Yardstik API (1.0)

Download OpenAPI specification:Download

Introduction

Yardstik is a modern platform offering a mix of screening, fraud, and compliance products designed to help you vet candidates ASAP. Our REST API utilizes predictable, resource-oriented URLs which are authenticated via a single API key and leverage JSON in all responses.

For more about Yardstik, visit yardstik.com. If you're ready to start your integration, reach out to support@yardstik.com to speak with our Enterprise Solutions team.

Get Your Accounts

Our Enterprise Solutions team will work with you to create your accounts (one on our staging environment and one on production). For platforms, we'll also guide you through your subaccount setup. In order to credential your accounts, we'll need a few key pieces of information from you:

Legal Business Information
The full legal name of your business and EIN as they appear on your government registration documents

Account Owner Contact Info
The first/last name and email address for the person who'll be managing your Yardstik account

Permissible Purpose
As a consumer reporting agency in the United States, Yardstik is regulated by federal, state, and local levels of government, primarily by the Fair Credit Reporting Act (FCRA). When requesting a consumer report on an individual, the FCRA requires that we collect from you a "permissible purpose", which is just a fancy way of saying: you need to have a specific, legally-protected reason for ordering consumer reports.

Here are some examples

  • Employment: Includes the hiring, retention, reassignment, and/or promotion of employees (can apply to volunteers and interns as well)
  • Written Instructions of the Consumer: For contracting engagements or access to your platform

Desired Screenings
Based on the types of screenings you'd like to run on your candidates, our team will create the appropriate Packages for your account.

Once you're up and running, you'll have access to the Yardstik API as well as the admin features at app.yardstik.com where you can use developer tools, manage reports, view metrics, etc.

Get Your API Keys

Once your staging and production accounts have been created, you'll have access to the Developer Tools section in Yardstik. You'll need to create an API key in each of your accounts, which you'll use to authenticate your requests in each environment. Make sure to store your full API key somewhere secure (like a password manager). For security reasons, the only time you'll see the full key displayed in Yardstik is right after you create it.

Remember, anyone with access to your API keys can make API calls on your behalf. Therefore, we recommend these best practices to keep your API keys safe

  • Never embed API keys directly in code
  • Never store API keys in files inside your source code
  • Delete unused API keys
  • Periodically regenerate your API keys
  • Always encrypt your API keys
  • Restrict API key access to only those that need it
  • Never share your API keys, not even with us

If you believe your API key has been compromised, create a new API key and switch over to using that one, then delete your compromised API key.

Authenticate With Yardstik

Yardstik uses HTTP API key authentication. To authenticate, include your API key in the header of all your API requests using the format "Account {API_KEY}" (with the word "Account" preceding your API key).

Example Authenticated Request

curl -X GET https://api.yardstik.com/accounts \
    -H 'Authorization: Account [YOUR_API_KEY]' \
    -H 'Accept: application/json'

Example Authenticated Response

[
    {
        "id": "cc0df11d-a502-47ec-8aa1-ba0738030ca7",
        "account_name": "Global Dynamics",
        "first_name": "Nathan",
        "last_name": "Stark",
        "email_address": "nathan.stark@globaldynamics.com",
        "url": "https://www.globaldynamics.com",
        "tech_email_address": "it@globaldynamics.com",
        "support_email_address": "support@globaldynamics.com",
        "support_phone": "541-555-4376",
        "actions_email_address": "hr@globaldynamics.com",
        "compliance_email_address": "hr@globaldynamics.com",
        "logo": "https://vignette.wikia.nocookie.net/eureka/images/d/dd/Global_dynamics.jpg",
        ...
    },
    ...
]

If you're seeing a similar response, you're authenticated and can make requests to our API.

Order Your First Report

Reports are the main resource you'll care about. They contain the findings for each candidate, whether you're running a background check, identity verification, or a more specialized screening like Social Media. That being said, there are some other resources which need to be in place before you can order a report.

Candidates
First off, you'll need to create a candidate with whom you'll associate the report. This is the person whose information we'll use when we run the report.

Packages
Based on your business requirements, our team will choose the appropriate screenings and group them into packages for your account. Each time you order a report, you'll specify a package; this will determine the candidate information required for that report. For example, if you want to run a report with a package that includes a Motor Vehicle Record screening, we'll need the candidate's Driver's License Number and State.

Reports With Invitations
If you'd like Yardstik to invite your candidate to fill out their information in Yardstik's UI, create an invitation and we'll automatically create a corresponding report to go with it. Based on the package you specify, we'll generate a form where the candidate will fill out all the information required to run their report. Their invitation will include a link to their unique form.

Reports Without Invitations
If you don't need Yardstik to send an invitation because you've embedded Yardstik's UI and you'd like your candidate to fill out their information as part of your in-app workflow, you can skip the invitation call and create a report instead. Once the report is created, you can grab the apply url from the metadata in the response and serve that up in your embedded view.

Alternatively, if you'd like to provide all the candidate information yourself (rather than asking the candidate to fill it in), you can create a report with the parameter account_candidate_consented: true. In your API call, you'll need to send along all the information required to run the report, based on the package you specify. To order reports this way, you'll need this feature enabled for your account. Your organization will assume full legal responsibility for collecting the FCRA disclosure and consent agreements from each candidate.

Sample Redirect Flow
To create a candidate, collect the candidate's information and POST it to our /candidates route. We'll return a candidate ID. Using the candidate id along with your account id and one of your package ids, POST this data to the /reports endpoint to order a new report. This will return the apply url in the metadata, which you can use to direct the candidate to their unique intake form.

Once the candidate fills out the form and submits disclosures, the report will begin processing.

alt text

Using Webhooks

Listen for Webhook Events

Yardstik uses webhooks to publish events any time certain situations occur. You can subscribe to receive those events, allowing your application to react in real time.

To subscribe, use the Webhooks tool to register your URL to receive POST requests for your desired event type. Repeat for each event type you'd like to listen for.

Webhook event types Publishes an event each time this occurs in your account
candidate.created a candidate is successfully created
candidate.updated a candidate is updated, e.g. name has changed
candidate.deleted a candidate is deleted
candidate.consented a candidate submits signed legal docs, including consent to a background check
candidate.paid a candidate successfully completes payment (only applies in scenarios where the candidate is responsible to pay for their report)
transaction.created a payment transaction is created
transaction.updated a payment transaction is updated
transaction.deleted a payment transaction is deleted
invitation.created an invitation (and its corresponding report) is successfully created
invitation.updated an invitation to a report is updated, e.g. an expired invitation is refreshed
invitation.deleted an invitation to a report is deleted
report.created a report is successfully created
report.updated a report is updated, e.g. the report status has changed Note: this is likely the most important event type to listen for, as it sends lots of important updates about each report
report.completed a report reaches one of the "done" statuses Note: if you don't want to be notified of every report update, but you want to know when each report is completed, you can listen for this event type instead of report.updated
report.submitted a report is submitted (the candidate provides all required data)
report.deleted a report is deleted
monitor.created a monitor is created
monitor.updated a monitor is updated
monitor.deleted a monitor is deleted
monitor_record.created a monitor returns a new record about one of your candidates
monitor_record.updated a monitor record is updated
monitor_record.deleted a record a monitor returned about one of your candidates is deleted
account.updated your account is updated
sub_account.active a subaccount is activated by the Yardstik team

Here's some more info about the Webhooks resource

Webhook Signing

Using Webhook Signing, you can ensure that requests sent to your application are from Yardstik and have not been tampered with. You should use the webhook signature to avoid processing requests that are not from Yardstik and to protect your application from bad actors.

Enabling Webhook Signing

To enable webhook signatures, create an API key named WEBHOOK_SIGNATURE (see: Get Your API Keys). Make sure you copy the API key to a safe location before closing the modal, as it will not be visible again later. Yardstik will automatically use your WEBHOOK_SIGNATURE API key to sign the webhook payload using an SHA-256 HMAC hex digest. For platform accounts and any subaccounts, each one will each need their own WEBHOOK_SIGNATURE API key in order to receive the signature.

You'll use this API Key to generate your own HMAC hash against the payload you recieved to verify that

  1. The secret API key you generated was used to sign the request, proving it came from Yardstik
  2. The message payload has not been modified, protecting against man-in-the-middle attacks

How to validate webhooks

The HMAC hash value that Yardstik uses to sign your webhook will be included in the headers of the request as: x-yardstik-webhook-signature

You'll use theWEBHOOK_SIGNATURE API key to generate an HMAC hash of the body of the request and validate the authenticity of that webhook.

If the value of x-yardstik-webhook-signature is: a1342d29ce3b28c4416482f64a3e8b9f452a22755646d7ca9a553e654676b693
Then your app should also calculate the value as: a1342d29ce3b28c4416482f64a3e8b9f452a22755646d7ca9a553e654676b693

As long as those two values are equal, you should accept the request. If they differ, your application should reject the webhook and stop processing.

A verification function can be used to validate the HMAC-SHA256 value using a crypto library of your choice, such as the Node.js crypto module. The function should calculate a hash using your WEBHOOK_SIGNATURE API key, and ensure that the result matches the hash sent by Yardstik.

Putting it all together

Example Code

This is a simple Node.js example showcasing how to validate webhook signatures using Crypto libraries behind an Express server

const crypto = require('crypto');
const express = require('express');
const app = express();
const port = 3000;

app.use(express.json());

app.post('/', (req, res) => {
    const SIGNATURE = req.get('x-yardstik-webhook-signature');
    const BODY = req.body;
    console.log(BODY);

    const HASH = crypto.createHmac('sha256', process.env.WEBHOOK_SIGNATURE).update(JSON.stringify(BODY)).digest('hex');

    console.log(`This is the x-yardstik-webhook-signature: ` + SIGNATURE);
    console.log(`This is your application's calculated hash: ` + HASH);

    // Respond with a 200, if you do not respond with a success code Yardstik will retry the request.
    res.sendStatus(200);
})

app.listen(port, () => {
  console.log(`Example app listening on port ${port}`)
})

Example Output

Example app listening on port 3000
{
  id: '42eff0e4-9bca-45da-a143-2d4e1e271d88',
  event: 'updated',
  resource_id: 'efa32155-f8cb-4331-954c-11db22ae773d',
  account_id: '16fab437-3ab5-4ee1-8a47-16ab41410a5e',
  account_name: 'Example Account',
  resource_type: 'report',
  resource_url: 'https://api.yardstik.com/reports/efa32155-f8cb-4331-954c-11db22ae773d',
  status: 'processing',
  timestamp: '2024-07-10T18:56:44Z'
}
This is the x-yardstik-webhook-signature: a1342d29ce3b28c4416482f64a3e8b9f452a22755646d7ca9a553e654676b693
This is your application's calculated hash: a1342d29ce3b28c4416482f64a3e8b9f452a22755646d7ca9a553e654676b693

The function above uses an environment variable name WEBHOOK_SIGNATURE that contains the API key you created. The app will extract the body from the request sent to the / endpoint and use the Node.js crypto library and your API key to create its own hex digest that should match the header included in the request.

Using a tool like ngrok, you can start this locally and receive calls from our API to your dev workstation to verify that webhook signing is working. Note: Ask your security team before running port forwarding applications that expose your app to the internet!

Additional sample webhook responses, POST bodies, and more are available in the Webhooks resource section.

Support

If your webhook signature has been lost or compromised, you can decommission it in Yardstik and create a new one. Here are some best practices for keeping your keys safe. If your webhook signature isn't working, don't hesitate to reach out to support@yardstik.com.

Webhook Examples

Listening for candidate.created Webhook

Register a webhook for the candidate.created event type using the Create Webhook Route. This webhook will be triggered when a new candidate is created.

Example Create candidate.created Webhook Response

{
    "id": "a87b1e1a-e9aa-4929-9f30-ad1f9b481a8c",
    "url": "https://www.yourcompany.com/webhooks/candidate_created",
    "webhook_type": "candidate.created"
}

Example candidate.created Webhook POST body

{
  "id": "dcd9a3db-d885-4695-8a92-5556126000c5",
  "event": "created",
  "resource_id": "67cae505-0bac-4eaf-a255-95421d04e303",
  "account_id": "e829bc40-89eb-4054-94e3-7e826373f8ec",
  "account_name": "Venture Industries",
  "resource_type": "candidate",
  "resource_url": "https://api.yardstik.com/candidates/67cae505-0bac-4eaf-a255-95421d04e303"
}

Now that the webhook was triggered, you should receive the response body presented above. You can use this to get the candidate ID from the resource_url key.

Listening for report.created Webhook

Let's say you also want to be notified each time a report is created. To do so, you can register for the report.created event type.

Example Create report.created Webhook Request

curl -X POST https://api.yardstik.com/accounts/[YOUR_ACCOUNT_ID]/webhooks \
    -H 'Authorization: Account [YOUR_API_KEY]' \
    -H 'Accept: application/json'
    -H 'Content-Type: application/json' \
    --data-raw '{
        "webhook_type_id": "48a9b600-e7ff-4039-bcb2-04cddab97ba8",
        "url": "https://www.yourcompany.com/webhooks/report_created"
    }'

Again, you would create a webhook for report.created.

Example Create report.created Webhook Response

{
    "id": "89ade71a-e9aa-4929-9f30-ad1f93245abf",
    "url": "https://www.yourcompany.com/webhooks/report_created",
    "enabled": true,
    "webhook_type": "report.created",
    "webhook_description": "A report has been created."
}

And once a report is created, you will be sent this

Example report.created Webhook POST body

{
  "id": "e7331072-7865-4dca-9cd2-1643656a84c7",
  "event": "created",
  "resource_id": "e7e0b119-7714-44a2-900e-9b98a4e5b1c6",
  "account_id": "e829bc40-89eb-4054-94e3-7e826373f8ec",
  "account_name": "Venture Industries",
  "resource_type": "report",
  "resource_url": "https://api.yardstik.com/reports/e7e0b119-7714-44a2-900e-9b98a4e5b1c6"
}

Report Lifecycle

From creation to completion, each report has the potential to go down a few different paths. The best way to know the current state of any given report is by checking its status. If you've opted to use an invitation with your report, the invitation also has a status. The happiest path is when no records are found on the candidate and the report sails through to a clear status. But since that's not always the case, we want to help you understand what else can happen.


Invitation Statuses
Report Statuses
Disputes
Adverse Action

Invitation Statuses

Status Description
invite_sent The invitation sent successfully, but the candidate hasn't taken action yet
viewed The candidate viewed the invitation, but hasn't clicked through to the form yet
clicked The candidate clicked the invitation link, but hasn't completed the intake form
completed The candidate submitted the intake form and the report will begin processing
canceled The invitation (and its corresponding report) was canceled, preventing the candidate from accessing the form
expired The invitation expired, preventing the candidate from accessing the form

Here's some more info about the Invitations resource

Report Statuses

There are many different statuses a candidate's report can be in. Here, we've grouped the statuses to illustrate what they mean in relation to the report's progress. The detailed descriptions of each status are below.

Not Started Moving Along Paused Action Needed Done
Created
Expired
Queued
Processing
Pending
Pre-Adverse
Approved To Process
Info Requested
Dispute
Pending Approval
YS QA Review
Exception
Consider Clear
Proceed
Final Adverse
Canceled
Pass
Fail
Status Description
created The report was successfully created and is ready to receive candidate information/consent
expired The report was created, but didn't receive candidate information/consent before its invitation's expiration date. An expired report can be reopened by refreshing its invitation. For more about expiration and how to customize, see Invitations.
queued The report is waiting for the next screening to start processing
processing Our verifications team is processing the report
pending We're waiting on a response from a third party (e.g. a court runner is retrieving records for a County Criminal check)
pre_adverse In response to the report being in consider status, one of your admins decided to kick off the Adverse Action process
approved_to_process On reports where the candidate is a minor, this indicates that their guardian provided consent for us to process their report
info_requested The candidate information we received wasn't sufficient to run the report. We've asked the candidate to provide the information we need and are waiting for their response.
dispute The candidate has filed a dispute regarding the accuracy or completeness of the results in their report. Our verifications team is investigating.
pending_approval On reports where the candidate is a minor, this indicates that we're waiting for their guardian to provide consent for us to process the report
ys_qa_review If you've opted for us to manage the Adverse Action process for you, this indicates that results have been added to the report which may disqualify the candidate. Our verifications team is reviewing and will decide next steps based on your adjudication matrix.
exception There is an issue with the report data (e.g. SSN is incorrect) that is preventing the report from processing. Our verifications team will contact the candidate for the correct information.
consider Results have been added to the report which may disqualify the candidate. One of your admins needs to review and decide whether to set the report to proceed or kick off the Adverse Action process.
clear The report has finished processing and no disqualifying results were found
proceed In response to the report being in consider status, one of your admins decided to set the report to proceed, indicating that the results found do not disqualify the candidate
final_adverse The Adverse Action process is complete and it has been determined that the results found disqualify the candidate
canceled The report was canceled and no decision has been made about the candidate. No additional activity will occur on this report.
pass On reports where there are exclusively pass/fail outcomes (e.g. reports with Identity Verification and no additional screenings), pass indicates a positive "done" state
fail On reports where there are exclusively pass/fail outcomes (e.g. reports with Identity Verification and no additional screenings), fail indicates a negative "done" state

Here's some more info about the Reports resource

Disputes

Consolidating data from several sources into a report is a complex process that can sometimes lead to unintended discrepancies between the collected information and what the consumer (i.e. candidate) knows or believes to be true. This is why the FCRA provides consumers a mechanism to dispute inaccuracies. As a consumer reporting agency, Yardsik has an obligation to provide accurate reports. When a candidate logs a dispute, we take action right away to determine whether the dispute is frivolous or if a correction to the report is necessary. We take this obligation seriously and have established internal processes to appropriately investigate, respond to, and resolve disputes in a timely manner. No action from you is needed during the dispute process.

Adverse Action

When our findings include results which may disqualify the candidate, we set the report status to consider. This gives your organization the opportunity to review the report and decide whether the candidate will proceed in your process or not. If you determine that they've been disqualified, create an adverse action (via the Yardstik UI or API) and specify which violations factored into your decision. This will set the report status to pre-adverse and kick off the FCRA-required legal process called "Adverse Action".

Adverse Action offers the candidate the opportunity to understand exactly which results disqualified them. When the adverse action is created, Yardstik will send the candidate an email containing all the FCRA-required information, including the violations you specified. The candidate will then have a set number of days (based on your account notifications setting) during which they may respond to you and provide additional information about themselves for you to consider. If you have your own process for completing an "individualized assessment", you'll want to complete that within this timeframe. The minimum number of days prescribed by the FCRA is 7, but you can set it higher.

If you change your mind during this time, you can cancel the adverse action (via the Yardstik UI or API), which will automatically move the report to the next stage. If you take no action, when the timeframe elapses the report will automatically be completed with a final adverse status and Yardstik will notify the candidate as such.

Here's some more info about the Adverse Actions resource

How do I know if the violations parameter is required?

In the response of the Get a Report Route, you'll have the adverse_action_settings key. Within is the mandatory_selection_of_violations key, which tells you whether or not you need to select violations when creating a new adverse action (most often, you do).

  adverse_action_settings: {
    "mandatory_selection_of_violations": true
  }

Which violations can I send?

In the response of the Get a Report Route, you'll have the report_screenings key, which is an array. For each report screening, you'll have an array of records, and inside each record you'll have an array of violations. (A record may not have violations. For example, a clear report probably won't have any violations.)

For each violation, you'll have a description and possibly a disposition and disposition_date.

You can map all the violations and select the ones you want to use for the adverse action.

Example of a full report response

{
    "id": "2ee83662-ea17-4233-95b9-288ee3fcb9ff",
    "reference_id": null,
    "candidate_id": "66bdcd96-adf8-4b8a-b599-ea0040a11b79",
    "status": "consider",
    "response_status": null,
    "submitted_at": "2021-04-26T22:33:18.269Z",
    "completed_at": "2021-04-30T15:44:24.333Z",
    "created_at": "2021-04-26T21:51:06.880Z",
    "decision": "",
    "usage_amount": null,
    "process_sequentially": true,
    "created_by": "cool_email@yardstik.com",
    "permissible_purpose": {
        "id": "a2c00755-b57e-40e1-9876-2c5640ce53be",
        "name": "Employment",
        "configurations": { "initial_status": "pre_adverse" }
      }
    },
    "candidate": {
        "id": "66bdcd96-adf8-4b8a-b599-ea0040a11b79",
        "full_name": "John Clean",
        "email": "cool_email@yardstik.com",
        "phone_masked": null,
        "date_of_birth_masked": "#######-12",
        "ssn_masked": null,
        "driver_license_number_masked": null,
        "full_address": {
            "address": "Mineapolis",
            "zip_code": "12345",
            "city": "Mineapolis",
            "state": "MN"
        },
    },
    "account_id": "d210dcdd-c9d4-4ced-a594-8402cb6a2ab4",
    "account_name": "Account Name",
    "report_url": null,
    "adverse_action_id": null,
    "report_screenings": [
        {
            "id": "e11b7d00-9b55-4879-8f6e-c3859f16347d",
            "type": "Criminal",
            "label": "CountyCriminal",
            "name": "CountyCriminal",
            "status": "consider",
            "order": 0,
            "decision": "Consider",
            "response_status": "ready",
            "created_at": "2021-04-26T22:33:18.218Z",
            "report_url": "",
            "elapsed_timing": "1 week",
            "records": [
                {
                    "category": {
                        "key": "County",
                        "value": "NY-NYOCA"
                    },
                    "messages": [],
                    "violations": [],
                    "personal_data": {},
                    "other_information": {
                        "jurisdiction": "NY-NYOCA",
                        "pending_notes": null
                    }
                }
            ],
            "comments": []
        },
        {
            "id": "c6851635-9ce4-47ce-a246-531fbe36aac0",
            "type": "Criminal",
            "label": "StateCriminalCourt",
            "name": "StateCriminalCourt",
            "status": "consider",
            "order": 0,
            "decision": "Consider",
            "response_status": "ready",
            "created_at": "2021-04-26T22:33:18.228Z",
            "report_url": "",
            "elapsed_timing": "1 week",
            "records": [
                {
                    "category": {
                        "key": "State",
                        "value": "NEW YORK"
                    },
                    "messages": [],
                    "violations": [
                        {
                            "comments": null,
                            "sentence": "24 Months Or Pretrial Intervention Next Court Date 01/01/2021",
                            "file_date": "2021-03-20",
                            "case_number": "ABCDEFG",
                            "description": "Felony",
                            "disposition": "Court: Pre Trial Intervention",
                            "jurisdiction": "NEW YORK",
                            "offense_date": null,
                            "count_offense": "1. Possession Of Schedule 4 Substance",
                            "dob_on_record": "XXXX-04-01",
                            "ssn_on_record": null,
                            "name_on_record": "MESS, HANK",
                            "disposition_date": "2021-03-20"
                        },
                        {
                            "description": "This one Has Only the description",
                        }
                    ],
                    "personal_data": {},
                    "other_information": {
                        "jurisdiction": "NEW YORK",
                        "pending_notes": null
                    }
                },
                {
                    "category": {
                        "key": "State",
                        "value": "MINNESOTA"
                    },
                    "messages": [],
                    "violations": [
                        {
                            "comments": null,
                            "sentence": "24 Months Or Pretrial Intervention Next Court Date 10/08/2015",
                            "file_date": "2014-08-20",
                            "case_number": "POIUYTREWQ",
                            "description": "Felony",
                            "disposition": "Court: Pre Trial Intervention",
                            "jurisdiction": "MINNESOTA",
                            "offense_date": null,
                            "count_offense": "1. Possession Of Schedule 4 Substance",
                            "dob_on_record": "XXXX-04-01",
                            "ssn_on_record": null,
                            "name_on_record": "MESS, HANK",
                            "disposition_date": "2015-09-18"
                        },
                        {
                            "comments": null,
                            "sentence": "24 Months Or Pretrial Intervention Next Court Date 10/08/2015",
                            "file_date": "2014-08-20",
                            "case_number": "502008CF012155YXYXMB",
                            "description": "Felony",
                            "disposition": "Court: Pre Trial Intervention",
                            "jurisdiction": "MINNESOTA",
                            "offense_date": null,
                            "count_offense": "2. Possession Of Schedule 2 Substance",
                            "dob_on_record": "XXXX-04-01",
                            "ssn_on_record": null,
                            "name_on_record": "MESS, HANK",
                            "disposition_date": "2014-09-18"
                        },
                        ...
                    ],
                    "personal_data": {},
                    "other_information": {
                        "jurisdiction": "MINNESOTA",
                        "pending_notes": null
                    }
                }
            ],
            "comments": []
        }
    ],
    "report_screenings_total": 2,
    "report_screenings_completed": 2,
    "elapsed_timing": "4 days",
    "package_name": "State Criminal Court",
    "comments": [],
    "course": {
        "has_courses": false,
        "courses_completed": false
    },
    "meta": {
        "entity": "https://app.yardstik.com/reports/1234....",
        "apply": "https://profile.yardstik.com/candidates/1234
    },
    "adverse_action_settings": {
        "mandatory_selection_of_violations": false
    }
}

Platforms and Subaccounts

If you're going to be operating as a platform account in Yardstik (where your customers will have their own Yardstik subaccounts "underneath" yours and they'll be the ones ordering reports), this section is for you. To manage subaccounts, you'll need this feature enabled for your account.

As a platform account, in your Yardstik account settings, you can add your logo and brand colors, which will alter the look of Yardstik for your subaccount admins.

Creating Subaccounts

Just like your own account, when you create a subaccount to represent one of your customers, you'll need to specify a permissible purpose and at least one package. Your subaccounts must use a subset of the permissible purposes and packages associated with your platform account. You'll also need to provide the credentialing information highlighted in the Get Your Accounts section.

Permissible Purposes
To see a list of your platform account's permissible purposes, check the Get Account Route. The response body will have an array of permissible_purposes with an id for each. When you create a subaccount, you'll provide the permissible_purpose_id for each permissible purpose you want the subaccount to be able to use.

Packages
Similarly, to see a list of your platform account's packages, check the Get Packages Route. The response body will have an array of account_packages with an id for each. When you create a subaccount, you'll provide an account_packages array with the id for each package you want the subaccount to be able to use. This will automatically create those packages within the subaccount, using the same configurations as the platform account.

Inside the account_packages array, your objects must follow this format:

  • id: the platform account package id
  • name: the name of the subaccount package (if not provided, this will inherit the name of the platform account package)
  • paid_by: defines who will pay for the report, with the possible options of account or candidate (if not provided, this will inherit the platform account package's setting) Note: if set to candidate, the candidate will be asked to provide their credit card information in a payment form. Their report won't start processing until we've successfully received their payment.

How to provide the account_packages parameter

  "account_packages": [
      {
          "id": "the UUID of one of the platform account packages",
          "name": "the name of the subaccount package",
          "paid_by": "candidate"
      },
      {
          "id": "the UUID of one of the platform account packages",
          "name": "if not provided, will inherit the platform account package's name",
          "paid_by": "account"
      }
  ]

Subaccount Owner
The subaccount owner will be set based on the email_address you provide when you create the subaccount. The owner will be responsible for signing legal documents and completing their subaccount setup in Yardstik.

Here's some more info about the Subaccounts Resource

Credentialing Subaccounts

Once the subaccount is created, Yardstik will send an email to the subaccount owner with a link to sign into Yardstik, where they'll be prompted to create their user account and sign applicable legal documents. Our onboarding team will review everything, and once it all looks good, they'll mark the subaccount credentialed. We'll notify the subaccount owner that they now have full access to Yardstik and can complete any additional setup, e.g. adding their brand settings, customizing their notifications, and inviting additional admin users.

Note: The API key generated when the subaccount is created won't be active until the subaccount is credentialed. Once the API key is active, you can use it to manage Yardstik resources via the API. To get notified when your subaccounts become credentialed, subscribe to the sub_account.active webhook event type.

Example Create sub_account.active Webhook Request

curl -X POST https://api.yardstik.com/accounts/[YOUR_ACCOUNT_ID]/webhooks \
    -H 'Authorization: Account [YOUR_API_KEY]' \
    -H 'Accept: application/json'
    -H 'Content-Type: application/json' \
    --data-raw '{
        "webhook_type_id": "48a9b600-e7ff-4039-bcb2-04cddab97ba8",
        "url": "https://www.yourcompany.com/webhooks/sub_account_active"
    }'

Example Create sub_account.active Webhook Response

{
    "id": "89ade71a-e9aa-4929-9f30-ad1f93245abf",
    "url": "https://www.yourcompany.com/webhooks/report_completed",
    "enabled": true,
    "webhook_type": "sub_account.active",
    "webhook_description": "A subaccount has been activated by Yardstik support."
}

Example sub_account.active Webhook POST body

{
  "id": "ca64ad1a-2018-41c4-b369-dd5c3c1581dc",
  "event": "active",
  "resource_id": "21e2830c-b886-4234-a31d-5fa316069b21",
  "account_id": "e829bc40-89eb-4054-943-7e826373f8ec",
  "account_name": "Venture Capital",
  "resource_type": "sub_account",
  "resource_url": "https://api.yardstik.com/accounts/21e2830c-b88e-42e-a5ed-5e316069b21"
}

Pagination

All top-level API resources have support for bulk fetches via list API methods. Yardstik uses page-based pagination via the page and per_page parameters. For example, you can list invitations, candidates, and reports.

Standard Request

Example Paginated Request

curl -X GET https://api.yardstik.com/invitations?page=2&per_page=25 \
    -H 'Authorization: Account [YOUR_API_KEY]' \
    -H 'Accept: application/json'

Paginated list API Request Parameters

Parameter Description
page The page number to retrieve.
type: integer
default: 1
per_page The number of records per page.
type: integer
default: 50
minimum: 1
maximum: 200

The page parameter determines which page of results will be returned in the response, and defaults to 1 if not set or set to an invalid type. If the value of page exceeds the total_number of pages available, the response will include an empty data array.

The per_page parameter determines the maximum number of results included in each response. The maximum value allowed is 200, with a default value of 50.

  • If there are fewer resources available than the per_page value, the response will include all available resources.
  • If you pass more than 200, the response will still include only 200.
  • If the per_page value is an invalid type, the default value of 50 is used.

Standard Response

Paginated list API Response Structure

Example Paginated Response

{
    "object": "list",
    "meta": {
        "page": 2,
        "per_page": 25,
        "total_count": 137,
        "total_pages": 6
    },
    "data": [
        {
            "object": "invitation",
            "id": "18e00b78-e620-4ecf-a01a-eb810f1b6751",
            ... additional response attributes based on resource schema
        },
        {
            "object": "invitation",
            "id": "d0102680-e2de-4af8-9034-f88ccb4ad267",
            ... additional response attributes based on resource schema
        },
        ... additional resources in the page
    ]
}

The standard response for all top-level list API requests will include at least these attributes

Attribute Description
object The type of object returned.
type: string
default: "list"
meta Metadata associated with the response.
Attributes:
Attribute Description
page The page number of the response.
type: integer
per_page The number of results per page.
type: integer
total_count The total number of resources available.
type: integer
total_pages The total number of pages available.
type: integer
data An array of the requested resources.
type: array
Notes: May be an empty array [] if no resources are available.

Filter and Sort

For all listing endpoints, we support a filtering query param called query that allows you to pass a field name and a matcher to use to filter the results down a specific set. We also support two query params called order_by and order that let you pass the field name you want to order by, and the direction you want the results ordered. When combined with Pagination, this allows you to build a custom UI for listing out resources.

Filtering

Parameter Description
query Field name to filter on.
type: string

Get only reports created before Jan 1 2021

curl -g -X GET \
  'https://api.yardstik.com/reports?query[created_at_lt]=2022-01-01' \
  -H 'Authorization: Account [YOUR_API_KEY]' \
  -H 'Accept: application/json'

Get only reports updated after Jan 1 2021

curl -g -X GET \
  'https://api.yardstik.com/reports?query[updated_at_gteq]=2022-01-01T00:00:00.000Z'
  -H 'Authorization: Account [YOUR_API_KEY]' \
  -H 'Accept: application/json'

Get reports created between March 23 2021 and April 1 2021

curl -g -X GET \
  'https://api.yardstik.com/reports?query[created_at_lt]=2021-04-01&query[created_at_gt]=2021-03-23' \
  -H 'Authorization: Account [YOUR_API_KEY]' \
  -H 'Accept: application/json'

Matchers

Predicates Description Notes
*_eq Equal query[status_eq]=created
Individual check, to do multiple see *_in
*_not_eq Not equal query[status_not_eq]=created
Individual check, to do multiple see *_not_in
*_lt Less than query[created_at_lt]=2022-01-01
*_lteq Less than or equal to query[created_at_lteq]=2022-01-01
*_gt Greater than query[created_at_gt]=2022-01-01
*_gteq Greater than or equal to query[created_at_gteq]=2022-01-01
*_null Is null query[completed_at_null]=true
*_not_null Is not null query[completed_at_not_null]=true
*_in Match any value in array query[status_in][]=clear&query[status_in][]=consider
*_not_in Match none of the values in array query[status_not_in][]=clear&query[status_not_in][]=consider
*_start Starts with query[status_start]=con
*_not_start Does not start with query[status_not_start]=con
*_end Ends with query[status_end]=sider
*_not_end Does not end with query[status_not_end]=sider
*_cont Contains query[status_cont]=con
*_not_cont Does not contain query[status_not_cont]=con
*_true Is true query[active_true]=true
*_false Is false query[active_false]=true

Sorting

Parameter Description
order_by Field name to sort on.
type: string
order Specifies the direction to sort.
Accepts asc and desc.
Defaults to asc when not passed
type: string

Order candidates by created_at in default ascending order (oldest first)

curl -g -X GET \
  'https://api.yardstik.com/reports?order_by=created_at
  -H 'Authorization: Account [YOUR_API_KEY]' \
  -H 'Accept: application/json'

Order candidates by updated_at in descending order (newest first)

curl -g -X GET \
  'https://api.yardstik.com/reports?order_by=updated_at&order=desc
  -H 'Authorization: Account [YOUR_API_KEY]' \
  -H 'Accept: application/json'

Combine it all together

You can use pagination, querying and ordering all on the same call to fully control the results. This will get all reports created between March 23, 2021 and April 1, 2021 and order them by the created_at field with newest first while limiting the results to 20 per page.

curl -g -X GET \
  'https://api.yardstik.com/reports?query[created_at_lt]=2021-04-01&query[created_at_gt]=2021-03-23&order_by=created_at&order=desc&page=1&per_page=20' \
  -H 'Authorization: Account [YOUR_API_KEY]' \
  -H 'Accept: application/json'

Errors

We return a number of standard HTTP errors. Below are some of the most common errors that you may run into while developing.

Status Definition
400 Bad Request
401 Unauthorized
403 Forbidden
404 Not Found
422 Unprocessable Entity
500 Internal Server Error

Below are the status codes with more information on what could have occurred.

Bad Request

The server cannot process the request. This error is most likely due to malformed request syntax.

  • code: 400
  • status: Bad Request

Bad Request

Response Schema: application/json
errors
Array of strings
application/json
{
  • "errors": [
    ]
}

Unauthorized

Similar to a 403 Forbidden, but specifically when authentication is provided and has failed, or not been provided.

This error is most likely due to not including or having a malformed API key in the request header.

  • code: 401
  • status: Unauthorized

Unauthorized

Response Schema: application/json
errors
Array of strings
application/json
{
  • "errors": [
    ]
}

Forbidden

The request is valid, but you are unable to execute the request. This error is most likely due to the API key not having the necessary permissions, or a prohibited action is attempted, such as creating a duplicate record where one already exists.

  • code: 403
  • status: Forbidden

Forbidden

Response Schema: application/json
errors
Array of strings
application/json
{
  • "errors": [
    ]
}

Not Found

The requested resource could not be found but may be available in the future. This error is often encountered when an id that does not exist is passed in a request. If you encounter this error, ensure that you are referencing the correct id and that it exists in your account.

  • code: 404
  • status: Not Found
{
  {
    "title": "Report Not Found",
    "detail": "The report was not found",
    "meta": {
      "report_id": "INVALID_REPORT_ID"
     },
    "src": {},
    "status": 404
  }
}

Unprocessable Entity

The request was well-formed, but was unable to be processed due to semantic errors. This error is most likely due to including invalid data in POST, PATCH, and PUT requests. Refer to the request documentation to ensure you are supplying the required attributes, and that the attribute types are correct.

  • code: 422
  • status: Unprocessable Entity

Unprocessable Entity

Response Schema: application/json
detail
string

Detailed message about the error.

meta
object

An object with more details about the response error.

src
object

An object containing references to the source of the error.

status
integer

Status code of the error.

title
string

A brief title of the error.

application/json
{
  • "title": "Resource not updated",
  • "detail": "There was a problem updating this resource.",
  • "meta": { },
  • "src": { },
  • "status": 422
}

Internal Server Error

An internal server error occurred due to an unexpected condition, and is most likely due to an issue with our servers. If you encounter such an error, please reach out to support@yardstik.com and we will work with you to resolve the issue.

  • code: 500

  • status: Internal Server Error

Embeddable Views

Yardstik has published a public npm library for utilizing Yardstik embeddable views https://www.npmjs.com/package/@yardstik/embeddable-sdk
You can also check out this quick start demo example of how it all works https://github.com/yardstik/embeddable-sdk-demo

Installation

The Yardstik embeddable-sdk library is available as an npm package.

  • with npm npm i @yardstik/embeddable-sdk

  • with yarn yarn add @yardstik/embeddable-sdk

Getting Started

Here is a quick example to get you started:

import { Yardstik } from '@yardstik/embeddable-sdk';

Available Views

Each available page view is a separate method on the exported Yardstik library object. The currently supported views are as follows:

  1. CandidateReportIframe: Allows the user to view and interact with a candidate report.
  2. AccountDisclosuresIframe: Allows the user to view and agree to account level agreements and terms.

Creating an Instance of an Available View

To create an instance of the desired view, which will be attached to a specified container on your page, call the applicable method and pass in the configuration object.

  const yardstikReport = new Yardstik.CandidateReportIframe(
    {
      token: myToken,
      reportId: myReportId,
      container: containerRef.current,
      domain: myDomain
    }
  );

CandidateReportIframe

The config object for the CandidateReportIframe takes the following parameters:

token: string - JWT for authorization

reportId: string - The ID of the report that you would like to review

container: HTMLElement - Container to which the iframe will be attached

domain: string - Yardstik domain that you would like to call

width?: string - Optional width of the iframe

height?: string - Optional height of the iframe

fullScreen?: boolean - Optional, if true, iframe will fill the entire page

AccountDisclosureIframe

The config object for the AccountDisclosureIframe takes the following parameters:

token: string - JWT for authorization

accountId: string - The ID of the account that you would like to review

container: HTMLElement - Container to which the iframe will be attached

domain: string - Yardstik domain that you would like to call

width?: string - Optional width of the iframe

height?: string - Optional height of the iframe

fullScreen?: boolean - Optional, if true, iframe will fill the entire page

Obtaining JWT

To obtain a JWT to include in the config object (from your backend), make a request to the JWT Route using your API token for authorization.

Shared Methods For Use By Parent Page

Each view has a shared method that can be called by the parent page and utilized for customization and performance.

destroy: When called, the destroy method will remove the iframe from its parent container. This method can be used by the parent page for clean-up.

yardstikReport.destroy()

Message Events

In order to allow the parent to take action, each iframe view is set up to post certain message events to the parent page in which it is contained.

loaded: Each iframe instance will post a 'loaded' message event when the iframe content has fully loaded. The parent page could listen for this event to trigger an action, such as rendering the iframe visible or turning off a loading animation.

  yardstikReport.on('loaded', () => {
    console.log("The iframe is ready.");
    setIframeReady(true)
  ;})

expiration: Each iframe instance will post an 'expiration' message event when the authorization token has expired. The parent can listen for this event to trigger an action, such as requesting a new JWT from your backend to refresh the session or instructing the user to refresh the page, so that a new token is generated.

  yardstikReport.on('expiration', () => {
  console.log("The JWT has expired.");
  setTokenExpired(true);
})

Accounts

Accounts are your primary resource for configuring the Yardstik platform.
Use this to manage users, settings, and API keys.

List all accounts

List all accounts that you have access to.

SecurityApiKey
Request
query Parameters
order
string

Order listing results in ascending or descending order, when using order_by.
Accepted values are asc or desc. If not passed, defaults to ascending asc.

Examples:
order=desc
order_by
string

Order listing results by a specific property.

Examples:
order_by=created_at
page
integer

The page number to retrieve.

per_page
integer

The maximum number of results per page.

query
string

Filter listing results by a specific property.

Examples:
query[created_at_gteq]=2022-01-01T00:00:00.000Z
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

get/accounts
Request samples
Response samples
application/json
[
  • {
    }
]

Create an API key

Generate a new API key.

SecurityApiKey
Request
path Parameters
accountId
required
string
Request Body schema: application/json
name
string

The name of the API key

Responses
201

Created

401

Unauthorized

403

Forbidden

404

Not Found

422

Unprocessable Entity

post/accounts/{accountId}/api_token
Request samples
application/json
{ }
Response samples
application/json
{
  • "id": "70adc786-904b-4954-9adb-0ede9f949c62",
  • "api_token": "c6b6e55f-5b3a-479a-9ea8-d95d13856c7d",
  • "name": "Checking x",
  • "header": "Authorization: User c6b6e55f-5b3a-479a-9ea8-d95d13856c7d"
}

Get all settings

Account settings for a given account ID.

SecurityApiKey
Request
path Parameters
accountId
required
string
Responses
200

OK

401

Unauthorized

404

Not Found

get/accounts/{accountId}/settings
Request samples
Response samples
application/json
{
  • "styles": {
    },
  • "invitations": {
    },
  • "adverse_actions": {
    },
  • "reports": {
    },
  • "report_notifications": {
    }
}

Get an account setting

Get a single account setting for the given account ID and setting key.

SecurityApiKey
Request
path Parameters
accountId
required
string
settingKey
required
string

e.g. styles

Responses
200

OK

401

Unauthorized

404

Not Found

get/accounts/{accountId}/settings/{settingKey}
Request samples
Response samples
application/json
{
  • "primary_color": "FFCD01",
  • "secondary_color": "FFCD01"
}

Update an account setting

Update an account setting for the given account ID and setting key.

SecurityApiKey
Request
path Parameters
accountId
required
string
settingKey
required
string

e.g. styles

Request Body schema: application/json
object
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

422

Unprocessable Entity

patch/accounts/{accountId}/settings/{settingKey}
Request samples
application/json
{
  • "primary_color": "FFCD01"
}
Response samples
application/json
{ }

Get an account

Account details.

SecurityApiKey
Request
path Parameters
accountId
required
string
Responses
200

OK

201

Created

400

Bad Request

401

Unauthorized

404

Not Found

get/accounts/{accountId}
Request samples
Response samples
application/json
{
  • "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  • "account_name": "string",
  • "first_name": "string",
  • "last_name": "string",
  • "email_address": "user@example.com",
  • "url": "string",
  • "tech_email_address": "user@example.com",
  • "support_email_address": "user@example.com",
  • "support_phone": "string",
  • "compliance_email_address": "user@example.com",
  • "actions_email_address": "user@example.com",
  • "configurations": {
    },
  • "features": {
    },
  • "company_phone_number": "string",
  • "additional_company_info": "string",
  • "owner_title": "string",
  • "legal_business_name": "string",
  • "state_of_incorporation": "string",
  • "ein": "string",
  • "legal_entity_type": "string",
  • "billing_contact_first_name": "string",
  • "billing_contact_last_name": "string",
  • "billing_email": "string",
  • "address": {
    },
  • "logo": "string",
  • "meta": {
    },
  • "permissible_purposes": [
    ]
}

Subaccounts

Subaccounts are children of a platform account, and can be used to isolate resources and configuration settings. For a more detailed explanation, check out the Platforms and Subaccounts section.

List subaccounts

Retrieve a paginated list of all subaccounts that belong to your platform account. See Pagination.

SecurityApiKey
Request
query Parameters
order
string

Order listing results in ascending or descending order, when using order_by.
Accepted values are asc or desc. If not passed, defaults to ascending asc.

Examples:
order=desc
order_by
string

Order listing results by a specific property.

Examples:
order_by=created_at
page
integer

The page number to retrieve.

per_page
integer

The maximum number of results per page.

query
string

Filter listing results by a specific property.

Examples:
query[created_at_gteq]=2022-01-01T00:00:00.000Z
Responses
200

List of subaccounts

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

get/sub_accounts
Request samples
Response samples
application/json
{
  • "object": "list",
  • "meta": {
    },
  • "data": [
    ]
}

Create a subaccount

From your platform account, create a subaccount.
You'll need to provide at least one permissible purpose. You may also provide the account_packages information from your platform account. For a more detailed explanation, check out the Platforms and Subaccounts section.

Upon creating a new subaccount you will get a 201 Created response.
If you send another POST with the same account_name it will refresh the API token and return 200 OK with the existing account details.
To make any further updates to the new subaccount, use the new API key from that account and call the PATCH Accounts route.

SecurityApiKey
Request
Request Body schema:
account_name
required
string

Name of the subaccount.

Array of objects

The account packages that will be created for the subaccount. If this field and the permissible_purpose_ids are provided together, the permissible purpose from the account packages provided should be included in the permissible_purpose_ids.

actions_email_address
string

Actions email address of the subaccount.

additional_company_info
string

Any extra information that you want to provide.

required
object
billing_contact_first_name
string

The first name of the billing contact.

billing_contact_last_name
string

The last name of the billing contact.

billing_email
string

The email of the billing contact.

company_phone_number
string

This is for our business verification purposes and will not be included on candidate communication. Must be E.164 format, e.g. +14155552671.

compliance_email_address
string

Compliance email address of the subaccount.

create_api_key
boolean

If false, an API key will not be created. This value defaults to true.

ein
string
email_address
required
string

Email address of the subaccount owner. This person will be responsible for signing the subaccount's legal documents during credentialing.

See the Credentialing Subaccounts section.

first_name
required
string

First name of the subaccount owner.

last_name
required
string

Last name of the subaccount owner.

legal_business_name
string

The account legal business name.

legal_entity_type
string

The type of the legal entity, valid options: b-corporation, corporation, c-corporation, limited-liability-partnership, limited-liability-corporation, limited-partnership and non-profit.

owner_title
string

The title of the owner of the account.

permissible_purpose_id
string <UUID>

The unique identifier for the subaccount permissible purpose. This field is not required when the account packages or permissible_purpose_ids are provided.

permissible_purpose_ids
Array of strings <UUID>

The unique identifiers for the subaccount permissible purposes. If this field and the account packages are provided they should match the account packages permissible purposes.

state_of_incorporation
string
support_email_address
string

Support email address of the subaccount.

support_phone
string

Support phone number of the subaccount. Must be E.164 format, e.g. +14155552671.

tech_email_address
string

Tech email address of the subaccount.

url
string

Relevant URL for subaccount.

Responses
200

Account already exists

201

Created

400

Bad Request

401

Unauthorized

404

Not Found

422

Unprocessable Entity

post/sub_accounts
Request samples
{
  • "email_address": "string",
  • "account_name": "string",
  • "first_name": "string",
  • "last_name": "string",
  • "address": { }
}
Response samples
application/json
{
  • "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  • "account_name": "string",
  • "first_name": "string",
  • "last_name": "string",
  • "owner_email": "user@example.com",
  • "email_address": "user@example.com",
  • "url": "string",
  • "tech_email_address": "user@example.com",
  • "support_email_address": "user@example.com",
  • "support_phone": "string",
  • "compliance_email_address": "user@example.com",
  • "actions_email_address": "user@example.com",
  • "address": {
    },
  • "logo": "string",
  • "meta": {
    },
  • "permissible_purposes": [
    ],
  • "api_tokens": [
    ]
}

Get a subaccount

You can get the details of any subaccount that belongs to your platform account.

SecurityApiKey
Request
path Parameters
sub_account_id
required
string
Responses
200

OK

400

Bad Request

401

Unauthorized

404

Not Found

get/sub_accounts/{sub_account_id}
Request samples
Response samples
application/json
{
  • "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  • "account_name": "string",
  • "first_name": "string",
  • "last_name": "string",
  • "email_address": "user@example.com",
  • "url": "string",
  • "tech_email_address": "user@example.com",
  • "support_email_address": "user@example.com",
  • "support_phone": "string",
  • "compliance_email_address": "user@example.com",
  • "actions_email_address": "user@example.com",
  • "configurations": {
    },
  • "features": {
    },
  • "company_phone_number": "string",
  • "additional_company_info": "string",
  • "owner_title": "string",
  • "legal_business_name": "string",
  • "state_of_incorporation": "string",
  • "ein": "string",
  • "legal_entity_type": "string",
  • "billing_contact_first_name": "string",
  • "billing_contact_last_name": "string",
  • "billing_email": "string",
  • "address": {
    },
  • "logo": "string",
  • "meta": {
    },
  • "permissible_purposes": [
    ]
}

Packages

Packages are collections of background screens, searches, and verifications used to create a report.

List all packages

Returns a list of available account packages for an account using the API token.

This list will be refreshed as new account packages are added or old ones are removed.
Use id from each package to order new reports or create invitations.
DO NOT USE package_id to order a report, this is a reference ID to the parent package in our database and is only to be used by Yardstik. Make sure you're always using the id instead, which is scoped to your account.

Defaults to listing all report packages. To get monitor packages, use the query param query[action_type_eq]=monitor

SecurityApiKey
Request
query Parameters
include_disabled
boolean
Examples:
include_disabled=true
include_disabled=false
object
Examples:
query[action_type_eq]=report
query[action_type_eq]=monitor
query[action_type_eq]=certificate
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

get/packages
Request samples
Response samples
application/json
[
  • {
    },
  • {
    }
]

Account Custom Fields

You can add custom fields to resources in an account.
To begin leveraging candidate custom fields please reach out to support@yardstik.com for field setup.

List all custom fields

Retrieve a paginated list of Account Custom Fields. See Pagination.

SecurityApiKey
Request
query Parameters
order
string

Order listing results in ascending or descending order, when using order_by.
Accepted values are asc or desc. If not passed, defaults to ascending asc.

Examples:
order=desc
order_by
string

Order listing results by a specific property.

Examples:
order_by=created_at
page
integer

The page number to retrieve.

per_page
integer

The maximum number of results per page.

query
string

Filter listing results by a specific property.

Examples:
query[created_at_gteq]=2022-01-01T00:00:00.000Z
Responses
200

List of Account Custom Fields

401

Unauthorized

404

Not Found

get/custom-fields
Request samples
Response samples
application/json
{
  • "meta": {
    },
  • "data": [
    ]
}

Candidates

Candidates represent the people you'll be running reports on.
All candidates must consent to the required legal documents before the report can begin processing.
Use this resource to collect all Personally Identifiable Information (PII) required to order a report or invite the candidate.

List candidates

Retrieve a paginated list of candidates. See Pagination.

SecurityApiKey
Request
query Parameters
order
string

Order listing results in ascending or descending order, when using order_by.
Accepted values are asc or desc. If not passed, defaults to ascending asc.

Examples:
order=desc
order_by
string

Order listing results by a specific property.

Examples:
order_by=created_at
page
integer

The page number to retrieve.

per_page
integer

The maximum number of results per page.

query
string

Filter listing results by a specific property.

Examples:
query[created_at_gteq]=2022-01-01T00:00:00.000Z
Responses
200

List of candidates

401

Unauthorized

404

Not Found

get/candidates
Request samples
Response samples
application/json
{
  • "object": "list",
  • "meta": {
    },
  • "data": [
    ]
}

Create a candidate

A candidate is the person whose information we'll use when you order a report. As far as providing their information to Yardstik, you have a couple of options.

Ask the candidate to enter their own info

If you plan to create an invitation or have the candidate enter their information in an embedded Yardstik view, you only need to provide the strictly required attributes when you create the candidate

  • first_name
  • last_name
  • email

Based on the package, the candidate will be presented with a form to enter the rest of the information needed to run their report. If you have additional candidate information, feel free to provide it. We’ll autofill it into the candidate’s form, saving them time.

Provide all candidate info yourself

If you have all of the candidate's information on-hand, you can provide it to Yardstik directly. The information required for each package will differ somewhat, so we recommend that you reference the intake_fields array on the list all packages response for the package you plan to use. Provide the required intake fields when you create the candidate. Some of the most commonly required candidate-level intake fields are

  • first_name
  • last_name
  • email
  • phone
  • ssn
  • date_of_birth
  • zip_code
  • driver_license_number
  • driver_license_state

Some packages additionally require screening-level fields (a separate intake_fields array within the screenings object on the same response), which you can send when you create the report. If any of the required intake fields are missing when you create a report with account_candidate_consented: true, we’ll invite the candidate to enter the missing information themselves.

SecurityApiKey
Request
Request Body schema: application/json
required
Array of objects

The addresses of the candidate.

object (CustomFieldsCreateOrUpdate)

Custom fields must be passed in an object in key-value format

Example:

{
  age: 31,
  birth_date: "1991-01-31",
  former_employee: true
}
date_of_birth
string or null <date-time>

The date of birth of the candidate.

driver_license_number
string or null

The drivers license number of the candidate.

driver_license_state
string or null

The state the candidates drivers license is issued by as ISO 3166-2 two letter code.

email
required
string

The email address of the candidate.

external_id
string or null

This field you can use to store any identifier that you could track back on your application.

first_name
required
string

The first name of the candidate.

gender
string or null

The gender of the candidate.

last_name
required
string

The last name of the candidate.

object

Relevant links for a candidate

middle_name
string or null

The middle name of the candidate.

no_middle_name
boolean or null

True if candidate has no middle name, otherwise False or null..

phone
string or null

The primary SMS capable phone number of the candidate.
Must be E.164 format, e.g. +14155552671.

previous_driver_license_number
string or null

The previous drivers license number of the candidate.

previous_driver_license_state
string or null

The state the candidates previous drivers license is issued by as ISO 3166-2 two letter code.

ssn
string

The social security number of the candidate.
Must be in this format ###-##-####, e.g. 111-11-1111.

Responses
200

Candidate already exists.

201

Candidate was created successfully.

401

Unauthorized

404

Not Found

422

Unprocessable Entity

post/candidates
Request samples
application/json
{ }
Response samples
application/json
{
  • "id": "4f6cf35x-2c4y-483z-a0a9-158621f77a21",
  • "object": "candidate",
  • "first_name": "string",
  • "middle_name": "string",
  • "no_middle_name": true,
  • "last_name": "string",
  • "email": "joe.clean@example.com",
  • "phone": "+14155552671",
  • "ssn_masked": "string",
  • "date_of_birth": "2019-08-24T14:15:22Z",
  • "gender": "string",
  • "driver_license_number": "string",
  • "driver_license_state": "string",
  • "previous_driver_license_number": "string",
  • "previous_driver_license_state": "string",
  • "evergreen": "string",
  • "external_id": "string",
  • "created_at": "2019-08-24T14:15:22Z",
  • "updated_at": "2019-08-24T14:15:22Z",
  • "meta": {
    },
  • "addresses": {
    },
  • "custom_fields": [
    ]
}

Get a candidate

Retrieve a candidate with the given ID.

SecurityApiKey
Request
path Parameters
candidate_id
required
string <uuid> (ResourceId) <= 50 characters

The candidate unique identifier.

Example: 4f6cf35x-2c4y-483z-a0a9-158621f77a21
Responses
200

Candidate details.

401

Unauthorized

404

Not Found

get/candidates/{candidate_id}
Request samples
Response samples
application/json
{
  • "id": "4f6cf35x-2c4y-483z-a0a9-158621f77a21",
  • "object": "candidate",
  • "first_name": "string",
  • "middle_name": "string",
  • "no_middle_name": true,
  • "last_name": "string",
  • "email": "joe.clean@example.com",
  • "phone": "+14155552671",
  • "ssn_masked": "string",
  • "date_of_birth": "2019-08-24T14:15:22Z",
  • "gender": "string",
  • "driver_license_number": "string",
  • "driver_license_state": "string",
  • "previous_driver_license_number": "string",
  • "previous_driver_license_state": "string",
  • "evergreen": "string",
  • "external_id": "string",
  • "created_at": "2019-08-24T14:15:22Z",
  • "updated_at": "2019-08-24T14:15:22Z",
  • "meta": {
    },
  • "addresses": {
    },
  • "custom_fields": [
    ]
}

Update a candidate

Update a candidate with the given ID.

SecurityApiKey
Request
path Parameters
candidate_id
required
string <uuid> (ResourceId) <= 50 characters

The candidate unique identifier.

Example: 4f6cf35x-2c4y-483z-a0a9-158621f77a21
Request Body schema: application/json
required
Array of objects

The addresses of the candidate.

object (CustomFieldsCreateOrUpdate)

Custom fields must be passed in an object in key-value format

Example:

{
  age: 31,
  birth_date: "1991-01-31",
  former_employee: true
}
date_of_birth
string or null <date-time>

The date of birth of the candidate.

driver_license_number
string or null

The drivers license number of the candidate.

driver_license_state
string or null

The state the candidates drivers license is issued by as ISO 3166-2 two letter code.

email
required
string

The email address of the candidate.

external_id
string or null

This field you can use to store any identifier that you could track back on your application.

first_name
required
string

The first name of the candidate.

gender
string or null

The gender of the candidate.

last_name
required
string

The last name of the candidate.

object

Relevant links for a candidate

middle_name
string or null

The middle name of the candidate.

no_middle_name
boolean or null

True if candidate has no middle name, otherwise False or null..

phone
string or null

The primary SMS capable phone number of the candidate.
Must be E.164 format, e.g. +14155552671.

previous_driver_license_number
string or null

The previous drivers license number of the candidate.

previous_driver_license_state
string or null

The state the candidates previous drivers license is issued by as ISO 3166-2 two letter code.

ssn
string

The social security number of the candidate.
Must be in this format ###-##-####, e.g. 111-11-1111.

Responses
200

Candidate details.

401

Unauthorized

404

Not Found

422

Unprocessable Entity

patch/candidates/{candidate_id}
Request samples
application/json
{ }
Response samples
application/json
{
  • "id": "4f6cf35x-2c4y-483z-a0a9-158621f77a21",
  • "object": "candidate",
  • "first_name": "string",
  • "middle_name": "string",
  • "no_middle_name": true,
  • "last_name": "string",
  • "email": "joe.clean@example.com",
  • "phone": "+14155552671",
  • "ssn_masked": "string",
  • "date_of_birth": "2019-08-24T14:15:22Z",
  • "gender": "string",
  • "driver_license_number": "string",
  • "driver_license_state": "string",
  • "previous_driver_license_number": "string",
  • "previous_driver_license_state": "string",
  • "evergreen": "string",
  • "external_id": "string",
  • "created_at": "2019-08-24T14:15:22Z",
  • "updated_at": "2019-08-24T14:15:22Z",
  • "meta": {
    },
  • "addresses": {
    },
  • "custom_fields": [
    ]
}

Delete candidate address.

Permanently delete a candidate's address by the given address id.

SecurityApiKey
Request
path Parameters
address_id
required
string <uuid> (ResourceId) <= 50 characters

The address ID.

Example: 4f6cf35x-2c4y-483z-a0a9-158621f77a21
candidate_id
required
string <uuid> (ResourceId) <= 50 characters

The candidate ID.

Example: 4f6cf35x-2c4y-483z-a0a9-158621f77a21
Responses
200

Deleted address details.

401

Unauthorized

404

Not Found

422

Unprocessable Entity

delete/candidates/{candidate_id}/addresses/{address_id}
Request samples
Response samples
application/json
{
  • "id": "4f6cf35x-2c4y-483z-a0a9-158621f77a21",
  • "object": "address",
  • "line1": "string",
  • "line2": "string",
  • "city": "string",
  • "state": "string",
  • "zip_code": "string",
  • "country": "string"
}

List candidate documents.

Retrieve a paginated list of documents for a candidate. See Pagination.

SecurityApiKey
Request
path Parameters
candidate_id
required
string <uuid> (ResourceId) <= 50 characters

The candidate ID.

Example: 4f6cf35x-2c4y-483z-a0a9-158621f77a21
query Parameters
page
integer

The page number to retrieve.

per_page
integer

The maximum number of results per page.

Responses
200

List of documents

401

Unauthorized

404

Not Found

get/candidates/{candidate_id}/documents
Request samples
Response samples
application/json
{
  • "object": "list",
  • "meta": {
    },
  • "data": [
    ]
}

Create a new candidate document.

When sending a request to create a document, you can send the file in two different ways.

1. You can send the file as a binary file using the multipart/form-data content type.

2. You can send the parameter file_base64 as a base64 encoded string using the application/json content type.

The file size limit is 10MB.

SecurityApiKey
Request
path Parameters
candidate_id
required
string <uuid> (ResourceId) <= 50 characters

The candidate ID.

Example: 4f6cf35x-2c4y-483z-a0a9-158621f77a21
Request Body schema: application/json
document_type
required
string

The type of the document. Supported document types:

  • drivers_license_back
  • drivers_license_front
  • ga_statewide
  • pa_mvr
  • professional_license
  • proof_of_driving_experience
  • proof_of_employment
  • proof_of_insurance
  • ssn_card_front
  • va_statewide
  • medical_examiners_certificate

file
required
string

When using the multipart/form-data content type, the file must be sent as a binary file.

The file to upload. The file size limit is 10MB.

This is not a required field, if you send the file_base64 field, this field will be ignored.

file_base64
required
string

When using the application/json content type, the file must be sent as a base64 encoded string.

The file to upload encoded in base64. The file size limit is 10MB.

This is not a required field, if you send the file field, this field will be ignored.

filename
string

The filename of the document, this is the original filename that is being uploaded. You can override this filename by sending the filename in the request body.

id
string <uuid> <= 50 characters

The document identifier.

Responses
200

Create document details.

401

Unauthorized

404

Not Found

422

Unprocessable Entity

post/candidates/{candidate_id}/documents
Request samples
application/json
{
  • "document_type": "string",
  • "file": "string",
  • "file_base64": "string"
}
Response samples
application/json
{
  • "id": "4f6cf35x-2c4y-483z-a0a9-158621f77a21",
  • "filename": "string",
  • "content_type": "string",
  • "document_type": {
    },
  • "url": "string",
  • "file_size": 0,
  • "created_at": "string",
  • "updated_at": "string"
}

Get a candidate document

Retrieve a candidate document with the given ID.

SecurityApiKey
Request
path Parameters
candidate_id
required
string <uuid> (ResourceId) <= 50 characters

The candidate ID.

Example: 4f6cf35x-2c4y-483z-a0a9-158621f77a21
document_id
required
string <uuid> (ResourceId) <= 50 characters

The document ID.

Example: 4f6cf35x-2c4y-483z-a0a9-158621f77a21
Responses
200

Document details.

401

Unauthorized

404

Not Found

get/candidates/{candidate_id}/documents/{document_id}
Request samples
Response samples
application/json
{
  • "id": "4f6cf35x-2c4y-483z-a0a9-158621f77a21",
  • "filename": "string",
  • "content_type": "string",
  • "document_type": {
    },
  • "url": "string",
  • "file_size": 0,
  • "created_at": "string",
  • "updated_at": "string"
}

Proceed a report

Proceed a candidate's report that is in a status of consider. If successful, the report will update to a proceed status. This is a positive result, indicating that the results found on the report do not disqualify the candidate.

SecurityApiKey
Request
path Parameters
candidateId
required
string
Request Body schema: application/json
report_id
required
string <UUID>

Unique identifier for the report.

Responses
200

OK

401

Unauthorized

404

Not Found

422

Unprocessable Entity

patch/candidates/{candidateId}/approve_by_report
Request samples
application/json
{
  • "report_id": "string"
}
Response samples
application/json
{
  • "id": "4f6cf35x-2c4y-483z-a0a9-158621f77a21",
  • "object": "candidate",
  • "first_name": "string",
  • "middle_name": "string",
  • "no_middle_name": true,
  • "last_name": "string",
  • "email": "joe.clean@example.com",
  • "phone": "+14155552671",
  • "ssn_masked": "string",
  • "date_of_birth": "2019-08-24T14:15:22Z",
  • "gender": "string",
  • "driver_license_number": "string",
  • "driver_license_state": "string",
  • "previous_driver_license_number": "string",
  • "previous_driver_license_state": "string",
  • "evergreen": "string",
  • "external_id": "string",
  • "created_at": "2019-08-24T14:15:22Z",
  • "updated_at": "2019-08-24T14:15:22Z",
  • "meta": {
    },
  • "addresses": {
    },
  • "custom_fields": [
    ]
}

Consents

Consents are documents that must be signed by the candidate before a report can be generated.
Use this resource to retrieve the necessary consents for a given account package and candidate location.

List All Consents

Retrieve the necessary consents for a given account package and candidate location

SecurityApiKey
Request
query Parameters
account_package_id
required
any

Account package ID. Use id from List Account Packages

candidate_location[city]
any

City location of the candidate.

candidate_location[country]
any

Country code of the candidate location. If not provided, default value is US.

candidate_location[state]
required
any

State location of the candidate. Two-letter state abbreviation.

Responses
200

Consent details.

401

Unauthorized

404

Not Found

get/consents
Request samples
Response samples
application/json
[
  • {
    }
]

Invitations

When an invitation is created, Yardstik will invite the candidate to complete their report (by email and/or SMS depending on your settings). The invitation will include a link to the candidate's unique intake form. When the candidate accesses their form, the information they're required to enter will be defined by the package you chose when you created the invitation. For a broader explanation, see Order Your First Report.

Invitations have their own statuses that can be tracked using the GET operation.

Note: By default, invitations expire 7 days after they're created, but you can change that timeframe in your Notifications Settings. The changes you make will be applied to new invitations; they won't impact any existing ones.

List Invitations

Retrieve a paginated list of invitations. See Pagination.

SecurityApiKey
Request
query Parameters
order
string

Order listing results in ascending or descending order, when using order_by.
Accepted values are asc or desc. If not passed, defaults to ascending asc.

Examples:
order=desc
order_by
string

Order listing results by a specific property.

Examples:
order_by=created_at
page
integer

The page number to retrieve.

per_page
integer

The maximum number of results per page.

query
string

Filter listing results by a specific property.

Examples:
query[created_at_gteq]=2022-01-01T00:00:00.000Z
Responses
200

List of invitations.

401

Unauthorized

404

Not Found

get/invitations
Request samples
Response samples
application/json
{
  • "object": "list",
  • "meta": {
    },
  • "data": [
    ]
}

Create an invitation.

Creates a new invitation and emails the candidate asking them to complete a report.

SecurityApiKey
Request
Request Body schema: application/json
account_package_id
string <uuid>

Account package ID you want to use for this invitation. Use id from List Account Packages

candidate_id
string <uuid>

ID of the candidate to invite.

expires_at
string <date-time>

The date when the invitation should expire. If not provided, the expiration date will be calculated based on your account's notification settings.

Responses
201

Invitation was created successfully.

401

Unauthorized

404

Not Found

422

Unprocessable Entity

post/invitations
Request samples
application/json
{ }
Response samples
application/json
{
  • "id": "string",
  • "status": "string",
  • "external_id": "string",
  • "platform_service_id": "string",
  • "expires_at": "2019-08-24T14:15:22Z",
  • "canceled_at": "2019-08-24T14:15:22Z",
  • "confirmation_code": "string",
  • "account_id": "4f6cf35x-2c4y-483z-a0a9-158621f77a21",
  • "account_name": "string",
  • "created_at": "string",
  • "updated_at": "string",
  • "logo": "string",
  • "report_urls": [
    ],
  • "styles": {
    },
  • "candidate": {
    },
  • "account": {
    },
  • "meta": {
    },
  • "report": {
    }
}

Get an invitation.

Retrieve an invitation with the given ID.

SecurityApiKey
Request
path Parameters
invitation_id
required
string <uuid> (ResourceId) <= 50 characters

The invitation ID.

Example: 4f6cf35x-2c4y-483z-a0a9-158621f77a21
Responses
200

Invitation details.

401

Unauthorized

404

Not Found

get/invitations/{invitation_id}
Request samples
Response samples
application/json
{
  • "id": "string",
  • "status": "string",
  • "external_id": "string",
  • "platform_service_id": "string",
  • "expires_at": "2019-08-24T14:15:22Z",
  • "canceled_at": "2019-08-24T14:15:22Z",
  • "confirmation_code": "string",
  • "account_id": "4f6cf35x-2c4y-483z-a0a9-158621f77a21",
  • "account_name": "string",
  • "created_at": "string",
  • "updated_at": "string",
  • "logo": "string",
  • "report_urls": [
    ],
  • "styles": {
    },
  • "candidate": {
    },
  • "account": {
    },
  • "meta": {
    },
  • "report": {
    }
}

Delete an invitation.

Permanently delete an invitation with the given ID.

SecurityApiKey
Request
path Parameters
invitation_id
required
string <uuid> (ResourceId) <= 50 characters

The invitation ID.

Example: 4f6cf35x-2c4y-483z-a0a9-158621f77a21
Responses
204

No Content.

401

Unauthorized

404

Not Found

422

Unprocessable Entity

delete/invitations/{invitation_id}
Request samples
Response samples
application/json
{
  • "errors": [
    ]
}

Cancel an invitation.

Cancel an invitation with the given ID..

SecurityApiKey
Request
path Parameters
invitation_id
required
string <uuid> (ResourceId) <= 50 characters

The invitation ID.

Example: 4f6cf35x-2c4y-483z-a0a9-158621f77a21
Responses
200

Invitation successfully canceled.

401

Unauthorized

404

Not Found

422

Unprocessable Entity

patch/invitations/{invitation_id}/cancel
Request samples
Response samples
application/json
{
  • "id": "string",
  • "status": "string",
  • "external_id": "string",
  • "platform_service_id": "string",
  • "expires_at": "2019-08-24T14:15:22Z",
  • "canceled_at": "2019-08-24T14:15:22Z",
  • "confirmation_code": "string",
  • "account_id": "4f6cf35x-2c4y-483z-a0a9-158621f77a21",
  • "account_name": "string",
  • "created_at": "string",
  • "updated_at": "string",
  • "logo": "string",
  • "report_urls": [
    ],
  • "styles": {
    },
  • "candidate": {
    },
  • "account": {
    },
  • "meta": {
    },
  • "report": {
    }
}

Refresh an invitation.

Refresh an invitation with the given invitation_id.
Minimum expires_at date must be 24 hours in the future. There is no maximum.
Can only refresh when the invitation is in expired or canceled status.

SecurityApiKey
Request
path Parameters
invitation_id
required
string <uuid> (ResourceId) <= 50 characters

The invitation ID.

Example: 4f6cf35x-2c4y-483z-a0a9-158621f77a21
Request Body schema: application/json
optional
expires_at
string <date-time>

The date when the invitation should expire. If not provided, the expiration date will be calculated based on your account's notification settings.

Responses
200

Invitation successfully refreshed.

401

Unauthorized

404

Not Found

422

Unprocessable Entity

patch/invitations/{invitation_id}/refresh
Request samples
application/json
{ }
Response samples
application/json
{
  • "id": "string",
  • "status": "string",
  • "external_id": "string",
  • "platform_service_id": "string",
  • "expires_at": "2019-08-24T14:15:22Z",
  • "canceled_at": "2019-08-24T14:15:22Z",
  • "confirmation_code": "string",
  • "account_id": "4f6cf35x-2c4y-483z-a0a9-158621f77a21",
  • "account_name": "string",
  • "created_at": "string",
  • "updated_at": "string",
  • "logo": "string",
  • "report_urls": [
    ],
  • "styles": {
    },
  • "candidate": {
    },
  • "account": {
    },
  • "meta": {
    },
  • "report": {
    }
}

Reports

Reports contain the results of all background screens, searches, and verifications defined in the account package that was selected while creating the report.

See the Order Your First Report section.

List reports

Retrieve a paginated list of reports. See Pagination.

SecurityApiKey
Request
query Parameters
order
string

Order listing results in ascending or descending order, when using order_by.
Accepted values are asc or desc. If not passed, defaults to ascending asc.

Examples:
order=desc
order_by
string

Order listing results by a specific property.

Examples:
order_by=created_at
page
integer

The page number to retrieve.

per_page
integer

The maximum number of results per page.

query
string

Filter listing results by a specific property.

Examples:
query[created_at_gteq]=2022-01-01T00:00:00.000Z
Responses
200

List of reports.

401

Unauthorized

404

Unauthorized

get/reports
Request samples
Response samples
application/json
{
  • "object": "list",
  • "meta": {
    },
  • "data": [
    ]
}

Create a report

Create a new report. The report will be generated based on the candidate ID provided.
See Create Candidate for required attributes. The account packages available will be configured during onboarding by Yardstik.
Each account package will be configured with a set of screenings and configurations that determine the report flow and candidate experience.

To see available packages use List Account Packages.

SecurityApiKey
Request
Request Body schema: application/json
account_candidate_consented
boolean

If false (or not sent), indicates that you're relying on Yardstik to capture candidate consent. Once the report is created, retrieve the apply url from the meta in the response and provide to your candidate so they can enter their information and consent.

If true, indicates that you've already obtained candidate consent. As long as you provide all necessary info, the report will process without candidate interaction. However, if you miss anything, we'll automatically create an invitation and send to the candidate so they can provide the missing info. This feature must be enabled for your account.

account_package_id
required
string <UUID>

The account package ID for the package you want use to create a report. Use id from List Account Packages.

candidate_id
required
string <UUID>

Unique identifier for the candidate.

reference_id
string

A reference ID that can be used for your application.

Responses
201

Created

401

Unauthorized

422

Unprocessable Entity

post/reports
Request samples
application/json
{
  • "candidate_id": "string",
  • "account_package_id": "string"
}
Response samples
application/json
{
  • "id": "string",
  • "reference_id": "string",
  • "candidate_id": "string",
  • "status": "string",
  • "response_status": "string",
  • "adjudication": "string",
  • "submitted_at": "string",
  • "completed_at": "string",
  • "created_at": "string",
  • "updated_at": "string",
  • "decision": "string",
  • "usage_amount": 0,
  • "process_sequentially": true,
  • "permissible_purpose": "string",
  • "created_by": "string",
  • "candidate": {
    },
  • "account_id": "string",
  • "account_name": "string",
  • "report_url": "string",
  • "adverse_action_id": "string",
  • "report_screenings": [
    ],
  • "elapsed_timing": "string",
  • "package_name": "string",
  • "comments": [
    ],
  • "meta": {
    },
  • "adverse_action_settings": {
    }
}

Get a report

Get a report with the given ID.

SecurityApiKey
Request
path Parameters
reportId
required
string
Responses
200

OK

401

Unauthorized

404

Not Found

get/reports/{reportId}
Request samples
Response samples
application/json
{
  • "id": "string",
  • "reference_id": "string",
  • "candidate_id": "string",
  • "status": "string",
  • "response_status": "string",
  • "adjudication": "string",
  • "submitted_at": "string",
  • "completed_at": "string",
  • "created_at": "string",
  • "updated_at": "string",
  • "decision": "string",
  • "usage_amount": 0,
  • "process_sequentially": true,
  • "permissible_purpose": "string",
  • "created_by": "string",
  • "candidate": {
    },
  • "account_id": "string",
  • "account_name": "string",
  • "report_url": "string",
  • "adverse_action_id": "string",
  • "report_screenings": [
    ],
  • "elapsed_timing": "string",
  • "package_name": "string",
  • "comments": [
    ],
  • "meta": {
    },
  • "adverse_action_settings": {
    }
}

List report documents.

Retrieve a paginated list of documents for a report. See Pagination.

SecurityApiKey
Request
path Parameters
report_id
required
string <uuid> (ResourceId) <= 50 characters

The report ID.

Example: 4f6cf35x-2c4y-483z-a0a9-158621f77a21
query Parameters
page
integer

The page number to retrieve.

per_page
integer

The maximum number of results per page.

Responses
200

List of documents

401

Unauthorized

404

Not Found

get/reports/{report_id}/documents
Request samples
Response samples
application/json
{
  • "object": "list",
  • "meta": {
    },
  • "data": [
    ]
}

Create a new report document.

When sending a request to create a document, you can send the file in two different ways.

1. You can send the file as a binary file using the multipart/form-data content type.

2. You can send the parameter file_base64 as a base64 encoded string using the application/json content type.

The file size limit is 10MB.

SecurityApiKey
Request
path Parameters
report_id
required
string <uuid> (ResourceId) <= 50 characters

The report ID.

Example: 4f6cf35x-2c4y-483z-a0a9-158621f77a21
Request Body schema: application/json
document_type
required
string

The type of the document. Supported document types:

  • drivers_license_back
  • drivers_license_front
  • ga_statewide
  • pa_mvr
  • professional_license
  • proof_of_driving_experience
  • proof_of_employment
  • proof_of_insurance
  • ssn_card_front
  • va_statewide
  • medical_examiners_certificate

file
required
string

When using the multipart/form-data content type, the file must be sent as a binary file.

The file to upload. The file size limit is 10MB.

This is not a required field, if you send the file_base64 field, this field will be ignored.

file_base64
required
string

When using the application/json content type, the file must be sent as a base64 encoded string.

The file to upload encoded in base64. The file size limit is 10MB.

This is not a required field, if you send the file field, this field will be ignored.

filename
string

The filename of the document, this is the original filename that is being uploaded. You can override this filename by sending the filename in the request body.

id
string <uuid> <= 50 characters

The document identifier.

Responses
200

Create document details.

401

Unauthorized

404

Not Found

422

Unprocessable Entity

post/reports/{report_id}/documents
Request samples
application/json
{
  • "document_type": "string",
  • "file": "string",
  • "file_base64": "string"
}
Response samples
application/json
{
  • "id": "4f6cf35x-2c4y-483z-a0a9-158621f77a21",
  • "filename": "string",
  • "content_type": "string",
  • "document_type": {
    },
  • "url": "string",
  • "file_size": 0,
  • "created_at": "string",
  • "updated_at": "string"
}

Get a report document

Retrieve a report document with the given ID.

SecurityApiKey
Request
path Parameters
document_id
required
string <uuid> (ResourceId) <= 50 characters

The document ID.

Example: 4f6cf35x-2c4y-483z-a0a9-158621f77a21
report_id
required
string <uuid> (ResourceId) <= 50 characters

The report ID.

Example: 4f6cf35x-2c4y-483z-a0a9-158621f77a21
Responses
200

Document details.

401

Unauthorized

404

Not Found

get/reports/{report_id}/documents/{document_id}
Request samples
Response samples
application/json
{
  • "id": "4f6cf35x-2c4y-483z-a0a9-158621f77a21",
  • "filename": "string",
  • "content_type": "string",
  • "document_type": {
    },
  • "url": "string",
  • "file_size": 0,
  • "created_at": "string",
  • "updated_at": "string"
}

Adverse Actions

Actions taken on a report due to findings that may disqualify the candidate.

See the Adverse Action section.

Create an Adverse Action

Create an adverse action on a report with the given ID.

During the creation of the adverse action, in the violations parameter the only required information is the description

The violations parameter is required in most scenarios.
For more details about this parameter and the adverse action process as a whole, check out the Adverse Action section.

SecurityApiKey
Request
path Parameters
reportId
required
string
Request Body schema: application/json
Array of objects
Responses
200

OK

401

Unauthorized

404

Not Found

422

Unprocessable Entity

post/reports/{reportId}/adverse_actions
Request samples
application/json
{ }
Response samples
application/json
{
  • "id": "string",
  • "status": "string",
  • "title": "string",
  • "text": "string",
  • "expires_at": "string",
  • "created_at": "string",
  • "updated_at": "string",
  • "violations": [
    ],
  • "comments": [
    ],
  • "applicant_first_name": "string",
  • "account_name": "string",
  • "logo": "string",
  • "styles": { }
}

Cancel an Adverse Action

Cancel an adverse action on a report with the given ID.
See the Adverse Action section.

SecurityApiKey
Request
path Parameters
adverse_action_id
required
string
Responses
200

OK

401

Unauthorized

404

Not Found

422

Unprocessable Entity

patch/adverse_actions/{adverse_action_id}/cancel
Request samples
Response samples
application/json
{
  • "id": "string",
  • "status": "string",
  • "title": "string",
  • "text": "string",
  • "expires_at": "string",
  • "created_at": "string",
  • "updated_at": "string",
  • "violations": [
    ],
  • "comments": [
    ],
  • "applicant_first_name": "string",
  • "account_name": "string",
  • "logo": "string",
  • "styles": { }
}

Webhooks

Use Webhooks to connect Yardstik with your application. You can configure them to notify you of various events when they occur in your account.

See the Using Webhooks section.

List all webhooks

Retrieve a list of webhooks for the given account ID.

SecurityApiKey
Request
query Parameters
order
string

Order listing results in ascending or descending order, when using order_by.
Accepted values are asc or desc. If not passed, defaults to ascending asc.

Examples:
order=desc
order_by
string

Order listing results by a specific property.

Examples:
order_by=created_at
page
integer

The page number to retrieve.

per_page
integer

The maximum number of results per page.

query
string

Filter listing results by a specific property.

Examples:
query[created_at_gteq]=2022-01-01T00:00:00.000Z
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

get/webhooks
Request samples
Response samples
application/json
[
  • {
    }
]

Create a webhook

Create a webhook

SecurityApiKey
Request
Request Body schema: application/json
url
string
webhook_type_id
string
Responses
201

Created

401

Unauthorized

403

Forbidden

404

Not Found

422

Unprocessable Entity

post/webhooks
Request samples
application/json
{}
Response samples
application/json
{}

Show a webhook

Show a specific webhook for a given ID.

SecurityApiKey
Request
path Parameters
webhook_id
required
string
Responses
200

OK

401

Unauthorized

403

Forbidden

404

Not Found

get/webhooks/{webhook_id}
Request samples
Response samples
application/json
[
  • {
    }
]

Update a webhook

Update a webhook for a given ID.

SecurityApiKey
Request
path Parameters
webhook_id
required
string
Request Body schema: application/json
enabled
boolean

True if enabled. False if disabled.

url
string

Update the webhook URL.

Responses
201

Created

401

Unauthorized

403

Forbidden

404

Not Found

422

Unprocessable Entity

patch/webhooks/{webhook_id}
Request samples
application/json
{}
Response samples
application/json
{
  • "id": "e8b57b13-0038-4c69-99ee-1dae304afd80",
  • "webhook_type": "candidate.created",
}

Delete a webhook

Delete a webhook given an Id

SecurityApiKey
Request
path Parameters
webhook_id
required
string
Responses
204

No Content

401

Unauthorized

403

Forbidden

404

Not Found

422

Unprocessable Entity

delete/webhooks/{webhook_id}
Request samples
Response samples
application/json
{
  • "errors": [
    ]
}

List all webhook types

List all webhook types enabled for your account.
For a list of available types, see Listen for Webhook Events

SecurityApiKey
Responses
200

OK

401

Unauthorized

403

Forbidden

404

Not Found

get/webhook_types
Request samples
Response samples
application/json
[
  • {
    }
]

JWT

A JWT is required to access the Yardstik Embeddable Views.

Get a JWT

SecurityApiKey
Request
Request Body schema: application/json
user_email
string
Responses
200

OK

401

Unauthorized

403

Forbidden

422

Unprocessable Entity

post/web_tokens
Request samples
application/json
{ }
Response samples
application/json
[
  • {
    }
]