[Py.1.1.f] As a Payee, I should be able to set my payment preferences via a Front-end and created a client ids for my orchestrator #160
Description
Context
A recipient using the Request dashboard can allow external systems (orchestrators) to create payment requests or payment links on their behalf. This is done through the creation of Client IDs associated with a destination ID.
Client IDs should allow the recipient to clearly identify which orchestrator created which requests in their dashboard and to control which orchestrators are allowed to create new requests.
Recipients must therefore be able to create, name, view, and revoke Client IDs from the dashboard.
Recipient user stories
-
As a recipient signed into the Request dashboard with a claimed destination IDs, I should be able to open the "Manage Destination" section and view the list of all Client IDs that were created for that destination.
(Each Client ID should be displayed with its name so I can clearly identify which orchestrator it belongs to.) -
As a recipient, I should be able to create a new Client ID and assign it a name so that I can clearly identify which orchestrator or integration it corresponds to.
(The purpose of the Client ID is to allow an orchestrator to create payment requests and payment links on my behalf for the associated destination.) -
As a recipient, I should be able to see all Client IDs created for a destination in a list view so I can understand which integrations currently have permission to create requests.
-
As a recipient, I should be able to revoke a Client ID at any time in order to prevent that orchestrator from creating any new payment requests or payment links for my destination.
When a Client ID is revoked:
• the orchestrator cannot create any new requests
• previously created requests remain valid
• payment links that were generated remain valid until expiration
• the orchestrator can still read the status of the requests it originally created (if possible)
(This ensures operational continuity, since payment links can remain valid for up to seven days and should not be force-expired if the Client ID is revoked)
- As a recipient, I should also be able to see which requests were created by which Client ID so that I can clearly understand which orchestrator initiated a request visible in my dashboard.
Stitch link: https://stitch.withgoogle.com/projects/10360249565856953872
Orchestrator user stories (MVP)
a. As an orchestrator with a client ID, I can create incoming requests for the destination IDs my client ID has been created for and check their status
b. As an orchestrator with a client ID, I can create outgoing requests for the destination IDs my client ID has been created for and check their status
c. As an orchestrator with a client ID, I can see all incoming and outgoing requests and their statuses created by my client ID.
Future:
In the future we’ll introduce Client ID permissions.
A. As a client with “incoming:creator” permission, I can create incoming requests and read only the status of the incoming requests I created.
B. As a client with “outgoing:creator” permission, I can create outgoing requests and read only the status of the outgoing requests I created.
C. As a client with “incoming:reader” permission, I can read all incoming requests and their statuses under an authorized destination from any client ID including mine or manual.
D. As a client with “outgoing:reader” permission, I can read all outgoing requests and their statuses under an authorized destination from any client ID including mine or manual.