Dac-Dev1-2Factor Authentication service
Overview
updated to 1.0.9 on 3 apr by dhaya and sukanya
Our API provides the capabilities to enable Two Factor Authentication (2FA) for your applications by leveraging our C4E System APIs for Email and SMS communications. The Email and SMS APIs are pre-approved and work with globally contracted services supplied by Mailjet and Sinch.
How this can help you
Instead of creating a custom solution to enable two factor authentication and on-boarding new providers for Email and SMS communication of authentication codes, which brings additional process requirements, you can leverage our pre-approved service, which is compliant with our Cloud Governance guidelines and backed by a GDPR- and ISO-27001-compliant service provider. This allows you to take advantage of a fully Cloud based API that can be accessed through our Incapsula (.capi) communication network (if you cannot reach this network, contact apisupport@zurich.com for more details).
How does it work
Taking advantage of our Cloud Based Integration Platform, this API facilitates the generation, maintenance, validation, and communication of two factor authentication codes from your On Premise or Cloud solutions.
How do I get access
New applications wishing to use the service can request access via the API Exchange. As part of the request, you will be asked for a cost centre and to select the service tier you require (this is linked to the number of emails you expect to send). Once the API Owner accepts your request you will be issued a Client ID and Secret which you can use to call the API. See the Getting Started page for more information.
Obtaining Access
These steps assume you are already registered to use the Zurich Exchange. If you are not, please Register for an account in order to proceed.
If this is your first time using one of our APIs, we suggest going through our API Template page, where you can find information on the basic concepts used throughout this API.
Request API access
- If you have not already done so, you will need to obtain an application client identifier and secret that you use to interact with this API. These can be obtained from the Zurich Exchange by selecting this API and clicking "Request API access".
- Select the "Instance" you wish to access - i.e. for a specific test environment or Production. Depending on the type of API you may have multiple options or just one available to you.
- Select the "Tier" that you wish to access. The tiers represent the policies that might apply to the API (e.g. Bronze may be restricted to n calls per minute). Tiering for most APIs is set as follows:
- Click Next
- "Select an existing application" from the dropdown (if you have already requested access for other APIs), or "Create a new client application" and add a meaningful name. This Client Application will be linked to the key you'll be issued with for this API.
- Read the Terms & Conditions and check the box to accept these.
- Click "Request Access" to complete the request.
- Once submitted your access request will be reviewed and approved usually within 1 working day. You will receive an e-mail upon approval containing the client credentials required to access this API.
API Authentication
Our API is protected by Basic Auth: the standard HTTP Authorization header with the authorization type set to Basic. The user and password are governed through an Anypoint Platform enforced Client ID/Secret policy.
Client ID/Secret
Complete the pre-requisite steps on the Getting Started page to obtain API client credentials.
The Client ID/Secret is enforced using the Basic Authentication scheme. This requires that the client_id and client_secret values are communicated using the standard HTTP Authorization header with the authorization type set to Basic.
The format of the Authorization header is as follows:
Basic client_id:client_secret
In accordance with the Basic Authentication specification, the client_id:client_secret value must be passed as a base64-encoded string, as shown below:
Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ=
The API will return a 401 HTTP status code with code authentication_error in case of an invalid value or credential.
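The header construction and the 401 handling described above, as an added Python example (not code from the service or its documentation). The client_id and client_secret values are the placeholder strings from the documentation, so the result matches the Base64 value shown there; the assumption that the 401 body is JSON of the form {"code": "authentication_error"} is ours, since the page names only the status code and the code value. The redaction helper is included because Base64 is an encoding, not encryption: a logged Authorization header is a logged credential.

```python
import base64
import binascii
import json
from typing import Dict, Optional, Tuple

# Placeholder values from the documentation's own example. Real credentials
# come from the approval e-mail and belong in a secret store, not in code.
EXAMPLE_CLIENT_ID = "client_id"
EXAMPLE_CLIENT_SECRET = "client_secret"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the Authorization header value the API expects:
    'Basic ' + base64(client_id + ':' + client_secret)."""
    if ":" in client_id:
        # The Basic scheme splits on the first ':' so a colon in the
        # user-id part would corrupt the credential on the server side.
        raise ValueError("client_id must not contain ':'")
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth_header(value: str) -> Optional[Tuple[str, str]]:
    """Inverse of basic_auth_header, handy for checking what a client really
    sent (in a proxy or a test harness). Returns None for anything that is
    not a well-formed Basic credential instead of raising."""
    scheme, _, encoded = value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    client_id, sep, client_secret = decoded.partition(":")
    if not sep:
        return None
    return client_id, client_secret


def classify_response(status: int, body: bytes) -> str:
    """Map a response to the action the caller should take. A 401 carrying
    code 'authentication_error' means the credential itself was rejected, so
    retrying with the same header is pointless and worth alerting on.
    Assumed body shape: {"code": "..."} (not specified by the page)."""
    if status == 401:
        try:
            code = json.loads(body.decode("utf-8")).get("code")
        except (ValueError, UnicodeDecodeError, AttributeError):
            code = None
        return "invalid_credentials" if code == "authentication_error" else "unauthorized"
    if 200 <= status < 300:
        return "ok"
    return "other_error"


def redact_for_logging(headers: Dict[str, str]) -> Dict[str, str]:
    """Copy of the request headers that is safe to write to a log: the
    Authorization value is masked regardless of header-name casing."""
    return {
        name: ("<redacted>" if name.lower() == "authorization" else value)
        for name, value in headers.items()
    }


if __name__ == "__main__":
    header = basic_auth_header(EXAMPLE_CLIENT_ID, EXAMPLE_CLIENT_SECRET)
    request_headers = {"Authorization": header, "Accept": "application/json"}
    print("header as sent :", header)
    print("header as logged:", redact_for_logging(request_headers))
    print("decodes back to :", parse_basic_auth_header(header))
    # Constructed response body, in the assumed shape, for a bad secret.
    print("401 handling    :", classify_response(401, b'{"code": "authentication_error"}'))
```

Run it directly to see the header, the redacted copy and the decoded round trip; the functions make no network calls, so the module can also be imported by a test suite that checks header construction against the documented value.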
Local Communications Authority
Please ensure your application is also compliant with your Local Communications Authority rules.
2FA API Specific terms
Our API uses Mailjet as our base service provider for sending SMS, inheriting some of the base limitations and restrictions which can be found on their website. As per the base provider, the following usage conditions and limitations apply:
- Marketing use of this service is strictly forbidden
- Illegitimate use of SMS spoofing, such as impersonating another person, company or product, is strictly forbidden
- Only supported countries from Mailjet can be used for SMS delivery; unsupported countries will result in an error
Global terms
1. Definitions
(a) “Terms”: refers to the API terms of use, i.e. this document.
(b) “API”: refers to the application programming interface offered by Zurich, which may include code, software libraries, software tools, sample source code, published specifications and documentation. API shall include any future, updated or otherwise modified versions.
(c) “API Content”: means information delivered through the API, subject to its appropriate license terms, as identified below, and includes portfolios, policies, claims and risk engineering information.
(d) “API Key”: means the code provided by Zurich that permits the Customer to access the API.
(e) “Documentation”: refers to the online user guides and/or help and training materials that Zurich provides regarding the use of the API.
(f) “Application”: refers to any software application, website, or product developed by the customer that interacts with the API.
(g) “Downtime”: means a period of time during which the API is unavailable and the Customer is unable to use all aspects of the service for which they have permissions. Downtime does not include the period of time when the API is not available because of:
a. a scheduled or announced maintenance outage;
b. events or causes beyond Zurich’s control (e.g., natural disaster, internet outages, emergency maintenance, etc.);
c. problems with Customer’s applications, equipment or data, or a third party’s applications, equipment or data;
d. Customer’s failure to adhere to required system configurations and supported platforms for accessing the API; or
e. Zurich’s compliance with any designs, specifications or instructions that the Customer provides to Zurich or a third party provides to Zurich on the Customer’s behalf.
(h) “Zurich”, “We”, “Our”: being the organization providing the service
(i) “Customer”, “You”, “Your”: being the owner of the application consuming the API service
(j) "Zurich Exchange": the portal that provides access to documentation and registration services related to Zurich APIs.
2. API description
The goal of the SMS API is to provide an easy way for applications to send SMS from cloud based services by enabling developers to create applications that integrate with a managed SMS service under a global contract, as described in the API documentation.
3. Agreement to the API terms
The API Terms describe Your rights and obligations as part of using the API. By accepting these Terms or by using the API, You are entering into an agreement regarding the access and use of the API. These Terms apply to the use of the API only and have to be accepted in addition to the Terms and Conditions of the Zurich Exchange. If You do not agree to these Terms you may not use the API.
If You are entering into these Terms on behalf of a company or other legal entity other than Zurich, You represent that You have the authority to bind such entity to these Terms. In that case, the terms “You” or “Your” shall also refer to such entity. If You do not have such authority, or if You do not agree with these Terms, You may not use the API.
Subject to these Terms, Zurich hereby grants the Customer a limited, non-exclusive, non-transferable license (without the right to sub-license) to use the API solely for the purpose of the Customer’s efforts to develop applications to work in conjunction with the Zurich products referenced in the API and for which the API was provided. The Customer shall have no right to distribute, license (whether or not through multiple tiers) or otherwise transfer the API to any third party or incorporate the API in any software, product, or technology.
4. Review of the terms
Zurich reserves the right to amend or modify the Terms at any time. Updates to the Terms will be notified to the Customer and communicated on the Zurich Exchange. The Terms will be under version control and the latest version will supersede the previous versions. You understand and agree that if You use the API after the date on which the Terms have changed, we will treat Your use as acceptance of the changed Terms. If a change is unacceptable to You, You may terminate the Terms by ceasing use of the API.
5. Registration and Access to the API
Zurich provides access to API Documentation and allows the Customer to register for the use of an API via the Zurich Exchange. Once the Customer subscribes to the API and accepts the Terms, a technical API user will be created and issued with a client ID and client secret. This user is not allowed to log in to other Zurich Services and has access to the API only. The client ID and secret are used to request an access token, which contains the scope for accessing the API. Every call to the API must contain the token to access the data.
You may only access the API with the credentials provided to You by Zurich. You will not disclose Your credentials to any person and will be responsible for ensuring they are kept secure. If You become aware of any unauthorized use of Your access credentials, You agree to notify Zurich immediately via the Service Desk. Zurich reserves the right to revoke Your API access should any aspect of the Terms be breached.
6. Changes to the API
All APIs which will be made available will be versioned. Zurich may introduce additional APIs and additional endpoints within these APIs and will endeavour to provide reasonable notice of any new API URLs. Zurich will try to ensure that future versions of the API are backwards compatible, but reserves the right to discontinue support for older versions if major modifications to an existing API URLs are applied. In such cases, this will be managed and communicated under the governance set out with the Change Management process.
7. Use of API
Use of the API is subject to information security policies and procedures of Zurich, which may be amended from time to time.
By using the API and accepting these terms, you assert that your use of the API, and the emails you send using it, are in compliance with your local data laws and Zurich's Security policy.
Your continued use of the API will constitute Your notice of, and agreement to, any amended policies and procedures. When using the API, You may not:
- modify, obscure, reverse engineer, circumvent, or disable any element of the API or its access control features
- disclose, share, or transfer Your access credentials to any third party
- transmit any viruses, worms, defects, Trojan horses, or any other malware through Your Application or use of the API
- use robots, spiders, crawlers, scraping or other similar technology to obtain any information beyond what Zurich provides to You under these Terms
- use the API in a manner that exceeds reasonable request volume, constitutes excessive or abusive usage or otherwise fails to comply or is inconsistent with any part of the Zurich API documentation.
- infringe, misuse, or claim ownership of Zurich intellectual property or intellectual property rights therein
- use it with an Application that is offensive, abusive, libelous, harassing, threatening, discriminatory, vulgar, pornographic, unethical, unlawful, or otherwise inappropriate as determined by Zurich in its sole discretion
- assign or transfer Your rights or obligations under this Agreement
If We believe that You have attempted to exceed or circumvent these limitations, We may temporarily or permanently block Your ability to use the API.
8. Monitoring and Auditing
You agree that We may collect certain usage data and information related to Your use of our API and that We may use such usage data for any business purpose, internal or external, including providing enhancements to API, providing support, verifying Your compliance to these Terms or otherwise.
We may limit the number of API calls we permit You to make during any given period.
Zurich reserves the right to take actions (e.g. limiting the number of calls or the amount of data returned by each call) necessary to ensure the performance of the API is not impacted, including limiting access for persistent misuse of the API. Extreme cases may result in revoking the key for that user. Examples of misuse include, but are not limited to:
• An API is not being used as intended – for example a RESTful web service being invoked continuously for the same data set, i.e. invoking the API more than once in a half hour period for data that is only updated on a half hourly basis
• Unauthorised use of an API key (e.g. using another user’s key).
• Use of the API to send content that does not comply with Zurich's Security Policy.
9. Support
Zurich will provide API documentation with details on how to use the API services and the process required to access the service. Zurich will ensure that the API is functional and has no obligation to provide support beyond providing the API credentials, completing account registration and granting access.
Zurich will not provide formal client side technical assistance in API integration or functional usage. Support details are provided in the Support section of the documentation and tickets can be raised via ServiceNow.
10. Service Level Agreement
The SLAs described here are not financially backed, i.e. no economic recompense will be offered for downtime exceeding the availability goals. For a calendar month, the Monthly Uptime Percentage goals are defined in the following table:
Monthly Uptime Percentage (excluding any maintenance windows):
Target: 99.8%
Minimum: 99.5%
The Monthly Uptime Percentage is calculated by subtracting from 100% the percentage of minutes during the month in which the API was not available. The SLA does not apply to any performance or availability issues:
• due to factors outside Zurich’s reasonable control
• resulting from Customer’s or third party hardware or software
• resulting from actions or inactions of Customer or third parties
• caused by Customer’s use of the API after Zurich advised Customer to modify its use of the API, if Customer did not modify its use as advised
• during beta and trial services (as determined by Zurich)
Zurich will provide at least 30 days’ notice of changes to the SLAs.
11. Term and Termination
The term will commence on the date upon which You agree to these Terms and will continue until terminated as set forth below.
You may stop using our APIs at any time with or without notice; however, charging will continue to apply to the next billing cycle. Further, if you want to terminate the Terms, you must provide Zurich with prior written notice and, upon termination, cease your use of the applicable APIs.
Zurich may suspend or terminate the Customer’s use of the API at any time if we believe You have violated the API Terms.
Upon termination of these Terms, all rights and licenses granted to You will terminate immediately.
12. License fees and payment terms
Usage of the API is charged via an annual charge to your nominated cost centre. This charge will be applied 30 days after service commencement once the 30 day trial window has elapsed. If you notify Zurich GDP before the 30 day trial window has elapsed you can exit the service without charge. Zurich reserves the right to modify the fees for the future use of and/or continued access to the API in our sole discretion. We will provide at least 30 days' notice of any variation.
If you decide to terminate the service the service will remain available for you until the next annual cycle. Due to our need to pre-pay for the service we will not offer partial refunds.
If we do change the fee for use of the API or any tools and features, You do not have any obligation to continue to use Our resources.
13. Nondisclosure
You acknowledge and agree that Zurich considers the API access credentials and non-public information about the API and API Content disclosed to You to be confidential and proprietary information of Zurich (“Confidential Information”) which may not be disclosed to any third party, except contractors working on Your behalf who are subject to non-disclosure obligations that sufficiently protect such information, without the prior written consent of Zurich.