Delete Data API

Overview

This API deletes the user's data stored on HV's end. This is a sensitive API and should be used with caution.

Purpose & use case

Who is this for?

  • SA/IE teams
  • Support teams

When should this be used?

When a client wants to delete the user's data saved in HV storage.

Step-by-step guide

Prerequisites: IP whitelisting

Since this is a sensitive API, an IP corresponding to an App ID must be whitelisted before clients can call this API. Clients should reach out to their HV SPOC to arrange whitelisting.

Note: Currently, we do not have APIs to whitelist IPs; it has to be done manually by someone from the engineering team.

cURL

curl --location --request DELETE 'https://review-api.idv.hyperverge.co/api/v2/transaction/id' \
--header 'appid: <APP_ID>' \
--header 'appkey: <APP_KEY>' \
--header 'Content-Type: application/json' \
--data '{
"transactionId": "String"
}'

Sample responses

Invalid / missing credentials — 401

{
  "status": "failure",
  "statusCode": "401",
  "error": "Missing/Invalid credentials"
}

IP not whitelisted — 403

{
  "status": "forbidden",
  "statusCode": "403",
  "message": "No whitelisted IPs match found"
}

Success — 200

{
  "status": "success",
  "statusCode": "200",
  "message": "Data successfully deleted for 55a3a6's transaction: 3993a58a23",
  "deletedAudits": [
    "1716217841193-47567a37-e782-4101-8f1d-9ba5ec720ee5"
  ]
}

Transaction ID not present in request body — 422

{
  "status": "failure",
  "statusCode": "422",
  "error": "\"transactionId\" is required"
}

Invalid key passed in request body — 422

{
  "status": "failure",
  "statusCode": "422",
  "error": "\"someKey\" is not allowed"
}

How this works (internal reference)

When this API is called, it deletes all request data present in the audits table and all data in the transactions table of the Audit Portal DB, then publishes an event to the platform events SNS topic. The published message contains:

{
  "eventType": "delete_data",
  "data": {
    "appId": "String",
    "transactionIdRaw": "String",
    "transactionIdHash": "String",
    "requestIds": ["String"],
    "s3Keys": ["String"],
    "finishTransactionS3Key": "String"
  },
  "signature": "HMAC Signature string"
}

This message is received by a platform delete SQS queue subscribed to the SNS topic, with a filter set to receive only this event type. Other services (e.g., VKYC) can also subscribe to the same SNS topic with the same filter to start consuming these messages.

The consumer then:

  1. Verifies the signature — if it does not match, throws an error.
  2. If signatures match, validates all S3 keys (checks that the App ID in the message matches the ones in S3 keys and the finish-transaction S3 key).
  3. Filters out keys for which the App ID does not match; the rest are processed.
  4. Fetches all versions of each object in all S3 keys and issues a delete-batch command (batch size 1000) to delete these files.
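
The consumer steps above, sketched as an added example (not HV's own code). It assumes HMAC-SHA256 over sorted-key compact JSON of `data`, an S3 key layout of `<appId>/...`, and a shared secret; none of these are specified on this page. It stops at the batched key list, leaving out the S3 version listing and delete call so that it runs offline.

```python
import hashlib
import hmac
import json

BATCH_SIZE = 1000  # delete-batch size stated in step 4


def sign(data: dict, secret: bytes) -> str:
    """Assumed scheme: HMAC-SHA256 over sorted-key compact JSON of `data`."""
    canonical = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


def key_app_id(s3_key: str) -> str:
    """Assumed key layout: '<appId>/...' (app ID is the first path segment)."""
    return s3_key.split("/", 1)[0]


def plan_deletes(message: dict, secret: bytes) -> list:
    """Steps 1-4: verify, validate, filter, then batch the keys to delete."""
    if message.get("eventType") != "delete_data":
        raise ValueError("unexpected eventType")
    data = message["data"]
    # Step 1: constant-time comparison; reject before touching any key.
    expected = sign(data, secret).encode()
    if not hmac.compare_digest(expected, str(message.get("signature", "")).encode()):
        raise PermissionError("signature mismatch")
    # Steps 2-3: keep only keys whose app ID matches the message's appId.
    # The finish-transaction key is checked the same way (an interpretation).
    candidates = list(data["s3Keys"]) + [data["finishTransactionS3Key"]]
    keys = [k for k in candidates if key_app_id(k) == data["appId"]]
    # Step 4: chunk into batches of at most BATCH_SIZE for the delete call.
    return [keys[i:i + BATCH_SIZE] for i in range(0, len(keys), BATCH_SIZE)]


# Constructed sample message (all values are made up for this example).
SECRET = b"example-shared-secret"
DATA = {
    "appId": "app123",
    "transactionIdRaw": "txn-1",
    "transactionIdHash": "hash-1",
    "requestIds": ["req-1"],
    "s3Keys": ["app123/txn-1/a.jpg", "other999/txn-1/b.jpg"],
    "finishTransactionS3Key": "app123/txn-1/finish.json",
}
MESSAGE = {"eventType": "delete_data", "data": DATA, "signature": sign(DATA, SECRET)}

if __name__ == "__main__":
    print(plan_deletes(MESSAGE, SECRET))
```

Verifying the signature before any key handling means a message with an altered `appId` is rejected outright rather than steering the App ID filter toward another tenant's objects.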