SWYCH U API
https://swychu.com/api
The SWYCH U API allows authorized partners to provision and manage member accounts on the SWYCH U platform. All requests are made over HTTPS to https://swychu.com and return JSON responses.
This reference covers the partner integration endpoints as well as the affiliate tracking URL used to attribute new registrations to a partner.
Authentication
All API endpoints require an apikey field in the request body. This key is issued per partner and must be included with every request.
Requests with a missing or invalid API key are rejected and logged. There is no rate limiting beyond normal server capacity, but repeated invalid-key attempts will be flagged.
POST /api/partner/enroll
Content-Type: application/json
{
  "apikey": "YOUR_API_KEY",
  ...
}
/api/partner/enroll
Provisions a new member account, re-activates an existing member's subscription, or creates an order for an existing member who is already in the system. The behavior depends on whether a matching email address already exists and whether the course field is included.
Request Body
| Field | Type | Description |
|---|---|---|
| apikey (required) | string | Your partner API key. |
| first_name (required) | string | Member's first name. Max 50 characters. |
| last_name (required) | string | Member's last name. Max 50 characters. |
| email (required) | string | Member's email address. Max 50 characters. Used as the unique identifier — if a member with this email already exists, the enrollment logic updates the existing account rather than creating a new one. |
| phone (required) | string | Phone number in E.164 format. Must begin with +1. Max 20 characters. Example: +15551234567 |
| country (required) | string | Member's country. Max 50 characters. Example: US |
| language (required) | string | ISO 639-1 language code. Max 3 characters. Example: en |
| password (required) | string | The member's initial password. Stored as a bcrypt hash. Ignored on re-enrollment of an existing account. |
| course | string | The course to provision access to. Accepted values:
Omit this field to renew an existing subscription without changing course access (re-activation only). When omitted, the member must already exist in the system. |
Behavior
Example Request
POST https://swychu.com/api/partner/enroll
Content-Type: application/json
{
  "apikey": "YOUR_API_KEY",
  "first_name": "Jane",
  "last_name": "Smith",
  "email": "[email protected]",
  "phone": "+15551234567",
  "country": "US",
  "language": "en",
  "password": "SecurePassword123",
  "course": "helocu"
}
Example Responses
{
  "result": "success",
  "message": ""
}

{
  "result": "error",
  "message": "invalid api key"
}

{
  "result": "error",
  "message": "missing first_name"
}
/api/partner/downgrade
Deactivates a member's SWYCH U subscription. The member record is retained but their access is cancelled. Only members originally provisioned through the partner API can be downgraded via this endpoint.
Request Body
| Field | Type | Description |
|---|---|---|
| apikey (required) | string | Your partner API key. |
| email (required) | string | Email address of the member to deactivate. |
Example Request
POST https://swychu.com/api/partner/downgrade
Content-Type: application/json
{
  "apikey": "YOUR_API_KEY",
  "email": "[email protected]"
}
Example Responses
{
  "result": "success",
  "message": ""
}

{
  "result": "error",
  "message": "no member record found for: [email protected]"
}

{
  "result": "error",
  "message": "[email protected] member record not associated to this partner"
}
/ref
This is not an API endpoint in the traditional sense — it's a redirect URL used to hand off a prospect from a partner platform to SWYCH U. When visited, it verifies the request signature, drops a first-party affiliate tracking cookie (rid) in the visitor's browser, and immediately redirects them to the appropriate page on swychu.com.
The cookie persists for 180 days. Any account created on SWYCH U while this cookie is active will be attributed to your affiliate ID. Requests without a valid HMAC signature are silently rejected — the visitor is redirected to the home page and no cookie is set.
Access is restricted to approved referring domains. The HMAC signing secret (REF_HMAC_SECRET) is provisioned by SWYCH U on a per-partner basis. A partner domain cannot generate valid signed URLs until SWYCH U has approved the integration and issued the shared secret. This ensures that affiliate attribution cannot be claimed by any domain that has not been explicitly authorized.
Query Parameters
| Parameter | Type | Description |
|---|---|---|
| rid (required) | integer | Your numeric affiliate/referral ID. Stored in the tracking cookie and attributed to new sign-ups. |
| return | string | The page to redirect the prospect to. Accepted values:
If omitted, defaults to the login page. |
| email | string | The prospect's email address. If provided, the email field on the destination page will be pre-filled. Must be URL-encoded. Also included in the HMAC signature — use an empty string in the signature message if omitting this param. |
| ts (required) | integer | Unix timestamp (seconds) at the moment the URL was generated. Signatures are valid for 15 minutes from this time. |
| sig (required) | string | HMAC-SHA256 hex digest. See Signature Generation below. |
Example URLs
Send a prospect directly to the sign-up form with email pre-filled (most common use):
https://swychu.com/ref?rid=123456789&return=signup&email=jane%40example.com&ts=1710000000&sig=<hmac>
Send a prospect to the sign-up form without a known email:
https://swychu.com/ref?rid=123456789&return=signup&ts=1710000000&sig=<hmac>
Send a prospect to a course page:
https://swychu.com/ref?rid=123456789&return=heloc&ts=1710000000&sig=<hmac>
Signature Generation
The signature is an HMAC-SHA256 digest of the message `${rid}:${ts}:${email}`, where email is an empty string if not included in the URL. The output is the full 64-character lowercase hex digest. A fresh ts must be generated for each URL — signatures expire after 15 minutes.
PHP
$secret = 'YOUR_SHARED_SECRET'; // same value as REF_HMAC_SECRET on SWYCH U
$rid = 123456789; // affiliate's rid
$email = '[email protected]'; // prospect's email, or '' if unknown
$return = 'signup'; // signup | login | heloc | crypto | banku | basics | ebook
$ts = time();
$msg = $rid . ':' . $ts . ':' . strtolower(trim($email));
$sig = hash_hmac('sha256', $msg, $secret);
$url = 'https://swychu.com/ref'
    . '?rid=' . urlencode($rid)
    . '&return=' . urlencode($return)
    . '&ts=' . $ts
    . '&sig=' . $sig
    . ($email ? '&email=' . urlencode(strtolower(trim($email))) : '');
JavaScript / Node.js
import { createHmac } from "crypto";
const secret = process.env.REF_HMAC_SECRET;
const rid = 123456789;
const email = "[email protected]"; // or "" if unknown
const ret = "signup";
const ts = Math.floor(Date.now() / 1000);
const msg = `${rid}:${ts}:${email.trim().toLowerCase()}`;
const sig = createHmac("sha256", secret).update(msg).digest("hex");
const url = `https://swychu.com/ref?rid=${rid}&return=${ret}&ts=${ts}&sig=${sig}`
  + (email ? `&email=${encodeURIComponent(email.trim().toLowerCase())}` : "");
Cookie Details
The rid cookie is set on .swychu.com and shared between swychu.com and www.swychu.com. It is httpOnly (not readable by JavaScript) and expires after 180 days.
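The /ref checks described under Signature Generation (HMAC over rid:ts:email, 15-minute window), written from the verifying side so a partner can test its own signed URLs before sending traffic. This is an added example, not SWYCH U's code; the function names, the constructed secret and sample values, and the rejection of timestamps in the future are assumptions.

```javascript
// Added example, not SWYCH U's implementation: verifying a signed /ref URL.
const { createHmac, timingSafeEqual } = require("node:crypto");

const MAX_AGE_SECONDS = 15 * 60; // signature lifetime stated on the page

// Message format from the page: `${rid}:${ts}:${email}`, email "" when absent.
function refSignature(secret, rid, ts, email = "") {
  const msg = `${rid}:${ts}:${email.trim().toLowerCase()}`;
  return createHmac("sha256", secret).update(msg).digest("hex");
}

// Returns { ok, reason }. `now` (Unix seconds) is injectable for testing.
// `return` is not part of the signed message, so it plays no role here.
function verifyRefUrl(url, secret, now = Math.floor(Date.now() / 1000)) {
  const q = new URL(url).searchParams; // values come back URL-decoded
  const rid = q.get("rid") || "";
  const ts = q.get("ts") || "";
  const sig = q.get("sig") || "";
  const email = q.get("email") || "";

  if (!/^\d+$/.test(rid) || !/^\d+$/.test(ts)) {
    return { ok: false, reason: "malformed rid or ts" };
  }
  // Full 64-character lowercase hex digest, as the page specifies.
  if (!/^[0-9a-f]{64}$/.test(sig)) {
    return { ok: false, reason: "malformed sig" };
  }
  const age = now - Number(ts);
  // Assumption: a ts in the future is rejected as well as one older than 15 min.
  if (age < 0 || age > MAX_AGE_SECONDS) {
    return { ok: false, reason: "ts outside validity window" };
  }
  // Constant-time comparison; both buffers are 32 bytes after the pattern check.
  const expected = Buffer.from(refSignature(secret, rid, ts, email), "hex");
  if (!timingSafeEqual(expected, Buffer.from(sig, "hex"))) {
    return { ok: false, reason: "bad signature" };
  }
  return { ok: true, reason: "" };
}

// Constructed sample: a plus-addressed email must be percent-encoded in the URL.
const demoSecret = "constructed-test-secret"; // placeholder, not a real secret
const demoTs = 1710000000;
const demoEmail = "jane+promo@example.com";
const demoUrl = "https://swychu.com/ref?rid=123456789&return=signup"
  + `&ts=${demoTs}&sig=${refSignature(demoSecret, 123456789, demoTs, demoEmail)}`
  + `&email=${encodeURIComponent(demoEmail)}`;
console.log(verifyRefUrl(demoUrl, demoSecret, demoTs + 60)); // fresh URL
console.log(verifyRefUrl(demoUrl, demoSecret, demoTs + 901)); // past 15 minutes
```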
Response Format
All API responses return HTTP 200 with a JSON body. The result field indicates the outcome. Inspect this field — do not rely solely on the HTTP status code.
{
  "result": "success" | "error",
  "message": "" // empty string on success; error description on failure
}
Common Error Messages
| message | Cause |
|---|---|
| invalid api key | The apikey field is missing or does not match the key on file. |
| missing <field> | A required field was not included in the request body. |
| <field> value exceeds N characters | A field's value is longer than the maximum allowed length. |
| phone value is not in E.164 format | Phone number does not begin with +1. |
| no member record found | Downgrade or renewal attempted for an email not in the system. |
| <email> member record not associated to this partner | Downgrade attempted for a member provisioned outside the partner API. |
| <email> was not previously upgraded | Downgrade attempted for a member with no active subscription. |
| server error | An unexpected server-side error occurred. |
SWYCH U © 2026 · API v1
