DocsNfpOnboarding Guide

Changelog

Document Version	Date	Description
v 1.0	20 Oct 2025	Initial release
v 1.1	13 Nov 2025	Updated the formatting
v 1.2	14 Nov 2025	Improved document formatting and structure for clarity. Added official versioning to the nationality codes list. Updated all support contact references to use nfp-support@paynet.my. Enhanced API request/response examples with explicit JSON formatting. Clarified required user roles (now specifying "Team Manager"). Expanded troubleshooting section with detailed error codes and solutions. Added and addressed inline comments for collaborative feedback and documentation tracking. Corrected grammar and improved English throughout the document.
v 1.3	14 Nov 2025	- Improved document formatting and structure for clarity. - Added official versioning to the nationality codes list. - Updated all support contact references to use nfp-support@paynet.my. - Enhanced API request/response examples with explicit JSON formatting. - Clarified required user roles (now specifying "Team Manager"). - Expanded troubleshooting section with detailed error codes and solutions. - Added and addressed inline comments for collaborative feedback and documentation tracking. - Corrected grammar and improved English throughout the document.
v 1.4	27 Nov 2025	Updated API Base URL from openapigw.nfp.uat.inet.paynet.my to openapi.nfp.uat.inet.paynet.my

Introduction

This document provides a comprehensive guide for onboarding to the Open API platform. It details the process for generating API credentials, authenticating with the platform, and validating access through test endpoints. The guide is intended for technical teams responsible for integrating with the NFP Open API and assumes a basic familiarity with RESTful APIs and authentication mechanisms. The Sequence Diagram below is illustrating the service journey from request submission to getting response.

‌

Prerequisites

Before proceeding, ensure the following prerequisites are met:

• You have access to the NFP Portal (UAT).
• Your user account is assigned the Team Manager permission.
• You have a secure method for storing sensitive credentials.

Onboarding Workflow

Step 1: User Login

1. Navigate to the NFP Portal (UAT).
2. Log in using your assigned credentials.
3. Confirm that your account is assigned with the Team Manager permission.

If not, contact the system administrator to request the appropriate access level.

---

Step 2: Generate API Credentials

Important
API credentials are sensitive and will be displayed only once.
Please copy and store them immediately in a secure password manager or any other secure storage solution.

1. After logging in, click your profile icon and navigate to the Settings section

2. Select the Client Credentials tab.

3. Click Generate button to create a new set of API credentials.

4. The system will display the following credentials one time only:

   • APIKEYID
   • APIKEYSECRET
   • CLIENTID
   • CLIENTSECRET

Make sure to store all values securely before leaving the page.

---

Step 3: Authentication

Before calling any Open API endpoint, you must first obtain an Access Token using your API credentials. This token authorises your requests and must be included with every API call.

Obtain Access Token

Use your CLIENTID and CLIENTSECRET to request a new access token.

Endpoint

POST https://openapi.nfp.uat.inet.paynet.my/oauth2/token

Headers

x-api-key: <APIKEYSECRET>

Request Body

{
  "username": "<CLIENTID>",
  "password": "<CLIENTSECRET>"
}

Sample Response

{
  "AuthenticationResult": {
    "AccessToken": "eyJraWQiOiJmRzZ6Z25YOGcz...m8Jd6Jg",
    "ExpiresIn": 3600,
    "IdToken": "eyJraWQiOiJ2b2NYUThOcFdqWDJXVDMzdE...AiHBlre2yZzQ",
    "RefreshToken": "eyJjdHkiOiJKV1QiLCJlbmMiOiJBM...ma_RvA",
    "TokenType": "Bearer"
  },
  "ChallengeParameters": {}
}

Refresh Token

When your access token expires, you can request a new one using the Refresh Token provided in the initial response.

Endpoint

POST https://openapi.nfp.uat.inet.paynet.my/oauth2/token/refresh

Headers

x-api-key: <APIKEYSECRET>

Request Body

{
  "refreshToken": "<RefreshToken>"
}

Sample Response

{
  "AuthenticationResult": {
    "AccessToken": "eyJraWQiOiI4RHZLU2JLSHdlQXh...u5O7zNw",
    "ExpiresIn": 3600,
    "IdToken": "yJraWQiOiJEbzJPM1ZnREpYdTUrQ3...SfnkQNT1ukLEg",
    "TokenType": "Bearer"
  },
  "ChallengeParameters": {}
}

---

Step 4: API Validation

After obtaining your access token, validate your connectivity and credentials by calling the testing and functional endpoints.

Ping Endpoint (Connectivity Check)

Verify your credentials and token by calling the Ping endpoint.

Use the Ping endpoint to confirm that your authentication token is valid and that you can successfully connect to the Open API.

Endpoint

GET https://openapi.nfp.uat.inet.paynet.my/nfp-api/v2/server/ping

Headers

authorization: Bearer <AccessToken>

Sample Response:

{
  "message": "pong"
}

Mule Check Endpoint

Use this endpoint to validate an individual's identification information.

Endpoint

GET https://openapi.nfp.uat.inet.paynet.my/nfp-api/v2/server/mule-check

Headers

authorization: Bearer <AccessToken>

Request Body Parameters

Key	Required	Description
idSignature (string)	Mandatory	SHA256 signature of idNo and idType
idType (string)	Mandatory	mykad - Malaysian Identity Card. passport - Passport. bric - BRIC. police_id - Police ID. army_id - Army ID.
idNo (string)	Mandatory	The id number of the person
nationality (string)	Conditional	ONLY required for passport and bric. Use the two-letter ISO 3166-1 alpha-2 nationality code (e.g., MY for Malaysian, SG for Singaporean).
purpose (string)	Mandatory	01 - Account Opening 02 - CDD 03 - Database Update

For example,

ID Type	Sample Request
Passport	{ "idSignature": "e5345875986f1160c9bde7c7ec2de0a0c37319d3edeefb8290a68878f817e2b0", "idType": "passport", "idNo": "K1234567", "nationality": "KR", "purpose": "01" }
MyKad	{ "idSignature": "e5345875986f1160c9bde7c7ec2de0a0c37319d3edeefb8290a68878f817e2b0", "idType": "mykad", "idNo": "700131011234", "purpose": "01" }

Sample Responses

Response Code	Sample Response
200 Success	For `passport` and `bric` ID types, the `nationality` field is required. In the response, the `nationality` returned corresponds to the value used in the search query to validate the individual. It does not represent all nationalities associated with the person. { "httpStatusCode": "OK", "status": 200, "message": "success", "muleCheck": { "idSignature": "...", "idType": "passport", "idNo": "A1234567", "nationality": "MY", "muleTier": "2", "muleTierDescription": "Suspected" } } For other ID types that do not support nationality-based searches (e.g., `mykad`, `police_id`, `army_id`), the response will **NOT** include a `nationality` field. { "httpStatusCode": "OK", "status": 200, "message": "success", "muleCheck": { "idSignature": "...", "idType": "mykad", "idNo": "700131011234", "muleTier": "3", "muleTierDescription": "Watchlist" } }
403 Forbidden	{ "status": 403, "httpStatusCode": "FORBIDDEN", "message": "The authenticated user does not have the required permissions to perform this operation. Please contact the administrator to access this resource." }
404 Not Found	{ "httpStatusCode": "NOT_FOUND", "status": 404, "message": "Record not found", "muleCheck": null }
400 Bad Request	{ "httpStatusCode": "BAD_REQUEST", "status": 400, "message": "Invalid ID signature", "muleCheck": null }
400 Bad Request	{ "httpStatusCode": "BAD_REQUEST", "status": 400, "message": "Missing nationality code", "muleCheck": null }
400 Bad Request	{ "httpStatusCode": "BAD_REQUEST", "status": 400, "message": "Unsupported nationality code", "muleCheck": null }

---

Appendix

Mule Tier

Tier	Description
1	Confirmed
2	Suspected
3	Watchlist
4	Reference

Nationality Codes

Note: The nationality field is mandatory for passport and bric ID types. Use the two-letter ISO 3166-1 alpha-2 country code.

Below is the list of supported nationality codes (Version: 1.0):

Nationality	Code
Afghan	AF
Albanian	AL
Algerian	DZ
American	US
Andorran	AD
Angolan	AO
Antiguans or Barbudans	AG
Argentinean	AR
Armenian	AM
Australian	AU
Austrian	AT
Azerbaijani	AZ
Bahamian	BS
Bahraini	BH
Bangladeshi	BD
Barbadian	BB
Belarusian	BY
Belgian	BE
Belizean	BZ
Beninese	BJ
Bhutanese	BT
Bolivian	BO
Bosnian or Herzegovinian	BA
Brazilian	BR
British	GB
Bruneian	BN
Bulgarian	BG
Burkinabe	BF
Burmese	MM
Burundian	BI
Cambodian	KH
Cameroonian	CM
Canadian	CA
Cape Verdean	CV
Central African	CF
Chadian	TD
Chilean	CL
Chinese	CN
Colombian	CO
Comoran	KM
Congolese	CG
Costa Rican	CR
Croatian	HR
Cuban	CU
Cypriot	CY
Czech	CZ
Danish	DK
Djibouti	DJ
Dominican	DO
Dutch	NL
East Timorese	TL
Ecuadorean	EC
Egyptian	EG
Emirian	AE
Equatorial Guinean	GQ
Eritrean	ER
Estonian	EE
Ethiopian	ET
Fijian	FJ
Filipino	PH
Finnish	FI
French	FR
Gabonese	GA
Gambian	GM
Georgian	GE
German	DE
Ghanaian	GH
Greek	GR
Grenadian	GD
Guatemalan	GT
Guinea-Bissauan	GW
Guinean	GN
Guyanese	GY
Haitian	HT
Honduran	HN
Hungarian	HU
I-Kiribati	KI
Icelander	IS
Indian	IN
Indonesian	ID
Iranian	IR
Iraqi	IQ
Irish	IE
Israeli	IL
Italian	IT
Ivorian	CI
Jamaican	JM
Japanese	JP
Jordanian	JO
Kazakhstani	KZ
Kenyan	KE
Kittian and Nevisian	KN
Kuwaiti	KW
Kyrgyz	KG
Laotian	LA
Latvian	LV
Lebanese	LB
Liberian	LR
Libyan	LY
Liechtensteiner	LI
Lithuanian	LT
Luxembourger	LU
Macedonian	MK
Malagasy	MG
Malawian	MW
Malaysian	MY
Maldivan	MV
Malian	ML
Maltese	MT
Marshallese	MH
Mauritanian	MR
Mauritian	MU
Mexican	MX
Micronesian	FM
Moldovan	MD
Monacan	MC
Mongolian	MN
Moroccan	MA
Mosotho (Losotho)	LS
Motswana (Batswana)	BW
Mozambican	MZ
Namibian	NA
Nauruan	NR
Nepalese	NP
New Zealander	NZ
Nicaraguan	NI
Nigerian	NG
Nigerien	NE
North Korean	KP
Norwegian	NO
Omani	OM
Pakistani	PK
Palauan	PW
Panamanian	PA
Papua New Guinean	PG
Paraguayan	PY
Peruvian	PE
Polish	PL
Portuguese	PT
Qatari	QA
Romanian	RO
Russian	RU
Rwandan	RW
Saint Lucian	LC
Salvadoran	SV
Samoan	WS
San Marinese	SM
Sao Tomean	ST
Saudi	SA
Senegalese	SN
Serbian	RS
Seychellois	SC
Sierra Leonean	SL
Singaporean	SG
Slovakian	SK
Slovenian	SI
Solomon Islander	SB
Somali	SO
South African	ZA
South Korean	KR
Spanish	ES
Sri Lankan	LK
Sudanese	SD
Surinamer	SR
Swazi	SZ
Swedish	SE
Swiss	CH
Syrian	SY
Taiwanese	TW
Tajik	TJ
Tanzanian	TZ
Thai	TH
Togolese	TG
Tongan	TO
Trinidadian or Tobagonian	TT
Tunisian	TN
Turkmen	TM
Turkish	TR
Tuvaluan	TV
Ugandan	UG
Ukrainian	UA
Uruguayan	UY
Uzbekistani	UZ
Venezuelan	VE
Vietnamese	VN
Yemenite	YE
Zambian	ZM
Zimbabwean	ZW

---

Troubleshooting

Error Code	Recommended Action
403 Forbidden	Your account may not have the necessary permissions to access the API. Verify your access level, and contact the system administrator if the issue persists.
400 Bad Request	One or more required fields may be missing or incorrectly formatted. Check that all parameters are included and follow the expected data types and formats.
Token Issues	If you receive authentication-related errors: -Ensure your access token has not expired. -Confirm that you are using the correct CLIENTID, CLIENTSECRET, and API key. -Refresh the token if needed.
Credential Loss	API credentials cannot be recovered once generated. If they are lost or not recorded, generate a new set from the Client Credentials section in the National Fraud Portal.

info

For further assistance, please contact the system administrator or the NFP Support Team at nfp-support@paynet.my.