<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-MJZZQGM" height="0" width="0" style="display:none;visibility:hidden">Skip to main content
AML HQ API - Developer Getting Started Guide
API Developer Guide
REST / JSONJWT Auth

Developer Getting Started Guide

Conceptual model, core workflow, and a practical end-to-end walkthrough. For exhaustive parameter documentation use the Swagger reference.

REST / JSONJWT + API Key Authv1
01

Introduction

AML HQ is a compliance platform for Anti-Money Laundering (AML) and Know Your Customer (KYC) workflows. The API lets you programmatically manage every part of that workflow: creating and maintaining client records, running identity verification, screening for politically exposed persons (PEPs) and sanctions, requesting official company registry data, and building risk assessments.

Base URLs

Use the correct base URL for your region. All paths in this guide are relative to that base.

Production - IE and Other
Ireland and all other jurisdictions
Production - UK Clients
Use for all UK-based deployments
Test Environment
Development and integration testing only
Important: All requests require HTTPS. Responses are JSON. Never run test traffic against Production. Use GET /user/environment to confirm which environment you are connected to.

Swagger Reference Documentation

This guide covers the conceptual model and core workflow. For exhaustive endpoint and model reference, use the interactive Swagger documentation:

EnvironmentSwagger URL
Production - IE / Otherhttps://api.amlhq.com/swagger
Production - UKhttps://api.amlhq.co.uk/swagger
Testhttps://apitest.amlhq.com/swagger
Try it out: The Test environment Swagger page at https://apitest.amlhq.com/index.html includes a live "Try it out" button on every endpoint. This lets you make real API calls directly from the browser - ideal for exploring the API and testing requests before writing any code. Use your test credentials to authenticate and experiment safely without affecting production data.
02

Core Concepts and Data Model

Before making any API calls, understand the key entities and how they relate to each other.

ENTITY RELATIONSHIP OVERVIEWAccountyour organisationUsersroles and permissionsClientcompany or personClient Partydirector, UBO, etc.IDV Sessionidentity verifyPEP/SanctionscreeningAddress Verif.UK onlyAssessmentrisk scoringData Requestregistry lookupLEGENDStructural relationshipLinked check / resultAssessment / data

Account

Your organisation's top-level container. Has users, a subscription type, and a credit balance.

User

Authenticates and acts within the account. Roles control access: AccountOwner, ManageClient, ManagePolicies.

Client

The subject of due diligence - a company or individual your firm engages with. Has risk level, due diligence level, and parties.

Client Party

A person or entity associated with a Client - director, UBO, PSC (Person with Significant Control), shareholder. Compliance checks are attached here.

IDV Session

Identity verification of a person. Creates a secure URL shared with the subject who completes it online.

PEP / Sanction Check

Screens a name against PEP lists, sanctions databases, and optionally adverse media. Returns match results and a score.

Assessment

Structured risk questionnaire based on a template. Produces a risk score and level that can propagate to the Client.

Understanding Credits

Some operations consume account credits. Check your balance with GET /user/remainingcredits. Use cost endpoints to estimate before bulk operations:

03

Authentication

The AML HQ API supports two authentication methods. Both grant the same access - choose based on your integration needs.

Method 1 - JWT Bearer Token

Exchange username and password for a time-limited token. Best for user-facing integrations.

Scheme: jwt_auth (http, Bearer)

Header: Authorization: Bearer {token}

Method 2 - API Key  

Two permanent headers for server-to-server integrations. No token exchange required.

Schemes: api_key_auth + username_header

Headers: X-Api-Key + X-Username

Method 1: JWT Bearer Token

Authenticate with username and password to receive a JWT token. Swagger scheme name: jwt_auth (http, Bearer).

HTTP - Authenticate
POST /user/authenticate
Content-Type: application/json

{
  "username": "your.username",
  "password": "YourPassword1"
}
JSON - Response
{
  "token": "eyJhbGci...",
  "tokenExpiryDate": "2025-12-31T23:59:59Z",
  "twoFactorRequired": false,
  "userDetails": { ... }
}
Header - All subsequent requests
Authorization: Bearer eyJhbGci...

Two-Factor Authentication

If 2FA is enabled, the first call returns twoFactorRequired: true and sends a code. Re-call with the code included:

JSON - 2FA Login
{ "username": "your.username", "password": "YourPassword1",
   "twoFactorCode": "123456" }
Token lifetime: Tokens expire at tokenExpiryDate. Detect 401 responses and re-authenticate to get a fresh token.

Method 2: API Key Authentication  Available from 7 June 2025

Designed for server-to-server and programmatic integrations. Send two permanent headers on every request. No POST /user/authenticate call is needed. Swagger schemes: api_key_auth (X-Api-Key) and username_header (X-Username).

Coming 7 June 2025: Contact the AML HQ team now to request an API key for your account so you are ready from day one.
HeaderSwagger SchemeDescription
X-Api-Keyapi_key_auth (apiKey)Your account API key - obtained by contacting AML HQ. Permanent credential - treat like a password.
X-Usernameusername_header (apiKey)The username to act on behalf of. Must be a valid active user in your account.
HTTP - API Key Request
GET /clients/search
X-Api-Key: your-api-key-here
X-Username: api.service@yourfirm.com
Security: Do not expose your API key in client-side code, source control, or logs. A single key works with any active username in your account by changing the X-Username value. Rotate it immediately if it is ever compromised.

Requesting an API Key

There are two ways to obtain an API key:

  • Contact AML HQ directly - reach out to the team and we will provision a key for your account.
  • Via the API - if you already have a valid JWT Bearer token, you can retrieve your account API keys programmatically:
HTTP - Retrieve API Key via API
GET /account/apikeys/{keynumber}
Authorization: Bearer eyJhbGci...

// Returns the API key for the given key number on your account
// Use the returned key as the X-Api-Key header value going forward

See the Swagger documentation for full details on the Account API Keys endpoints.

04

Core API Workflow

The natural progression for a client onboarding scenario. Each step builds on the previous one - IDs returned become inputs to subsequent calls.

1. AuthenticateJWT: POST /user/authenticateAPI Key: X-Api-Key + X-Username2. Create ClientPOST /clients - clientId3. Add Client PartiesPOST /clients/{id}/parties - partyId4a. IDV SessionPOST /idvsessions4b. PEP ScreenPOST /pepsanctionchecks4c. Address Verif.POST /addressverifications5. Risk AssessmentPOST /assessments- risk score and level
Steps 4a, 4b, and 4c are independent and can run in parallel. They all require a Client Party to exist first.

Essential Endpoints at a Glance

MethodEndpointPurposeSwagger
POST/user/authenticateGet a JWT tokenRef
GET/referencedataFetch all valid enum values in one callRef
POST/clientsCreate a client recordRef
GET/clients/{id}Retrieve a clientRef
POST/clients/{id}/partiesAdd a party to a clientRef
POST/pepsanctionchecksRun a PEP / sanctions screenRef
POST/idvsessionsStart an identity verification sessionRef
POST/addressverificationsRequest address verification (UK)Ref
POST/assessmentsCreate a risk assessmentRef
PUT/assessments/{id}/answersSubmit assessment answersRef
POST/assessments/{id}/completeMark assessment completeRef
GET/user/remainingcreditsCheck credit balanceRef
05

Working with Clients

A Client is the foundation - create it first. Identify whether the client is a company (isCorporate: true) or individual (isCorporate: false). Full model: POST /clients in Swagger.

HTTP - Create a Client
POST /clients
Authorization: Bearer {token}  // or X-Api-Key + X-Username

{
  "name": "Acme Consulting Ltd",
  "isCorporate": true,
  "jurisdiction": "IE",
  "companyNumber": "123456",
  "engagementType": "BusinessAdvisory",
  "dueDiligenceLevel": "Standard",
  "skipCompanyLookup": false
}
// Response - id: 2001 - keep this

Key Client Fields

FieldTypeNotes
isCorporatebooleantrue for companies, false for individuals
jurisdictionstringISO country code, e.g. IE, GB, US. See /referencedata/jurisdictions
companyNumberstringCompany registration number if isCorporate is true
engagementTypestringSee /referencedata/clientengagementtypes
dueDiligenceLevelstringSimplified, Standard, or Enhanced. See /referencedata/duediligencelevels
userRefstringYour own internal reference for this client (optional)
nextReviewDatedateWhen next periodic review is due (optional)
skipCompanyLookupbooleanIf true, AML HQ will not automatically retrieve data from the official company register (CRO, Companies House, etc.) and Client Parties such as Directors and PSCs will not be auto-added. Defaults to false.

skipCompanyLookup

When skipCompanyLookup is set to true, AML HQ will not automatically retrieve information from the official company register (CRO for Ireland, Companies House for the UK, or equivalent). This means:

  • The company's registered details will not be auto-populated on the Client record.
  • Client Parties such as Directors and PSCs (Persons with Significant Control) will not be automatically retrieved and added to the file.

Use skipCompanyLookup: false (the default) to let AML HQ pull official register data automatically on creation. Use true when you are supplying your own data, the company is not yet registered, or the jurisdiction is not supported for automatic lookup.

Note: If you skip the automatic lookup at creation time, you can add Client Parties manually - this is suitable for client files that are created pre-incorporation or for client types that are not on the register e.g. individuals, partnerships etc.

Duplicate Check

Check before creating: GET /clients/checkforduplicateclient

HTTP
GET /clients/checkforduplicateclient?name=Acme+Consulting&jurisdiction=IE
06

Client Parties

Client Parties are the individuals and entities associated with a Client - directors, UBOs, shareholders, authorised signatories. Compliance checks are attached at the party level. See Client controller in Swagger.

HTTP - Add a Party
POST /clients/{clientId}/parties

{
  "name": "Jane Smith",
  "clientPartyType": "BeneficialOwner",
  "email": "jane.smith@example.com",
  "dateofBirth": "1980-05-15",
  "nationality": "IE",
  "percentageHolding": "35%",
  "levelOfInterest": "DIRECT"
}
// Response - id: 4001

Valid clientPartyType values from GET /referencedata/clientpartytypes - includes Director, BeneficialOwner, Shareholder, AuthorisedSignatory, UltimateBeneficialOwner.

Linking Checks to Parties

MethodEndpointPurposeSwagger
POST/clients/parties/{id}/idvsessions/{idvId}Link an IDV session to a partyRef
POST/clients/parties/{id}/pepsanctionchecks/{pepId}Link a PEP / sanction checkRef
POST/clients/parties/{id}/addressverifications/{avId}Link an address verificationRef
Note: A party can only have one active check of each type at a time.
07

Compliance Checks

Three types of compliance check: PEP/Sanctions, IDV Sessions, and Address Verification. All follow the same pattern: create - await completion - review and update status.

7.1  PEP / Sanction Checks  Swagger ref

Screen a person or company against PEP lists, sanctions databases, adverse media, and other watchlists. Results are returned synchronously.

HTTP - Create a Check
POST /pepsanctionchecks

{
  "name": "Jane Smith",
  "isCompanyCheck": false,
  "yearOfBirth": 1980,
  "country": "IE",
  "includeOtherChecks": true
}

Key Result Fields

FieldTypeMeaning
isPepbooleanPEP match found
isSanctionedbooleanSanctions list match found
hasOtherFlagbooleanAdverse media or other flag triggered
highestMatchScoredecimalConfidence of best match (0-100)
statusstringpending - review - complete. See statuses
Note: A high match score does not automatically confirm a true match. A compliance user should review and update the status to complete.
7.2  IDV Sessions (Identity Verification)  Swagger ref

Flow: create session - share sessionUrl with the person - person completes online - you review and approve or reject.

HTTP - Create Session
POST /idvsessions

{
  "idvSessionType": "Standard",
  "name": "Jane Smith",
  "email": "jane.smith@example.com",
  "captureAddress": true,
  "sendEmailLink": true
}
// Response - sessionUrl: share this link with the person

Session Lifecycle

InProgressCompletedPassFailedCancelled
HTTP - Set Result
PUT /idvsessions/{id}
{ "status": "Completed", "result": "Pass",
   "resultComment": "Documents verified" }
7.3  Address Verification  Swagger ref

Currently available for UK addresses only. Verifies a person or company is associated with a given address.

HTTP
POST /addressverifications
{ "name": "Jane Smith",
   "address": "10 High Street, London, SW1A 1AA" }

Match types: GET /referencedata/addressverificationmatchtypes

08

Risk Assessments

Structured risk questionnaires based on templates. Produces a risk score and level (Low / Moderate / High) that can propagate to the Client. See Assessment controller in Swagger.

1
Discover templates
HTTP
GET /assessments/templates        // account templates
GET /assessments/templates/system  // system templates
2
Create an assessment
HTTP
POST /assessments
{ "templateId": 42, "clientId": 2001,
   "subject": "Acme Consulting Ltd",
   "propagateToClient": true }
// - assessmentId: 7001
3
Fetch questions and submit answers
HTTP
GET /assessments/{id}/questions
PUT /assessments/{id}/answers
{ "answers": [{ "questionId": 1, "answer": "Yes" }, ...] }
4
Complete the assessment
HTTP
POST /assessments/{id}/complete
// - riskScore: 24, riskLevel: "Low"
// Client updated if propagateToClient was true
External assessments: If importing from a third-party tool, create without a templateId and supply riskScore, riskLevel, and dueDiligenceLevel directly.
09

End-to-End Example

Onboarding Acme Consulting Ltd, screening its beneficial owner, and completing a risk assessment. Follow each step in sequence.

1
Authenticate
HTTP
// Option A - JWT
POST /user/authenticate
{ "username": "api.user@yourfirm.com", "password": "P@ssw0rd1" }
// - token: "eyJhbGci..."

// Option B - API Key (no auth call needed)
X-Api-Key: your-api-key
X-Username: api.user@yourfirm.com
2
Create the Client
HTTP
POST /clients
{ "name": "Acme Consulting Ltd", "isCorporate": true,
   "jurisdiction": "IE", "companyNumber": "654321",
   "engagementType": "BusinessAdvisory",
   "dueDiligenceLevel": "Standard" }
// - id: 2001
3
4
Add Beneficial Owner as Client Party
HTTP
POST /clients/2001/parties
{ "name": "Jane Smith", "clientPartyType": "BeneficialOwner",
   "email": "jane.smith@acme.ie", "dateofBirth": "1980-05-15",
   "percentageHolding": "35%", "levelOfInterest": "DIRECT" }
// - partyId: 4001
4a
PEP / Sanction Screen
HTTP
POST /pepsanctionchecks
{ "name": "Jane Smith", "isCompanyCheck": false,
   "yearOfBirth": 1980, "country": "IE" }
// - id: 5001, isPep: false, isSanctioned: false
POST /clients/parties/4001/pepsanctionchecks/5001
4b
Start IDV Session
HTTP
POST /idvsessions
{ "idvSessionType": "Standard", "name": "Jane Smith",
   "email": "jane.smith@acme.ie", "sendEmailLink": true }
// - idvId: 6001, sessionUrl shared with Jane - awaits completion
PUT  /idvsessions/6001  { "result": "Pass" }
POST /clients/parties/4001/idvsessions/6001
5
Create and Complete Risk Assessment
HTTP
POST /assessments
{ "templateId": 42, "clientId": 2001, "propagateToClient": true }
// - assessmentId: 7001
GET  /assessments/7001/questions
PUT  /assessments/7001/answers  { "answers": [...] }
POST /assessments/7001/complete
// - riskScore: 24, riskLevel: "Low" - client 2001 updated
Result: Client fully onboarded - registry data, verified UBO, clean PEP screen, completed IDV, and Low risk assessment. All accessible via GET /clients/2001.
10

Reference Data

Many fields use controlled vocabulary - string codes that must match an approved list. Fetch once at startup and cache; values change infrequently. Full controller: ReferenceData in Swagger.

HTTP - Single-call fetch
GET /referencedata  // all reference data in one payload
EndpointReturnsSwagger
/referencedata/clientpartytypesDirector, BeneficialOwner, ...Ref
/referencedata/duediligencelevelsSimplified, Standard, EnhancedRef
/referencedata/clientengagementtypesEngagement type valuesRef
/referencedata/idvsessiontypesStandard, AdvancedRef
/referencedata/assessmentrisklevelsLow, Moderate, HighRef
/referencedata/jurisdictionsSupported countries with ISO codesRef
/referencedata/countrycodesFull ISO country code listRef
11

Webhooks and Async Patterns

Data Requests and IDV Sessions are processed asynchronously. AML HQ can POST a notification to your system when processing completes.

Configuring a Webhook URL

Supply a webhookUrl at account level via PUT /account, or per-request. The per-request URL overrides the account default.

JSON - Webhook POST body
{
  "id": 9001,
  "eventDate": "2025-06-01T10:30:00Z",
  "eventType": "DataRequestCompleted",
  "dataRequestId": 300,
  "status": "Sent"
}
Delivery: Your endpoint must return HTTP 200 for the delivery to be marked successful. The system retries on non-200 responses. If webhooks are not suitable, use exponential-backoff polling instead.
12

Next Steps

Recommended Order

  1. Read this guide fully to understand the conceptual model.
  2. Call GET /referencedata to discover valid field values for your account.
  3. Run through the end-to-end example against the test environment at https://apitest.amlhq.com.
  4. Consult the Swagger documentation for full parameter details on any specific endpoint.
  5. If planning to use API Key authentication (available 7 June 2025), contact AML HQ now to request your key.

Swagger Reference

EnvironmentSwagger URL
Production - UKhttps://api.amlhq.co.uk/swagger
Production - IE / Otherhttps://api.amlhq.com/swagger
Testhttps://apitest.amlhq.com/swagger

Error Handling

StatusMeaning
200Success
400Validation error - body contains ResponseMessageModel with a message field
401Token expired or invalid (re-authenticate). API key or username incorrect.
404Resource does not exist in your account
JSON - Error response
{ "message": "Client not found or you do not have access." }

Getting an API Key

API Key authentication is available from 7 June 2025. Contact the AML HQ team to request a key for your account. See also Authentication in the Swagger docs.