Requests & consent
A request represents one customer sharing their bank data to produce one report. It moves through a short lifecycle from creation, to consent, to a finished report.
Create a request
/v1/requestscurl -X POST https://api.statementiq.com.au/v1/requests \
-H "X-API-Key: siq_test_your_key" \
-H "Content-Type: application/json" \
-d '{
"client_name": "Jordan Wilson",
"report_type": "expense_summary",
"client_ref": "MATTER-1024",
"email": "jordan@example.com",
"phone": "+61400000000"
}'Fields:
client_name(required) — the customer’s name, shown on the report.report_type(required) —expense_summaryoraffordability. See Reports & formats.client_ref— your own reference, echoed back to you.email,phone— optional; pre-fill the invite fields and (in production) let us deliver the consent link.redirect_uri,cancel_uri— optional URLs to return the customer to after they finish or cancel.
Response:
{
"id": "req_1a2b3c…",
"status": "pending_consent",
"report_type": "expense_summary",
"consent_url": "https://statementiq.com.au/connect/req_1a2b3c…"
}Share the consent link
Hand consent_urlto your customer. It opens a page that explains what’s happening, then hands off to the accredited CDR consent flow — the customer picks their bank and authorises sharing with a one-time code. No login is required for them, and no banking password is ever shared with us.
Sending it by email or SMS
/v1/requests/{id}/invitecurl -X POST https://api.statementiq.com.au/v1/requests/req_1a2b3c/invite \
-H "X-API-Key: siq_live_your_key" \
-H "Content-Type: application/json" \
-d '{ "channel": "email", "to": "jordan@example.com" }'403 — you can copy the consent link and share it yourself, but StatementIQ will not dispatch a real email or SMS. Delivery goes to real people and carries a per-message cost, so it is enabled only for companies approved for production. In production, channel is email or sms.Request status
/v1/requests/{id}Poll a request to follow its progress. status is one of:
pending_consent— waiting for the customer to connect their bank.pending_data— consent given; the bank data is still coming through. Poll again shortly.ready— the report is prepared and can be fetched.withdrawn— consent was withdrawn; derived data has been deleted.purged— past the retention window; the report has been deleted, the audit record kept.
List all your requests with GET /v1/requests (scoped to the environment of the key you use). Prefer webhooks over polling for production.
Withdrawal & deletion
/v1/requests/{id}A customer can withdraw at any time from their own consent page, and you can withdraw on their behalf. Withdrawal deletes the derived report and removes the upstream CDR consent. Derived reports are also deleted automatically after the retention window (90 days by default). A minimal audit record — that a request existed and what happened to it — is kept for compliance and contains no banking data.