This document is intended as a reference manual for customers migrating Authentication Web to the new platform API.
It provides an overview of the significant changes in the new client and describes the adjustments that will be needed to be made to your implementation to use the new platform API.
The Jumio KYX Platform API allows you to manage your user journeys. It allows you to create and update accounts for your users, prompt them to provide data such as a photo ID and selfie, and get identity verification results in real time so you can complete their onboarding.
The KYX Platform API is user-based and highly flexible, allowing various workflows that can be easily combined into a single user journey. Each workflow defines a single transaction executing a series of specific tasks, such as data extraction and a liveness check. Multiple workflows can be executed on the same account.
The following diagram shows several possible workflows:
- Account Creation
- Account Update
- Data Acquisition
- Finalization
Reach out to Jumio Support for creating a test account which helps to run tests and play around with the new architecture.
API calls are protected using either HTTP Basic Authentication or OAuth2.
The Account Management Service initiates the acquisition process and returns:
- either a JSON Web Token (JWT), which can be used to authenticate to the Jumio backend system to use with the SDK
- or Redirect-URLs, which can be used to upload documents using the other channels
| ℹ️ Some functionalities described in this document might be unavailable, depending on the scope of your license with Jumio. Contact your Jumio Solutions Engineer if you have any questions. |
|---|
At the moment, your Basic Auth credentials are constructed using your API token as the User ID and your API secret as the password. You can view and manage your API token and secret in the Customer Portal under:
- Settings > API credentials > API Users
Your new OAuth2 credentials are constructed using your API token as the Client ID and your API secret as the Client secret. You can view and manage your API token and secret in the Customer Portal under:
- Settings > API credentials > OAuth2 Clients
Client ID and Client secret are used to generate an OAuth2 access token. OAuth2 has to be activated for your account. Contact your Jumio Account Manager for activation.
- US:
https://auth.amer-1.jumio.ai/oauth2/token - EU:
https://auth.emea-1.jumio.ai/oauth2/token - SG:
https://auth.apac-1.jumio.ai/oauth2/token
Note: Never share your API token, API secret, or OAuth2 credentials with anyone — not even Jumio Support!
The TLS Protocol is required to securely transmit your data, and we strongly recommend using the latest version. For information on cipher suites supported by Jumio during the TLS handshake see supported cipher suites.
Note: Calls with missing, incorrect or suspicious headers or parameter values will result in HTTP status code 400 Bad Request Error or 403 Forbidden.
curl --request POST --location 'https://auth.amer-1.jumio.ai/oauth2/token' \
--header 'Accept: application/json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-raw 'grant_type=client_credentials' \
--basic --user CLIENT_ID:CLIENT_SECRET
{
"access_token": "YOUR_ACCESS_TOKEN",
"expires_in": 3600,
"token_type": "Bearer"
}
Your OAuth2 access token is valid for 60 minutes. After the token lifetime is expired, it is necessary to generate a new access token.
As soon as the workflow (transaction) starts, a 15 minutes session timeout starts. For each action performed (capture image, upload image) the session timeout will reset, and the 15 minutes will start again.
A token timeout can be configured via the Jumio Customer Portal and can be overwritten using the API call. Within this token lifetime the token can be used to initialize the SDK, API or Web journey.
Currently, only new enrolments that are created in the new architecture can be used for the Next-Generation Authentication.
Use one of the following workflows to enroll a new transaction. Create a new account for a new end-user or use the update account API if the end-user already exists.
- Workflow 3: ID and Identity Verification
- Workflow 6: Standalone Liveness
This workflow verifies a photo ID document and returns a) whether that document is valid, and b) data extracted from that document. It also compares the user's face with the photo on the ID and performs a liveness check to ensure the person is physically present.
- ID
- Selfie
- Facemap
- ID
- Selfie
- Facemap
- Identity Verification must be enabled for your account. (Contact your Jumio account manager for activation.)
- Allowed channels: SDK, WEB
HTTP Request Method: POST
- US:
https://account.amer-1.jumio.ai/api/v1/accounts - EU:
https://account.emea-1.jumio.ai/api/v1/accounts - SG:
https://account.apac-1.jumio.ai/api/v1/accounts
Request:
curl --request POST --location 'https://account.amer-1.jumio.ai/api/v1/accounts' \
--header 'Content-Type: application/json' \
--header 'User-Agent: User Demo' \
--header 'Authorization: Bearer
YOUR_ACCESS_TOKEN' \
--data-raw '{
"customerInternalReference": "CUSTOMER_REFERENCE",
"workflowDefinition": {
"key": 3,
"credentials": [
{
"category": "ID",
"type": {
"values": ["DRIVING_LICENSE", "ID_CARD", "PASSPORT"]
},
"country": {
"values": ["USA", "CAN", "AUT", "GBR"]
}
}
]
},
"callbackUrl": "YOUR_CALLBACK_URL",
"userReference": "YOUR_USER_REFERENCE",
}'
Response:
{
"timestamp": "2021-05-19T14:55:08.187Z",
"account": {
"id": "11111111-1111-1111-1111-aaaaaaaaaaaa"
},
"web": {
"href": "https://mycompany.web.amer-1.jumio.ai/web/v4/app?authorizationToken=xxx&locale=es"
},
"sdk": {
"token": "xxx"
},
"workflowExecution": {
"id": "22222222-2222-2222-2222-aaaaaaaaaaaa",
"credentials": [
{
"id": "33333333-3333-3333-aaaaaaaaaaaa",
"category": "ID",
"allowedChannels": [
"WEB",
"SDK"
]
},
{
"id": "33333333-3333-3333-bbbbbbbbbbbb",
"category": "FACEMAP",
"allowedChannels": [
"WEB",
"SDK"
]
},
{
"id": "33333333-3333-3333-cccccccccccc",
"category": "SELFIE",
"allowedChannels": [
"WEB",
"SDK"
]
}
]
}
}
HTTP Request Method: PUT
- US:
https://account.amer-1.jumio.ai/api/v1/accounts/<accountId> - EU:
https://account.emea-1.jumio.ai/api/v1/accounts/<accountId> - SG:
https://account.apac-1.jumio.ai/api/v1/accounts/<accountId>
Request:
curl --request POST --location 'https://account.amer-1.jumio.ai/api/v1/accounts/11111111-1111-1111-1111-aaaaaaaaaaaa' \
--header 'Content-Type: application/json' \
--header 'User-Agent: User Demo' \
--header 'Authorization: Bearer
YOUR_ACCESS_TOKEN' \
--data-raw '{
"customerInternalReference": "CUSTOMER_REFERENCE",
"workflowDefinition": {
"key": 3,
"credentials": [
{
"category": "ID",
"type": {
"values": ["DRIVING_LICENSE", "ID_CARD", "PASSPORT"]
},
"country": {
"values": ["USA", "CAN", "AUT", "GBR"]
}
}
]
},
"callbackUrl": "YOUR_CALLBACK_URL",
"userReference": "YOUR_USER_REFERENCE",
}'
Response:
{
"timestamp": "2021-05-19T14:55:08.187Z",
"account": {
"id": "11111111-1111-1111-1111-aaaaaaaaaaaa"
},
"web": {
"href": "https://mycompany.web.amer-1.jumio.ai/web/v4/app?authorizationToken=xxx&locale=es"
},
"sdk": {
"token": "xxx"
},
"workflowExecution": {
"id": "22222222-2222-2222-2222-aaaaaaaaaaaa",
"credentials": [
{
"id": "33333333-3333-3333-aaaaaaaaaaaa",
"category": "ID",
"allowedChannels": [
"WEB",
"SDK"
]
},
{
"id": "33333333-3333-3333-bbbbbbbbbbbb",
"category": "FACEMAP",
"allowedChannels": [
"WEB",
"SDK"
]
},
{
"id": "33333333-3333-3333-cccccccccccc",
"category": "SELFIE",
"allowedChannels": [
"WEB",
"SDK"
]
}
]
}
}
This workflow captures a user's face to verify that the person is physically present and not presenting a photo or other fake as their selfie.
- Selfie
- Facemap
- Selfie
- Facemap
- Identity Verification must be enabled for your account. (Contact your Jumio account manager for activation.)
- Allowed channels: SDK, WEB
HTTP Request Method: POST
- US:
https://account.amer-1.jumio.ai/api/v1/accounts - EU:
https://account.emea-1.jumio.ai/api/v1/accounts - SG:
https://account.apac-1.jumio.ai/api/v1/accounts
Request:
curl --location --request PUT 'https://account.amer-1.jumio.ai/api/v1/accounts' \
--header 'Content-Type: application/json' \
--header 'User-Agent: User Demo' \
--header 'Authorization: Bearer xxx' \
--data-raw '{
"customerInternalReference": "CUSTOMER_REFERENCE",
"workflowDefinition": {
"key": 6,
"credentials": []
}
}'
Response:
{
"timestamp": "2021-05-19T15:11:18.072Z",
"account": {
"id": "11111111-1111-1111-1111-aaaaaaaaaaaa"
},
"web": {
"href": "https://mycompany.web.amer-1.jumio.ai/web/v4/app?authorizationToken=xxx&locale=es"
},
"sdk": {
"token": "xxx"
},
"workflowExecution": {
"id": "22222222-2222-2222-2222-aaaaaaaaaaaa",
"credentials": [
{
"id": "33333333-3333-3333-aaaaaaaaaaaa",
"category": "FACEMAP",
"allowedChannels": [
"WEB",
"SDK"
]
},
{
"id": "33333333-3333-3333-bbbbbbbbbbbb",
"category": "SELFIE",
"allowedChannels": [
"WEB",
"SDK"
]
}
]
}
}
HTTP Request Method: PUT
- US:
https://account.amer-1.jumio.ai/api/v1/accounts/<accountId> - EU:
https://account.emea-1.jumio.ai/api/v1/accounts/<accountId> - SG:
https://account.apac-1.jumio.ai/api/v1/accounts/<accountId>
Request:
curl --location --request PUT 'https://account.amer-1.jumio.ai/api/v1/accounts/11111111-1111-1111-1111-aaaaaaaaaaaa' \
--header 'Content-Type: application/json' \
--header 'User-Agent: User Demo' \
--header 'Authorization: Bearer xxx' \
--data-raw '{
"customerInternalReference": "CUSTOMER_REFERENCE",
"workflowDefinition": {
"key": 6,
"credentials": []
}
}'
Response:
{
"timestamp": "2021-05-19T15:11:18.072Z",
"account": {
"id": "11111111-1111-1111-1111-aaaaaaaaaaaa"
},
"web": {
"href": "https://mycompany.web.amer-1.jumio.ai/web/v4/app?authorizationToken=xxx&locale=es"
},
"sdk": {
"token": "xxx"
},
"workflowExecution": {
"id": "22222222-2222-2222-2222-aaaaaaaaaaaa",
"credentials": [
{
"id": "33333333-3333-3333-aaaaaaaaaaaa",
"category": "FACEMAP",
"allowedChannels": [
"WEB",
"SDK"
]
},
{
"id": "33333333-3333-3333-bbbbbbbbbbbb",
"category": "SELFIE",
"allowedChannels": [
"WEB",
"SDK"
]
}
]
}
}
When you initiate the web client, the API returns the web.href that you use to display the web client to the end user. You can provide this URL in several ways:
- within an iFrame on your web page
- as a link on your web page that opens a new browser tab or window
- as a link shared securely with an end-user
- in a native webview
No change to embed the generated web.href from the new architecture. See the current Authentication for Web Implementation Guide for further information.
No change for recommended responsive breaking points. See the current Authentication for Web Implementation Guide for further information.
For a better user experience when creating a three-dimensional map of your user's face, you must allow full screen mode. This will address the positioning and distance between the capture interface and the camera.
allow="camera;fullscreen;accelerometer;gyroscope;magnetometer" allowfullscreen iFrame attributes must be included to enable biometric face capture in supported browsers. |
|---|
allow="camera" attribute must be added to every iFrame. |
|---|
<iframe src="https://yourcompany.netverify.com/web/v4/app?locale=en-GB&authorizationToken=xxx" width="70%" height="80%" allow="camera;fullscreen;accelerometer;gyroscope;magnetometer" allowfullscreen></iframe>
Setup and usage of the optional iFrame logging stays the same besides of some changes to a few properties in the event.data object listed below. See the current Authentication for Web Implementation Guide for further information about Optional iFrame logging.
Required items appear in bold type.
| New Property | Type | Description |
|---|---|---|
| accountId | string | UUID of the account |
Required items appear in bold type.
| Current Property | New Property | Type | Description |
|---|---|---|---|
| transactionReference | workflowExecutionId | string | Property has been renamed UUID of the workflow |
Required items appear in bold type.
| Property | Type | Description |
|---|---|---|
| authorizationToken | string | Authorization token, valid for a specified duration |
| customerInternalReference1 | string | Internal reference for a request to link it in the customer backend (must not contain any PII |
| eventType | integer | Type of event that has occurred. Possible values: • 510 (application state-change) |
| dateTime | string | UTC timestamp of the event in the browser Format: YYYY-MM-DDThh:mm:ss.SSSZ |
| payload | JSON object | Information specific to the event generated (see event.data.payload object) |
1 Values must not contain Personally Identifiable Information (PII) or other sensitive data such as email addresses.
No change for the event.data.payload object.
No change for the event.data.payload.metainfo object.
function receiveMessage(event) {
var data = window.JSON.parse(event.data);
console.log('ID Verification Web was loaded in an iframe.');
console.log('auth-token:', data.authorizationToken);
console.log('event-type:', data.eventType);
console.log('date-time:', data.dateTime);
console.log('workflow-execution-id:', data.workflowExecutionId);
console.log('account-id:', data.accountId);
console.log('customer-internal-reference:', data.customerInternalReference);
console.log('value:', data.payload.value);
console.log('metainfo:', data.payload.metainfo);
}
window.addEventListener("message", receiveMessage, false);No change for embedding Web within a WebView in your native mobile application. See the current ID Verification Implementation Guide for further information.
This workflow compares the facemap of a user to an already existing facemap that has already been captured.
The existing facemap must have been acquired during a previous workflow, e.g. Workflow 3 or Workflow 5.
- Selfie
- Facemap
- Selfie
- Facemap
- Identity Verification must be enabled for your account. (Contact your Jumio account manager for activation.)
- Account already exists,
<accountId>available - Facemap already on file, acquired through previous workflow
- Allowed channels: SDK, WEB
HTTP Request Method: POST
- US:
https://netverify.com/api/authentication/v1/web/initiate - EU:
https://lon.netverify.com/api/authentication/v1/web/initiate - SG:
https://core-sgp.jumio.com/api/authentication/v1/web/initiate
HTTP Request Method: PUT
- US:
https://account.amer-1.jumio.ai/api/v1/accounts/<accountId> - EU:
https://account.emea-1.jumio.ai/api/v1/accounts/<accountId> - SG:
https://account.apac-1.jumio.ai/api/v1/accounts/<accountId>
The request headers stay the same besides of the preferred Authorization method (Basic Authentication / OAuth2).
The following fields are required in the header section of your request:
Accept: application/json
Content-Type: application/json
Content-Length: see RFC-7230
Authorization: see RFC6749
User-Agent: YourCompany YourApp/v1.0
User-Agent value to reflect your business or entity name for API troubleshooting. |
|---|
| ℹ️ Calls with missing or suspicious headers, suspicious parameter values, or without OAuth2 will result in HTTP status code 403 Forbidden |
|---|
With this new architecture, we have begun the process of improving consistency across all of our APIs.
Some of the initiate API request fields have been retained, but have new names. We have also deprecated some fields and added a few new ones. Our changes are described below.
Required fields appear in bold type.
| Parameter | Type | Notes |
|---|---|---|
| workflowDefinition | object | Definition of the specific documents necessary to execute for the particular capabilities on them. |
| workflowDefinition.key | object | Key of the workflow definition which you want to execute. See Workflow Definition Keys |
| workflowDefinition.credentials | array (object) | Optional workflow definition object part to customize acquiring process and workflow process. Possible values: See workflowDefinition.credentials |
| web | object | Web parameters are only relevant for the WEB channel. |
| Parameter | Type | Max. Length | Notes |
|---|---|---|---|
| category | string | Possible values: • ID • FACEMAP • DOCUMENT • SELFIE |
|
| country | object | Possible values: • country.values |
|
| country.predefinedType | string | Possible values: • DEFINED (default: end user is not able to change country) • RECOMMENDED (country is preselected, end user is still able to change it) |
|
| country.values | array (string) | See possible values. | Define at least one ISO 3166-1 alpha-3 country code for the workflow definition. Possible values: • ISO 3166-1 alpha-3 country code |
| type | object | Possible values: • type.values |
|
| type.predefinedType | object | Possible values: • DEFINED (default: end user is not able to change document type) • RECOMMENDED (type is preselected, end user is still able to change it) |
|
| type.values | array (string) | See possible values. | Defined number of credential type codes. Possible values: • ID_CARD • DRIVING_LICENSE • PASSPORT • VISA |
Required fields appear in bold type.
| Current | New | Type | Max. Length | Changes |
|---|---|---|---|---|
| successUrl1 | web.successUrl2 | string | 255 | Parameter nested in web objectURL to which the browser will send the end-user at the end of a successful web acquisition user journey. |
| errorUrl1 | web.errorUrl2 | string | 255 | Parameter nested in web objectURL to which the browser will send the end-user at the end of a failed web acquisition user journey. |
| locale1 | web.locale2 | string | 5 | Parameter embedded in web object Renders content in the specified language. See supported locale values. |
| tokenLifetimeInMinutes | tokenLifetime | string | minimum: 5m, maximum: 60d, default: 30m |
Parameter has been renamed. Previously defined in minutes. Should be a valid date period unit definition: s - seconds m - minutes h - hours d - days Example: '1d' / '30m' / '600s' |
| enrollmentTransactionReference | workflowExecution.credentials.id | string | This parameter has been replaced with workflowExecution.credentials.id The credentials ID from the onboarding ID verification to be used for authentication. |
1 Overrides default setting from the Customer Portal.
Parameter web.locale can be used to render the content of the client in the specified language.
Hyphenated combination of ISO 639-1:2002 alpha-2 language code plus ISO 3166-1 alpha-2 country (where applicable).
| Value | Locale |
|---|---|
| ar | Arabic |
| bg | Bulgarian |
| cs | Czech |
| da | Danish |
| de | German |
| el | Greek |
| en | American English (default) |
| en-GB | British English |
| es | Spanish |
| es-MX | Mexican Spanish |
| et | Estonian |
| fi | Finnish |
| fr | French |
| he | Hebrew |
| hr | Croatian |
| hu | Hungarian |
| hy | Armenian |
| id | Indonesian |
| it | Italian |
| ja | Japanese |
| ka | Georgian |
| km | Khmer |
| ko | Korean |
| lt | Lithuanian |
| ms | Malay |
| nl | Dutch |
| no | Norwegian |
| pl | Polish |
| pt | Portuguese |
| pt-BR | Brazilian Portuguese |
| ro | Romanian |
| ru | Russian |
| sk | Slovak |
| sv | Swedish |
| th | Thai |
| tr | Turkish |
| vi | Vietnamese |
| zh-CN | Simplified Chinese |
| zh-HK | Traditional Chinese |
Required fields appear in bold type.
| Parameter | Type | Max. Length | Changes |
|---|---|---|---|
| userReference1 | string | 100 | No change Reference for the end user in the customer backend |
| callbackUrl2 | string | 255 | No change Definition of the callback URL for this particular request |
1 Values must not contain Personally Identifiable Information (PII) or other sensitive data such as email addresses.
2 Overrides default setting from the Customer Portal.
Unsuccessful requests will return the relevant HTTP status code and information about the cause of the error.
Successful requests will return HTTP status code 200 OK along with a JSON object containing the information described below.
| Parameter | Type | Notes |
|---|---|---|
| account | object | Possible values: • account.id |
| account.id | string | UUID of the account |
| sdk | object | Possible values: • sdk.token SDK parameters are only relevant for the SDK channel. |
| sdk.token | string | JWT token for performing any action SDK parameters are only relevant for the SDK channel. |
| workflowExecution | object | Possible values: • workflowExecution.id • workflowExecution.credentials |
| workflowExecution.credentials | array (object) | Credential response See workflowExecution.credentials |
| web.successUrl | string | URL to which the browser will send the end-user at the end of a successful web acquisition user journey. |
| web.errorUrl | string | URL to which the browser will send the end-user at the end of a failed web acquisition user journey. |
| Parameter | Type | Notes |
|---|---|---|
| id | string | UUID of the credentials |
| category | string | Credential category. Possible values: • ID • FACEMAP • DOCUMENT • SELFIE |
| country | object | Defined at least one ISO 3166-1 alpha-3 country code for the workflow definition. Possible values: • ISO 3166-1 alpha-3 country code |
| type | object | Defined number of credential type codes. Possible values: • ID_CARD • DRIVING LICENSE • PASSPORT • VISA |
| allowedChannels | array | Channels which can be used to upload particular credential Possible values: • WEB • API • SDK |
| api | object | Available actions for the API calls, actions can be omitted due to unavailability Possible values: • api.token api.parts • api.workflowExecution API parameters are only relevant for the API channel. |
| api.token | string | JWT token for performing any action for API API parameters are only relevant for the API channel. |
| api.parts | object | href to manage parts for the account credential Possible values: • FRONT • BACK • FACE API parameters are only relevant for the API channel. |
| api.workflowExecution | string | href to manage the acquisition and workflow processing API parameters are only relevant for the API channel. |
| Current | New | Type | Changes |
|---|---|---|---|
| timestamp | timestamp | string | No change. Timestamp (UTC) of the response. Format: YYYY-MM-DDThh:mm:ss.SSSZ |
| redirectUrl | web.href | string | Parameter has been renamed. URL used to load the ID Verification client. |
| transactionReference | workflowExecution.id | string | UUID of the workflow |
HTTP Request Method: PUT
- US:
https://account.amer-1.jumio.ai/api/v1/accounts/<accountId> - EU:
https://account.emea-1.jumio.ai/api/v1/accounts/<accountId> - SG:
https://account.apac-1.jumio.ai/api/v1/accounts/<accountId>
Request:
curl --location --request PUT 'https://account.amer-1.jumio.ai/api/v1/accounts/11111111-1111-1111-1111-aaaaaaaaaaaa' \
--header 'Content-Type: application/json' \
--header 'User-Agent: User Demo' \
--header 'Authorization: Bearer xxx' \
--data-raw '{
"customerInternalReference": "CUSTOMER_REFERENCE",
"workflowDefinition": {
"key": 9,
"credentials": [
{
"id": "33333333-3333-3333-aaaaaaaaaaaa",
"category": "ID"
},
{
"category": "FACEMAP"
}
]
}
}'
Response:
{
"timestamp": "2021-05-19T15:28:15.711Z",
"account": {
"id": "11111111-1111-1111-1111-aaaaaaaaaaaa"
},
"web": {
"href": "https://mycompany.web.amer-1.jumio.ai/web/v4/app?authorizationToken=xxx&locale=es"
},
"sdk": {
"token": "xxx"
},
"workflowExecution": {
"id": "22222222-2222-2222-2222-aaaaaaaaaaaa",
"credentials": [
{
"id": "33333333-3333-3333-bbbbbbbbbbbb",
"category": "FACEMAP",
"allowedChannels": [
"WEB",
"SDK"
]
},
{
"id": "33333333-3333-3333-cccccccccccc",
"category": "SELFIE",
"allowedChannels": [
"WEB",
"SDK"
]
}
]
}
}
Please refer to Implementation-Guide-Overview.pdf > Available Retrieval APIs.
A result overview page can be found in the Customer Portal under "Workflows".
© Jumio Corporation, 395 Page Mill Road, Suite 150 Palo Alto, CA 94306