Encryption API

Overview

If you are unable to implement JWE encryption in your own systems, Figure provides an API endpoint that encrypts a JSON payload on your behalf using Figure's public key. The encrypted output is a standard JWE compact serialization string that can be used anywhere Figure expects encrypted data — for example, as a query parameter when redirecting a borrower to Figure.

Authentication

This endpoint uses the same authentication as all other Figure Partner API endpoints:

  • apikey header — Your API key, provided during onboarding.

See Getting Started for more information on required headers.

Request

URL
POST https://api.figure.com/encryption/v1/encrypt

Headers

| Header | Required | Description |
| --- | --- | --- |
| apikey | Yes | Your API key |
| Content-Type | Yes | Must be application/json |

Body

The request body is any valid JSON object representing the data you want to encrypt. For example, if you are encrypting inquiry prefill data:

Example Payload
{
  "applicant": {
    "name": {
      "firstName": "Jane",
      "lastName": "Doe"
    },
    "email": "jane.doe@example.com",
    "phone": "555-123-4567"
  },
  "property": {
    "address": {
      "street1": "123 Main St",
      "city": "Anytown",
      "state": "CA",
      "zip": "90210"
    }
  }
}

Example Request

cURL
curl -X POST https://api.figure.com/encryption/v1/encrypt \
  -H "apikey: <your-api-key>" \
  -H "Content-Type: application/json" \
  -d '{
    "applicant": {
      "name": { "firstName": "Jane", "lastName": "Doe" },
      "email": "jane.doe@example.com"
    }
  }'

Response

Response Payload
{
  "encrypted": "<JWE compact serialization string>"
}

The encrypted field contains a JWE compact serialization string (five base64url-encoded segments separated by periods). See JSON Web Encryption (JWE) for details on the JWE format.

Usage with Inquiry Prefill

The primary use case for this endpoint is encrypting borrower data before passing it as a URL parameter. After receiving the encrypted response, include the value as a query parameter when redirecting the borrower:

Redirect URL
https://apply.figure.com/heloc?inquiry=eyJhbGciOiJSU0EtT0FFUC0yNTYiLC...

This prevents sensitive borrower data from appearing in plaintext in URLs and server logs.
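
An added example, not Figure's own code: a Python client for the flow above that calls the endpoint, checks that the returned value has the five-segment JWE compact shape described under Response, and only then builds the redirect URL, so a malformed or plaintext value never reaches a URL. The FIGURE_API_KEY environment variable, the function names and the sample token (including its header values) are assumptions made for illustration.

```python
import base64, json, os, re, urllib.parse, urllib.request

ENCRYPT_URL = "https://api.figure.com/encryption/v1/encrypt"  # from the page
APPLY_URL = "https://apply.figure.com/heloc"                  # from the page
B64URL = re.compile(r"[A-Za-z0-9_-]*")


def encrypt_payload(payload: dict, timeout: float = 10.0) -> str:
    """POST the payload to the encryption endpoint; return the JWE string."""
    req = urllib.request.Request(
        ENCRYPT_URL,
        data=json.dumps(payload).encode(),
        # FIGURE_API_KEY is an assumed variable name; keep the key out of source.
        headers={"apikey": os.environ["FIGURE_API_KEY"],
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["encrypted"]


def check_jwe_compact(token: str) -> dict:
    """Return the decoded protected header, or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 5 or not all(B64URL.fullmatch(p) for p in parts):
        raise ValueError("not five base64url segments")
    if not parts[0] or not parts[3]:
        raise ValueError("empty header or ciphertext segment")
    padded = parts[0] + "=" * (-len(parts[0]) % 4)
    try:
        header = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("protected header is not base64url JSON") from exc
    if not isinstance(header, dict) or not {"alg", "enc"} <= header.keys():
        raise ValueError("protected header lacks alg or enc")
    return header


def build_redirect(token: str) -> str:
    """Fail closed: only a structurally valid JWE is placed in the URL."""
    check_jwe_compact(token)
    return APPLY_URL + "?" + urllib.parse.urlencode({"inquiry": token})


def sample_token() -> str:
    """Constructed stand-in for an API response (not real ciphertext)."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = b'{"alg":"RSA-OAEP-256","enc":"A256GCM"}'  # constructed values
    return ".".join(enc(s) for s in (header, b"k" * 32, b"i" * 12, b"c" * 24, b"t" * 16))
```

The check is structural only: the token is encrypted to Figure's public key, so the caller cannot decrypt it to confirm its contents.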

Error Responses

| Scenario | HTTP Status | Description |
| --- | --- | --- |
| Missing or invalid API key | 401 | The apikey header is missing or invalid |
| Invalid JSON body | 400 | The request body is not valid JSON |
| Server error | 500 | An unexpected error occurred during encryption |