Skip to main content
Waycore is built around a small set of structural primitives.
If you understand these, you understand the system.

Delegated User

A delegated user is a bank-native login created by your customer inside their commercial bank. This is functionally identical to hiring an outsourced treasury clerk. Waycore operates strictly within the permissions granted by the account owner.
The nomenclature can vary across banks, but you will normally see this feature appears as user, sub-user, authorized user, portal user, operator, delegate.
It is not:
  • A shared credential
  • A consumer OAuth token
It is a real user identity inside the bank’s permission model. Permissions are explicitly scoped:
  • Read-only access
  • Transfer initiation (optional)
  • Approval authority (optional)
Waycore operates exclusively through this delegated identity. Implication:
The bank controls the permission surface. Waycore does not (and cannot) bypass it.

Entity

An entity is the business that owns data and connections in the public API. It gives you a stable ownership boundary for:
  • Connections
  • Accounts
  • Transactions
  • Your own internal customer or fund mappings
In practice, entities let you model customer businesses, subsidiaries, SPVs, or your own operating company in a way that stays consistent across institutions.

Institution

An institution is a supported bank or fintech record in Waycore’s public catalog. An institution object represents:
  • The bank, banking platform, or fintech
  • A stable institutionId
  • A searchable discovery record you can use before onboarding
It does not represent a live connection by itself. Unsupported institutions can still be onboarded through a raw portalUrl on the connection create call.

Connection

A connection is the live, entity-owned integration with a supported institution or bank portal. Connections are created in stages:
  • kind="setup" while delegated-user onboarding is still in progress
  • kind="ready" once the connection is activated and able to sync
The public API integrates first around this connection lifecycle, then around the accounts and transactions discovered through it.

Connection Lifecycle

Public connection states include:
  • draft: The connection is created, but onboarding inputs are still incomplete.
  • pendingActivation: Bank-side setup is complete and Waycore is validating and activating the connection.
  • active: Syncing normally.
  • reauthRequired: Bank authentication requires re-authentication before sync can continue.
  • errored: A recoverable issue is preventing sync. Waycore will address and retry automatically.
  • paused: Syncing has been intentionally temporarily suspended. This is typically used for maintenance.
  • revoked: Access has been removed. No further syncs will occur.
These states make delegated-user onboarding and ongoing bank health explicit, rather than hiding them behind a single “connected” flag.

Transfer

A transfer is a payment object in the broader Waycore platform. The public Transfer API is not yet released. Once it is available, it will expose the platform’s transfer model for supported rails such as internal transfers, ACH, wire, SWIFT, FedNow, RTP, and more, subject to institution capabilities.
Note: Waycore can initiate but not approve external transfers. External transfers have to be approved at the bank’s portal, not Waycore.

Webhook Event

A webhook event is an operational signal emitted by the public API when subscribed events occur. Current public producers include:
  • Connection status changes
  • Transaction sync availability
  • Explicit test deliveries
Additional event types are reserved for future public producers. Use webhooks to trigger follow-up work and monitor connection health. For transaction reconciliation, use transactions.sync_available as a prompt to call GET /v1/transactions/sync.

Audit Trail

Every action is written to an immutable audit log. The audit trail includes:
  • Timestamp
  • Institution
  • Delegated user identity
  • Action performed
  • Result
  • Metadata
This enables:
  • Compliance reporting
  • Operational debugging
  • Post-facto review

Human-in-the-Loop (HITL)

When automation cannot proceed (e.g., hardware MFA, unexpected bank UI), the execution enters a controlled human intervention path. HITL actions:
  • Are permission-bound
  • Are logged
  • Emit state updates
  • Do not bypass policy

Design Philosophy

Waycore is opinionated:
  • Bank permissions are the root authority.
  • Every action is observable.
  • State is explicit.
  • Failure modes are surfaced, not hidden.
  • Human-in-the-loop as a fallback for banks that require it.