACCESS_TOKEN>",
    "content-type": "application/json",
  },
};

var req = http.request(options, function (res) {
  var chunks = [];

  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});

req.write(
  '{"url": "public URL or data url","type":"logo","name":"image name","projectId":"id-of-project"}'
);

req.end();

POST <API_URL>/v1/image

Body

Name	Note	Required	Type
url	public url or data URL	Yes	string
name	image name	Yes	string
type	image type	Yes	string
projectId	ID of project	Yes	string

Response

Returns Image.

Read image

Read an image.

Request

curl -X GET <API_URL>/v1/image/:id \
     -H 'authorization: Bearer <ACCESS_TOKEN>'

var http = require("https");

var options = {
  method: "GET",
  hostname: "<API_URL>",
  port: null,
  path: "/v1/image/:id",
  headers: {
    authorization: "Bearer <ACCESS_TOKEN>",
  },
};

var req = http.request(options, function (res) {
  var chunks = [];

  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});

req.end();

GET <API_URL>/v1/image/:id

Path parameters

Name	Note	Required	Type
id		Yes	string

Response

Returns Image.

Delete image

Mark image as deleted.

Request

curl -X DELETE '<API_URL>/v1/image/:id' \
     -H 'authorization: Bearer <ACCESS_TOKEN>'

var http = require("https");

var options = {
  method: "DELETE",
  hostname: "<API_URL>",
  port: null,
  path: "/v1/image/:id",
  headers: {
    authorization: "Bearer <ACCESS_TOKEN>",
  },
};

var req = http.request(options, function (res) {
  var chunks = [];

  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});

req.end();

DELETE <API_URL>/v1/image/:id

Path parameter

Name	Note
id	ID of image

Response

Returns Image.

List image

Return a list of images. List does not contain all properties of an image (to retrieve all the image data use read image service). The list can be filtered and ordered using HTTP request query parameters.

Request

curl -X GET '<API_URL>/v1/image?page=1&limit=100' \
     -H 'authorization: Bearer <ACCESS_TOKEN>'

var http = require("https");

var options = {
  method: "GET",
  hostname: "<API_URL>",
  port: null,
  path: "/v1/image?page=1&limit=100",
  headers: {
    authorization: "Bearer <ACCESS_TOKEN>",
  },
};

var req = http.request(options, function (res) {
  var chunks = [];

  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});

req.end();

GET <API_URL>/v1/image

Query parameters

Name	Note	Default	Required
limit	paging limit (max 1000)	100	No
page	page number	1	No
where	url encoded JSON query (see Querying)		No
order	(see Ordering)		No
orderBy	(see Ordering)		No

Response

Response

{
  "data": [
    {
      "id": "id-of-image",
      "name": "name",
      "type": "logo",
      "width": 640,
      "height": 246,
      "fileSize": 164414,
      "url": "http://.....",
      "projectId": "b7654e80-0b87-4c4c-a351-2fc55c86e9b9",
      "createdAt": "2017-11-03T10:32:37.756841Z",
      "updatedAt": "2017-11-03T10:32:37.756841Z",
      "deletedAt": null
    }
  ],
  "totalCount": 1,
  "page": 1,
  "limit": 1000
}

Response body

Name	Note	Type
data	array of Images	array
totalCount	total count of records	number
page	retuned page	number
limit	page size	number

Template

Represents template data model used for generating passes.

{
  "id": "ID OF TEMPLATE",
  "name": "NAME OF TEMPLATE",
  "jsonTemplate": {
    // unstable, do not use
  },
  "dynamicDataJsonSchema": {
    "type": ["object", "null"],
    "title": "DynamicData",
    "description": "Dynamic data are data....",
    "properties": {
      "firstName": {
        "title": "First name",
        "type": "string"
      },
      "lastName": {
        "title": "last name",
        "type": "string"
      }
    },
    "required": ["firstName", "lastName"]
  },
  "projectId": "8e99b56f-6599-42a5-b19b-31f9d0bb39c0",
  "certificateId": "1529a6a1-ddca-497b-aa44-74c19433c440",
  "images": {
    "icon": {
      "cs": "a5021600-9f29-4a05-91e4-5bbce2a4a21a",
      "en": "a5021600-9f29-4a05-91e4-5bbce2a4a21a"
    },
    "logo": "9db7c521-9c23-463e-8ce6-67c5bc11e764",
    "strip": "ff6b8d14-6e08-40c5-a480-1344cd0797c1"
  },
  "languages": ["cs"],
  "distributable": true,
  "createdAt": "2017-10-17T11:27:04.113254Z",
  "updatedAt": "2017-11-03T14:40:25.293086Z",
  "deletedAt": null
}

Properties

Name	Note	filter&sort	Type
id		✓	string
name		✓	string
jsonTemplate	appearance definition, layout, fields, barcodes and other pass properties		object
dynamicDataJsonSchema	JSON Schema definition for validating dynamic data used on the pass		object
projectId	id of projects belongs to template	✓	string
certificateId	id of certificate which is used for signing passes created with this template		string
images	object mapping image type to image id		object
languages	at least one language in ISO 639-1 format		array
distributable	allow distribution via issue link		boolean
createdAt		✓	datetime
updatedAt		✓	datetime
deletedAt		✓	datetime

Template layout

Boarding passes are specified by a boardingPass key.

Appropriate for: passes used with transit systems such as train tickets, airline boarding passes, and other types of transit.

Each pass typically corresponds to a single trip with a specific start and end points.

Coupons are specified by a coupon key.

Appropriate for: coupons, special offers, and other discounts.

Event tickets are specified by an eventTicket key.

Appropriate for: passes used to gain entry to an event such as concerts, movies, plays, or sporting events.

Each pass typically corresponds to a specific event, but you can also use a single pass for several events such as a season ticket.

Store cards are specified by a storeCard key.

Appropriate for: store loyalty cards, discount cards, points cards, and gift cards.

A store typically identifies the user’s account within your company which can then be used to make payments or receive discounts. If the account carries a balance it shows the current balance on the pass.

Generic passes are specified a generic key.

Appropriate for: any pass that does not fit into one of the above (more specific) categories, e.g. gym membership cards, coat-check claim tickets, and metro passes that carry a balance.

PKPass documentation is available in Wallet Developer Guide. Individual fields are described in PassKit Package Format Reference.

Fields

In general a pass can have up to three header fields, a single primary field, up to four secondary fields, and up to four auxiliary fields.
Boarding passes can have up to two primary fields and up to five auxiliary fields.
Coupons, store cards, and generic passes with a square barcode can have a total of up to four secondary and auxiliary fields, combined.
The number of fields displayed on the pass also depends on the length of the text in each field. If the text is too long some fields may not be displayed.

Relevances

Pass style	Relevant date	Relevant locations	Relevance
Boarding pass	Recommended.	Include the relevant date unless the pass is relevant for an extended period of time, such as for a month-long bus pass.	Optional. Interpreted with a large radius.	Relevant if the date and any location matches. Prior to iOS 6.1, relevant if the date or any location matches. Without a relevant date, pass is relevant if the location matches.
Coupon	Not supported.	Required if relevance information is provided.	Interpreted with a small radius.	Relevant if any location matches.
Event ticket	Recommended. Include the relevant date unless the pass is relevant for an extended period of time, such as for a multi-day event. Prior to iOS 7.1, required if relevance information is provided.	Optional. Interpreted with a large radius.	Relevant if the date and any location matches. Without a relevant location, relevant if the date matches.
Generic	Optional.	Required if relevance information is provided. Interpreted with a small radius.	Relevant if the date and any location matches. Without a relevant date, relevant if any location matches.
Store card	Not supported.	Required if relevance information is provided. Interpreted with a small radius.	Relevant if any location matches.

Read template

Request

curl -X GET '<API_URL>/v1/template/:id' \
     -H 'authorization: Bearer <ACCESS_TOKEN>'

var http = require("https");

var options = {
  method: "GET",
  hostname: "<API_URL>",
  port: null,
  path: "/v1/template/:id",
  headers: {
    authorization: "Bearer <ACCESS_TOKEN>",
  },
};

var req = http.request(options, function (res) {
  var chunks = [];

  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});

GET <API_URL>/v1/template/:id

Path parameter

Name	Note
id	ID of template

Response

Returns Template.

List template

Request

curl -X GET '<API_URL>/v1/template?page=1&limit=100' \
     -H 'authorization: Bearer <ACCESS_TOKEN>'

var http = require("https");

var options = {
  method: "GET",
  hostname: "<API_URL>",
  port: null,
  path: "/v1/template?page=1&limit=100",
  headers: {
    authorization: "Bearer <ACCESS_TOKEN>",
  },
};

var req = http.request(options, function (res) {
  var chunks = [];

  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});

req.end();

GET <API_URL>/v1/template

Url parameters

Name	Note	Required
limit	maximum returned records default 100 and maximum 1000	No
page	returned page default 1	No
where	url encoded JSON query (see Querying)	No
order	(see Ordering)	No
orderBy	(see Ordering)	No

Response

Response:

{
  "limit": 10,
  "page": 1,
  "totalCount": 1,
  "data": [
    {
      "id": "0a088428-40ec-4166-8271-05658e87ad8f",
      "name": "TemplateName",
      "certificationId": "b7654e80-0b87-4c4c-a351-2fc55c86e9b9",
      "projectId": "b7654e80-0b87-4c4c-a351-2fc55c86e9b9",
      "createdAt": "2016-11-04T15:07:21.703676+01:00",
      "deletedAt": null,
      "updatedAt": "2016-12-13T11:55:59.813897+01:00",
      "jsonSchema": {}
    }
  ]
}

Name	Note	Type
data	array of templates	array
totalCount	total count of records	Number
page	retuned page	Number
limit	page size	Number

Push template

Send a push notification to all devices that have pass issued with this template. Device that receives push notification then checks for changes and fetches updated pass(es) if available.

Request

curl -X GET '<API_URL>/v1/template/:id/push' \
     -H 'authorization: Bearer <ACCESS_TOKEN>'

var http = require("https");

var options = {
  method: "GET",
  hostname: "<API_URL>",
  port: null,
  path: "/v1/template/:id/push",
  headers: {
    authorization: "Bearer <ACCESS_TOKEN>",
  },
};

var req = http.request(options, function (res) {
  var chunks = [];

  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});

GET <API_URL>/v1/template/:id/push

Path parameter

Name	Note
id	ID of template

Response

Returns empty json object or error.

Pass

Represents an individual pass that is composed of a template and dynamic data.

{
  "id": "id-of-pass",
  "url": "https://...",
  "templateId": "id-of-template",
  "projectId": "id-of-project",
  "dynamicData": {
    "lastName": "Jedno",
    "fistName": "Tomáš"
  },
  "dynamicImages": {
    "logo": "id-of-logo-image",
    "icon": "id-of-image",
    "strip": {
      "cs": "id-of-czech-image",
      "en": "id-of-english-image"
    },
    "background": "id-of-image",
    "footer": "id-of-image",
    "thumbnail": "id-of-image"
  },
  "expirationDate": null,
  "voided": false,
  "devices": null,
  "lastRegisterAt": null,
  "firstRegisterAt": null,
  "lastUnregisterAt": null,
  "firstUnregisterAt": null,
  "updatedAt": null,
  "createdAt": "2016-10-10T21:48:01.565Z",
  "deletedAt": null
}

Properties

Name	Note	filter&sort	Type
id		✓	string
url	url for pass distribution		string
templateId		✓	string
projectId		✓	string
dynamicData	validated against template’s dynamicDataJsonSchema		object
dynamicImages	object mapping image type to image id		object
expirationDate	end of the pass validity	✓	datetime
voided	enable to deactivate the pass (default false)	✓	boolean
devices	number of active installations on devices (grouped by platform)		object
lastRegisterAt	timestamp of last registration (added) into wallet	✓	datetime
firstRegisterAt	timestamp of first registration (added) into wallet	✓	datetime
lastUnregisterAt	timestamp of last deregistration (removed) from wallet	✓	datetime
firstUnregisterAt	timestamp of irst deregistration (removed) from wallet	✓	datetime
createdAt		✓	datetime
updatedAt		✓	datetime
deletedAt		✓	datetime

Dynamic data

Dynamic data object example:

{
  "fistName": "Tomáš",
  "lastName": "Jedno"
}

Dynamic data are variable values that make up the content of the pass together with the template and images.

Dynamic images

Dynamic images object example:

{
  "images": {
    "logo": "id-of-logo-image",
    "icon": "id-of-image",
    "strip": {
      "cs": "id-of-image-for-czech",
      "sk": "id-of-image-for-slovak",
      "en": "id-of-image-for-english"
    },
    "background": "id-of-image",
    "footer": "id-of-image",
    "thumbnail": "id-of-image"
  }
}

The images object stored within a pass overrides the images object stored within a template.

Do not specify an images object if you want to use the one from the template.

Create pass

Create a single pass.

Request

curl -X POST '<API_URL>/v1/pass' \
     -H 'authorization: Bearer <ACCESS_TOKEN>' \
     -H 'content-type: application/json' \
     -d '{"dynamicData":{"qrcode":"12345678","fullName":"Mr. Tomáš Dvě","cardNumber":"12345678"},"dynamicImages":{"logo":"id-of-logo-image","icon":"id-of-image","strip":{"cs":"id-of-image-for-czech","sk":"id-of-image-for-slovak","en":"id-of-image-for-english"},"background":"id-of-image","footer":"id-of-image","thumbnail":"id-of-image"},"templateId":"id-of-template"}'

var http = require("https");

var options = {
  method: "POST",
  hostname: "<API_URL>",
  port: null,
  path: "/v1/pass",
  headers: {
    authorization: "Bearer <ACCESS_TOKEN>",
    "content-type": "application/json",
  },
};

var req = http.request(options, function (res) {
  var chunks = [];

  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});

req.write(
  '{"dynamicData":{"qrcode":"12345678","fullName":"Mr. Tomáš Dvě","cardNumber":"12345678"},"dynamicImages":{"logo":"id-of-logo-image","icon":"id-of-image","strip":{"cs":"id-of-image-for-czech","sk":"id-of-image-for-slovak","en":"id-of-image-for-english"},"background":"id-of-image","footer":"id-of-image","thumbnail":"id-of-image"},"templateId":"id-of-template"}'
);

req.end();

POST <API_URL>/v1/pass

Body

Name	Note	Required	Type
dynamicData	validated against template’s dynamicDataJsonSchema (default null)	No	object
dynamicImages	Object with image IDs (default null)	No	object
expirationDate	end of the pass validity	No	datetime
templateId		Yes	string

Response

Returns Pass.

Read pass

Pass detail

Request

curl -X GET '<API_URL>/v1/pass/:id' \
     -H 'authorization: Bearer <ACCESS_TOKEN>'

var http = require("https");

var options = {
  method: "GET",
  hostname: "<API_URL>",
  port: null,
  path: "/v1/pass/:id",
  headers: {
    authorization: "Bearer <ACCESS_TOKEN>",
  },
};

var req = http.request(options, function (res) {
  var chunks = [];

  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});

req.end();

GET <API_URL>/v1/pass/:id

Path parameter

Name	Note
id	pass ID

Response

Returns Pass.

Update pass

Update existing pass. If templateId is changed the dynamic data must validate against the json schema stored with the new template.

Request

curl -X PUT '<API_URL>/v1/pass/:id' \
     -H 'authorization: Bearer <ACCESS_TOKEN>' \
     -H 'content-type: application/json' \
     -d '{"dynamicData":{"qrcode":"12345678","fullName":"Mr. Tomáš Dvě","cardNumber":"12345678"},"dynamicImages":{"logo":"id-of-logo-image","icon":"id-of-image","strip":{"cs":"id-of-image-for-czech","sk":"id-of-image-for-slovak","en":"id-of-image-for-english"},"background":"id-of-image","footer":"id-of-image","thumbnail":"id-of-image"},"templateId":"id-of-template"}'

var http = require("https");

var options = {
  method: "PUT",
  hostname: "<API_URL>",
  port: null,
  path: "/v1/pass/:id",
  headers: {
    authorization: "Bearer <ACCESS_TOKEN>",
    "content-type": "application/json",
  },
};

var req = http.request(options, function (res) {
  var chunks = [];

  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});

req.write(
  '{"dynamicData":{"qrcode":"12345678","fullName":"Mr. Tomáš Dvě","cardNumber":"12345678"},"dynamicImages":{"logo":"id-of-logo-image","icon":"id-of-image","strip":{"cs":"id-of-image-for-czech","sk":"id-of-image-for-slovak","en":"id-of-image-for-english"},"background":"id-of-image","footer":"id-of-image","thumbnail":"id-of-image"},"templateId":"id-of-template"}'
);

req.end();

PUT <API_URL>/v1/pass/:id

Path parameter

Name	Note	Required
id		Yes

Body

Name	Note	Required	Type
dynamicData	validated against template’s dynamicDataJsonSchema (default null)	No	object
dynamicImages	object with image IDs (default null)	No	object
templateId		Yes	string
expirationDate	end of the pass validity	No	datetime
voided		No	boolean

Response

Returns Pass.

Delete pass

Mark pass as deleted and set voided property to true.

Request

curl -X DELETE '<API_URL>/v1/pass/:id' \
     -H 'authorization: Bearer <ACCESS_TOKEN>'

var http = require("https");

var options = {
  method: "DELETE",
  hostname: "<API_URL>",
  port: null,
  path: "/v1/pass/:id",
  headers: {
    authorization: "Bearer <ACCESS_TOKEN>",
  },
};

var req = http.request(options, function (res) {
  var chunks = [];

  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});

req.end();

DELETE <API_URL>/v1/pass/:id

Path parameter

Name	Note
id	ID of pass

Response

Returns Pass.

List pass

Request

curl -X GET '<API_URL>/v1/pass?page=1&limit=100' \
     -H 'authorization: Bearer <ACCESS_TOKEN>'

var http = require("https");

var options = {
  method: "GET",
  hostname: "<API_URL>",
  port: null,
  path: "/v1/pass?page=1&limit=100",
  headers: {
    authorization: "Bearer <ACCESS_TOKEN>",
  },
};

var req = http.request(options, function (res) {
  var chunks = [];

  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});

req.end();

GET <API_URL>/v1/pass

Url parameters

Name	Note	Default	Required
limit	paging limit (max 1000)	100	No
page	page number	1	No
where	url encoded JSON query (see Querying)		No
order	(see Ordering)		No
orderBy	(see Ordering)		No

Response

Response:

{
  "limit": 1000,
  "page": 1,
  "totalCount": 1,
  "data": [
    {
      "id": "id-of-pass",
      "url": "https://...",
      "templateId": "id-of-template",
      "dynamicData": {
        "qrcode": "12345678",
        "fullName": "Mr. Tomáš Dvě",
        "cardNumber": "12345678"
      },
      "dynamicImages": {
        "logo": "id-of-logo-image",
        "icon": "id-of-image",
        "strip": {
          "cs": "id-of-image-for-czech",
          "sk": "id-of-image-for-slovak",
          "en": "id-of-image-for-english"
        },
        "background": "id-of-image",
        "footer": "id-of-image",
        "thumbnail": "id-of-image"
      },
      "voided": false,
      "devices": null,
      "lastRegisterAt": null,
      "firstRegisterAt": null,
      "lastUnregisterAt": null,
      "firstUnregisterAt": null,
      "updatedAt": "2017-11-06T13:21:31.815Z",
      "createdAt": "2016-10-10T21:48:01.565Z",
      "deletedAt": null
    }
  ]
}

Response body

Name	Note	Type
limit	page size	number
page	retuned page	number
totalCount	total count of records	number
data	array of passes	array

Batch pass

The batch size is limited to 25 unique passes. Batch is processed asynchronously, each id can be used only once per batch. The service always returns an HTTP STATUS of 200, status for individual operations is provided via status property in the returned data.

Request

curl -X POST '<API_URL>/v1/pass/batch' \
     -H 'authorization: Bearer <ACCESS_TOKEN>' \
     -H 'content-type: application/json' \
     -d '[{"method":"POST","data":{"templateId":"YourtemplateId","dynamicData":{"property":"..."},"dynamicImages":{"logo":"..."}}},{"method":"GET","id":"id-of-pass"},{"method":"PUT","id":"id-of-pass","data":{"id":"id-of-pass","templateId":"YourtemplateId","dynamicData":{"property":"..."},"dynamicImages":{"logo":"..."}}},{"method":"DELETE","id":"id-of-pass"}]'

var http = require("https");

var options = {
  method: "POST",
  hostname: "<API_URL>",
  port: null,
  path: "/v1/pass/batch",
  headers: {
    authorization: "Bearer <ACCESS_TOKEN>",
    "content-type": "application/json",
  },
};

var req = http.request(options, function (res) {
  var chunks = [];

  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});

req.write(
  '[{"method":"POST","data":{"templateId":"YourtemplateId","dynamicData":{"property":"..."},"dynamicImages":{"logo":"..."}}},{"method":"GET","id":"id-of-pass"},{"method":"PUT","id":"id-of-pass","data":{"id":"id-of-pass","templateId":"YourtemplateId","dynamicData":{"property":"..."},"dynamicImages":{"logo":"..."}}},{"method":"DELETE","id":"id-of-pass"}]'
);
req.end();

POST <API_URL>/v1/pass/batch

Body

JSON encoded array of objects with following structure:

Name	Note	Required	Type
method	`GET`/`POST`/`PUT`/`DELETE`	Yes	string
id		only for `GET`, `PUT` and `DELETE`	string
data	request data	only for `POST` and `PUT`	object

Response

Response:

[
  {
    "status": {
      "code": 201,
      "message": "created"
    },
    "data": {
      "id": "id-of-pass",
      "templateId": "YourtemplateId",
      "dynamicData": {
        "property": "..."
      },
      "dynamicImages": {
        "logo": "..."
      }
    }
  },
  {
    "status": {
      "code": 200,
      "message": "ok"
    },
    "data": {
      "templateId": "YourtemplateId",
      "id": "id-of-pass",
      "dynamicData": {
        "property": "..."
      },
      "dynamicImages": {
        "logo": "..."
      }
    }
  },
  {
    "status": {
      "code": 200,
      "message": "ok"
    },
    "data": {
      "id": "id-of-pass",
      "templateId": "YourtemplateId",
      "dynamicData": {
        "property": "..."
      },
      "dynamicImages": {
        "logo": "..."
      }
    }
  },
  {
    "status": {
      "code": 200,
      "message": "ok"
    },
    "data": {
      "id": "id-of-pass",
      "templateId": "YourtemplateId",
      "dynamicData": {
        "property": "..."
      },
      "dynamicImages": {
        "logo": "..."
      }
    }
  }
]

Returns JSON encoded array of responses

Property	Note
status	object with message and code properties
data

Patch pass

Pass before patching

{
  "id": "id-of-pass",
  "templateId": "id-of-template",
  "dynamicData": {
    "qrcode": "12345678",
    "fullName": "Mr. Tomáš Jedno",
    "cardNumber": "12345678"
  },
  "dynamicImages": {
    "logo": "id-of-logo-image",
    "icon": "id-of-icon-image",
    "strip": "id-of-strip-image",
    "background": "id-of-image",
    "footer": "id-of-image",
    "thumbnail": "id-of-image"
  },
  "voided": false
}

Patch an existing pass overriding only specified properties. To delete a property set its value to null.

Request

Patch pass

curl -X PATCH '<API_URL>/v1/pass/:id' \
     -H 'authorization: Bearer <ACCESS_TOKEN>' \
     -H 'content-type: application/json' \
     -d '{"dynamicData":{"fullName":"Mr. Tomáš Tři"},"dynamicImages":{"strip":{"cs":"id-of-image-for-czech","en":"id-of-image-for-english"}},"templateId":"id-of-another-template"}'

var http = require("https");

var options = {
  method: "PATCH",
  hostname: "<API_URL>",
  port: null,
  path: "/v1/pass/:id",
  headers: {
    authorization: "Bearer <ACCESS_TOKEN>",
    "content-type": "application/json",
  },
};

var req = http.request(options, function (res) {
  var chunks = [];

  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});

req.write(
  '{"dynamicData":{"fullName":"Mr. Tomáš Tři"},"dynamicImages":{"strip":{"cs":"id-of-image-for-czech","en":"id-of-image-for-english"}},"templateId":"id-of-another-template"}'
);

req.end();

PATCH <API_URL>/v1/pass/:id

Body

Name	Note	Required	Type
dynamicData	validated against template’s dynamicDataJsonSchema	No	object
dynamicImages	object with image IDs	No	object
templateId		No	string
expirationDate	end of the pass validity	No	datetime
voided		No	boolean

Response

Patched pass

{
  "id": "id-of-pass",
  "templateId": "id-of-another-template",
  "dynamicData": {
    "qrcode": "12345678",
    "fullName": "Mr. Tomáš Tři",
    "cardNumber": "12345678"
  },
  "dynamicImages": {
    "logo": "id-of-logo-image",
    "icon": "id-of-icon-image",
    "strip": {
      "cs": "id-of-czech-image",
      "en": "id-of-english-english"
    },
    "background": "id-of-image",
    "footer": "id-of-image",
    "thumbnail": "id-of-image"
  },
  "voided": false
}

Returns JSON object described in Pass section

Anonymize pass

Pass before update

{
  "id": "id-of-pass",
  "templateId": "id-of-template",
  "dynamicData": {
    "name": "Batman",
    "realName": "Bruce Wayne"
  },
  "voided": false
}

Pass anonymization can be achieved by updating/patching the pass resource with anonymized data or deleting the data alltogether. In both cases the data is no longer stored in Yourpass. Therefore the process is irreversible.

Patch pass

Patch request

curl -X PATCH '<API_URL>/v1/pass/:id' \
     -H 'authorization: Bearer <ACCESS_TOKEN>' \
     -H 'content-type: application/json' \
     -d '{"dynamicData":{"realName":"unknown"}}'

var http = require("https");

var options = {
  method: "PATCH",
  hostname: "<API_URL>",
  port: null,
  path: "/v1/pass/:id",
  headers: {
    authorization: "Bearer <ACCESS_TOKEN>",
    "content-type": "application/json",
  },
};

var req = http.request(options, function (res) {
  var chunks = [];

  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});

req.write('{"dynamicData":{"realName":"unknown"}}');

req.end();

You can patch an existing pass overriding only specified properties.

Patch response

{
  "id": "id-of-pass",
  "templateId": "id-of-template",
  "dynamicData": {
    "name": "Batman",
    "realName": "unknown"
  },
  "voided": false
}

Update pass

Update request

curl -X PUT '<API_URL>/v1/pass/:id' \
     -H 'authorization: Bearer <ACCESS_TOKEN>' \
     -H 'content-type: application/json' \
     -d '{"dynamicData":{},"templateId":"id-of-template"}'

var http = require("https");

var options = {
  method: "PUT",
  hostname: "<API_URL>",
  port: null,
  path: "/v1/pass/:id",
  headers: {
    authorization: "Bearer <ACCESS_TOKEN>",
    "content-type": "application/json",
  },
};

var req = http.request(options, function (res) {
  var chunks = [];

  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});

req.write('{"dynamicData":{},"templateId":"id-of-template"}');

req.end();

Or you can update the pass, replacing all data with the provided. Setting dynamicData to empty object deletes all keys within.

Update response

{
  "id": "id-of-pass",
  "templateId": "id-of-template",
  "dynamicData": {},
  "voided": false
}

If there is no dynamicData, fallback will be used when rendering the pass.

General

Paging

curl -X GET '<API_URL>/v1/pass?page=1&limit=100' \
     -H 'authorization: Bearer <ACCESS_TOKEN>'

var http = require("https");

var options = {
  method: "GET",
  hostname: "<API_URL>",
  port: null,
  path: "/v1/pass?page=1&limit=100",
  headers: {
    authorization: "Bearer <ACCESS_TOKEN>",
  },
};

var req = http.request(options, function (res) {
  var chunks = [];

  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});

req.end();

GET <API_URL>/v1/pass?page=1&limit=100

Query parameters

Name	Note	Default	Required
page	page number	1	No
limit	page size (max 1000)	100	No

Response

Paged list response

{
  "data": [],
  "limit": 100,
  "page": 1,
  "totalCount": 0
}

Ordering

Ordering (sorting) of resources

List pass ordered by updatedAt

curl -X GET '<API_URL>/v1/pass?order=asc&orderBy=updatedAt' \
     -H 'authorization: Bearer <ACCESS_TOKEN>'

var http = require("https");

var options = {
  method: "GET",
  hostname: "<API_URL>",
  port: null,
  path: "/v1/pass?order=asc&orderBy=updatedAt",
  headers: {
    authorization: "Bearer <ACCESS_TOKEN>",
  },
};

var req = http.request(options, function (res) {
  var chunks = [];

  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});

req.end();

GET <API_URL>/v1/pass?order=asc&orderBy=updatedAt

Query parameters

Name	Note	Required
order	`asc`/`desc`	No
orderBy	queried object scalar property	No

Querying

Querying (filtering) of resources

GET <API_URL>/v1/pass?where={"voided":{"$eq":true}}

List of voided passes created in July 2017

curl -X GET '<API_URL>/v1/pass?where={"voided":{"$eq":true},"createdAt":{"$gte":"2017-07-01","$lt":"2017-08-01"}}' \
     -H 'authorization: Bearer <ACCESS_TOKEN>'

var http = require("https");

var where = {
  voided: { $eq: true },
  createdAt: { $gte: "2017-07-01", $lt: "2017-08-01" },
};

var options = {
  method: "GET",
  hostname: "<API_URL>",
  port: null,
  path: "/v1/pass?where=" + encodeURIComponent(JSON.stringify(where)),
  headers: {
    authorization: "Bearer <ACCESS_TOKEN>",
  },
};

var req = http.request(options, function (res) {
  var chunks = [];

  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});

req.end();

When you request a list you can filter objects by setting the where query parameter
The where parameter accepts an object with attribute:value pairs, where value can be a primitive (for equals matches) or an object specifying an operator and a value
Invalid where parameter is discarded as if it was not sent with the request

The where parameter should be urlencoded. The examples do not use urlencoded where parameter for better readability.

Operator	Description
`{"$gt": 6}`	> 6
`{"$gte": 6}`	>= 6
`{"$lt": 10}`	< 10
`{"$lte": 10}`	<= 10
`{"$ne": null}`	!= null
`{"$eq": null}`	= null
`{"$in": [1, 2]}`	IN [1, 2]
`{"$notIn": [1, 2]}`	NOT IN [1, 2]
`{"$like": "%hat%"}`	LIKE ‘%hat%’
`{"$notLike": "%hat"}`	NOT LIKE ‘%hat’
`{"$all": [5, 3]}`	@> [5, 3]

If $like or $notlike operator is provided without a % symbol, it behaves similar to $eq and $neq respectively.

Operators $like and $notlike are not supported when querying for an id.

Status codes

Code	Message	Description
200	OK	Your request was processed successfully
201	Created	Instance has been created successfully
400	Bad Request	Your request sucks
401	Unauthorized	Your API key is wrong
403	Forbidden	The request is for administrators only
404	Not Found	The specified request or data could not be found
413	Request Entity Too Large	The request is larger than the server is willing or able to process. Previously called “Request Entity Too Large”
500	Internal Server Error	There was a problem with our servers. Try again later
503	Service Unavailable	The service is temporarially offline for maintanance. Please try again later

Type definitions

datetime

Datetime fields are of type string and their format is defined as per RFC3339.

All fields that expect date as an input must adhere to this specification, including dynamic data values that will be used in these fields.

Pass distribution

A pass can be distributed directly (e.g. as an email attachment) in the pkpass format, or via a link to our servers.

Get pass

Request

Link to distribute pass

<a href="<DISTRIBUTION_URL>/:id?tag=someTag">Get pass</a>

GET <DISTRIBUTION_URL>/:id

Path parameters

Name	Note	Required
id	pass id	Yes

Query parameters

Name	Note	Required
tag	tag your distribution channels; can be used multiple times (`<DISTRIBUTION_URL>/:id?tag=rollup&tag=entrance`)	No
format	distribution format [`pkpass`/`pdf`/`barcode`/`qrcode`]	No

Note:

Tags are transformed to lower case.
The valid tag doesn’t contain spaces and has maximal length 16 chars.
The maximal count of valid tags is 10.
Tag console is reserved for yourpass console.

Formats

Name	Note
pkpass	pass in the pkpass format for wallet applications suporting it
pdf	printable alternative of pkpass
barcode	returns svg of the barcode in the pass
qrcode	returns svg encoded qrcode with link to the preview of pass (no format)

Response

Returns a pass to the end-user in the specified format. If no format is supplied and the device supports pkpass, it is returned in this format. Otherwise an HTML preview is shown which includes action buttons to download the pass. This service also collects statistical information about pass downloads and previews.

Issue link

The service can be used only on distributable templates (i.e. the distributable flag is set to true.)

The endpoint can be used in two ways:

To generate a new pass and redirect the end-user to Get pass
To generate a qr code with a link to generate a new pass (redirects back to this endpoint)

Example usage in html as link:

<a href="<ISSUE_URL>/:id"> Get pass </a>

Example usage in html as image:

<img src="<ISSUE_URL>/:id?format=qrcode" />

Request

GET <ISSUE_URL>/:id or GET <ISSUE_URL>/:id?format=qrcode

Path parameters

Name	Note	Required
id	template id	Yes

Query parameters

Name	Note	Required
format	if you set format to `qrcode`, svg encoded qrcode is generated with a link to issue a new pass	No

Response

Without format parameter

New pass is created and the end-user is redirected to Get pass. The redirect url does not contain the format parameter which means that either pkpass will be downloaded or the user will be presented with an HTML preview

With qrcode format

No pass is created, only an SVG qrcode is generated. The qrcode contains an address back to this endpoint without the format parameter; When a user scans the qrcode they will visit the <ISSUE_URL>/:id which will generate a new pass and redirect them to Get pass as stated above.

Webhooks

Two kinds of webhooks are currently supported:

device registration
device unregistration

The webhook service expects a successful answer (HTTP status code 2xx) to be returned in at most 10 seconds. If your service does not answer in a timely manner or with the previously mentioned status code, the event will be marked as “undelivered” and will be retried with an exponential backoff (this backoff can be configured), all successive messages will be postponed until the failed one succeeds. If the number of retries reaches the limit, the event is discarded.

By default the limit is 15 retries with an exponential backoff using the formula 10x1.5^n in seconds where n is the number of the retry.

The only currently supported authentication method is an API key (using X-API-Key header) with the value of your choice.

Webhooks need to be configured manually, please contact Yourpass support and provide the following information:

Project IDs for which you want to receive webhooks
URL for each project ID (can be part of URL path or parameters)

Project ID: 00000000-0000-0000-0000-000000000000
Webhook URL for device registration: https://example.com/webhook/yourpass?event=register
Webhook URL for device unregistration: https://example.com/webhook/yourpass?event=unregister

See the example

Device registration

Whenever the device registers to receive push notifications for the wallet pass.

{
  "passId": "00000000-0000-0000-0000-000000000000",
  "timestamp": "2006-01-02T15:04:05.999Z",
  "wallet": "ios_wallet"
}

Properties

Name	Note	filter&sort	Type
passId		✓	string
timestamp		✓	datetime
wallet	type of wallet [`ios_wallet`/`android_yourwallet`/`android_pass2u`/`android_attido`/`android_walletpasses`/`unknown`]	✓	string

Device unregistration

{
  "passId": "00000000-0000-0000-0000-000000000000",
  "timestamp": "2006-01-02T15:04:05.999Z",
  "wallet": "ios_wallet"
}

Properties

Name	Note	filter&sort	Type
passId		✓	string
timestamp		✓	datetime
wallet	type of wallet [`ios_wallet`/`android_yourwallet`/`android_pass2u`/`android_attido`/`android_walletpasses`/`unknown`]	✓	string