SuperGlue Fraud Reporting Guide
This introductory user guide provides:
a general description and usage of the SuperGlue Fraud Reporting functionality (data API) and the fraud data reporting project
an overview of the college implementation process and options for integration with the API
an introduction to GraphQL API language for reporting and querying fraud data
API documentation and resources for executing fraud data reporting operations
Introduction
SuperGlue Fraud Reporting is an API solution that supports bi-directional communication and sharing of suspected application fraud data with the CCC Technology Center. This enables automatic sharing of fraud status with other colleges in the system. Developed using GraphQL API technology, the API supports other types of fraud data. Participating districts are provided the SuperGlue Fraud Reporting API schema and authorized access to the API during an implementation call with CCCTC Enabling Services. For more information on the schema, see About GraphQL API.
Search the Fraud Reporting Guide
Contents
On This Page
SuperGlue Fraud Reporting enables colleges to receive fraud notifications and query the API directly to get fraud information.
About this Guide
This guide is targeted at developers who have a basic understanding of concepts and capabilities of GraphQL API technology. To learn more about GraphQL, see GraphQL | A query language for your API.
The purpose of this guide is two-fold:
introduce the SuperGlue Fraud Reporting project, including the processes and procedures for college and district staff who will be participating in fraud reporting operations
provide the technical information, documentation, schema access, and query templates
About GraphQL API
GraphQL is a new API standard that provides a more efficient, powerful, and flexible alternative to REST API.
Introduction to GraphQL is an excellent primer for understanding the GraphQL language and the primary query operations used by the Fraud Data API.
See the About GraphQL API page for an introduction to the basic concepts of GraphQL, the schema, and examples of the functional operations used in the Fraud Data API (query, mutation, subscription).
The SuperGlue Fraud Reporting Data API
The SuperGlue Fraud Reporting data API provides a mechanism for colleges to report locally-identified instances of fraud to the CCCTC, as well as facilitate the ability to query against that data using an authorized MIS code with an AppID or CCCID. In turn, CCCTC server-side workflows analyze the data to determine if the submitted fraud information impacts other colleges across the system. If impacts are found, Superglue is leveraged to notify those colleges of the fraud.
By integrating the SuperGlue API to identify and share fraud data, colleges are able to extend the functionality of their own SIS systems and resources for increased efficiency. This is essential for meeting fraud reporting requirements as well as decreasing overall costs and increasing time savings. Districts are encouraged to use this API within their own internal systems.
Reporting Fraud Data Via the API
The reporting of locally identified fraud data from an individual college or district to the CCC Technology Center (CCCTC) is managed via the SuperGlue Fraud Reporting data API. Everything needed to submit fraud reports is documented in the schema, as well as through custom Postman files configured specifically for the fraud data operations. More information and detailed examples of the FraudReportSubmit mutation are provided in the Submitting a Fraud Report section.
Receive Fraud Notifications to Staging Table
Each instance of application fraud reported to the CCCTC is used to identify other instances submitted by the same CCCID. These findings are then delivered to colleges as notifications to a fraud-report staging table (for each college) via the SuperGlue College Adaptor.
Each notification response consists of:
application ID (
AppID)applicant’s CCCID (
CCID)MIS code of the college reporting the fraud (
ReportedByMisCode).
Learn more about this process in Receiving Fraud Notifications to a Staging Table.
The SuperGlue Fraud Reporting data API leverages SuperGlue to stream fraud notifications to a dedicated fraud-data staging table. See Fraud Data API Implementation Process for more details and to get started working with CCCTC Enabling Services.
Below is a diagram of the API processes leveraged by SuperGlue and the College Adaptor.
Querying Fraud Data Directly Via the API
In addition to the streaming of fraud reports via the SuperGlue College Adaptor, the API also facilitates the ability to query the fraud table directly using a CCCID, an AppID, or an authorized MIS code (withRecipientMisCode). A successful response is returned if the CCCID used in the query matches any other application(s) submitted to the authorized MIS code. The process for querying the API directly is described in the Querying Fraud Report Data section of this guide.
Authorized access via the API is restricted by college or district MIS code, which is set as the default attribute in the API account. Multi-college districts will have a default MIS code as well, but may also be granted authorization for additional MIS codes for individual colleges in their district. API accounts are set up by the CCCTC and provided to the college during the implementation process.
The SuperGlue Fraud Reporting Data API Schema
The schema is one of the most important concepts when working with GraphQL API. It specifies the capabilities of the API, the shape of the available data, and the specific queries and mutation functions that can be used to read, write, and make web requests of a GraphQL server.
The SuperGlue Fraud Reporting data API schema defines the query-type operations currently available to execute. The FraudReportSubmit mutation type provides the operation and data structure for submitting a fraud report to the CCCTC for a CCCApply Application (AppID) or a student ID (CCCID). The FraudReportQuery operation provides the structure for retrieving fraud data via the API.
The schema details everything needed to construct and execute the FraudReportSubmit operation, including the required input argument, input fields, and the payload response via an API development tool such as Postman, cURL, PowerShell, Python, Java, etc. Any of these development tools will provide the mechanism needed to make this API web request.
API Documentation, Tools, and Sandbox
One of the benefits of the CCCTC API is its ability to be self-documenting. This means that when an interactive tool like GraphiQL is used, users are able to explore what data is exposed by this API, including the fields, types, and more. Users can also explore the data through the description field, which provides supplementary notes about the endpoint.
In most cases, this provides a clear understanding of the API. However, to better understand and visualize the SuperGlue Fraud Reporting data API, the complete schema documentation and the ability to explore, test, and validate the primary API calls is provided via a Sandbox tool as well as operation templates provided by the CCCTC.
The CCCTC API sandbox supports all operation types and allows you to explore the SuperGlue Fraud Reporting Data API schema documentation.
Explore the API in the CCCTC Sandbox
Access to the SuperGlue Fraud Reporting data API schema is available in the CCCTC API Sandbox to college IT staff for:
exploration of the schema and metrics
API development and testing of the Fraud Report operations
documentation of the Fraud Report operations
Contact CCCTC Enabling Services for links and access to the sandbox.
By providing districts direct access to the SuperGlue Fraud Reporting data API schema, the CCCTC has provided colleges with the ability to create and generate a user interface of their own. Such an interface could, for example, be used to implement a more automated process for dealing with fraud application data. Or colleges can simply use Postman and the files configured for the SuperGlue Fraud Reporting data API that are provided, to educate themselves on the API’s functionality and/or visualize the data structure.
Using Postman with the SuperGlue Fraud Reporting Data API
CCCTC recommends using Postman for interacting with the Bi-Directional Fraud Data API. The Postman client (configured with ready-to-use templates provided by the CCCTC) allows colleges that may not have the immediate resources or technical skills to integrate with the API initially to submit fraud reports and query the fraud database efficiently in order to participate in the fraud data reporting effort.
Links to install Postman, as well as the custom templates for submitting and querying fraud reports and the user authorization credentials are provided to the college during the implementation process. For more information on using Postman, see Using Postman with the Fraud Data API or contact CCCTC Enabling Services.
Postman is a testing platform designed to “easily explore, debug, and test your complex API requests for HTTP, REST, SOAP, GraphQL, and WebSockets. The Postman client also includes built-in support for authentication protocols like OAuth 1.2/2.0, AWS Signature, Hawk, and more.” Learn more in the Postman Learning Center.
College Implementation Process
To get started with the SuperGlue Fraud Reporting data API, an authorized college or district IT engineer with a good understanding of API technology, must contact the CCCTC Enabling Services team to schedule a checklist meeting.
Below is an overview of the process:
Contact the CCCTC Enabling Services team to obtain your API account and credentials.
Integrate with the SuperGlue Fraud Reporting data API.
Install Postman tool and import templates (optional, but recommended).
Or, set up standard templates in preferred API tool (Python, cURL, Powershell, Ruby, Node, Java, etc.).
Install the Fraud Report staging table and deploy the latest version of the College Adaptor to receive a live stream of fraud notifications, or use the Fraud Report Query to receive a list of fraud notifications.
Click here for more information about the Fraud Data API Implementation Process.
Authorized Access Accounts
During the implementation process, one or more user accounts will be created for your college or district by a CCCTC implementation engineer. The account will be configured with the appropriate roles and attributes, and secured to the MIS codes authorized for the specific user. Users from multi-college districts may be authorized to submit and query fraud reports for all or some of the individual colleges in their district. Single-college districts will be restricted to their single-college MIS code.
More information is provided to the district during the SuperGlue Fraud Reporting Data API Implementation Process overview meeting with CCCTC Enabling Services.
Bi-Directional Fraud Data API Operations
Recommended: Non-technical college staff are encouraged to use Postman for ad hoc fraud reporting and queries. Ask your Enabling Services ICE engineer for more information about Using Postman with the SuperGlue Fraud Reporting data API.
Getting the API Access Token
With your API account created with the proper credentials in place, use the request below to return a JSON block including an “access_token” field. This token becomes the Bearer required in the Authorization head for secured requests to the API. (Reminder: Your API account is provided by the CCCTC during the implementation process.)
curl --location --request POST 'PLACE_AUTHENTICATION_ENDPOINT_URL_HERE' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'username=PLACE_PLAINTEXT_USERNAME_HERE' \
--data-urlencode 'password=PLACE_PLAINTEXT_PASSWORD_HERE' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id=fraudReporting'Note: In the example above, the token request is made using cURL; however, any API tool can be used, such as Python, PowerShell, Ruby, Node, Java, etc.
Getting Your Access Token Using Postman
Once Postman is installed and the Fraud Report Postman Collection and the Fraud Report Postman Environment files have been imported and configured with your API account credentials and environment specifications, the process for generating and refreshing your access token is managed on the Fraud Report OAuth tab. Once generated, Postman will automatically store the token as the Bearer in the Authorization head for all secured API requests.
A primary function of the API is to facilitate the process of automating the submission of suspected or identified fraudulent admission applications to the CCCTC for use in combating system-wide fraud.
Submitting a Fraud Report
The schema defines the process for submitting fraud information to the CCCTC as the FraudReportSubmit operation. Specifications for this operation are documented in the CCCTC API Sandbox.
In general terms, the components of this operation are basic. The root of the FraudReportSubmit operation is a mutation type object that has a required Input argument (FraudReportSubmitInput) where at least one input variable field must be provided and a custom payload response is defined (FraudReportSubmitPayload). For the majority of fraud report submissions, only the CCC ID (CCCID) is needed, although additional input fields may also be added to the operation.
The FraudReportSubmit Operation
Below is an example of a basic FraudReportSubmit operation built with a template in the CCCTC API sandbox.
| In the Operation section, the root mutation, FraudReportSubmit, has been selected with the default FraudReportSubmitPayload fields displayed. In the Documentation column, the Input argument - FraudReportSubmitInput - is selected and expanded showing the fields that can be used for the required input. In the Variables table, the Before submitting the request, a value should be entered in the “appId” input field (as shown below).  |
The Documentation tab (in the sandbox) enables you to step into the Fraud Data API schema, beginning at one of its entry points. Click the ⊕ button next to any field in the Documentation tab to add that field to the operation editor, at your current path. By default, the Explorer automatically generates variables for that field's arguments
Reminder: The user’s API account is configured with their default authorized MIS code(s), which is identified in the access token that becomes part of the request heading. The appId value entered must be a legitimate application corresponding to the authorized MIS code or the request will return an error.
In this operation, the mutation has a required input argument (FraudReportSubmitInput) that specifies which data fields will be included in the submission.
Learn how to use an Input object type in a GraphQL mutation operation.
For multi-college district accounts, the operation should be modified to also include the “reportedByMisCode” field in the input argument to specify which college in the district the fraudulent application ( The default MIS code for a single college district is passed automatically in the token, so it does not need to be included as a variable in the input argument. |  |
The schema provides everything needed to construct and execute the FraudReportSubmit operation, including the required input argument, Input fields, and the payload response using an API dev tool such as cURL, PowerShell, Node, Python, Java, etc.
To export the FraudReportSubmit operation, or a variation of that template, click the three dots in the Operation section to display the context menu.
With a basic understanding of the operation and appropriate credentials and configured attributes, an API user has everything they need to effectively format a proper web request using an application development tool such as cURL, Python, Node, PowerShell, etc.
The example below shows how to submit a formatted web request for a fraud report for application id (AppID) 34110.
curl --location --request POST 'PLACE_CCCTC_API_URL_HERE'
--header 'Authorization: Bearer PLACE_AUTHORIZATION_TOKEN_HERE'
--header 'Content-Type: application/json'
--data-raw '{"query":"mutation FraudReportSubmit($input: FraudReportSubmitInput!) {\n FraudReportSubmit(input: $input) {\n cccId\n appId\n fraudType\n }\n}\n","variables":{"input":{"appId":34110}}}'Reminder: The access token code is entered as the Bearer token required in the Authorization head for secured requests to the API. The access token includes the user credentials and the reporting college’s MIS code.
Below is an example of a successful reply:
{
"data": {
"FraudReportSubmit": {
"cccId": "AAA6198",
"appId": 34110,
"fraudType": "APPLICATION"
}
}
}
Using Postman to Submit a Fraud Report
To support users who may not have the programming experience to build and submit a web request from a schema, Postman can be used for submitting fraud reports. Please reach out to CCCTC Enabling Services for more information about using Postman with CCCTC APIs.
Receiving Fraud Notifications to a Staging Table
One objective of the fraud reporting project is to leverage SuperGlue and the College Adaptor to implement more automated processes for bi-directional sharing of fraud information between colleges. CCCTC is able to broadcast notifications of reported bad actors to any other colleges that have also received applications from the same CCCID.
When this happens, a new Fraud Report is pushed to a dedicated staging table (for each college) via the SuperGlue College Adaptor. Each notification will identify the suspect CCCID and the application ID(s) (AppID), a timestamp for the fraud report, and the reporting college’s MIS code (reportedByMisCode).
In addition to sending notifications to the staging table, the SuperGlue Fraud Reporting system (or data API) also updates the fraud_status field in the CCCApply database. The fraud_status is set as follows in the CCCApply database:
5(CONFIRMED_FRAUD): For fraud report submissions
6(CONFIRMED_NOT_FRAUD): For fraud rescind actions
Update Your College Adaptor for the Fraud Data API - Please see the SuperGlue Fraud Reporting Data API Implementation Process page for integration details.
Querying Fraud Report Data
Colleges may query fraud data information for an authorized MIS code directly using the SuperGlue Fraud Reporting data API. The schema specifies this operation as the FraudReportQuery type query, which is an interface for retrieving a Fraud Report object consisting of a multi-field payload for an individual student and/or application.
The CCCTC API provides colleges the power to ask for exactly which fields they need to be given to them. Such queries always return predictable results. Apps using this API are relatively fast because they control the amount of data they get (as opposed to the server returning additional unneeded data).
The FraudReportQuery Operation
The schema describes the FraudReportQuery as a Query type object that requires at least one of three different input-object variations as part of the API call operation. Each variation has a specific input argument (variable) that can be customized to retrieve all of the FraudReport data fields in the payload response. The input variations can be used alone or in combination with each other as part of the operation.
The three query variations are:
Use this operation… | that requires the… | to… |
|---|---|---|
FraudReportQuery.withRecipientMisCode | “RecipientMisCode” field as the input variable | Return a list of FraudReport objects for a specified MIS code. |
FraudReportQuery.withAPPID | “AppId” field as the input variable | Return FraudReport objects for a specific student Application. |
FraudReportQuery.withCCCID | “CCCID” field as the input variable | Return FraudReport objects for a specific student CCCID. |
To better understand the syntax for these variable definitions, it is useful to learn the GraphQL schema language, explained in detail on the Schema page.
From Root, select Query > FraudReportQuery | Configure the Query Operation | Select fields for the expected response. |
|---|---|---|
Below is an example of the three query inputObject variations. | Below is an example of the “withCCCID” inputObject query selected. | Fields can be selected individually from the FraudReport object. |
 |  |  |
The majority of multi-college districts will find the “withRecipientMisCode” query to be the most useful and commonly used variation for retrieving information on fraudulent applications submitted to one or more colleges in their district MIS code.
Below is an example of a request using the FraudReportQuery:withRecipientMisCode query where one or more additional input variables are being used in addition to the “recipientMisCode.”
curl --location --request POST 'PLACE_CCCTC_API_URL_HERE' \
--header 'Authorization: Bearer PLACE_AUTHORIZATION_TOKEN_HERE' \
--header 'Content-Type: application/json' \
--data-raw '{"query":"query FraudReportQuery {\n FraudReportQuery {\n withRecipientMisCode {\n submitTimestamp\n cccId\n reportedByMisCode\n recipientMisCode\n appId\n fraudType\n }\n }\n}","variables":{}}'Below is an example of the expected response.
{
"data": {
"FraudReportQuery": {
"withRecipientMisCode": [
{
"submitTimestamp": "2022-10-07T21:15:37.000Z",
"cccId": "AAA0002",
"reportedByMisCode": "ZZ2",
"recipientMisCode": "ZZ1",
"appId": 4,
"fraudType": "APPLICATION"
}
]
}
}
}Reminder: The user’s access token should be entered alongside the Bearer required in the Authorization header for secured requests to the API.
Below is an example of the FraudReportQuery:withRecipientMisCode operation configured in the CCCTC API sandbox.
Reminder: The purpose of the SuperGlue Fraud Reporting data API is to provide colleges the ability to integrate their internal systems in order to streamline their own fraud reporting processes.
Copying & Exporting Query Operations
The fastest and easiest way to create the other query variations to use in Postman is to modify the existing file in the CCCTC sandbox. The process below outlines the steps for creating a new query entry to your Fraud Report Postman collection which will allow you to make an API call using a CCCID or AppID.
To export the FraudReportQuery operation, or a configuration of the template, as defined in the schema in the sandbox, click the three dots in the Operation section to display the context menu for options.
Rescinding a Fraud Report
The schema defines the process for rescinding fraud information to the CCCTC as the FraudReportRescind operation. Specifications for this operation are documented in the CCCTC API Sandbox.
In general terms, the components of this operation are basic. The root of the FraudReportRescind operation is a mutation type of object that has a required input argument (FraudReportRescindInput) where at least one input variable field must be provided and a custom payload response is defined (FraudReportRescindPayload). For the majority of fraud report rescission, only the CCC ID (CCCID) is needed, additional input fields may also be added to the operation.
The FraudReportRescind Operation
Below is an example of a basic FraudReportRescind operation built with a template in the CCCTC API sandbox.
With a basic understanding of the operation and their API account with the appropriate credentials and configured attributes, an API user has everything they need to effectively format a proper web request using an application development tool such as cURL, Python, Node, PowerShell, etc.
The example below submits a formatted web request for rescinding a fraud report for application id (AppID) 34110.
curl --location --request POST 'PLACE_CCCTC_API_URL_HERE'
--header 'Authorization: Bearer PLACE_AUTHORIZATION_TOKEN_HERE'
--header 'Content-Type: application/json'
--data-raw '{"query":"mutation FraudReportRescind($input: FraudReportRescindInput!) {\n FraudReportRescind(input: $input) {\n cccId\n appId\n }\n}\n","variables":{"input":{"appId":34110}}}'Reminder: The access token code is entered as the Bearer token required in the Authorization head for secured requests to the API. The access token includes the user credentials and the reporting college’s MIS code.
Below is an example of a successful reply:
{
"data": {
"FraudReportRescind": {
"cccId": "AAA6198",
"appId": 34110
}
}
}Using Postman to Submit a Fraud Report
To support users who may not have the programming experience to build and submit a web request from a schema, Postman can be used for submitting fraud reports. Please reach out to CCCTC Enabling Services for more information about using Postman with CCCTC APIs.
Documentation & Supporting Resources
Item | Description | File / Link |
|---|---|---|
CCCTC API Sandbox | Fraud Data API Endpoint & Schema Documentation | Please reach out to CCCTC Enabling Services for more information about the API Sandbox and its location |
GraphQL API Documentation | (Official) Online Introduction to GraphQL API | |
About GraphQL | CCCTC-based Introduction to GraphQL API | |
Postman Documentation | Introduction to Postman / Documentation |