Waycore is built around a small set of structural primitives.
If you understand these, you understand the system.

Delegated User

A delegated user is a bank-native login created by your customer inside their commercial bank. It is not:
  • A shared credential
  • A scraped session
  • A consumer OAuth token
It is a real user identity inside the bank’s permission model. Permissions are explicitly scoped:
  • Read-only access
  • Transfer initiation
  • Approval authority
Waycore operates exclusively through this delegated identity.
Implication: The bank controls the permission surface. Waycore does not bypass it.

Institution

An institution is a supported commercial bank connection. An institution object represents:
  • The bank (e.g., Chase, Wells Fargo, regional banks)
  • A verified delegated user
  • A live connection status
  • Capability flags (read, transfer, approvals)
Institution states include:
  • ACTIVE
  • DEGRADED
  • REAUTH_REQUIRED
  • UNSUPPORTED

Policy

A policy defines constraints that must be satisfied before execution. Examples:
  • Transfer amount limits
  • Time-of-day restrictions
  • Dual-approval requirements
  • Beneficiary allowlists
Policies are evaluated before any action is attempted at the bank. If a policy fails, execution does not begin.

Execution

An execution is an attempted money movement action. It has:
  • A unique execution ID
  • A defined state lifecycle
  • Associated policy evaluations
  • An audit record
Executions are deterministic at the API layer, but subject to bank behavior.

State Machine

Every execution moves through explicit states:
  • CREATED
  • POLICY_VALIDATED
  • QUEUED
  • EXECUTING
  • MFA_REQUIRED
  • COMPLETED
  • FAILED
State transitions are atomic and observable.
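
The Policy and State Machine sections above, combined in an added example (not Waycore's code or API): a pre-execution gate that checks the four example constraints and only then advances CREATED to POLICY_VALIDATED. The `Transfer` and `Policy` shapes, the violation names, the mapping of a policy failure to FAILED, and the fail-closed handling of evaluation errors are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from decimal import Decimal

@dataclass(frozen=True)
class Transfer:                      # hypothetical request shape
    amount: Decimal
    beneficiary: str
    requested_at: datetime
    approvers: frozenset = frozenset()

@dataclass(frozen=True)
class Policy:                        # hypothetical policy shape
    max_amount: Decimal
    window: tuple                    # (start, end) times of day, inclusive
    min_approvers: int
    allowlist: frozenset

def evaluate(policy, t):
    """Return every violated constraint; an empty list means the policy passed."""
    violations = []
    if t.amount <= 0 or t.amount > policy.max_amount:
        violations.append("amount_limit")
    start, end = policy.window
    if not (start <= t.requested_at.time() <= end):
        violations.append("time_of_day")
    if len(t.approvers) < policy.min_approvers:
        violations.append("dual_approval")
    if t.beneficiary not in policy.allowlist:
        violations.append("beneficiary_allowlist")
    return violations

def gate(policy, t):
    """Advance CREATED -> POLICY_VALIDATED only when nothing is violated.
    Assumption: a policy failure ends in FAILED; evaluation errors fail closed."""
    try:
        violations = evaluate(policy, t)
    except Exception:
        return "FAILED", ["evaluation_error"]
    return ("POLICY_VALIDATED", []) if not violations else ("FAILED", violations)

# Constructed sample data
POLICY = Policy(Decimal("10000"), (time(9, 0), time(17, 0)), 2,
                frozenset({"acme-supplies"}))
OK = Transfer(Decimal("2500"), "acme-supplies", datetime(2024, 3, 4, 10, 30),
              frozenset({"alice", "bob"}))
BAD = Transfer(Decimal("25000"), "unknown-payee", datetime(2024, 3, 4, 22, 15),
               frozenset({"alice"}))
```

Collecting every violation instead of stopping at the first gives the audit record and any policy-violation event the full reason an execution never began.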

Webhook Event

A webhook event is emitted on every meaningful state change. Events include:
  • Execution updates
  • Connection degradation
  • MFA requirements
  • Policy violations
Your platform should treat webhooks as the source of truth for reconciliation.

Audit Trail

Every action is written to an immutable audit log. The audit trail includes:
  • Timestamp
  • Institution
  • Delegated user identity
  • Action performed
  • Result
  • Metadata
This enables:
  • Compliance reporting
  • Operational debugging
  • Post-facto review

Human-in-the-Loop (HITL)

When automation cannot proceed (e.g., hardware MFA, unexpected bank UI), the execution enters a controlled human intervention path. HITL actions:
  • Are permission-bound
  • Are logged
  • Emit state updates
  • Do not bypass policy

Design Philosophy

Waycore is opinionated:
  • Bank permissions are the root authority.
  • Policy precedes execution.
  • Every action is observable.
  • State is explicit.
  • Failure modes are surfaced, not hidden.