Skip to main content

Wych events provide a consistent way to record, publish, and consume platform activity across Wych services.

Events are used for operational monitoring, audit trails, reporting, troubleshooting, support workflows, compliance evidence, and downstream integrations such as event hubs, logging platforms, customer notification systems, and reporting services.

The Wych Events schema represents an array of event objects. Each item in the array is a flat event structure that describes a single activity or system occurrence.

Event payload structure

The root payload is an array. Each item in the array represents one Wych event.

{[
  {
    "id": "2f2a9e3c-2c5d-4b76-b62f-58c6a4a93f20",
    "timestamp": "2026-05-21T01:12:45Z",
    "eventType": "OB_CONSENT_GRANTED"
  }
]}

Required fields

Each event must include the following fields.

FieldTypeDescription
idstringUnique identifier for the event instance. This must be a UUID v4 value.
timestampstringISO 8601 UTC timestamp showing when the event was generated.
eventTypestringDiscriminator field used for routing, filtering, reporting, and downstream processing.

Optional fields

Events may also include additional context fields.

FieldTypeDescription
tenantstringThe tenant associated with the event. Maximum length is 64 characters.
clientstringThe client used in the request. Maximum length is 64 characters.
sessionstringThe user or platform session associated with the request. Maximum length is 64 characters.
messagestringHuman-readable context or serialised details. Must be truncated to 2048 characters.
initiatorstringThe actor that triggered the event, such as a client ID or user ID. Maximum length is 36 characters.
traceIdstringW3C Trace Context ID used for distributed tracing correlation. Maximum length is 64 characters.
apiIdstringIdentifies the specific microservice or API product involved.
httpMethodstringHTTP method associated with the event. Supported values are GET, POST, PUT, DELETE, and PATCH.
urlstringThe invoked URL, scrubbed of sensitive query parameters.
responseCodeintegerHTTP response status code, where relevant.
idempotencyKeystringThe request x-idempotency-key header value, where provided.

The schema allows additional properties so that services can include extra event-specific metadata where required. Consumers should not depend on undocumented fields unless agreed as part of an integration contract.

Event type groups

Event types are grouped by the platform area or workflow they relate to.

Third-party provider events

These events relate to third-party provider onboarding, access requests, documentation, and key management.

Event typeDescription
TPP_SIGNUPA third-party provider has started or completed signup.
TPP_SANDBOXA third-party provider has accessed, requested, or been provisioned for sandbox use.
TPP_DOC_UPLOADA third-party provider has uploaded documentation, evidence, certificates, or supporting material.
TPP_ACCESS_REQUESTA third-party provider has requested access to a tenant, environment, data holder, API product, or service.
TPP_KEY_STATUS_UPDATEThe status of a third-party provider key, certificate, or credential has changed.

Open banking events

These events relate to open banking consent, data access, and payment initiation journeys.

Event typeDescription
OB_CONSENT_REQUESTEDA consent request has been initiated. This may occur when a customer starts an authorisation journey.
OB_CONSENT_GRANTEDA customer has successfully granted consent.
OB_CONSENT_DENIEDA customer has declined, cancelled, or denied a consent request.
OB_CONSENT_EXPIREDA consent has expired and can no longer be used.
OB_DATA_REQUESTEDData has been requested under an active consent or authorised open banking interaction.
OB_PAYMENT_INITIATEDA payment initiation request has been created or submitted through an open banking payment flow.

Partner portal events

These events relate to activity performed through the Wych partner portal.

Event typeDescription
PTL_LOGINA user has logged in to the partner portal.
PTL_CONSENT_MANAGEDA user has viewed, updated, revoked, or otherwise managed consent through the portal.
PTL_ACCESS_CHANGEDA user, client, partner, tenant, or access setting has changed.
PTL_SEARCH_EXECUTEDA user has performed a search in the portal.
PTL_REPORT_GENERATEDA report has been generated through the portal.

These events relate to consent portal activity, support interactions, data extracts, token refreshes, and consent failures.

Event typeDescription
CNSNT_PORTAL_LOGINA user has logged in to the consent portal.
CNSNT_SUPPORT_REQUEST_STATUSThe status of a consent-related support request has changed.
CNSNT_DATA_EXTRACTA data extract has been generated or requested for consent-related data.
CNSNT_CUSTOMER_EXTRACTA customer-level extract has been generated or requested.
CNSNT_UPDATEA consent record has been updated.
CNSNT_FAILUREA consent-related process has failed. The message, traceId, and responseCode fields may provide additional context.
CNSNT_TOKEN_REFRESHA consent-related token has been refreshed.

Gateway API events

Gateway API events relate to requests handled by Wych gateway services. These are typically useful for request tracing, operational auditing, and integration troubleshooting.

Event typeDescription
GW_API_REQUEST_RECEIVEDThe gateway has received an API request.
GW_API_RESPONSE_SENTThe gateway has sent an API response.
GW_API_DELEGATIONThe gateway has delegated a request to another service, connector, data holder, or downstream system.
GW_API_FAILUREThe gateway has encountered a failure while processing a request.

API events

API events relate to service-level API processing.

Event typeDescription
API_REQUEST_RECEIVEDAn API service has received a request.
API_RESPONSE_SENTAn API service has sent a response.
API_FAILUREAn API service has encountered a processing failure.
API_VALIDATIONA validation event has occurred, such as request validation, schema validation, or business rule validation.
API_DELEGATIONdeprecated
An API service has delegated processing to another service or downstream system.
API_DELEGATION_REQUESTA request has been sent from one service to another service or downstream system.
API_DELEGATION_RESPONSEA response has been received from a delegated service or downstream system.

Authentication events

Authentication events relate to login, registration, token exchange, and identity platform activity.

Event typeDescription
AUTH_LOGIN_ATTEMPTA login attempt has occurred. This may include successful and unsuccessful attempts, depending on the producing service.
AUTH_LOGIN_SUCCESSA user has successfully authenticated.
AUTH_REGISTRATIONA user, client, or account registration event has occurred.
AUTH_TOKEN_EXCHANGEA token exchange has occurred, such as an authorisation code exchange, client credentials exchange, or refresh flow.
AUTH_SYSTEMA system-level authentication or identity event has occurred.
AUTH_MISCA miscellaneous authentication event that does not fit one of the more specific authentication event types.

Compliance testing events

Compliance testing events relate to the lifecycle of a compliance test, certification test, conformance run, or validation workflow.

Event typeDescription
CT_INITIATEDA compliance test or validation workflow has been initiated.
CT_FAILEDA compliance test or validation workflow has failed.
CT_SUCCEEDEDA compliance test or validation workflow has succeeded.
CT_ACTION_REQUIREDA compliance test requires manual review, configuration, evidence, or another action before it can continue or complete.
CT_COMPLETEA compliance test or validation workflow has completed. This may be used when a process has ended regardless of pass or fail status.

Example event payload

The following example shows a batch of Wych events.

{[
  {
    "id": "2f2a9e3c-2c5d-4b76-b62f-58c6a4a93f20",
    "timestamp": "2026-05-21T01:12:45Z",
    "eventType": "OB_CONSENT_GRANTED",
    "tenant": "example-bank",
    "client": "example-client",
    "session": "session-123",
    "message": "Customer granted consent for account and transaction data.",
    "initiator": "user-456",
    "traceId": "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-00",
    "apiId": "consent-service",
    "httpMethod": "POST",
    "url": "/consents",
    "responseCode": 201,
    "idempotencyKey": "consent-request-789"
  },
  {
    "id": "a79b94c9-6a18-4c0d-9d5c-8d30ef87f1f4",
    "timestamp": "2026-05-21T01:13:02Z",
    "eventType": "API_RESPONSE_SENT",
    "tenant": "example-bank",
    "client": "example-client",
    "message": "Account detail response returned successfully.",
    "traceId": "00-4bf92f3577b34da6a3ce929d0e0e4736-9f3c8a27b5e42d61-00",
    "apiId": "accounts-api",
    "httpMethod": "GET",
    "url": "/banking/accounts/account-123",
    "responseCode": 200
  }
]}

Handling sensitive information

Event payloads must not contain sensitive customer data, access tokens, refresh tokens, authorisation codes, secrets, private keys, or unredacted credentials.

URLs must be scrubbed of sensitive query parameters before they are included in an event.

The message field should provide enough context to support operational investigation, but it should not be used as a general-purpose data container.

Using events

Consumers should use eventType as the primary discriminator for routing and filtering.

Where more detailed correlation is required, consumers should use supporting fields such as traceId, tenant, client, session, apiId, and idempotencyKey.

Events can be used to:

  • monitor platform activity;
  • support operational troubleshooting;
  • correlate requests across distributed services;
  • support customer and partner reporting;
  • provide audit evidence;
  • trigger downstream notifications or workflows;
  • support security and compliance investigations.

Consumer guidance

Consumers should treat each item in the event array as an independent event.

A payload may contain one event or multiple events. Consumers should process each event separately and should not assume that all events in a batch relate to the same tenant, client, session, API, or trace.

Consumers should also allow for additional fields, as the schema permits additional properties for service-specific metadata.