...

...

...

...

...

Contents

Introduction

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

While there are many excellent learning guides and tutorials on GraphQL online, including what it is and how to work with it, this document will primarily focus on understanding the query operations of the Fraud Data API developed based on GraphQL technology.

^{*Courtesy of GraphQL EdEx Course}

...

...

...

...

...

...

...

fraud.

Image Added

By integrating the SuperGlue API to identify and share fraud data, colleges

...

...

...

...

...

...

The API can also be used ad hoc to perform the three primary workflow operations:

• Submit fraud information to a CCCTC centralized database

• Receive fraud notifications to a dedicated staging table using the College Adaptor

• Query the fraud database directly via the API

Eventually through continuous improvement, the API will be extended to also support other types of fraud data, including financial aid fraud. Participating districts are provided the Fraud Data API schema (GraphQL-based, described further below) and authorized access to the API during the implementation process with the CCCTC.

Enabling bi-directional use of SuperGlue, whenever a college suspects or identifies admission application, enrollment, or financial aid fraud, information about that application can be shared with the CCC Tech Center, which in turn can suspend or block the profile effectively protecting all other colleges automatically.

Reporting Fraud Data Via API

...

Receive Fraud Notifications to Staging Table

Instances of application fraud reported to the CCCTC are used to identify other instances submitted by the same CCCID. These findings are then delivered to colleges as notifications to a new fraud-report staging table (for each college) via the SuperGlue College Adaptor. Each notification response will consist of the application ID (AppID), the applicant’s CCCID, and the MIS code of the college reporting the fraud (ReportedByMisCode).  Learn more about this process in the Receiving Fraud Notifications to a Staging Table section below.

...

...

Below is a diagram of the API processes leveraged by SuperGlue and the College Adaptor.

...

Querying Fraud Data Directly Via API

...

...

The schema is one of the most important concepts when working with a GraphQL API. It specifies the capabilities of the API, the shape of the available data, and the specific queries and mutation functions that can be used to read, write and make web requests from a GraphQL server. GraphQL enables users to specify exactly what data they get back in their response—nothing more, and nothing less, and it allows querying for multiple field

...

• Apollo API documentation & sandbox (see links below)

• Query examples for each operation

• Postman API tool and custom collections configured with the schema, OAuth specifications, and ready-to-use turnkey fraud report operations.

...

Reporting Fraud Data Via the API

The reporting of locally identified fraud data from an individual college or district to the CCC Technology Center (CCCTC) is managed via the SuperGlue Fraud Reporting data API. Everything needed to submit fraud reports is documented in the schema, as well as through custom Postman files configured specifically for the fraud data operations. More information and detailed examples of the FraudReportSubmit mutation are provided in the Submitting a Fraud Reportsection.

Receive Fraud Notifications to Staging Table

Each instance of application fraud reported to the CCCTC is used to identify other instances submitted by the same CCCID. These findings are then delivered to colleges as notifications to a fraud-report staging table (for each college) via the SuperGlue College Adaptor.

Each notification response consists of:

• application ID (AppID)

• applicant’s CCCID (CCID)

• MIS code of the college reporting the fraud (ReportedByMisCode).

Learn more about this process in Receiving Fraud Notifications to a Staging Table.

Panel
panelIconId atlassian-info panelIcon :info: bgColor #F4F5F7
The SuperGlue Fraud Reporting data API leverages SuperGlue to stream fraud notifications to a dedicated fraud-data staging table. See Fraud Data API Implementation Process for more details and to get started working with CCCTC Enabling Services.

Below is a diagram of the API processes leveraged by SuperGlue and the College Adaptor.

Image Added

Querying Fraud Data Directly Via the API

In addition to the streaming of fraud reports via the SuperGlue College Adaptor, the API also facilitates the ability toquery the fraud table directly using aCCCID, an AppID, or an authorized MIS code(withRecipientMisCode). A successful response is returned if the CCCID used in the query matches any other application(s) submitted to the authorized MIS code. The process for querying the API directly is described in the Querying Fraud Report Datasection of this guide.

Note

Authorized access via the API is restricted by college or district MIS code, which is set as the default attribute in the API account. Multi-college districts will have a default MIS code as well, but may also be granted authorization for additional MIS codes for individual colleges in their district. API accounts are set up by the CCCTC and provided to the college during the implementation process.

_{Back to Top}

---

The SuperGlue Fraud Reporting Data APISchema

The schema is one of the most important concepts when working with GraphQL API. It specifies the capabilities of the API, the shape of the available data, and the specific queries and mutation functions that can be used to read, write, and make web requests of a GraphQL server.

The SuperGlue Fraud Reporting data API schema defines the query-type operations currently available to execute. The FraudReportSubmit mutation typeprovidesthe operation and data structure for submitting a fraud report to the CCCTC for a CCCApply Application (AppID) or a student ID (CCCID). The FraudReportQuery operation provides the structure for retrieving fraud data via the API.

Panel
panelIconId atlassian-info panelIcon :info: bgColor #F4F5F7
The schema details everything needed to construct and execute the FraudReportSubmit operation, including the required input argument, input fields, and the payload response via an API development tool such as Postman, cURL, PowerShell, Python, Java, etc. Any of these development tools will provide the mechanism needed to make this API web request.

API Documentation, Tools, and Sandbox

One of the benefits of the CCCTC API is its ability to be self-documenting. This means that when an interactive tool like GraphiQL is used, users are able to explore what data is exposed by this API, including the fields, types, and more. Users can also explore the data through the description field, which provides supplementary notes about the endpoint.

In most cases, this provides a clear understanding of the API. However, to better understand and visualize the SuperGlue Fraud Reporting data API, the complete schema documentation and the ability to explore, test, and validate the primary API calls is provided via a Sandbox tool as well as operation templates provided by the CCCTC.

The CCCTC API sandbox supports all operation types and allows you to explore the SuperGlue Fraud Reporting Data API schema documentation.

Explore the API in the CCCTC Sandbox

Access to the SuperGlue Fraud Reporting data API schema is available in the CCCTC API Sandbox to college IT staff for:

• exploration of theschema and metrics

• API development and testing of the Fraud Report operations

• documentation of the Fraud Report operations

Contact CCCTC Enabling Services for links and access to the sandbox.

By providing districts direct access to the SuperGlue Fraud Reporting data API schema, the CCCTC has provided colleges with the ability to create and generate a user interface of their own. Such an interface could, for example,

...

...

...

...

API Documentation, Tools & Sandbox

One of the benefits of a GraphQL API is its inherent ability to be self-documenting. This means that when you use an interactive tool like GraphiQL, you’re able to explore what data is exposed by your GraphQL API, including the fields, types, and more. Users can also explore the data through the description field which provides supplementary notes about the endpoint.

In most cases this provides enough API reference documentation. However, to better understand and visualize the Fraud Data API, the complete schema documentation and the ability to explore, test, and validate the primary API calls is provided via an Apollo sandbox tool and operation templates provided by the CCCTC (see links below).

The Apollo sandbox supports all GraphQL operation types (Query, Mutation, and Subscription) and allows you to explore the Fraud Data API schema documentation.

Explore the API in the Apollo Sandbox

...

Access & explore the Fraud Data API schema in each environment.

PILOT: https://apollo-router.pilot.ccctechcenter.org/

PROD: https://apollo-router.ccctechcenter.org/

The Documentation tab (in the sandbox) enables you to step into the Fraud Data API schema, beginning at one of its entry points. Click the ⊕ button next to any field in the Documentation tab to add that field to the operation editor, at your current path. By default, the Explorer automatically generates variables for that field's arguments.

Postman supports working with GraphQL

College Implementation Process

To get started with the Fraud Data API, an authorized college or district IT engineer with a good understanding of API technology must contact with the CCCTC Enabling Services team to schedule a checklist meeting.

Below is an overview of the process:

• Work the CCCTC Enabling Services team to obtain API account and credentials

• Integrate with the Fraud Report (GraphQL) API

  • Install Postman tool and import event collections (optional, but recommended)

  • Or set up standard templates in preferred API tool (Python, cURL, Powershell, Ruby, Java, etc.)

• Install the Fraud Report staging table and deploy latest version of College Adaptor to receive a live stream of fraud notifications; or use the GraphQL Fraud Report Query to receive a list of fraud notification

Authorized Access Accounts

During the implementation process, one or more user accounts will be created for your college or district by a CCCTC implementation engineer. The account will be configured with the appropriate roles and secured to the mis codes authorized for the user. Users from multi-college districts may be authorized to submit and query fraud reports for each of the colleges in their district. Single college districts will be restricted to their single mis code.

Fraud Data API Operations

...

• Getting the API Access Token

• Submitting a Fraud Report Via API

• Receiving Fraud Notifications to Staging Table

• Querying Fraud Data Via API

Getting the API Access Token

With your API account created with the proper credentials in place, the request below returns a JSON block including an “access_token” field. This token becomes the Bearer required in the Authorization head for secured requests to the API. (Reminder: Your API account is provided by the CCCTC during the implementation process.)

curl --location --request POST '<https://auth.ci.ccctechcenter.org/auth/realms/API/protocol/openid-connect/token'> \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'username=mis-zz1-fraudreporter' \
  --data-urlencode 'password=Mis-zz1-fraudreporter' \
  --data-urlencode 'grant_type=password' \
  --data-urlencode 'client_id=fraudReporting'

Getting Your Access Token Using Postman

...

...

Once Postman is installed and the two Fraud Report Postman Collection files have been imported and configured with your API account credentials and environment specifications, the process for generating and refreshing your access token is managed on the Fraud Report OAuth tab. Once generated Postman will automatically store the token as the Bearer in the Authorization head for all secured API requests.

From Your Postman Workspace…

1: Expand the Fraud Report collection and click on the Fraud Report OAuth file..

2: See the Fraud Report OAuth file open in a tab on your Workbench.

3: Ensure the appropriate environment is selected. In the adjacent example, the “GraphQL:Pilot” environment is selected (active).

4: Click the Send button to generate the access token.

5. The ‘access_token’ appears in the lower half of the body of the Fraud Report OAuth tab, which is then embedded for authorization for the next web request or post.

Access Token

The 'access_token” becomes the Bearer required in the Authorization head for secured requests to the API. (Reminder: Your API account is provided by the CCCTC during the implementation process.)

Each time you refresh your authorization, the new ‘access_token’ is automatically saved to the header for the next API operation you intend to execute.

Each token expires in 300 seconds (5 mins).

...

Submitting a Fraud Report Via API

The process for reporting fraud information to the CCCTC via the API is known as the FraudReportSubmit operation. The full schema is documented in the Apollo sandbox.

In general terms, the components of the GraphQL operation are quite basic. The FraudReportSubmit query is a mutation type object that requires an Input argument (FraudReportSubmitInput!) where at least one variable input field must be provided, and a structured payload response is defined (FraudReportSubmitPayload). For the majority of fraud report submissions, only the input of the application Id (AppID) is truly needed; however additional input fields may also be added to the operation.

The FraudReportSubmit Operation

Below is an example of a basic FraudReportSubmit operation built in the Apollo sandbox.

...

In the Operation section, the root mutation, FraudReportSubmit, has been selected with the default FraudReportSubmitPayload fields displayed.

In the Documentation column, the Input argument - FraudReportSubmitInput - is selected and expanded showing the fields that can be used for the required input.

In the Variables table, the “appId” field as been added as the only input variable for this basic operation (currently displaying a null value).

...

...

For multi-college district accounts, the operation should be modified to also include the “reportedByMisCode” field in the input argument to specify which college in the district the fraudulent application (appId) is being submitted for (see example shown in the Variables table).

...

With a better understanding of the basic operation, a skilled API developer has everything they need to effectively format a proper web request using an application development tool such as Curl, Python, PowerShell, etc. The Operation becomes the query itself

The example below submits a fraud report for application id (AppID) 34110.

curl --location --request POST 'https://apollo-router.qa.ccctechcenter.org' 
--header 'Authorization: Bearer eyJ......' 
--header 'Content-Type: application/json' 
--data-raw '{"query":"mutation FraudReportSubmit($input: FraudReportSubmitInput!) {\n  FraudReportSubmit(input: $input) {\n    cccId\n    appId\n    fraudType\n  }\n}\n","variables":{"input":{"appId":34110}}}'

Below is an example of a successful reply:

{
    "data": {
        "FraudReportSubmit": {
            "cccId": "AAA6198",
            "appId": 34110,
            "fraudType": "APPLICATION"
        }
    }
}

In the hands of a knowledgable API programmer, the schema provides everything needed to construct and execute the FraudReportSubmit operation, including the required argument, Input fields, and the payload response using an API dev tool such as CURL, PowerShell, Python, Java, etc. Any of these development tools will provide the

In the hands of a GraphQL tool, such as CURL, the operation must be formatted as a web request (web request object) - have to have the skill set to know how to do that. We provide the schema and information to do that

...

Learn how to use an Input object type in a GraphQL mutation operation.

A Mutation type is a special root type that is used to modify server-side data. Just like in queries, if the mutation field returns an object type, you can ask for nested fields. It can also contain multiple fields. However, unlike queries, mutation fields run in series, one after the other.

Learn more about GraphQL mutations

Explore the schema documentation for the FraudReportSubmit mutation and see the available Input fields.

Submit a Fraud Report Using Postman

In your Postman workspace, click on the Fraud Report Submit file in the Fraud Report collection.

To support users that may not have the necessary skillset to build and submit a web request from the schema, the report can be submitted via the Postman tool - operation can be using be API developers, In the body of the post, the data structure for the FraudReportSubmit mutation appears in the Query portion of the workspace, with ($input: FraudReportSubmitInput!) as the required argument. In GraphQL, an Input can be an argument against an object. In this case, FraudReportSubmit is an object type. The three fields below the object indicate the fields that we want values for in the response. The input variables appear in the GraphQL VARIABLES box

...

Image Removed

Receiving Fraud Notifications to a Staging Table

An objective of the fraud data project is to leverage SuperGlue and the College Adaptor to implement more automated processes for bi-directional sharing of fraud information between colleges. In the early phase, CCCTC is able to broadcast notifications of reported bad actors to any other colleges that have also received applications from the same CCCID.

When this happens, a new fraud-report is pushed to a dedicated staging table (for each college) via the SuperGlue College Adaptor. Each notification contains will identify suspect CCCID and the application ID(s) (AppID), and the reporting college’s MIS code (reportedByMisCode). 

...

...

Querying Fraud Data via API

For colleges that aren’t able to stream fraud notifications via the SuperGlue College Adaptor, fraud data can be queried directly using the FraudReportQuery API request. The FraudReportQuery is the query interface for a FraudReport type object, which is basically the “fraud report” response for a student and/or application that includes 10 fields.

When an authorized user fetches fraud reports related to your college through the API, the Access Token authenticates the user’s credentials and also identifies the user’s MIS code as the “recipientMisCode” in a query and responds with a list of fraud reports that match your MIS code.

There are three different variations of the FraudReportQuery that can be used to query fraud reports:

...

FraudReportQuery:withRecipientMisCode

...

FraudReportQuery:withAPPID

...

FraudReportQuery:withCCCID

FraudReport object has the following fields:

• appId!

• cccId!

• recipientMisCode!

• reportedByMisCode!

• submitTiimestamp!

• fraudType

• ccpgAid

• federalAid

• localAid

• otherAid

Three FraudReportQuery three Input arguments:

• withAPPID

• withCCCID

• withRecipientMisCode

Each argument

Mostly used with the “withRecipientMisCode” query (because the district or college will be retrieving the applications or CCCIDs of the applicants that have submitted applications to their institution’s mis code.

Fraud Report Query (FraudReportQuery)

The FraudReportQuery type :

Example: FraudReportQuery Request

curl --location --request POST 'https://apollo-router.qa.ccctechcenter.org' \
  --header 'Authorization: Bearer eyJhb' \
  --header 'Content-Type: application/json' \
  --data-raw '{"query":"query FraudReportQuery {\n  FraudReportQuery {\n    withRecipientMisCode {\n      submitTimestamp\n      cccId\n      reportedByMisCode\n      recipientMisCode\n      appId\n      fraudType\n      federalAid\n      ccpgAid\n      localAid\n      otherAid\n    }\n  }\n}","variables":{}}'

with example of expected response:

...

Using Postman with the SuperGlue Fraud Reporting Data API

CCCTC recommends using Postman for interacting with the Bi-Directional Fraud Data API. The Postman client (configured with ready-to-use templates provided by the CCCTC) allows colleges that may not have the immediate resources or technical skills to integrate with the API initially to submit fraud reports and query the fraud database efficiently in order to participate in the fraud data reporting effort.

Links to install Postman, as well as the custom templates for submitting and querying fraud reports and the user authorization credentials are provided to the college during the implementation process. For more information on using Postman, see Using Postman with the Fraud Data API or contact CCCTC Enabling Services.

Panel
panelIconId 33bfe2b7-860e-4d5a-bd01-ea85976cc352 panelIcon :Postman-Logo: panelIconText :Postman-Logo: bgColor #FFFAE6
Postman is a testing platform designed to “easily explore, debug, and test your complex API requests for HTTP, REST, SOAP, GraphQL, and WebSockets. The Postman client also includes built-in support for authentication protocols like OAuth 1.2/2.0, AWS Signature, Hawk, and more.” Learn more in the Postman Learning Center.

_{Back to Top}

---

College Implementation Process

To get started with the SuperGlue Fraud Reporting data API, an authorized college or district IT engineer with a good understanding of API technology, must contact the CCCTC Enabling Services team to schedule a checklist meeting.

Below is an overview of the process:

• Contact the CCCTC Enabling Services team to obtain your API account and credentials.

• Integrate with the SuperGlue Fraud Reporting data API.

  • Install Postman tool and import templates (optional, but recommended).

  • Or, set up standard templates in preferred API tool (Python, cURL, Powershell, Ruby, Node, Java, etc.).

• Install the Fraud Report staging table and deploy the latest version of the College Adaptor to receive a live stream of fraud notifications, or use the Fraud Report Query to receive a list of fraud notifications.

Panel
panelIconId atlassian-check_mark panelIcon :check_mark: bgColor #F4F5F7
Click here for more information about the Fraud Data API Implementation Process.

Authorized Access Accounts

During the implementation process, one or more user accounts will be created for your college or district by a CCCTC implementation engineer. The account will be configured with the appropriate roles and attributes, and secured to the MIS codes authorized for the specific user. Users from multi-college districts may be authorized to submit and query fraud reports for all or some of the individual colleges in their district. Single-college districts will be restricted to their single-college MIS code.

Panel
panelIconId atlassian-info panelIcon :info: bgColor #F4F5F7
More information is provided to the district during the SuperGlue Fraud Reporting Data API Implementation Process overview meeting with CCCTC Enabling Services.

_{Back to Top}

---

Bi-Directional Fraud Data API Operations

Panel
bgColor #FFFAE6
Recommended: Non-technical college staff are encouraged to use Postman for ad hoc fraud reporting and queries. Ask your Enabling Services ICE engineer for more information about Using Postman with the SuperGlue Fraud Reporting data API.

• Getting the API Access Token

• Submitting a Fraud Report Via API

• Receiving Fraud Notifications to Staging Table

• Querying Fraud Data Via API

• Rescinding a Fraud Report

Getting the API Access Token

With your API account created with the proper credentials in place, use the request below to return a JSON block including an “access_token” field. This token becomes the Bearer required in the Authorization head for secured requests to the API. (Reminder: Your API account is provided by the CCCTC during the implementation process.)

Code Block
curl --location --request POST 'PLACE_AUTHENTICATION_ENDPOINT_URL_HERE' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'username=PLACE_PLAINTEXT_USERNAME_HERE' \ --data-urlencode 'password=PLACE_PLAINTEXT_PASSWORD_HERE' \ --data-urlencode 'grant_type=password' \ --data-urlencode 'client_id=fraudReporting'

Panel
panelIconId atlassian-info panelIcon :info: bgColor #F4F5F7
Note: In the example above, the token request is made using cURL; however, any API tool can be used, such as Python, PowerShell, Ruby, Node, Java, etc.

Getting Your Access Token Using Postman

Once Postman is installed and the Fraud Report Postman Collection and the Fraud Report Postman Environment files have been imported and configured with your API account credentials and environment specifications, the process for generating and refreshing your access token is managed on the Fraud Report OAuth tab. Once generated, Postman will automatically store the token as the Bearer in the Authorization head for all secured API requests.

---

Panel
panelIconId atlassian-info panelIcon :info: bgColor #F4F5F7
A primary function of the API is to facilitate the process of automating the submission of suspected or identified fraudulent admission applications to the CCCTC for use in combating system-wide fraud.

Submitting a Fraud Report

The schema defines the process for submitting fraud information to the CCCTC as the FraudReportSubmit operation. Specifications for this operation are documented in the CCCTC API Sandbox.

In general terms, the components of this operation are basic. The root of the FraudReportSubmit operation is a mutation type object that has a required Input argument (FraudReportSubmitInput) where at least one input variable field must be provided and a custom payload response is defined (FraudReportSubmitPayload). For the majority of fraud report submissions, only the CCC ID (CCCID) is needed, although additional input fields may also be added to the operation.

The FraudReportSubmit Operation

Below is an example of a basic FraudReportSubmit operation built with a template in the CCCTC API sandbox.

Image Added

In the Operation section, the root mutation, FraudReportSubmit, has been selected with the default FraudReportSubmitPayload fields displayed. In the Documentation column, the Input argument - FraudReportSubmitInput - is selected and expanded showing the fields that can be used for the required input. In the Variables table, the appId field has been added as the only input variable for this basic operation (currently displaying a null value in the adjacent screenshot). Panel panelIconId atlassian-check_mark panelIcon :check_mark: bgColor #FFFFFF Before submitting the request, a value should be entered in the “appId” input field (as shown below). Image Added

Panel
panelIconId atlassian-info panelIcon :info: panelIconText :info: bgColor #FFFFFF
The Documentation tab (in the sandbox) enables you to step into the Fraud Data API schema, beginning at one of its entry points. Click the ⊕ button next to any field in the Documentation tab to add that field to the operation editor, at your current path. By default, the Explorer automatically generates variables for that field's arguments

Panel
panelIconId atlassian-warning panelIcon :warning: bgColor #F4F5F7
Reminder: The user’s API account is configured with their default authorized MIS code(s), which is identified in the access token that becomes part of the request heading. The appId value entered must be a legitimate application corresponding to the authorized MIS code or the request will return an error.

In this operation, the mutation has a required input argument (FraudReportSubmitInput) that specifies which data fields will be included in the submission.

Learn how to use an Input object type in a GraphQL mutation operation.

For multi-college district accounts, the operation should be modified to also include the “reportedByMisCode” field in the input argument to specify which college in the district the fraudulent application (appId) is being submitted for (see example shown in the Variables table). The default MIS code for a single college district is passed automatically in the token, so it does not need to be included as a variable in the input argument.

Image Added

The schema provides everything needed to construct and execute the FraudReportSubmit operation, including the required input argument, Input fields, and the payload response using an API dev tool such as cURL, PowerShell, Node, Python, Java, etc.

Panel
panelIconId atlassian-info panelIcon :info: panelIconText :info: bgColor #F4F5F7
To export the FraudReportSubmit operation, or a variation of that template, click the three dots in the Operation section to display the context menu.

Image Added

With a basic understanding of the operation and appropriate credentials and configured attributes, an API user has everything they need to effectively format a proper web request using an application development tool such as cURL, Python, Node, PowerShell, etc.

The example below shows how to submit a formatted web request for a fraud report for application id (AppID) 34110.

Code Block
curl --location --request POST 'PLACE_CCCTC_API_URL_HERE' --header 'Authorization: Bearer PLACE_AUTHORIZATION_TOKEN_HERE' --header 'Content-Type: application/json' --data-raw '{"query":"mutation FraudReportSubmit($input: FraudReportSubmitInput!) {\n FraudReportSubmit(input: $input) {\n cccId\n appId\n fraudType\n }\n}\n","variables":{"input":{"appId":34110}}}'

Info
Reminder: The access token code is entered as the Bearer token required in the Authorization head for secured requests to the API. The access token includes the user credentials and the reporting college’s MIS code.

Below is an example of a successful reply:

Code Block
{ "data": { "FraudReportSubmit": { "cccId": "AAA6198", "appId": 34110, "fraudType": "APPLICATION" } } }

Panel
bgColor #FFF0B3
Using Postman to Submit a Fraud Report To support users who may not have the programming experience to build and submit a web request from a schema, Postman can be used for submitting fraud reports. Please reach out to CCCTC Enabling Services for more information about using Postman with CCCTC APIs.

_{Back to Top}

---

Receiving Fraud Notifications to a Staging Table

One objective of the fraud reporting project is to leverage SuperGlue and the College Adaptor to implement more automated processes for bi-directional sharing of fraud information between colleges. CCCTC is able to broadcast notifications of reported bad actors to any other colleges that have also received applications from the same CCCID.

When this happens, a new Fraud Report is pushed to a dedicated staging table (for each college) via the SuperGlue College Adaptor. Each notification will identify the suspect CCCID and the application ID(s) (AppID), a timestamp for the fraud report, and the reporting college’s MIS code (reportedByMisCode).

In addition to sending notifications to the staging table, the SuperGlue Fraud Reporting system (or data API) also updates the fraud_status field in the CCCApply database. The fraud_status is set as follows in the CCCApply database:

5(CONFIRMED_FRAUD): For fraud report submissions
6(CONFIRMED_NOT_FRAUD): For fraud rescind actions

Panel
panelIconId atlassian-info panelIcon :info: bgColor #F4F5F7
Update Your College Adaptor for the Fraud Data API - Please see the SuperGlue Fraud Reporting Data API Implementation Process page for integration details.

---

Querying Fraud Report Data

Colleges may query fraud data information for an authorized MIS code directly using the SuperGlue Fraud Reporting data API. The schema specifies this operation as the FraudReportQuery type query, which is an interface for retrieving a Fraud Report object consisting of a multi-field payload for an individual student and/or application.

The CCCTC API provides colleges the power to ask for exactly which fields they need to be given to them. Such queries always return predictable results. Apps using this API are relatively fast because they control the amount of data they get (as opposed to the server returning additional unneeded data).

The FraudReportQuery Operation

The schema describes the FraudReportQuery as a Query type object that requires at least one of three different input-object variations as part of the API calloperation. Each variation has a specific input argument (variable) that can be customized to retrieve all of the FraudReport data fields in the payload response. The input variations can be used alone or in combination with each other as part of the operation.

The three query variations are:

Use this operation…	that requires the…	to…
FraudReportQuery.withRecipientMisCode	“RecipientMisCode” field as the input variable	Return a list of FraudReport objects for a specified MIS code.
FraudReportQuery.withAPPID	“AppId” field as the input variable	Return FraudReport objects for a specific student Application.
FraudReportQuery.withCCCID	“CCCID” field as the input variable	Return FraudReport objects for a specific student CCCID.

To better understand the syntax for these variable definitions, it is useful to learn the GraphQL schema language, explained in detail on the Schema page.

From Root, select Query > FraudReportQuery	Configure the Query Operation	Selectfields for the expected response.
Below is an example of the three query inputObject variations.	Below is an example of the “withCCCID” inputObject query selected.	Fields can be selected individually from the FraudReport object.
Image Added	Image Added	Image Added

The majority of multi-college districts will find the “withRecipientMisCode” query to be the most useful and commonly used variation for retrieving information on fraudulent applications submitted to one or more colleges in their district MIS code.

Below is an example of a request using the FraudReportQuery:withRecipientMisCode query where one or more additional input variables are being used in addition to the “recipientMisCode.”

Code Block
curl --location --request POST 'PLACE_CCCTC_API_URL_HERE' \ --header 'Authorization: Bearer PLACE_AUTHORIZATION_TOKEN_HERE' \ --header 'Content-Type: application/json' \ --data-raw '{"query":"query FraudReportQuery {\n FraudReportQuery {\n withRecipientMisCode {\n submitTimestamp\n cccId\n reportedByMisCode\n recipientMisCode\n appId\n fraudType\n }\n }\n}","variables":{}}'

Below is an example of the expected response.

Code Block
{ "data": { "FraudReportQuery": { "withRecipientMisCode": [ { "submitTimestamp": "2022-10-07T21:15:37.000Z", "cccId": "AAA0002", "reportedByMisCode": "ZZ2", "recipientMisCode": "ZZ1", "appId": 4, "fraudType": "APPLICATION" } ]

...

...

      }
    

...

} }

Panel
panelIconId atlassian-warning panelIcon :warning: bgColor #FFFFFF
Reminder: The user’s access token should be entered alongside the Bearer required in the Authorization header for secured requests to the API.

Panel
panelIconId 0b602188-3068-459a-af34-8f1e8dab2e4d panelIcon :apollo-graphql-logo: panelIconText :apollo-graphql-logo: bgColor #F4F5F7
Below is an example of the FraudReportQuery:withRecipientMisCode operation configured in the CCCTC API sandbox.

Image Added

Panel
panelIconId atlassian-light_bulb_on panelIcon :light_bulb_on: panelIconText :light_bulb_on: bgColor #FFFFFF
Reminder: The purpose of the SuperGlue Fraud Reporting data API is to provide colleges the ability to integrate their internal systems in order to streamline their own fraud reporting processes.

Copying & Exporting Query Operations

The fastest and easiest way to create the other query variations to use in Postman is to modify the existing file in the CCCTC sandbox. The process below outlines the steps for creating a new query entry to your Fraud Report Postman collection which will allow you to make an API call using a CCCID or AppID.

Panel
panelIconId 0b602188-3068-459a-af34-8f1e8dab2e4d panelIcon :apollo-graphql-logo: panelIconText :apollo-graphql-logo: bgColor #F4F5F7
To export the FraudReportQuery operation, or a configuration of the template, as defined in the schema in the sandbox, click the three dots in the Operation section to display the context menu for options.

Image Added

_{Back to Top}

---

Rescinding a Fraud Report

The schema defines the process for rescinding fraud information to the CCCTC as the FraudReportRescind operation. Specifications for this operation are documented in the CCCTC API Sandbox.

In general terms, the components of this operation are basic. The root of the FraudReportRescind operation is a mutation type of object that has a required input argument (FraudReportRescindInput) where at least one input variable field must be provided and a custom payload response is defined (FraudReportRescindPayload). For the majority of fraud report rescission, only the CCC ID (CCCID) is needed, additional input fields may also be added to the operation.

The FraudReportRescind Operation

Below is an example of a basic FraudReportRescind operation built with a template in the CCCTC API sandbox.

Image Added

With a basic understanding of the operation and their API account with the appropriate credentials and configured attributes, an API user has everything they need to effectively format a proper web request using an application development tool such as cURL, Python, Node, PowerShell, etc.

The example below submits a formatted web request for rescinding a fraud report for application id (AppID) 34110.

Code Block
curl --location --request POST 'PLACE_CCCTC_API_URL_HERE' --header 'Authorization: Bearer PLACE_AUTHORIZATION_TOKEN_HERE' --header 'Content-Type: application/json' --data-raw '{"query":"mutation FraudReportRescind($input: FraudReportRescindInput!) {\n FraudReportRescind(input: $input) {\n cccId\n appId\n }\n}\n","variables":{"input":{"appId":34110}}}'

Panel
panelIconId atlassian-warning panelIcon :warning: bgColor #F4F5F7
Reminder: The access token code is entered as the Bearer token required in the Authorization head for secured requests to the API. The access token includes the user credentials and the reporting college’s MIS code.

Below is an example of a successful reply:

Code Block
{ "data": { "FraudReportRescind": { "

...

cccId": 

...

"AAA6198",

...

...

"appId": 

...

34110
        

...

}
    }

...

...

}

...

See also:

...

Definitions of Terms

...

...

...

Pilot: https://apollo-router.pilot.ccctechcenter.org/

...

GraphQL API Documentation

...

Table of Fraud API Data Fields

...

CCCTC Fraud API Data Element

...

Definition of Terms

...

...

Postman Collection Files

...

Fraud Report Collection:

• Fraud Report OAuth

• Fraud Report Submit

• Fraud Report Query

GraphQL:Pilot Environment Collection