Utilising the sandbox environment for API development requires the First AML team to configure a number of details.  When you are ready to begin testing your integration, reach out to First AML support with the following details:

  • Emails of users to be provisioned as users within the sandbox environment and roles for those users (these will be used for manual testing).
  • Webhook destination URLs and Event Types.
  • API clients you need provisioned, and what scopes are required for each client.


Steps to Go-live

Once you have completed the development of your integration and tested it against the sandbox environment, you can deploy it to the production environment.

To do this the First AML support team will need the following information for your production environment:

  • Production Webhook destination URLs and Event Types.
  • API clients you need provisioned, and what scopes are required for each client.

API client details for production environments will be shared via a secure method, and the API client secret must be stored securely.

Prior to go-live your API integration in Sandbox will undergo review by the First AML Team.

Sandbox Review

Prior to issuing production credentials First AML will review the behaviour of your integration against the Public API to ensure it is behaving in line with expectations - we specifically will be looking to ensure:

  • The integration is respecting throttling limits, and applying concepts like exponential back-off before re-attempting requests.
  • Caching access tokens appropriately and not continuing to request new access tokens when the last one has yet to expire.
  • Is not attempting to access resources it's not authorised to do so (based on scopes selected).
  • Is not over-selecting data for your specific use case.

We may also ask questions to ensure the Client Key and Secret is being adequately protected e.g.

  • API Credentials are not stored in plain-text configuration files.
  • API Credentials are not checked into source code.
  • API Credentials are stored encrypted at rest.
  • Access tokens are stored encrypted at rest (unless cached in-memory only).
  • API credentials and access token are only stored and utilised server-side and are not exposed to any client-side technology which would allow an end-user of the integration to gain the access token for the purposes of making their own requests.

The data held within First AML is incredibly sensitive and we take the security of our customers and end users data very seriously, so we apologise in advance for any inconvenience this review process may cause, but we do it to ensure we can fiercely guard this sensitive data.

Sandbox Testing Process

  • Cases within the First AML platform pass through a number of statuses as the case progresses towards completion as shown in the diagram below:

  • When a case is submitted it moves into the in-progress state and is handed over to the AML team to work on the case. This includes building out entity details and their relationships, verifying individuals, attaching documents etc.

  • Once the work on the case is completed, the First AML team will update the status of the case to be “ready for review”, at which point the customer can review and update the case’s status to “complete”.

  • When coordinating sandbox testing, you may request the assistance of the First AML support team to progress an AML case to the “ready to review” status, or to reproduce a particular test scenario. The First AML team is happy to assist integrators in reproducing various scenarios to support the thorough testing of your integration, prior to it being deployed into the production environment. Please contact your primary First AML support contact for more details.