SuperGlue Bi-Directional Fraud Data API Guide
This introductory user guide provides:
a general description and usage of the SuperGlue Bi-directional Fraud Data API and the fraud data reporting project
an overview of the college implementation process and options for integration with the API
an introduction to GraphQL API language for reporting and querying fraud data
API documentation & resources for executing fraud data reporting operations
Introduction
The Bi-Directional Fraud Data API is a SuperGlue-based solution (API) supporting bi-directional communication and sharing of suspected application fraud data with the CCC Technology Center for the purpose of sharing this determination of fraud status with other colleges in the system automatically. Developed using GraphQL API technology, the first phase of development leverages the SuperGlue framework to amass a fraud data repository built on college reports and streaming notifications out to other affected colleges. Eventually through continuous improvement, the API will be extended to support other types of fraud data, including enrollment and financial aid fraud. Participating districts are provided the Bi-Directional Fraud Data API schema (GraphQL-based, described further below) and authorized access to the API during an implementation call with the CCCTC Enabling Services.
The Bi-Directional Fraud Data API will support colleges that have implemented the SuperGlue College Adaptor to receive fraud notifications as well as colleges that may choose to query the API directly to get fraud information.
About This Guide
The purpose of this guide is twofold: a) to provide an introduction to the Bi-Directional Fraud Data API project including the processes and procedures for college and district staff who will be participating in fraud reporting operations; and b) to provide the technical information and documentation for IT staff and developers who have the necessary skills and understanding of the basic concepts and capabilities of GraphQL API technology, including access to the schema and query templates used to execute the primary operations supported by this service.
About GraphQL API
GraphQL is a new API standard that provides a more efficient, powerful, and flexible alternative to REST API.
While there are many good learning resources and tutorials available, Introduction to GraphQL is an excellent primer for understanding the GraphQL language and the primary query operations used by the Fraud Data API.
See the About GraphQL API page for an introduction to the basic concepts of GraphQL, the schema, and examples of the functional operations used in the Fraud Data API (query, mutation, subscription).
The Bi-Directional Fraud Data API
In the initial phase of development, the Bi-Directional Fraud Data API provides a mechanism for colleges to report locally-identified instances of application fraud to the CCCTC, as well as facilitate the ability to query against that data using an authorized MIS code with an AppID or CCCID. In turn, CCCTC server-side workflows analyze the data to determine if the submitted fraud information impacts other colleges across the system. If impacts are found, Superglue is leveraged to notify these colleges of the bad actor.
By integrating the SuperGlue API to identify and share fraud data, colleges will be able to effectively extend the functionality of their own SIS systems and resources for increased efficiency. This is essential not only for meeting fraud reporting requirements, but also for decreasing overall costs and increasing time savings. Districts are encouraged to use this API for development within their own internal SIS system.
Reporting Fraud Data Via API
The reporting of locally identified fraud data from an individual college or district to the CCC Technology Center (CCCTC) is managed via the Bi-Directional Fraud Data API. Everything needed to submit fraud reports is documented in the schema (see the API Documentation section below), as well as through custom Postman files configured specifically for the fraud data operations. More information and detailed examples of the FraudReportSubmit mutation are provided in the Submitting a Fraud Report section of this guide.
Receive Fraud Notifications to Staging Table
Each instance of application fraud reported to the CCCTC is used to identify other instances submitted by the same CCCID. These findings are then delivered to colleges as notifications to a new fraud-report staging table (for each college) via the SuperGlue College Adaptor. Each notification response will consist of the application ID (AppID), the applicant’s CCCID, and the MIS code of the college reporting the fraud (ReportedByMisCode). Learn more about this process in the Receiving Fraud Notifications to a Staging Table section below.
For colleges that have implemented the College Adaptor, the Fraud Data API leverages SuperGlue to stream fraud notifications to a dedicated fraud-data staging table.
See the Fraud Data API Implementation Process page for more details and to get started working with CCCTC Enabling Services.
Below is a diagram of the API processes leveraged by SuperGlue and the College Adaptor.
Querying Fraud Data Directly Via API
An option for colleges that have not yet implemented the SuperGlue College Adaptor, the API facilitates the ability to query the fraud table directly using a CCCID, an AppID, or an authorized MIS code (withRecipientMisCode). A successful response is returned if the CCCID used in the query matches any other application(s) submitted to the authorized MIS code. The process for querying the API directly is described in the Querying Fraud Report Data section of this guide.
Authorized access via the API is restricted by college- or district MIS code, which is set as the default attribute in the API account. Multi-college districts will have a default MIS code as well but may also be granted authorization for additional MIS codes for individual colleges in their district. API accounts are set up by the CCCTC and provided to the college during the implementation process.
The Bi-Directional Fraud Data API Schema
The schema is one of the most important concepts when working with GraphQL API. It specifies the capabilities of the API, the shape of the available data, and the specific queries and mutation functions that can be used to read, write, and make web requests of a GraphQL server.
The Bi-Directional Fraud Data API schema defines the query type operations currently available to execute. The FraudQuerySubmit type mutation provides the operation and data structure for submitting a fraud report to the CCCTC for a CCCApply Application (AppId) or a student ID (CCCID). The FraudReportQuery operation provides the structure for retrieving fraud data via the API.
API Documentation, Tools & Sandbox
One of the benefits of a GraphQL API is its inherent ability to be self-documenting. This means that when you use an interactive tool like GraphiQL, you’re able to explore what data is exposed by your GraphQL API, including the fields, types, and more. Users can also explore the data through the description field which provides supplementary notes about the endpoint.
In most cases this provides enough API reference documentation. However, to better understand and visualize the Fraud Data API, the complete schema documentation and the ability to explore, test, and validate the primary API calls is provided via an Apollo sandbox tool and operation templates provided by the CCCTC (see links below).
The Apollo sandbox supports all GraphQL operation types (
Query,Mutation, andSubscription) and allows you to explore the Fraud Data API schema documentation.
Explore the API in the Apollo Sandbox
Access to the Bi-Directional Fraud Data API schema is available in the Apollo Sandbox to college IT staff for exploration of the schema and metrics, API development, documentation, and testing of the Fraud Report operations.
Access & explore the Fraud Data API schema in each environment.
PILOT: https://apollo-router.pilot.ccctechcenter.org/
PROD: https://apollo-router.ccctechcenter.org/
By providing districts direct access to the [Bi-Directional Fraud Data] API schema, the CCCTC has effectively empowered the colleges with the ability to create and generate a user interface of their own, for example, that could be used to implement a more automated process for dealing with fraud application data. Or they can simply use Postman and the files configured for the Fraud Data API that are provided, to educate themselves on the GraphQL API or visualize the data structure.
Using Postman with the Fraud Data API
CCCTC highly recommends using Postman for interacting with the Bi-Directional Fraud Data API. The Postman client - configured with ready-to-use templates provided by the CCCTC - will allow colleges that may not have the immediate resources or technical skills to integrate with the API initially to submit fraud reports and query the fraud database efficiently in order to participate in the fraud data reporting effort.
Links to install Postman, as well as the custom templates for submitting and querying fraud reports and the user authorization credentials are provided to the college during the implementation process. For more information on using Postman, please request a copy of Using Postman with the Fraud API from CCCTC Enabling Services.
College Implementation Process
To get started with the Bi-Directional Fraud Data API, an authorized college or district IT engineer with a good understanding of API technology must contact with the CCCTC Enabling Services team to schedule a checklist meeting.
Below is an overview of the process:
Contact the CCCTC Enabling Services team to obtain your API account and credentials
Integrate with the Fraud Report (GraphQL) API
Install Postman tool and import templates (optional, but recommended)
Or set up standard templates in preferred API tool (Python, cURL, Powershell, Ruby, Java, etc.)
Install the Fraud Report staging table and deploy latest version of the College Adaptor to receive a live stream of fraud notifications, or use the Fraud Report Query to receive a list of fraud notifications.
Authorized Access Accounts
During the implementation process, one or more user accounts will be created for your college or district by a CCCTC implementation engineer. The account will be configured with the appropriate roles and attributes, and secured to the MIS codes authorized for the specific user. Users from multi-college districts may be authorized to submit and query fraud reports for all or some of the individual colleges in their district. Single college districts will be restricted to their single college MIS code.
Bi-Directional Fraud Data API Operations
Recommended: Non-technical college staff are encouraged to use Postman for ad hoc fraud reporting and queries. Ask your Enabling Services ICE engineer for a copy of “Using Postman with the Fraud Data API”.
Getting the API Access Token
With your API account created with the proper credentials in place, the request below returns a JSON block including an “access_token” field. This token becomes the Bearer required in the Authorization head for secured requests to the API. (Reminder: Your API account is provided by the CCCTC during the implementation process.)
curl --location --request POST '<https://auth.ci.ccctechcenter.org/auth/realms/API/protocol/openid-connect/token'> \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'username=mis-zz1-fraudreporter' \
--data-urlencode 'password=Mis-zz1-fraudreporter' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id=fraudReporting'
Getting Your Access Token Using Postman
Once Postman is installed and the two Fraud Report Postman Collection files have been imported and configured with your API account credentials and environment specifications, the process for generating and refreshing your access token is managed on the Fraud Report OAuth tab. Once generated Postman will automatically store the token as the Bearer in the Authorization head for all secured API requests.
Submitting a Fraud Report
The schema defines the process for submitting fraud information to the CCCTC as the FraudReportSubmit operation. Specifications for this GraphQL-based operation are documented in the Apollo sandbox.
In general terms, the components of this operation are quite basic. The root of the FraudReportSubmit query is a mutation type object that has a required Input argument (FraudReportSubmitInput!) where at least one input variable field must be provided and a custom payload response is defined (FraudReportSubmitPayload). For the majority of fraud report submissions, only the application Id (AppID) is truly needed, although additional input fields may also be added to the operation.
Explore the schema documentation for the FraudReportSubmit mutation and see the available Input fields.
The FraudReportSubmit Operation
Below is an example of a basic FraudReportSubmit operation built with a template in the Apollo sandbox.
 | In the Operation section, the root mutation, FraudReportSubmit, has been selected with the default FraudReportSubmitPayload fields displayed. In the Documentation column, the Input argument - FraudReportSubmitInput - is selected and expanded showing the fields that can be used for the required input. In the Variables table, the “appId” field as been added as the only input variable for this basic operation (currently displaying a null value in the adjacent screenshot). |
In this operation, the mutation has a required input argument (FraudReportSubmitInput!) that specifies which data fields will be included in the submission.
Learn how to use an Input object type in a GraphQL mutation operation.
For multi-college district accounts, the operation should be modified to also include the “reportedByMisCode” field in the input argument to specify which college in the district the fraudulent application (appId) is being submitted for (see example shown in the Variables table). The default MIS code for a single college district is passed automatically in the token, so it does not need to be included as a variable in the input argument. |
In the hands of a knowledgable API programmer, the schema provides everything they need to construct and execute the FraudReportSubmit operation, including the required input argument, Input fields, and the payload response using an API dev tool such as CURL, PowerShell, Python, Java, etc. Any of these development tools will provide the mechanism needed to make this API web request.
With a basic understanding of the operation and their API account with the appropriate credentials and configured attributes, a skilled API programmer has everything they need to effectively format a proper web request using an application development tool such as Curl, Python, PowerShell, etc.
The example below submits a formatted web request for a fraud report for application id (AppID) 34110.
curl --location --request POST 'https://apollo-router.qa.ccctechcenter.org'
--header 'Authorization: Bearer eyJ......'
--header 'Content-Type: application/json'
--data-raw '{"query":"mutation FraudReportSubmit($input: FraudReportSubmitInput!) {\n FraudReportSubmit(input: $input) {\n cccId\n appId\n fraudType\n }\n}\n","variables":{"input":{"appId":34110}}}'Below is an example of a successful reply:
{
"data": {
"FraudReportSubmit": {
"cccId": "AAA6198",
"appId": 34110,
"fraudType": "APPLICATION"
}
}
}
Receiving Fraud Notifications to a Staging Table
One objective of the fraud reporting project is to leverage SuperGlue and the College Adaptor to implement more automated processes for bi-directional sharing of fraud information between colleges. In the early phase, CCCTC is able to broadcast notifications of reported bad actors to any other colleges that have also received applications from the same CCCID.
When this happens, a new fraud-report is pushed to a dedicated staging table (for each college) via the SuperGlue College Adaptor. Each notification will identify the suspect CCCID and the application ID(s) (AppID), a timestamp for the fraud report, and the reporting college’s MIS code (reportedByMisCode).
Querying Fraud Report Data
Colleges that have not yet integrated with the SuperGlue College Adaptor may query fraud data information for an authorized MIS code directly using the Fraud Data API. The schema specifies this operation as the FraudReportQuery type query, which is an interface for retrieving a FraudReport object consisting of a 10-field payload response for an individual student and/or application.
GraphQL provides a complete and understandable description of the data in your API, allowing [colleges] the power to ask for exactly what they need, nothing more and nothing less. GraphQL queries always return predictable results. Apps using GraphQL are fast and stable because they control the data they get, not the server.
The FraudReportQuery Operation
The schema describes the FraudReportQuery as a Query type object that requires at least one of three different inputObject variations as part of the API call operation. Each variation has a specific input argument (variable) that can be customized to return all or some of the ten different FraudReport data fields in the payload response. The input variations can be used alone or in combination with each other as part of the operation. The payload response returned is the FraudReport.
The three query variations are:
Use this operation… | that requires the… | to… |
|---|---|---|
FraudReportQuery.withRecipientMisCode | “RecipientMisCode!” field as the input variable | Return a list of FraudReport responses for a specified MIS code. |
FraudReportQuery.withAPPID | “AppId!” field as the input variable | Return a FraudReport response for a specific student Application. |
FraudReportQuery.withCCCID | “CCCID!” field as the input variable | Return a FraudReport response for a specific student CCCID. |
To better understand the syntax for these variable definitions, it's useful to learn the GraphQL schema language, explained in detail on the Schema page.
The FraudReport object currently contains ten fields:
appId
cccId
recipientMisCode
reportedByMisCode
submitTiimestamp
fraudType
ccpgAid
federalAid
localAid
otherAid
From Root, select Query > FraudReportQuery | Configure the Query Operation | Select fields for the expected response. |
|---|---|---|
Below is an example of the three query inputObject variations. | Below shows the “withCCCID” inputObject query selected. | Fields can be selected individually from the FraudReport object. |
The majority of multi-college districts will find the “withRecipientMisCode” query to be the most useful and commonly used variation for retrieving information on fraudulent applications submitted to one or more colleges in their district mis code.
Below is an example of a request using the FraudReportQuery:withRecipientMisCode query where one or more additional input variables are being used in addition to the “recipientMisCode”.
This is an example of the expected response.
Copying & Exporting Query Operations
The fastest and easiest way to create the other query variations to use in Postman is to modify the existing file starting in the Apollo sandbox. The process below outlines the steps for creating a new query entry to your Fraud Report Postman collection which will allow you to make an API call using a CCCID or App ID.
Documentation & Supporting Resources
Item | Description | File / Link |
|---|---|---|
Apollo API Sandbox | Fraud Data API Endpoint & Schema Documentation | Pilot: https://apollo-router.pilot.ccctechcenter.org/ |
GraphQL API Documentation | (Official) Online Introduction to GraphQL API | |
About GraphQL | CCCTC-based Introduction to GraphQL API | https://cccnext.jira.com/wiki/spaces/GLUEPD/pages/2849641174 |
Postman Documentation | Introduction to Postman / Documentation | https://learning.postman.com/docs/getting-started/introduction/ |
Using Postman with the Fraud Data API | CCCTC Guide for Using Postman with the Fraud Data API |
|