circle-exclamation
This documentation is currently under development. Certain sections are not yet complete and will be added shortly.
search
HomeDocumentation

Privilege

hashtag
List privileges for the specified pass id.

get
/api/{tenantId}/passes/{passId}/privileges

Retrieves all privileges for a specific pass using its identifier. Convenience endpoint when the pass ID is already known.

hashtag
Authorization

Requires Pass.Read scope.

hashtag
Sorting

Privileges are returned in priority order (highest to lowest).

chevron-right
lockRequired scopes
This endpoint requires the following scopes:
Authorizations
OAuth2implicitRequired
Authorization URL:
Path parameters
passIdstringRequired

Pass id.

tenantIdstringRequired
Responses
chevron-right
200

Privileges returned

Represents a persisted privilege with a required unique identifier.

get
/api/{tenantId}/passes/{passId}/privileges

hashtag
Create a privilege for the specified pass id.

post
/api/{tenantId}/passes/{passId}/privileges

Creates a new privilege using the pass identifier directly. Use the PUT variants with a privilegeId in the route for idempotent upsert semantics. This is a convenience endpoint for scenarios where the pass ID is already known.

hashtag
Authorization

Requires Pass.Write scope.

hashtag
Behavior

Same as the identifiers-based variant but uses a path parameter instead of query identifiers.

chevron-right
lockRequired scopes
This endpoint requires the following scopes:
Authorizations
OAuth2implicitRequired
Authorization URL:
Path parameters
passIdstringRequired

Pass id.

tenantIdstringRequired
Body

Request model to create a new privilege.

Responses
chevron-right
200

Privilege queued

No content
post
/api/{tenantId}/passes/{passId}/privileges
No content

hashtag
Retrieve a privilege for a specific pass.

get
/api/{tenantId}/passes/{passId}/privileges/{privilegeId}

Fetches a single privilege belonging to a specific pass. Ensures both the pass and privilege exist and are correctly associated.

hashtag
Authorization

Requires Pass.Read scope.

hashtag
Validation

Returns 404 if either the pass or the privilege is missing, or if the privilege does not belong to the specified pass.

chevron-right
lockRequired scopes
This endpoint requires the following scopes:
Authorizations
OAuth2implicitRequired
Authorization URL:
Path parameters
passIdstringRequired

Pass identifier.

privilegeIdstringRequired

Privilege identifier.

tenantIdstringRequired
Responses
chevron-right
200

Privilege returned

Represents a persisted privilege with a required unique identifier.

get
/api/{tenantId}/passes/{passId}/privileges/{privilegeId}

hashtag
Upsert (idempotent) a privilege for the specified pass id.

put
/api/{tenantId}/passes/{passId}/privileges/{privilegeId}

Creates or updates a privilege with the specified privilegeId for the given pass. This endpoint is idempotent: repeated calls with the same payload produce the same result.

chevron-right
lockRequired scopes
This endpoint requires the following scopes:
Authorizations
OAuth2implicitRequired
Authorization URL:
Path parameters
passIdstringRequired

Pass id.

privilegeIdstringRequired

Unique identifier of the privilege to upsert.

tenantIdstringRequired
Body

Request model to patch an existing privilege.

Responses
chevron-right
200

Privilege upsert queued or applied

No content
put
/api/{tenantId}/passes/{passId}/privileges/{privilegeId}
No content

hashtag
Delete a privilege for a specific pass.

delete
/api/{tenantId}/passes/{passId}/privileges/{privilegeId}

Removes a privilege from a specific pass. Both the pass and privilege must exist.

hashtag
Authorization

Requires Pass.Write scope.

hashtag
Scope

This operation only affects the privilege with the specified pass.

chevron-right
lockRequired scopes
This endpoint requires the following scopes:
Authorizations
OAuth2implicitRequired
Authorization URL:
Path parameters
passIdstringRequired

Pass identifier.

privilegeIdstringRequired

Privilege identifier.

tenantIdstringRequired
Responses
delete
/api/{tenantId}/passes/{passId}/privileges/{privilegeId}
No content

hashtag
List privileges for the pass resolved from identifiers.

get
/api/{tenantId}/passes/privileges

Retrieves all privileges associated with a pass using query identifiers. Privileges are sorted by priority (highest first) and movements within each privilege are ordered by date (oldest first).

hashtag
Authorization

Requires Pass.Read scope.

hashtag
Use Cases

  • Display available offers and benefits to the pass holder

  • Check current loyalty balance or punch card progress

  • Verify privilege availability before redemption

chevron-right
lockRequired scopes
This endpoint requires the following scopes:
Authorizations
OAuth2implicitRequired
Authorization URL:
Path parameters
tenantIdstringRequired
Query parameters
Responses
chevron-right
200

Privileges returned

Represents a persisted privilege with a required unique identifier.

get
/api/{tenantId}/passes/privileges

hashtag
Create a privilege for the pass identified by the supplied identifiers.

post
/api/{tenantId}/passes/privileges

Creates a new privilege for the specified pass. Use the PUT variants with a privilegeId in the route for idempotent upsert semantics. Privileges represent benefits, offers, or entitlements tied to a pass.

hashtag
Authorization

Requires Pass.Write scope.

hashtag
Operation

When a privilege is applied, the system queues it for processing. Optional notification can be sent to the pass holder upon application.

hashtag
Use Cases

  • Adding loyalty points or rewards

  • Issuing promotional offers

  • Granting membership benefits

chevron-right
lockRequired scopes
This endpoint requires the following scopes:
Authorizations
OAuth2implicitRequired
Authorization URL:
Path parameters
tenantIdstringRequired
Query parameters
Body

Request model to create a new privilege.

Responses
chevron-right
200

Privilege queued

No content
post
/api/{tenantId}/passes/privileges
No content

hashtag
Retrieve a privilege by its id.

get
/api/{tenantId}/passes/privileges/{privilegeId}

Fetches detailed information about a specific privilege across all passes in the tenant. Returns complete privilege metadata including content, appearance, and current state.

hashtag
Authorization

Requires Pass.Read scope.

hashtag
Use Cases

  • View privilege details for display or validation

  • Check privilege expiration or availability status

  • Retrieve localized content for multiple languages

chevron-right
lockRequired scopes
This endpoint requires the following scopes:
Authorizations
OAuth2implicitRequired
Authorization URL:
Path parameters
privilegeIdstringRequired

Privilege identifier.

tenantIdstringRequired
Responses
chevron-right
200

Privilege returned

Represents a persisted privilege with a required unique identifier.

get
/api/{tenantId}/passes/privileges/{privilegeId}

hashtag
Upsert (idempotent) a privilege for the pass identified by the supplied identifiers.

put
/api/{tenantId}/passes/privileges/{privilegeId}

Creates or updates a privilege with the specified privilegeId for the resolved pass. This endpoint is idempotent: repeated calls with the same payload produce the same result.

chevron-right
lockRequired scopes
This endpoint requires the following scopes:
Authorizations
OAuth2implicitRequired
Authorization URL:
Path parameters
privilegeIdstringRequired

Unique identifier of the privilege to upsert.

tenantIdstringRequired
Query parameters
Body

Request model to patch an existing privilege.

Responses
chevron-right
200

Privilege upsert queued or applied

No content
put
/api/{tenantId}/passes/privileges/{privilegeId}
No content

hashtag
Delete a privilege by its id.

delete
/api/{tenantId}/passes/privileges/{privilegeId}

Removes a privilege from the system entirely. The privilege is deleted across all passes it may be associated with.

hashtag
Authorization

Requires Pass.Write scope.

hashtag
Irreversibility

This operation is permanent. The privilege cannot be recovered after deletion.

chevron-right
lockRequired scopes
This endpoint requires the following scopes:
Authorizations
OAuth2implicitRequired
Authorization URL:
Path parameters
privilegeIdstringRequired

Privilege identifier.

tenantIdstringRequired
Responses
delete
/api/{tenantId}/passes/privileges/{privilegeId}
No content

hashtag
Apply a movement (transaction) to a privilege's value and return the created movement identifier.

post
/api/{tenantId}/passes/privileges/{privilegeId}/movements

Records a change to a privilege's value (redemption, adjustment, issuance). Movements are tracked in the privilege's history for audit purposes and form the basis for computing current value.

hashtag
Authorization

Requires Pass.Write scope.

hashtag
Concurrency Control

The OldValue parameter enables optimistic locking with server-side validation. The handler compares the expected value (OldValue) to the current sum with epsilon tolerance (±0.0001). This prevents race conditions when multiple clients attempt simultaneous updates. If values differ beyond tolerance, returns 409 Conflict; if privilege is missing, returns 404 Not Found.

hashtag
Use Cases

  • Redeeming points or stamps (negative movement)

  • Issuing or adjusting loyalty balance (positive movement)

  • Applying promotional adjustments

chevron-right
lockRequired scopes
This endpoint requires the following scopes:
Authorizations
OAuth2implicitRequired
Authorization URL:
Path parameters
privilegeIdstringRequired

Privilege identifier.

tenantIdstringRequired
Body

Request model to apply a movement (transaction) to a privilege's value.

oldValuenumber · doubleRequired

The expected sum of all movement values before this update. Used for optimistic concurrency control with server-side validation in the handler. If the current value differs, the request is rejected (409 Conflict).

movementValuenumber · doubleRequired

The movement value to apply. Cannot be zero. Positive for issuance/award, negative for redemption/usage. Fractional values are supported for progress-based privileges (e.g., 0.5 for half a stamp).

remarksstring · min: 1 · max: 500 · nullableOptional

Optional remarks or debug information about this movement.

Responses
chevron-right
200

Movement applied successfully

Response payload after a movement is created.

movementIdstring · nullableOptional
post
/api/{tenantId}/passes/privileges/{privilegeId}/movements

Last updated