PingOne Neo
PingOne Neo is a decentralized identity solution that gives control of identity data back to users. PingOne Neo empowers businesses to give their users full control over how they securely store and share verified credentials without unnecessary friction.
PingOne Neo also provides organizations with identity verification capabilities and the capability to issue credentials for users to store in their wallet app and verify user data with access to:
PingOne Credentials A self-service interface included to customize and issue verifiable digital credentials that users can store in their wallet app with no code required.
PingOne Neo Native SDK Embed personal identity using the SDK into a service to issue digital cards to users and let them store verifiable, shareable data in their wallet app. It is composed of PingOne Credentials, PingOne Verify, and a unified SDK, PingOne Neo SDK.
PingOne Verify Enabled secure user identity verification based on a government-issued document and live face capture (a selfie) using the PingOne Verify Integration Kit. For more information, refer to PingOne Verify Integration Kit.
For more information, refer to PingOne Neo.
PingOne Credentials
Use the Credentials service to create custom verifiable credentials for users. The resulting credentials can then be shared with compatible wallet apps. The Credentials service enables you to:
-
Revoke credentials or expire credentials issued to PingOne users
Automatic deletion and revocation
Typical behavior for credential types is to automatically revoke user credentials when a credential type, user, or environment is deleted. However, some credential types, such as birth certificates, university degrees, or marriage certificates, should never be automatically revoked even if the user or environment is deleted. You control this using onDelete.revokeIssuedCredentials
on the credential type.
The selected deletion and revocation behavior cascades over all resources managed by the service: credential types, issuance rules, staged changes, digital wallet applications, digital wallets, and user credentials.
Environment deleted:
-
Delete all credential types
-
Delete all issuance rules
-
Delete all staged changes
-
Delete all digital wallet applications
-
Delete all digital wallets
-
Delete all user credentials
-
Delete all provisioned credentials
-
Delete all credential type counts
-
Delete environment credential count
Population deleted:
- Remove population from existing issuance rules
Group deleted:
- Remove group from existing issuance rules
User deleted:
-
Delete user credential
-
Delete digital wallets
Application (associated with digital wallet applications) deleted:
- No impact
Credential type deleted:
-
Revoke issued credentials based on delete flag
-
Delete issuance rule
Issuance rule deleted
- Delete staged changes
Digital wallet application deleted:
- Disable digital wallets that are of this type
Digital wallet deleted:
- Revoke credentials that were provisioned to the digital wallet based on credential type delete flag
User credential deleted:
- Revoke provisioned credentials based on credential type delete flag
Regardless of the setting of onDelete.revokeIssuedCredentials
, the service always deletes any pending credentials. (Pending credentials are staged for issue but not provisioned to a wallet because no paired digital wallet exists.)
Credential Issuers
Use the Credential Issuers operations to retrieve or update the credential issuer information. A credential issuer profile, which enables issuance of credentials, is automatically created when the credential service is added to an environment.
Credential Issuers data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
applicationInstance.id |
String | N/A | Read-only | Identifier (UUID) of the application instance registered with the PingOne platform service. This enables the client to send messages to the service. |
createdAt |
DateTime | N/A | Read-only | Date and time the issuer profile was created. |
id |
String | N/A | Read-only | Identifier (UUID) of the credential issuer. |
logo |
String | Optional | Mutable | A URI containing the logo for the issuer. Restricted to a valid URL with a scheme of https: or a scheme of data: with a base64-encoded image. Included in credentials issued. |
name |
String | Required | Immutable | The name of the credential issuer. Included in credentials issued. |
siteUrl |
String | Optional | Mutable | URL, chosen by the issuer, that references the issuer in issued credentials. |
updatedAt |
DateTime | N/A | Read-only | Date and time the credential issuer profile was last updated; can be null. |
The logo
and name
can be shown to the user when indicating the credential issuer by the wallet app using using the PingOne Neo Native SDKs with getIssuerMetadata for Android and getCredentialIssuerMetadataFromClaim(_:) for iOS.
Response codes
Code | Message |
---|---|
200 | Successful operation. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
500 | Unexpected server error. |
Read Credential Issuer Profile
Update Credential Issuer Profile
Credential Types
Use the Credentials Types operations to create, read, and update the credential types used by compatible wallet apps.
Versioning
If the updated credential type differs from the existing credential type, the service saves the existing credential type as a Credential Type Version and increments version.number
in the updated credential type. Credential Type Versions can be read with Read All Credential Type Versions.
Credential schema
When the service creates a credential from a credential type, it maintains the full credential schema, including attributes without corresponding values in the Create a User Credential request, so that the credential structure is consistent and predictable. It assigns an empty string (""
) to any attribute without a value in the request body.
Credential Types data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
cardDesignTemplate |
String | Required | Immutable | An SVG formatted image containing placeholders for the credentials fields that need to be displayed in the image. Refer to warning following this table. Not returned with Read All Credential Types. You must Read One Credential Type with the id of the credential type you want to review. |
cardType |
String | Optional | Mutable | A descriptor of the credential type. Can be non-identity types such as proof of employment or proof of insurance. |
createdAt |
DateTime | N/A | Read-only | Date and time the credential type was created. |
deletedAt |
DateTime | N/A | Read-only | Date and time the credential type was deleted. Returned only with Read One Credential Type. |
description |
String | Optional | Mutable | A description of the credential type. |
environment.id |
String | N/A | Read-only | PingOne environment identifier (UUID) in which the credential type exists. |
expiration |
Object | Optional | Mutable | Object that identifies how to evaluate the expiration date. Requires one and only one of after , timestamp , or expression . Permitted only when management.mode is AUTOMATED . |
expiration.after |
Object | Required/Optional | Mutable | Contains the numeric duration and its time unit for calculating an expiration date. |
expiration.after.duration |
Integer | Required | Mutable | Length of time before transaction timeout expires; range is from a 1 hour minimum (or equivalent) to an (effectively) unbounded maximum. |
expiration.after.timeUnit |
String | Required | Mutable | Time unit of transaction timeout; can be SECONDS , MINUTES , HOURS , or DAYS . |
expiration.expression |
String | Required/Optional | Mutable | PingOne Expression Language (PEL) expression that evaluates to an ISO 8601 date. For more information on PEL, refer to PingOne expression language. |
expiration.fieldName |
String | Required/Optional | Mutable | On issuance, name of the field in the credential to hold the expiration that, when evaluated, returns an expiration date. Must be unique from all fields defined in the metadata object of Create Credential Type. Required when expiration.type is SOFT . Optional when expiration.type is HARD and ignored if used. |
expiration.timestamp |
DateTime | Required/Optional | Mutable | The date and time to expire in ISO 8601 YYYY-MM-DDTHH:MM:SS.sssZ format (milliseconds optional). |
expiration.type |
String | Required | Mutable | Indicates how expiration of the credential is presented. Can be SOFT or HARD . A SOFT expiration appears as a user-defined field (named in fieldName ) in the credential but returns no expiration date in Read One User Credential. A HARD expiration appears as a standards-based expiration field in the credential and returns an expiration date in Read One User Credential. |
id |
String | N/A | Read-only | Identifier (UUID) associated with the credential type. |
issuer.id |
String | N/A | Read-only | The identifier (UUID) of the issuer. |
issuerName |
String | Optional | Mutable | Issuer name associated with the card, can differ from title. |
management.mode |
String | Optional | Mutable | Management mode of the credential type. Can be AUTOMATED (the default) or MANAGED . Refer to the note following this table. |
metadata |
Object | Required | Mutable | Contains the names, data types, and other metadata related to the credential; refer to metadata object data model. |
multiple |
Object | Optional | Mutable | Object containing directives that enable you to Issue multiple credentials to a user based on a directory attribute. |
multiple.expression |
String | Required | Mutable | A PingOne Expression Language (PEL) expression that evaluates to a number or array. If an array, calculates the array length for the count. Populates the limit to a variable, __ITERATOR__ , available to PEL expressions in metadata.fields.attribute . |
onDelete.revokeIssuedCredentials |
Boolean | Optional | Mutable | Whether user credentials are automatically revoked when a credential type, user, or environment is deleted. Defaults to true . For credential types (such as birth certificates, university degrees, or marriage certificates) that should never be automatically revoked even if the user or environment is deleted, set this to false . |
title |
String | Required | Immutable | Title of the credential. Verification sites are expected to be able to request the issued credential from the compatible wallet app using the title. |
updatedAt |
DateTime | N/A | Read-only | Date and time the credential type was last updated; can be null. |
version.id |
String | N/A | Read-only | Identifier (UUID) of this version of the credential type. The service assigns identifiers. |
version.number |
Integer | N/A | Read-only | Version of this credential type. The service assigns versions. |
version.uri |
String | N/A | Read-only | A URI to of this version of the credential type. The service assigns URIs. |
If management.mode
is AUTOMATED
, the credential type is only issued by its associated credential issuance rule. If management.mode
is MANAGED
, the credential type is only issued by Create a User Credential or Update a User Credential API requests. If you change management.mode
from AUTOMATED
to MANAGED
and an associated issuance rule exists, the rule is disabled, but not deleted.
If management.mode
is AUTOMATED
, you can value one and only one of the three properties in the expiration
object and the associated credential issuance rule automatically assigns an expiration date when it issues the credential. If management.mode
is MANAGED
and an expiration
object is present, it causes an error.
If you want to change management.mode
from AUTOMATED
to MANAGED
, but one of the three properties in the expiration
object is valued, you must remove the expiration
object. Use Update the Credential Type with no expiration
object, which removes it from the credential type, and with management.mode
set to MANAGED
.
metadata object data model
The metadata
object is not returned with Read All Credential Types. You must Read One Credential Type with the id
of the credential type you want to review.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
backgroundImage |
String | Optional | Mutable | URL to an image of the background to show in the credential. Must be no more than 50 KB in size. |
bgOpacityPercent |
String | Optional | Mutable | Percent opacity of the background image in the credential. High percentage opacity may make reading text difficult. |
cardColor |
String | Optional | Mutable | Color to show on the credential. |
columns |
Integer | Optional | Mutable | Number of columns of visible fields to use when displaying the credential. Must be between 1 and 3. Defaults to 1. |
description |
String | Optional | Mutable | Description of the credential. |
fields |
Object[] | Optional | Mutable | Array of objects representing the fields. |
fields.attribute |
String | Required/Optional | Mutable | Name of the PingOne Directory attribute. Required if field.type is Directory Attribute , otherwise optional and ignored if used. Refer to fields.attribute definition. |
fields.default |
String | Optional | Mutable | Assigns a default value if a PingOne Expression Language (PEL) in the fields.attribute evaluates to no value. |
fields.id |
String | Required | Mutable | Identifier of the field. Ping Identity recommends that id is text formatted as "<fields.type> -> <fields.title>" to show the type of data expected as well as for what it is used. Examples include: "Alphanumeric Text -> Department" or "Directory Attribute -> Username" . |
fields.fileSupport |
String | Optional | Mutable | Specifies how an image is stored in the credential; refer to fields.fileSupport types. |
fields.isVisible |
Boolean | Required | Mutable | Whether the field should be visible to viewers of the credential. |
fields.required |
Boolean | Optional | Mutable | Whether the field is required for the credential. Defaults to false . |
fields.title |
String | Required | Mutable | Descriptive text when showing the field. |
fields.type |
String | Required | Mutable | Type of data in the field; refer to fields.type types. |
fields.value |
String | Required/Optional | Mutable | The text to appear on the credential for a type of Alphanumeric Text . Required if type is Alphanumeric Text and management.mode is AUTOMATED , optional if type is Alphanumeric Text and management.mode is MANAGED (effectively a default that can be overridden by a data value in Create a User Credential or Update a User Credential), and otherwise ignored if present. |
logoImage |
String | Optional | Mutable | URL to an image of the logo to show in the credential. Must be no more than 25 KB in size. |
name |
String | Optional | Mutable | Name of the credential. |
textColor |
String | Optional | Mutable | Color of the text to show on the credential. |
version |
Integer | Optional | Mutable | Version of this credential metadata. If not provided, the service assigns a version. |
fields.attribute definition
Although fields.attribute
is always a string type, the service supports two interpretations of its string.
If the string begins with ${
and ends with }
, the string is interpreted as a PingOne Expression Language (PEL) expression. As a PEL expression, the string must have user.
before any attribute names. A PEL expression is essential to Issue multiple credentials to a user based on a directory attribute. The PEL expression extracts specific elements from the multiple potential credentials found in the attribute.
If the string does not have ${
and }
, the string is interpreted as the traditional pointer to an attribute name in the directory. That is, you supply an attribute name as the string and the service supplies the value of that attribute to the credential. When used as a pointer, the string does not need user.
to reference an attribute.
fields.fileSupport types
A credential field
that uses a type
of Directory Attribute
can contain a URL that references a JPEG, PNG, or GIF image file uploaded with Create Image. The credential type is limited to 5 fields that have fileSupport
set to BASE64_STRING
or INCLUDE_FILE
. For credentials, an image file has a maximum size of 2 MB. A credential cannot exceed 2.5 MB including all images.
Type | Description |
---|---|
BASE64_STRING | Image is base64-encoded to a string in the credential. |
INCLUDE_FILE | Image binary is included in the credential. |
REFERENCE_FILE | Only a URL referencing the image is in the credential. The image binary remains stored external to the credential. |
fields.type types
Type | Description |
---|---|
Alphanumeric Text | A static text string of letters, numbers, or punctuation set on fields.value . |
Issued Timestamp | Date and time the credential was issued. |
Directory Attribute | Any PingOne Directory standard or custom attribute. When used in a credential for a user, the service reads that attribute from the user and puts the value in the credential. The name of the attribute is in fields.attribute . |
Automatic deletion and revocation
Typical behavior for credential types is to automatically revoke user credentials when a credential type, user, or environment is deleted. However, some credential types, such as birth certificates, university degrees, or marriage certificates, should never be automatically revoked even if the user or environment is deleted. You control this using onDelete.revokeIssuedCredentials
on the credential type.
The selected deletion and revocation behavior cascades over all resources managed by the service: credential types, issuance rules, staged changes, digital wallet applications, digital wallets, and user credentials.
If onDelete.revokeIssuedCredentials
is true:
-
User credentials are revoked and deleted when the credential type is deleted.
-
Provisioned credentials are revoked when a user credential is deleted, its credential type is deleted, or its digital wallet is disabled or deleted.
If onDelete.revokeIssuedCredentials
is false:
-
User credentials are only revoked if the issuance rule causes it to be revoked or if Update a User Credential sets the expiration date.
-
Provisioned credentials are revoked if the user credential is revoked (refer to previous item).
Issue multiple credentials to a user based on a directory attribute
Some customers must issue multiple credentials to a user based on a directory attribute. For example, a bank might issue credit cards in their own name while also issuing credit cards branded for their customers. A user may have more than one of these credit cards in their wallet. The directory service requires an attribute that contains all the credit cards for that user and the service must support credential issuance to any or all of that user's credit cards.
The customer can define a single directory attribute for each user to hold a data object that contains the different accounts owned by the user. Our hypothetical bank wants to support the end user being able to present a verifiable credential that contains only the information from one of these accounts. Although issuance of multiple credentials is initiated by a single directory attribute, definition of the credential type can reference any directory attributes for its fields
.
The definition of the data object is up to the customer. They then use PingOne Expression Language (PEL) expressions to retrieve any information as required. The Credential Types multiple.expression
contains a PEL expression that counts qualifying entries in the data object. The Credential Types metadata.fields.attribute
contains a PEL expression to retrieve individual data elements that populates a field in the credit type definition.
When you Apply Credential Issuance Rule Staged Changes for a user for a credential type that has multiple configured, the service creates multiple, separate user credentials for the credential type.
An example may better illustrate applying these concepts.
Example data object
Our hypothetical bank customer, BigBank, uses this JSON object, stored as a JSON binary large object (blob), as the source for credit card information.
{
"credit_cards": {
"branded": [
{
"oem_merchant": "ChainRetailer",
"customer_id": "0010380",
"user_id": "1506980157738"
},
{
"oem_merchant": "GlobalOil",
"customer_id": "0475932",
"user_id": "1506980157739"
}
],
"owned": [
{
"customer_id": "0010380",
"int_id" : "03918203198"
},
{
"customer_id": "0475932",
"int_id" : "03918203100"
}
]
}
}
An administrator at BigBank creates two different credential types, one each for branded
and owned
. Each credential type is configured to issue a credential for each JSON object in that array.
Example API
This demonstrates the API using the branded
array. An administrator at BigBank created this credential type for branded
.
A body for Create a credential type (automated) that creates multiple credentials from the data object for the credit_cards.branded
is:
{
"title": "Branded Cards",
"description": "Example for branded cards attribute for BigBank",
"metadata": {
"fields": [
{
"id": "title",
"title": "oem_merchant",
"attribute": "${user.credit_cards['branded'][__ITERATOR__].oem_merchant}",
"isVisible": true,
"type": "Directory Attribute",
"default": "Use this if missing"
},
{
"id": "Directory Attribute -> user_id",
"title": "user_id",
"attribute": "${user.credit_cards['branded'][__ITERATOR__].user_id}",
"isVisible": true,
"type": "Directory Attribute"
},
{
"id": "Directory Attribute -> customer_id",
"title": "customer_id",
"attribute": "${user.credit_cards['branded'][__ITERATOR__].customer_id}",
"isVisible": true,
"type": "Directory Attribute"
}
]
},
"cardDesignTemplate": "<svg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 740 480\">...</svg>",
"multiple": {
"expression": "${user.credit_cards['branded']}"
}
}
The PEL expression in multiple.expression
returns the count of objects in the credit_cards.branded
object array of the data object. This populates the iteration limit of the system __ITERATOR__
variable seen in the PEL expressions of the three metadata.fields.attribute
values.
A body for Create a credential type (automated) that creates multiple credentials from the data object for the credit_cards.owned
is:
{
"title": "Owned",
"description": "Example for owned attribute for BigBank",
"metadata": {
"fields": [
{
"id": "Directory Attribute -> int_id",
"title": "int_id",
"attribute": "${user.credit_cards['owned'][__ITERATOR__].int_id}",
"isVisible": true,
"type": "Directory Attribute"
},
{
"id": "Directory Attribute -> customer_id",
"title": "customer_id",
"attribute": "${user.credit_cards['owned'][__ITERATOR__].customer_id}",
"isVisible": true,
"type": "Directory Attribute"
}
],
"textColor": "#000000",
"version": 4
},
"cardDesignTemplate": "<svg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 740 480\">...</svg>",
"multiple": {
"expression": "${user.credit_cards['owned']}"
}
}
The PEL expression in multiple.expression
returns the count of objects in the credit_cards.owned
object array of the data object. This populates the iteration limit of the system __ITERATOR__
variable seen in the PEL expressions of the two metadata.fields.attribute
values.
Important considerations
-
Do not use a multi-valued attribute type. Use a single JSON attribute that contains the necessary arrays.
When configuring a custom JSON attribute for issuing multiple credentials for a user, the administrator can set it to a multi-valued type, which allows the attribute to be an array of JSON blobs. The PingOne Directory does not guarantee ordering for multi-valued attributes. Multi-valued attributes values are treated as a set rather than a list. This conflicts with how the service determines if a credential has changed, where order is essential. For example, a user has three credentials issued using a multi-valued type of [A, B, C]. If you add another JSON blob to the user attribute, one might expect the change to look like [A, B, C, D] (where each letter is a different credential) and issue one more credential to the user. However, with a multi-valued custom JSON attribute, the change may look like [A, C, D, B]. When the service compares the order, it interprets that two credentials have been updated and one more credential has been added.
Due to this involuntary re-ordering behavior, multi-valued custom JSON attributes are strongly discouraged.
-
Revocation can be affected by re-ordering.
If the user has an array like [A, B, C] so that the service issues three credentials and an administrator then revokes the credential B, credential B remains revoked. If the user is updated to change some values in A, B, and C, A and C update while B remains revoked. However, if the user is updated with a new object or value added to the array such that it becomes [A, D, B, C], credential C updates to the values of B and a new credential issues for C. No credential will be issued or updated to have the values of D because it is in the second place and the credential for second place was revoked.
To mitigate this behavior, always add new entries to the end of the arrays in the JSON blob.
Response codes
Code | Message |
---|---|
200 | Successful operation. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
500 | Unexpected server error. |
Create Credential Type (automated)
Create Credential Type (managed)
Read All Credential Types
Read All Credential Type Versions
Read One Credential Type
Read One Credential Type Version
Update a Credential Type
Delete a Credential Type
Credential Issuance Rules
Use the Credentials Issuance Rules operations to create, read, and update rules for issuing, updating, and revoking credentials by credential type. Rules are defined for:
-
A specific Credential Type in the endpoint
-
A specific Digital Wallet App in the request body
-
A specific set of users defined by one, and only one, of these filters in the request body:
-
Membership in one or more Groups.
-
Membership in one or more Populations.
-
Satisfying a SCIM query. For information about SCIM syntax and operators, refer to Filtering collections.
-
A credential rule contains an automation
object with available actions as keys: issue
, revoke
, and update
. If an action is set to PERIODIC
, the service performs the action at the end of the period. If an action is set to ON_DEMAND
, you must use Apply Credential Issuance Rule Staged Changes to perform staged changes for those ON_DEMAND
actions.
The general procedure for rules is:
-
Create - create a new rule to stage actions for for the credential by user
-
Update - update an existing rule to stage actions for the credential by user
-
Staged Changes - show actions staged for execution
-
Apply - act upon credentials staged for actions.
You can also monitor credential rules:
-
All Rules - view all rules defined for a credential type
-
One Rule - view a specific rule for a credential
-
Usage Counts - show counts by action applied to the credential by user
-
Usage Details - show details by action applied to the credential by user
You can, finally, remove a rule for a credential type:
- Delete - remove a rule from a credential type
For actions set to PERIODIC
, an improper credential could cause endless repetitious errors. The service monitors staged changes for errors. When an error occurs during processing, the service adds details of the error to the staged change so that errors can be tracked, counted, and returned to the user. If more than 3 errors occur for the same scheduled staged change, the service unschedules (changes stagedChanges.scheduled
from true
to false
) that staged change so that the service no longer attempts to process it. The user can manually trigger the staged change with Apply Credential Issuance Rule Staged Changes.
Credentials unscheduled due to errors are reported. Some errors are known but there can also be unexpected errors. The errors.errorDetail
object provides an error code and message. If the error was related to processing a specific credential field, the field name will be in errors.errorDetail.target
. This includes the staged changes that exist when the request is made with 1 or more errors. It does not include a staged change that was failed in the past, but has since completed successfully or was deleted (because the user no longer matches the issuance rule). Requests that report errors include:
Credential Issuance Rules data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
automation |
Object | Required | Mutable | Contains a list of actions, as key names, and the update method for each action. |
automation.issue |
String | Required | Mutable | The method the service uses to issue credentials with the credential issuance rule. Can be PERIODIC or ON_DEMAND . |
automation.revoke |
String | Required | Mutable | The method the service uses to revoke credentials with the credential issuance rule. Can be PERIODIC or ON_DEMAND . |
automation.update |
String | Required | Mutable | The method the service uses to update credentials with the credential issuance rule. Can be PERIODIC or ON_DEMAND . |
createdAt |
DateTime | N/A | Read-only | Date and time the credential issuance rule was created. |
credentialType.id |
String | N/A | Read-only | Identifier (UUID) of the credential type with which this credential issuance rule is associated. |
digitalWalletApplication.id |
String | Optional | Mutable | Identifier (UUID) of the customer's Digital Wallet App that will interact with the user's Digital Wallet. Optional, and if present, digital wallet pairing automatically starts when a user matches the credential issuance rule. |
environment.id |
String | N/A | Read-only | PingOne environment identifier (UUID) in which the credential issuance rule exists. |
filter |
Object | Optional | Mutable | Contains one and only one filter (.groupIds , .populationIds , or .scim ) that selects the users to which the credential issuance rule applies. |
filter.groupIds |
String[] | Required/Optional | Mutable | Array of one or more identifiers (UUIDs) of groups, any of which a user must belong for the credential issuance rule to apply. One and only one filter is required in filter , others are optional and cause an error if used. |
filter.populationIds |
String[] | Required/Optional | Mutable | Array of one or more identifiers (UUIDs) of populations, any of which a user must belong for the credential issuance rule to apply. One and only one filter is required in filter , others are optional and cause an error if used. |
filter.scim |
String | Required/Optional | Mutable | A SCIM query that selects users to which the credential issuance rule applies. One and only one filter is required in filter , others are optional and cause an error if used. For more information about SCIM syntax and operators, refer to Filtering collections. |
id |
String | N/A | Read-only | Identifier (UUID) of the credential issuance rule. |
notification |
Object | Optional | Immutable | Contains notification information. When this property is supplied, the information within is used to create a custom notification. |
notification.methods |
String[] | Optional | Immutable | Array of methods for notifying the user; can be EMAIL , SMS , or both. |
notification.template |
Object | Optional | Immutable | Contains template parameters. |
notification.template.locale |
String | Optional | Immutable | The ISO 2-character language code used for the notification; for example, en . |
notification.template.variables |
Object[] | Required/Optional | Immutable | An object of name-value pairs that defines the dynamic variables used by the content variant. Required if the template requires variables, otherwise ignored. For more information on dynamic variables, refer to Dynamic variables. |
notification.template.variant |
String | Optional | Immutable | The unique user-defined name for the content variant that contains the message text used for the notification. For more information on variants, refer to Creating custom contents. |
status |
String | Required | Mutable | Status of the credential issuance rule. Can be ACTIVE or DISABLED . |
updatedAt |
DateTime | N/A | Read-only | Date and time the credential issuance rule was last updated; can be null. |
Actions within automation
(.issue
, .update
, and .revoke
) can be PERIODIC
, the service applies the rule frequently every hour, or ON_DEMAND
, the service applies the rule only with an Apply Credential Issuance Rule Staged Changes request. For ON_DEMAND
, use Read Credential Issuance Rule Staged Changes to determine staged changes.
The one notification.template
object applies a variant and locale to all three credential notification templates: credential_issued
, credential_updated
, and credential_revoked
. When adding a variant or locale to any of the three notification templates, consider adding the same variant or locale to the other notification templates. If a requested variant is not defined, the notification uses the default notification template. If a requested locale is not defined, the notification uses the user's preferred language or, if the user has no preferred language, the default language of the environment.
Credential Issuance Rules staged changes data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
stagedChanges.action |
String | N/A | Read-only | Action determined by the service that should be taken for the credential based on the request that staged it. Can be ISSUE , UPDATE , or REVOKE . |
stagedChanges.createdAt |
DateTime | N/A | Read-only | Date and time the change was staged by the service. |
stagedChanges.credentialType.id |
String | N/A | Read-only | Identifier (UUID) of the credential type with which this credential issuance rule is associated. |
stagedChanges.environment.id |
String | N/A | Read-only | PingOne environment identifier (UUID) in which the credential issuance rule exists. |
stagedChanges.issuanceRule.id |
String | N/A | Read-only | Identifier (UUID) of the credential issuance rule. |
stagedChanges.scheduled |
String | N/A | Read-only | Whether or not the staged change is scheduled: true if the action on the credential issuance rule is set to PERIODIC and false if the action is set to ON_DEMAND . |
stagedChanges.user.id |
String | N/A | Read-only | Identifier (UUID) of the user identified by the filter on the credential issuance rule. |
stagedChanges.errors |
Object[] | N/A | Read-only | Array of objects representing credentials that had errors when attempting an action on it. Refer to Credential Issuance Rules errors object. |
Credential Issuance Rules apply staged changes data model
This data model applies only to Read Credential Issuance Rule Staged Changes and Apply Credential Issuance Rule Staged Changes.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
issue |
String[] | Optional | Mutable | Array of one or more identifiers (UUIDs) of users whose credentials are in an issue action state and should be issued. |
revoke |
String[] | Optional | Mutable | Array of one or more identifiers (UUIDs) of users whose credentials are in a revoke action state and should be revoked. Used only in the body of Apply Credential Issuance Rule Staged Changes. |
update |
String[] | Optional | Mutable | Array of one or more identifiers (UUIDs) of users whose credentials are in an update action state and should be updated. Used only in the body of Apply Credential Issuance Rule Staged Changes. |
errors |
Object[] | N/A | Read-only | Array of objects representing credentials that had errors when attempting an action on it. Refer to Credential Issuance Rules errors object. |
Credential Issuance Rules usage counts data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
issued |
Integer | N/A | Read-only | Count of credentials issued by the rule since the time the credential issuance rule was created. |
accepted |
Integer | N/A | Read-only | Count of credentials accepted by users of credentials issued by the credential issuance rule since the time the credential issuance rule was created. |
updated |
Integer | N/A | Read-only | Count of credentials updated by the rule since the time the credential issuance rule was created. |
revoked |
Integer | N/A | Read-only | Count of credentials revoked by the rule since the time the credential issuance rule was created. |
errors |
Integer | N/A | Read-only | Count of credentials that caused errors since the time the credential issuance rule was created. |
Credential Issuance Rules usage details data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
issued |
Object[] | N/A | Read-only | Credentials issued by the rule since the time the credential issuance rule was created. |
issued.user.id |
String | N/A | Read-only | Identifier (UUID) of the user identified by the filter on the credential issuance rule. |
issued.credential.id |
String | N/A | Read-only | Identifier (UUID) of the credential subject to the issue action identified by the credential issuance rule. |
issued.createdAt |
DateTime | N/A | Read-only | Date and time the credential was issued by the service. |
updated |
Object[] | N/A | Read-only | Credentials updated by the rule since the time the credential issuance rule was created. |
updated.user.id |
String | N/A | Read-only | Identifier (UUID) of the user identified by the filter on the credential issuance rule. |
updated.credential.id |
String | N/A | Read-only | Identifier (UUID) of the credential subject to the update action identified by the credential issuance rule. |
updated.createdAt |
DateTime | N/A | Read-only | Date and time the credential was updated by the service. |
revoked |
Object[] | N/A | Read-only | Credentials revoked by the rule since the time the credential issuance rule was created. |
revoked.user.id |
String | N/A | Read-only | Identifier (UUID) of the user identified by the filter on the credential issuance rule. |
revoked.credential.id |
String | N/A | Read-only | Identifier (UUID) of the credential subject to the revoke action identified by the credential issuance rule. |
revoked.createdAt |
DateTime | N/A | Read-only | Date and time the credential was revoked by the service. |
errors |
Object[] | N/A | Read-only | Array of objects representing credentials that had errors when attempting an action on it. Refer to Credential Issuance Rules errors object. |
Credential Issuance Rules errors object
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
errors |
Object[] | N/A | Read-only | Array of objects representing errors recorded when attempting an action on a credential. |
errors.recordedAt |
DateTime | N/A | Read-only | Date and time the error was recorded by the service. |
errors.errorDetail.code |
String | N/A | Read-only | A code that indicates the error encountered by the service. Refer to Credential Issuance Rules staged changes error codes. |
errors.errorDetail.target |
String | N/A | Read-only | The part of the credential that caused the error encountered by the service. |
errors.errorDetail.message |
String | N/A | Read-only | A message that describes the error encountered by the service. |
credentialType.id |
String | N/A | Read-only | Identifier (UUID) of the credential type with which this credential issuance rule is associated. |
environment.id |
String | N/A | Read-only | PingOne environment identifier (UUID) in which the credential issuance rule exists. |
issuanceRule.id |
String | N/A | Read-only | Identifier (UUID) of the credential issuance rule. |
user.id |
String | N/A | Read-only | Identifier (UUID) of the user identified by the filter on the credential issuance rule. |
id |
String | N/A | Read-only | Identifier (UUID) of the error. |
action |
String | N/A | Read-only | Action determined by the service that should be taken for the credential based on the request that staged it. Can be ISSUE , UPDATE , or REVOKE . |
scheduled |
String | N/A | Read-only | Whether or not the staged change is scheduled: true if the action on the credential issuance rule is set to PERIODIC and false if the action is set to ON_DEMAND . |
createdAt |
DateTime | N/A | Read-only | Date and time the error was created by the service. |
updatedAt |
DateTime | N/A | Read-only | Date and time the error was updated by the service. |
Credential Issuance Rules staged changes error codes
Error Code | Description |
---|---|
TEMPLATE_ERROR |
An error in the template placeholders of the cardDesignTemplate SVG. |
SVG_ERROR |
An error in the syntax of the cardDesignTemplate SVG. |
CREDENTIAL_TYPE_INVALID |
Credential Type was invalid when the staged change was performed. |
FILE_RESOLUTION_ERROR |
User attribute for a field with fileSupport did not reference a supported file, such as an unsupported URL, file too large, or error reading file. |
CREDENTIAL_TOO_LARGE |
Size of data collected for the credential exceeds the maximum that can be stored in a credential. |
UNEXPECTED_ERROR |
An unexpected error occurred. |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
500 | Unexpected server error. |
Create Credential Issuance Rule
Read All Credential Issuance Rules
Read One Credential Issuance Rule
Read All Credential Issuance Rule Staged Changes
Read One Credential Issuance Rule Staged Change
Read Credential Issuance Rule Usage Counts
Read Credential Issuance Rule Usage Details
Update Credential Issuance Rule
Apply Credential Issuance Rule Staged Changes
Delete Credential Issuance Rule
Digital Wallet Apps
The credential digital wallet apps service controls the relationship between the customer's digital wallet app, which communicates with users' digital wallets, and a customer's PingOne application.
Credential digital wallet app data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
application.id |
String | Required | Immutable | The identifier (UUID) of the PingOne application associated with the digital wallet app. |
appOpenUrl |
String | Required | Mutable | URL sent in notifications to the user to communicate with the service. |
createdAt |
DateTime | N/A | Read-only | Date and time the credential digital wallet app was created. |
environment.id |
String | N/A | Read-only | PingOne environment identifier (UUID) in which the credential digital wallet app exists. |
id |
String | N/A | Read-only | Identifier (UUID) associated with the credential digital wallet app. |
name |
String | Required | Mutable | Name associated with the digital wallet app. |
updatedAt |
DateTime | N/A | Read-only | Date and time the credential digital wallet app was last updated; can be null. |
usesPingOneWalletSDK |
Boolean | Optional | Immutable | Whether the user's wallet app uses the PingOne Wallet SDK; default is true . |
Create Digital Wallet App
Read All Digital Wallet Apps
Read One Digital Wallet App
Update Digital Wallet App
Delete Digital Wallet App
Digital Wallets
The credential Digital Wallet service controls the relationship between a user's phone wallet app, which uses the Wallet SDK, and the customer's PingOne application. It also offers notifications when the PingOne application communicates with the user's Wallet SDK. Settings on the Digital Wallet configure sending push notifications from PingOne Credentials to the Wallet SDK of the user.
In the normal digital wallet pairing use case, you use Create Digital Wallet to create the Digital Wallet without the applicationInstance.id
and a pairing session is created. The Digital Wallet service uses the digital_wallet_pairing
notification template to send the pairing session URL (refer to appOpen.href
in the response) to the user via email or text or you show a QR code (refer to qrUrl.href
in the response) of the pairing session URL to the user. When the user opens the URL, it opens your app or takes them to a page with instructions on how to install the app. When the app opens the URL, it shares its applicationInstance.id
with the service using the Wallet SDK.
Alternatively, you send the applicationInstance.id
when you create the Digital Wallet. For example, if you have the user install your app, the user authenticates with your servers. When your app is installed, it creates an application instance. Since the app knows who the user is, the app sends its application instance identifier to your server and then your application sends the applicationInstance.id
to the service when creating or updating the Digital Wallet. This creates a Digital Wallet with a known application instance identifier. Activation of the Digital Wallet requires sending some device data, such as SDK version and application bundle ID or package name, to PingOne Credentials:
- The service creates a pairing session and sends a pairing request message to the device.
- The Wallet SDK receives this request and the app approves the request.
- The Wallet SDK sends the device data to PingOne Credentials, which activates the Digital Wallet.
Credential digital wallet data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
applicationInstance.id |
String | Required/Optional | Immutable | Identifier (UUID) of the application running the Wallet SDK on the user's device and registered with the service. Registration is required before the wallet can be used. Registration is performed by a compatible wallet app using the Wallet SDK, or by the customer application using Create Digital Wallet or one Update Digital Wallet. |
createdAt |
DateTime | N/A | Read-only | Date and time the credential Digital Wallet was created. |
deviceData |
Object | N/A | Read-only | Contains metadata collected about the user's Wallet SDK. |
digitalWalletApplication.id |
String | Required | Immutable | Identifier (UUID) of the customer's PingOne application that interacts with the user's Wallet SDK. |
environment.id |
String | N/A | Read-only | PingOne environment identifier (UUID) in which the credential digital wallet app exists. |
id |
String | N/A | Read-only | Identifier (UUID) associated with the credential digital wallet. |
notification |
Object | Optional | Immutable | Contains notification information. When this property is supplied, the information within is used to create a custom notification. |
notification.methods |
String[] | Optional | Immutable | Array of methods for notifying the user; can be EMAIL , SMS , or both. |
notification.results |
Object[] | N/A | Read-only | Array of objects that contain the results of attempts to notify the user. |
notification.results.error |
Object | N/A | Read-only | Contains information regarding why a notification failed to send. |
notification.results.error.code |
String | N/A | Read-only | A short alphanumeric code identifying the error. |
notification.results.error.details |
Object[] | N/A | Read-only | Array of objects that contain details of the error as provided by the source of the error. Exact format varies by source. |
notification.results.error.id |
String | N/A | Read-only | Identifier (UUID) of the error message. |
notification.results.error.message |
String | N/A | Read-only | A textual message explaining the error. |
notification.results.method |
String | N/A | Read-only | Method used in the attempt to notify the user; can be EMAIL or SMS . |
notification.results.notification.id |
String | N/A | Read-only | Identifier (UUID) of the notification that was sent. |
notification.results.sent |
Boolean | N/A | Read-only | Whether the notification was successfully sent. |
notification.template |
Object | Optional | Immutable | Contains template parameters. |
notification.template.locale |
String | Optional | Immutable | The ISO 2-character language code used for the notification; for example, en . |
notification.template.variables |
Object[] | Required/Optional | Immutable | An object of name-value pairs that defines the dynamic variables used by the content variant. Required if the template requires variables, otherwise ignored. For more information on dynamic variables, refer to Dynamic variables. |
notification.template.variant |
String | Optional | Immutable | The unique user-defined name for the content variant that contains the custom message text used for the notification. For more information on variants, refer to Creating custom contents. |
pairingAttempts |
Object[] | N/A | Read-only | Array of result objects of all pairing attempts between the Digital Wallet and the Wallet SDK. Not returned when no pairing was attempted or when creating a Digital Wallet. |
pairingAttempts.attemptedAt |
DateTime | N/A | Read-only | Date and time the credential pairing was attempted. |
pairingAttempts.details |
Object | N/A | Read-only | Object with details regarding a pairing failure. Not returned when a pairing was successful. Content of the object varies depending on the error as explained in the Description column of Pairing attempt errors. |
pairingAttempts.error |
String | N/A | Read-only | As listed in the Error column of Pairing attempt error. |
pairingAttempts.message |
String | N/A | Read-only | Explanation of the error. |
pairingAttempts.success |
Boolean | N/A | Read-only | Whether the pairing attempt was successful. |
pairingSession |
Object | N/A | Read-only | Contains information regarding the pairing session. |
status |
String | Optional | Mutable | Status of the wallet; can be PAIRING_REQUIRED , ACTIVE , EXPIRED , or DISABLED . |
updatedAt |
DateTime | N/A | Read-only | Date and time the credential digital wallet was last updated; can be null. |
user.id |
String | N/A | Read-only | Identifier (UUID) of the user associated with the credential digital wallet. |
Pairing attempt errors
Error | Description |
---|---|
APP_PACKAGE_MISMATCH |
The package name or bundle ID sent by the Wallet SDK does not match the mobile settings of the PingOne Application (identified by digitalWalletApplication.id ), details includes what was sent by the Wallet SDK in appPackage . |
WALLET_ALREADY_PAIRED |
The digital wallet is already successfully paired or the instance of the Wallet SDK on the device has already been paired with a different digital wallet of the same user. If a user attempts to pair the same digital wallet twice, details includes the new application instance ID in newApplicationInstanceId . If a user attempts to pair the same Wallet SDK instance with a second digital wallet, details includes the existing digital wallet ID in existingDigitalWalletId . |
WALLET_DISABLED |
Wallet is disabled. |
UNEXPECTED_ERROR |
An unexpected error occurred in the service, no details object returned. |
The digital wallet service uses the digital_wallet_pairing
notification template to send the pairing session URL to the user via email or SMS text. The notification.template
object can define a variant and locale for the notification, if needed.
Provisioned Credentials data model (wallet)
This object is shared with user credentials. It is returned only with Read One Digital Wallet Credentials and Read One User Credential Wallets. The former returns all user credentials associated with the specified digital wallet, the latter returns all digital wallets associated with the specified user credential.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
claimReference |
Object | N/A | Read-only | The serialized JSON object used to create the ClaimReference object returned. This is needed to revoke an issued credential. |
createdAt |
DateTime | N/A | Read-only | Date and time the credential was provisioned. |
credential.id |
String | N/A | Read-only | Identifier (UUID) of the user credential associated with the provisioned credential. |
digitalWallet.id |
String | N/A | Read-only | Identifier (UUID) of the digital wallet associated with the provisioned credential. |
environment.id |
String | N/A | Read-only | Identifier (UUID) of the environment associated with the provisioned credential. |
expiresAt |
Date | N/A | Read-only | The date that the provisioned credential expires. If this value is null, the provisioned credential never expires. |
id |
String | N/A | Read-only | Identifier (UUID) of the provisioned credential. |
status |
String | N/A | Read-only | Status of the provisioned credential. |
user.id |
String | N/A | Read-only | Identifier (UUID) of the user associated with the provisioned credential. |
walletActions |
Object[] | N/A | Read-only | Array of actions taken regarding the provisioned credential. |
walletActions.action |
String | N/A | Read-only | Action taken regarding the provisioned credential; can be CREDENTIAL_ACCEPTED , CREDENTIAL_REJECTED , CREDENTIAL_REVOKED , or CREDENTIAL_DELETED . |
walletActions.occurredAt |
DateTime | N/A | Read-only | Date and time that the action occurred. |
Create Digital Wallet
Read All Digital Wallets
Read One Digital Wallet
Read One Digital Wallet Credentials
Update Digital Wallet
Delete Digital Wallet
User Credentials
Use the User Credentials service to create a user credential and get the credential status. To issue the credential to the user you must first create a credential type (automated) or create a credential type (managed). After you create a credential type, you can issue credentials to users two ways depending on the management.mode
of the credential type:
-
if
management.mode
isAUTOMATIC
, create a credential issuance rule and the service issues the credential to all users who match the rule. -
if
management.mode
isMANAGED
, create a credential type (managed) or update a user credential and the service issues the credential to that user.
Regardless of management.mode
, you can revoke a user credential, read all user credentials, read one user credential, or read one user credential wallets.
User Credentials data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
createdAt |
DateTime | N/A | Read-only | Date and time the user credential was created. |
credentialType.id |
String | Required | Immutable | Identifier of the credential type. |
data |
Object | Optional | Mutable | Fields submitted for the credential. |
data.<field> |
String | Required/Optional | Mutable | Fields for user data; refer to data object data model. |
environment.id |
String | N/A | Read-only | Identifier (UUID) of the environment associated with the user. |
expiresAt |
DateTime | Optional | Mutable | The date that the user credential expires. If this value is null, the credential never expires. |
id |
String | N/A | Read-only | Identifier (UUID) of the user credential. |
notification |
Object | Optional | Immutable | Contains notification information. When this property is supplied, the information within is used to create a custom notification. |
notification.methods |
String[] | Optional | Immutable | Array of methods for notifying the user; can be EMAIL , SMS , or both. |
notification.results |
Object | N/A | Read-only | Contains the results of attempts to notify the user. |
notification.results.error |
Object | N/A | Read-only | Contains information regarding why a notification failed to send. |
notification.results.method |
String | N/A | Read-only | Method used in the attempt to notify the user; can be EMAIL or SMS . |
notification.results.notification.id |
String | N/A | Read-only | Identifier (UUID) of the notification that was sent. |
notification.results.sent |
Boolean | N/A | Read-only | Whether the notification was successfully sent. |
notification.template |
Object | Optional | Immutable | Contains template parameters. |
notification.template.locale |
String | Optional | Immutable | The ISO 2-character language code used for the notification; for example, en . |
notification.template.variables |
Object[] | Required/Optional | Immutable | An object of name-value pairs that defines the dynamic variables used by the content variant. Required if the template requires variables, otherwise ignored. For more information on dynamic variables, refer to Dynamic variables. |
notification.template.variant |
String | Required | Immutable | The unique user-defined name for the content variant that contains the message text used for the notification. For more information on variants, refer to Creating custom contents. |
status |
String | N/A | Read-only | Status of the user credential. |
title |
String | N/A | Read-only | Returned as defined in the credential type. |
updatedAt |
DateTime | N/A | Read-only | Date and time the credential type was last updated; can be null. |
user.id |
String | Required | Immutable | Identifier (UUID) of the user. Supplied in the endpoint. |
The one notification.template
object applies a variant and locale to all three credential notification templates: credential_issued
, credential_updated
, and credential_revoked
. When adding a variant or locale to any of the three notification templates, consider adding the same variant or locale to the other notification templates. If a requested variant is not defined, the notification uses the default notification template. If a requested locale is not defined, the notification uses the user's preferred language or, if the user has no preferred language, the default language of the environment.
Although notification.template
is immutable, Update a User Credential can change notification.template
on a specific credential for its life span.
data object data model
The data
object can only be used for Credential Types where its management.mode
is MANAGED
. Individual fields in data
can only be used where the corresponding credential type's metadata.fields.type
is Alphanumeric Text
. If the corresponding credential type's metadata.fields.value
is valued, that value represents a default for the field and can be overridden in Create a User Credential or Update a User Credential API requests.
The data
object contains any number of keys, where the key is the title
in metadata.fields
that represents a specific attribute of the credential type required by the issuer. For example, an insurance company might have a metadata.fields.title
of Medical Limitations
and the corresponding data
key would be Medical Limitations
. These data
fields must match the metadata.fields
defined for the credential type in credentialType.id
. For more information on fields, refer to the fields
object in metadata object data model and the data types in fields.type types.
Whether any given data.<field>
is required or optional depends on the corresponding fields.required
and fields.value
in the metadata object of the credential type. A data.<field>
is required when fields.required
is true
and no fields.value
exists and optional when fields.required
is false
or when fields.value
has a value.
Provisioned Credentials data model (credential)
This object is shared with digital wallets. It is returned only with Read One User Credential Wallets and Read One Digital Wallet Credentials. The former returns all digital wallets associated with the specified user credential, the latter returns all user credentials associated with the specified digital wallet.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
claimReference |
Object | N/A | Read-only | The serialized JSON object used to create the ClaimReference object returned. This is needed to revoke an issued credential. |
createdAt |
DateTime | N/A | Read-only | Date and time the credential was provisioned. |
credential.id |
String | N/A | Read-only | Identifier (UUID) of the user credential associated with the provisioned credential. |
digitalWallet.id |
String | N/A | Read-only | Identifier (UUID) of the digital wallet associated with the provisioned credential. |
environment.id |
String | N/A | Read-only | Identifier (UUID) of the environment associated with the provisioned credential. |
expiresAt |
Date | N/A | Read-only | The date that the provisioned credential expires. If this value is null, the provisioned credential never expires. |
id |
String | N/A | Read-only | Identifier (UUID) of the provisioned credential. |
status |
String | N/A | Read-only | Status of the provisioned credential. |
user.id |
String | N/A | Read-only | Identifier (UUID) of the user associated with the provisioned credential. |
walletActions |
Object[] | N/A | Read-only | Array of actions taken regarding the provisioned credential. |
walletActions.action |
String | N/A | Read-only | Action taken regarding the provisioned credential; can be CREDENTIAL_ACCEPTED , CREDENTIAL_REJECTED , CREDENTIAL_REVOKED , or CREDENTIAL_DELETED . |
walletActions.occurredAt |
DateTime | N/A | Read-only | Date and time that the action occurred. |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
500 | Unexpected server error. |
Create a User Credential
Read All User Credentials
Read One User Credential
Read One User Credential Wallets
Update a User Credential
Revoke a User Credential
Credential Verifications
The Credential Verification service receives, and responds to, requests for credential verification using Decentralized Identity Foundation Java Web Token Verifiable Credentials Presentation Profile (DIF JWT-VC Profile). The profile uses such open standards as:
-
World Wide Web Consortium (W3C) Decentralized Identifiers (DID) for core architecture, data model, and representations
-
W3C Verifiable Credentials Data Model for the presentation data model
-
DIF Presentation Exchange for credential request
-
OpenID for Verifiable Presentations (OpenID4VP ID1) as the base protocol for transportation
Use of these standards provides interoperability with any app that complies with DIF JWT-VC Profile.
The service can also use PingOne native protocols. The PingOne native protocol only works with apps that use the PingOne Neo Native SDKs, which has more features but is restricted to only supported apps.
Credential Verifications session data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
_links.appOpenURL.href |
String | N/A | Read-only | URL to use in a mobile browser to open a compatible wallet app, such as the PingOne Neo Sample App. |
_links.qr.href |
String | N/A | Read-only | URL to return a QR code that, when evaluated, opens the compatible wallet app to this verification. |
_links.self.href |
String | N/A | Read-only | URL to return this same response. |
applicationInstance.id |
String | Required/Optional | Immutable | Identifier (UUID) of the application running the Wallet SDK on the user's device and registered with the service. When set and protocol is NATIVE , the service sends a push notification to the application instance using the settings of the digital wallet application. |
didMethod |
String | Optional | Immutable | The decentralized identifier method to use during the credential verification session. Can be JWK , the default, or ION . |
digitalWalletApplication.id |
String | Optional | Immutable | Identifier (UUID) of the customer's digital wallet app that interacts with the user's digital wallet. When set and protocol is NATIVE , the service uses the appOpenURL defined on the Digital Wallet App instead of shocard.pingone.com . |
errors |
Object[] | N/A | Read-only | Array of objects representing errors recorded when attempting an action on a credential. Refer to Credential Verifications errors object data model. |
id |
String | N/A | Read-only | Identifier (UUID) of the credential verification session. |
issuerFilter.dids |
String[] | Optional | Immutable | Array of unique Decentralized Identifiers (DID). Ignored if protocol is NATIVE . Refer to the note following this table. |
issuerFilter.environmentIds |
String[] | Optional | Immutable | Array of PingOne environment identifiers. Refer to the note following this table. |
message |
String | Optional | Immutable | A message shown to the user by the compatible wallet app to alert the user. |
notification |
Object | Optional | Immutable | Contains notification information. When protocol is NATIVE and applicationInstance.id is set, permits administrators to customize their push notification. |
notification.template |
Object | Optional | Immutable | Contains template parameters. |
notification.template.locale |
String | Optional | Immutable | The ISO 2-character language code used for the notification; for example, en . |
notification.template.variables |
Object[] | Required/Optional | Immutable | An object of name-value pairs that defines the dynamic variables used by the content variant. Required if the template requires variables, otherwise ignored. For more information on dynamic variables, refer to Dynamic variables. |
notification.template.variant |
String | Optional | Immutable | The unique user-defined name for the content variant that contains the message text used for the notification. For more information on variants, refer to Creating custom contents. |
protocol |
String | Optional | Immutable | Protocol to use for verification; can be OPENID4VP or NATIVE . If not present, defaults to NATIVE . |
requestedCredentials |
Object[] | Required | Immutable | Array of objects that contain the type of credentials to verify and the keys to return from the credential. Refer to the important note following this table. |
requestedCredentials.keys |
String[] | Optional | Immutable | Array of strings that identify the key names for selective disclosure to return from the credential. |
requestedCredentials.type |
String | Required | Immutable | Type of credential to verify. Must be the name of a PingOne credential type issued by the credential issuer. |
status |
String | N/A | Read-only | Status of the verification request; can be INITIAL , WAITING , VERIFICATION_SUCCESSFUL , VERIFICATION_FAILED , or VERIFICATION_EXPIRED . |
The digital wallet service uses the credential_verification
notification template to send a push notification to a digital wallet when a Create Credential Verification Session (NATIVE - Push Notification) is created. The notification.template
object can define a variant and locale for the notification, if needed.
If issuerFilter.environmentIds
is submitted, the service searches all listed environments for the issuer of the presented credential. If the user presents a credential that is not from one of these issuers, the verification fails with status
of VERIFICATION_FAILED
.
If issuerFilter.dids
is submitted and protocol
is OPENID4VP
, the service searches all listed decentralized identifiers (DID) for the issuer of the presented credential. If the user presents a credential that is not from one of these issuers, the verification fails with status
of VERIFICATION_FAILED
.
This issuerFilter.dids
typically contains decentralized identifiers for issuers that are not using PingOne Credentials for JWT-VC issuance. The service supports these three DID methods:
-
did:jwk - https://github.com/quartzjer/did-jwk/blob/main/spec.md
-
did:ion - https://identity.foundation/ion/ (The service supports only long-form URIs for this method)
Credential Verifications credential data data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
_links.self.href |
String | N/A | Read-only | URL to return this verification credential data. |
credentialData |
Object[] | N/A | Read-only | Array of objects containing the data found on the credential. |
credentialData.data |
Object[] | N/A | Read-only | Array of objects containing the name-value pairs found on the credential. If a credential has not yet been shared, status is INITIAL or WAITING , then returns as an empty array. |
credentialData.data.key |
String | N/A | Read-only | Name of the key of a name-value pair found on the credential. |
credentialData.data.value |
String | N/A | Read-only | Value of a name-value pair found on the credential. |
credentialData.issuerId |
String | N/A | Read-only | Identifier (UUID) of the issuer of the credential verified in the format from the credential issuer. |
credentialData.issuerLogo |
String | N/A | Read-only | Base64-encoded logo of the issuer of the credential. |
credentialData.issuerName |
String | N/A | Read-only | Name of the issuer of the credential verified. |
credentialData.type |
String | N/A | Read-only | Space-delimited list of the types of credential verified. |
credentialData.types |
String[] | N/A | Read-only | Array of the types of credential verified. |
errors |
Object[] | N/A | Read-only | Array of objects representing errors recorded when attempting an action on a credential. Refer to Credential Verifications errors object data model. |
id |
String | N/A | Read-only | Identifier (UUID) of the verification credential data. |
status |
String | N/A | Read-only | Status of the verification request; can be INITIAL , WAITING , VERIFICATION_SUCCESSFUL , VERIFICATION_FAILED , or VERIFICATION_EXPIRED . |
Credential Verifications session data data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
_links.appOpenURL.href |
String | N/A | Read-only | URL to use in a mobile browser to open a compatible wallet app, such as the PingOne Neo Sample App. |
_links.qr.href |
String | N/A | Read-only | URL to return a QR code that, when evaluated, opens the compatible wallet app to this verification. |
_links.self.href |
String | N/A | Read-only | URL to return this verification session data. |
applicationInstance.id |
String | N/A | Read-only | Identifier (UUID) of the application running the Wallet SDK on the user's device and registered with the service. |
errors |
Object[] | N/A | Read-only | Array of objects representing errors recorded when attempting an action on a credential. Refer to Credential Verifications errors object data model. |
id |
String | N/A | Read-only | Identifier (UUID) of the verification session data. |
status |
String | N/A | Read-only | Status of the verification request; can be INITIAL , WAITING , VERIFICATION_SUCCESSFUL , VERIFICATION_FAILED , or VERIFICATION_EXPIRED . |
verifiedData |
Object[] | N/A | Read-only | Array of objects containing the data found on the credential. |
verifiedData.data |
Object[] | N/A | Read-only | Array of objects containing the name-value pairs found on the credential. If a credential has not yet been shared, status is INITIAL or WAITING , then returns as an empty array. |
verifiedData.data.key |
String | N/A | Read-only | Name of the key of a name-value pair found on the credential. |
verifiedData.data.value |
String | N/A | Read-only | Value of a name-value pair found on the credential. |
verifiedData.metaData |
Object | N/A | Read-only | Contains metadata associated with the credential. |
verifiedData.metaData.issuanceDate |
String | N/A | Read-only | The date and time the credential was issued in ISO 8601 YYYY-MM-DDTHH:MM:SS.sssZ format (milliseconds optional). |
verifiedData.metaData.issuerId |
String | N/A | Read-only | Identifier (UUID) of the issuer of the credential verified in the format from the credential issuer. |
verifiedData.metaData.issuerLogo |
String | N/A | Read-only | Base64-encoded logo of the issuer of the credential. |
verifiedData.metaData.issuerName |
String | N/A | Read-only | Name of the issuer of the credential verified. |
verifiedData.metaData.verificationStatus |
String | N/A | Read-only | Verification status of the credential. Can be VALID or INVALID . |
verifiedData.type |
String | N/A | Read-only | Space-delimited list of the types of credential verified. |
verifiedData.types |
String[] | N/A | Read-only | Array of the types of credential verified. |
Credential Verifications errors object data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
errors.code |
String | N/A | Read-only | A code that indicates the error encountered by the service. Refer to Credential Verifications error codes. |
errors.target |
String | N/A | Read-only | The part of the credential that caused the error encountered by the service. |
errors.message |
String | N/A | Read-only | A message that describes the error encountered by the service. |
Credential Verifications error codes
Code | Message |
---|---|
REQUESTED_CREDENTIAL_MISSING | One or more of the requested credential types is not included in the presentation from the user. |
REQUESTED_FIELD_MISSING | One or more of the requested fields for one or more credential types is not included in the presentation from the user. |
INVALID_TOKEN | The idToken presented by the user's wallet is not valid (format or signature error). |
INVALID_CREDENTIAL | One or more of the credentials presented by the user could not be validated. Many different errors can cause this. A more specific error is returned in the errors array of the Read Credential Verification Credential Data or Read Credential Verification Session Data response. |
UNEXPECTED_ERROR | An unexpected error occurred during credential verification. |
Response codes
Code | Message |
---|---|
200 | Successful operation. |
400 | The request could not be completed. |
401 | You do not have access to this resource. |
403 | You do not have permissions or are not licensed to make this request. |
404 | The requested resource was not found. |
500 | Unexpected server error. |
Create Credential Verification Session (OPENID4VP)
Create Credential Verification Session (NATIVE)
Create Credential Verification Session (NATIVE - Push Notification)
Delete Credential Verification Session
Read One Credential Verification Status
Read Credential Verification Credential Data
Read Credential Verification Session Data
PingOne Verify
For a user to initiate an ID verification request, the client must obtain an ID verification transaction record from the ID verification service. The transaction record is created when a POST {{apiPath}}/environments/{{envID}}/users/{{userID}}/verifyTransactions
request is made.
The transaction record acts as permission for the user to engage in the verification process. The user can then submit the necessary user ID information (such as a driver license or passport) for verification by the ID Validation service. The user can also send a self-image that the ID Validation service compares to the submitted identity document, to ensure the submitter is the person on the document, and checks for liveness, to prevent fraud.
One of the challenges to identity proofing is getting high quality images from the user. Our Universal Capture frontends do the best quality verification they can, but it is still possible that the images will not pass the quality check of the identity proofing vendor. When images are taken during verification (such as submitting government documents, liveness checks, or selfies), retries can be permitted to obtain a satisfactory image for processing. The number of retries permitted, if any, are set on the Verify Policy. The user's Universal Capture interface, such as a mobile phone with an app using the PingOne Verify Native SDKs, and the verification service negotiate directly for retries when an unacceptable image is submitted and a retry is permitted. Interaction at the API level is not required.
Once verified, the transaction record also acts as a tracking mechanism to identify the user provisioned using ID Validation. This information is logged with the transaction record by the ID Validation service when the transaction ID is received by the client.
US-based Driver Licenses
Document verification provides additional verification support with American Association of Motor Vehicle Administrators (AAMVA). AAMVA offers a service, Driver's License Data Verification (DLDV), for identity proofing and vetting driver license, identity cards, mobile driver license (mDL), and other secure credentials. Most states (43) and the District of Columbia participate in DLDV. No U.S. territories participate. The states that do not participate in DLDV are:
- Alaska (under review)
- California (SSA only)
- Louisiana (SSA only)
- Minnesota (SSA only)
- New York (SSA only)
- Pennsylvania (participates but requires written permission from the individual)
- Utah (SSA only)
SSA only
indicates that only the Social Security Administration has access, not even other government agencies have access. SSA uses AAMVA for employment eligibility.
Submitting state-issued driver's license or identity document to DLDV increases the accuracy of document authentication and also checks their validity by the state government. Accuracy and validity increase by comparing the biographic data, selfie, or both with the issuing government system of record, or another authoritative commercial system of record when the government system of record is unavailable. Results of DLDV checks are returned with the results of other checks in the Verification Metadata.
Request groups
The requests are grouped by endpoints for ease of use.
Documentation | Endpoint |
---|---|
Verify policies | /environments/{{envID}}/users/{{userID}}/verifyPolicies |
Verify transactions | /environments/{{envID}}/users/{{userID}}/verifyTransactions |
Verify voice phrases | /environments/{{envID}}/voicePhrases |
Verify reference data | /environments/{{envID}}/users/{{userID}}/referenceData |
Verify identity record matching | /environments/{{envID}}/users/{{userID}}/identityRecordMatching |
Verify documents | /environments/{{envID}}/users/{{userID}}/verifyTransactions/{{transactionID}}/documents |
Verified data | /environments/{{envID}}/users/{{userID}}/verifyTransactions/{{transactionID}}/verifiedData |
Verification metadata | /environments/{{envID}}/users/{{userID}}/verifyTransactions/{{transactionID}}/metaData |
Verification metrics | /environments/{{envID}}/users/{{userID}}/verifyTransactions/{{transactionID}}/appEvents |
Verification actions | /environments/{{envID}}/users/{{userID}}/<action> |
Verify Policies
With verify policies, you can:
- Configure what is required to verify a user.
- Configure parameters for verification, such as the number of one-time password (OTP) attempts and OTP expiration.
You can create as many verify policies as needed to satisfy every verification scenario.
Verify policies can perform any of ten checks:
-
Government identity document - Validate a government-issued identity document, which includes a photograph, and can optionally compare biographic data extracted from the government-issued identity document to biographic data provided by the client from their records
-
AAMVA - For US-based government identity documents, you can enable system of record verification, using American Association of Motor Vehicle Administrators(AAMVA) Driver's License Data Verification (DLDV, for environments in the North America region (licensed separately) on the governmentID configuration object. This is an option to government identity document verification.
-
Aadhaar - For India-based government Aadhaar documents, you can enable system of record verification, using Unique Identification Authority of India (UIDAI), of the resident's unique identification (UID) number, termed Aadhaar. The resident submits images of their Aadhaar card, the UID, and a selfie, and must successfully respond to a one-time passcode (OTP) sent to the mobile phone linked to their Aadhaar account. This is an option to government identity document verification. If Aadhaar is enabled, the verify policy must have facial comparison
REQUIRED
. If Aadhaar is enabled and initial evaluation of the submitted document indicates an Aadhaar document, Veriff is the provider irrespective of thegovernmentId.provider
object. -
Facial comparison - Compare a self-image to a reference photograph, such as on a government ID or previously verified photograph
-
Liveness - Inspect a self-image for evidence that the subject is alive and not a representation, such as a photograph or mask, and that the image is not an injection attack, such as a 3D rendering or deep fake
-
Identity record matching - Compare submitted biographic data (address, birth date, full name, given name, or family name) to an identity record
-
Email - Receive a one-time password (OTP) on an email address and return the OTP to the service
-
Phone - Receive a one-time password (OTP) on a mobile phone and return the OTP to the service
-
Voice - Compare a voice recording to a previously submitted reference voice recording
-
Credentials - Verify a presented digital credential
A verify policy defines which of the ten checks are performed for a verification transaction and configures the parameters of each check. The checks can be either required or optional. All checks are performed for every document type received regardless of whether any check fails. If a type is optional, then the transaction can be processed with or without the documents for that type. If the documents are provided for that type and the optional type verification fails, it will not cause the entire transaction to fail.
Injection attack detection check (IAD) is performed automatically when liveness check is required, after the liveness check is performed. When face comparison is required or both face comparison and liveness are required, the following rules apply:
-
If face comparison and liveness are required: Face comparison check is performed and liveness check is performed then IAD is performed. If data collection only is set, face comparison and liveness checks are skipped and only IAD is performed.
-
If face comparison is required and liveness is not required: Face comparison check is performed and, if successful, IAD is performed regardless of the state of data collection only.
-
If face comparison is not required and liveness is required: Liveness check is performed then IAD is performed. If data collection only is set liveness checks is skipped and IAD is performed.
Available to a verify policy for any of the checks is the optional data collection only mode, when dataCollectionOnly
is set to true
(found in the transaction configuration object). In data collection only mode, the user submits all documents defined by the policy, but the service verifies none of them. Once submitted, you can retrieve the documents with Read All Verification Documents or Read One Verification Document.
You assign one verify policy as the default policy. When you create a verification transaction, a verify policy identifier is preferred, but not required. If you create a verification transaction without a policy identifier, the default policy is applied. You cannot delete a policy set as the default policy, you must first assign a different policy as the default and then delete this policy. Use the Update Verify Policy request to change the default policy or use the Create Verify Policy to create a new default policy by setting its default
to true
. The initial default policy, provided by PingOne Verify, performs government identity document, facial comparison, and liveness checks.
Verify policies also permit voice enrollment. Voice enrollment requires a verify policy that has enrollment
set to true
. When you prepare a voice enrollment, you Create Verify Transaction that references that verify policy with enrollment
set to true
. Subsequent voice verification requires a verify policy that has enrollment
set to false
. When you prepare a voice verification, you Create Verify Transaction that references that verify policy with enrollment
set to false
.
Verify policy data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
createdAt |
String | N/A | Read-only | Date and time the verify policy was created |
default |
Boolean | Optional | Mutable | Required as true to set this verify policy as the default policy for the environment; otherwise optional and defaults to false |
description |
String | Optional | Mutable | Description displayed in PingOne Admin UI, 1-1024 characters |
email |
Object | Optional | Mutable | email and phone configuration object |
environment.id |
String | Required | Immutable | Ping environment identifier (UUID) for user |
facialComparison |
Object | Optional | Mutable | facialComparison configuration object |
governmentId |
Object | Optional | Mutable | governmentID configuration object |
id |
String | N/A | Read-only | Policy identifier (UUID) |
identityRecordMatching |
Object | Optional | Mutable | identityRecordMatching configuration object |
liveness |
Object | Optional | Mutable | liveness configuration object |
name |
String | Required | Mutable | Name displayed in PingOne Admin UI |
phone |
Object | Optional | Mutable | email and phone configuration object |
transaction |
Object | Optional | Mutable | transaction configuration object |
updatedAt |
String | N/A | Read-only | Date and time the verify policy was updated. Can be null. |
voice |
Object | Optional | Mutable | voice configuration object |
governmentID configuration object
The GOVERNMENT_ID
configuration object includes BIOGRAPHIC_MATCHING
in the policy (if biographic data is provided when the client creates a verify transaction), but results are returned separately in Verification Metadata.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
aadhaar |
Object | Optional | Mutable | Aadhaar configuration |
aadhaar.enabled |
Boolean | Optional | Mutable | Whether Aadhaar verification is enabled or not |
aadhaar.otp |
Object | Optional | Mutable | Aadhaar one-time password (OTP) configuration |
aadhaar.otp. deliveries |
Object | Required | Mutable | OTP delivery configuration |
aadhaar.otp. deliveries. coolDown |
Object | Required | Mutable | Cooldown (waiting period between OTP deliveries) configuration |
aadhaar.otp. deliveries. coolDown. duration |
Integer | Required | Mutable | Cooldown duration configuration; can be 60-1800 seconds (1-30 minutes) |
aadhaar.otp. deliveries. coolDown. timeUnit |
String | Required | Mutable | Time unit of cooldown duration: SECONDS or MINUTES |
aadhaar.otp. deliveries. count |
Integer | Required | Mutable | Maximum number of OTP deliveries. Must be 1 to 3. |
failExpiredId |
Boolean | Optional | Mutable | Whether the Government ID verification fails when the document is expired |
inspectionType |
String | Optional | Mutable | Determine whether document authentication is automated, manual, or possibly both. Can be AUTOMATIC , MANUAL , or STEP_UP . Refer to notes following this table. |
provider.auto |
String | Optional | Mutable | Provider to use for the automatic verification service. Can be MITEK (the default) or VERIFF |
provider.manual |
String | Optional | Mutable | Provider to use for the manual verification service. Can be MITEK |
retry.attempts |
Integer | Optional | Mutable | Number of retries permitted when submitting images. Must be 0 (no retries permitted) to 3. |
verify |
String | Required | Mutable | Controls if Government ID verification is REQUIRED , OPTIONAL , or DISABLED |
verifyAamva |
Boolean | Optional | Mutable | Whether AAMVA DLDV verification is enabled for supported driver licenses |
Options for inspectionType
are:
-
AUTOMATIC
invokes automated identification inspection only -
MANUAL
invokes manual identification inspection only (additional license required) -
STEP_UP
invokes automated identification inspection and, if that fails, invokes manual identification inspection (additional license required)
If verify
is set to DISABLED
, inspectionType
is optional and ignored if used.
If inspectionType
is not used, it defaults to the highest option available to the license capabilities in your environment. Similarly, availability of the options depend on the license capabilities of your environment. For example, if your environment is only licensed for automated identification inspection, then MANUAL
and STEP_UP
will not be available.
facialComparison configuration object
If Aadhaar is enabled in the GOVERNMENT_ID
configuration object, the FACIAL_COMPARISON
configuration object must have verify
set to REQUIRED
.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
threshold |
String | Required | Mutable | Threshold for successful facial comparison. Can be LOW , MEDIUM , or HIGH (for which PingOne Verify uses industry and vendor recommended definitions). |
verify |
String | Required | Mutable | Controls if facial comparison is REQUIRED , OPTIONAL , or DISABLED |
liveness configuration object
The LIVENESS
configuration object includes INJECTION_DETECTION
in the policy, but results are returned separately in Verification Metadata.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
retry.attempts |
Integer | Optional | Mutable | The number of times a user can retake a selfie if prior attempt fails due to photo quality issues. Possible values for selfie retry attempts are 0-3. |
threshold |
String | Required | Mutable | Threshold for successful facial comparison. Can be LOW , MEDIUM , or HIGH (for which PingOne Verify uses industry and vendor recommended definitions). |
verify |
String | Required | Mutable | Controls if liveness check is REQUIRED , OPTIONAL , or DISABLED |
identityRecordMatching configuration object
If governmentId.verify
is DISABLED
, then identity record matching is disabled. To enable identity record matching, at least one field must be defined with a threshold
. If identity record matching is enabled and biographic data is provided when the client creates a verify transaction, results are returned separately in Verification Metadata.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
address |
String | Optional | Mutable | Address of the user. |
address.fieldRequired |
Boolean | Required | Mutable | Whether the field is required or not |
address.threshold |
String | Required | Mutable | Threshold for successful address comparison. Can be LOW , MEDIUM , or HIGH (for which PingOne Verify uses industry and vendor recommended definitions). |
birth_date |
String | Optional | Mutable | Birth date of the user. |
birth_date.fieldRequired |
Boolean | Required | Mutable | Whether the field is required or not |
birth_date.threshold |
String | Required | Mutable | Threshold for successful birth date comparison. Can be LOW , MEDIUM , or HIGH (for which PingOne Verify uses industry and vendor recommended definitions). |
family_name |
String | Optional | Mutable | Family name of the user. |
family_name.fieldRequired |
Boolean | Required | Mutable | Whether the field is required or not |
family_name.threshold |
String | Required | Mutable | Threshold for successful family name comparison. Can be LOW , MEDIUM , or HIGH (for which PingOne Verify uses industry and vendor recommended definitions). |
given_name.fieldRequired |
Boolean | Required | Mutable | Whether the field is required or not |
given_name |
String | Optional | Mutable | Given name of the user. |
given_name.threshold |
String | Required | Mutable | Threshold for successful given name comparison. Can be LOW , MEDIUM , or HIGH (for which PingOne Verify uses industry and vendor recommended definitions). |
name |
String | Optional | Mutable | Full name of the user. |
name.fieldRequired |
Boolean | Required | Mutable | Whether the field is required or not |
name.threshold |
String | Required | Mutable | Threshold for successful full name comparison. Can be LOW , MEDIUM , or HIGH (for which PingOne Verify uses industry and vendor recommended definitions). |
email and phone configuration object
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
createMfaDevice |
Boolean | Optional | Mutable | When enabled, PingOne Verify registers the email address or phone number with PingOne MFA as a verified MFA device |
otp |
Object | Optional | Mutable | SMS/Voice/Email one-time password (OTP) configuration |
otp. attempts |
Object | Required | Mutable | OTP attempts configuration |
otp. attempts. count |
Integer | Required | Mutable | Maximum number of attempts to type the OTP |
otp. deliveries |
Object | Required | Mutable | OTP delivery configuration |
otp. deliveries. coolDown |
Object | Required | Mutable | Cooldown (waiting period between OTP deliveries) configuration |
otp. deliveries. coolDown. duration |
Integer | Required | Mutable | Cooldown duration configuration; can be 0-1800 seconds (0-30 minutes) |
otp. deliveries. coolDown. timeUnit |
String | Required | Mutable | Time unit of cooldown duration: SECONDS or MINUTES |
otp. deliveries. count |
Integer | Required | Mutable | Maximum number of OTP deliveries |
otp. lifeTime |
Object | Required | Mutable | The length of time for which the OTP is valid |
otp. lifeTime. duration |
Integer | Required | Mutable | OTP duration configuration. Can be 60-1800 seconds (1-30 minutes) |
otp. lifeTime. timeUnit |
String | Required | Mutable | Time unit of OTP duration configuration: SECONDS or MINUTES |
otp. notification |
Object | Required | Mutable | OTP notification template configuration; for more information about templates, refer to Notifications Templates |
otp. notification. templateName |
String | Required | Mutable | Name of the template to use to pass a one-time passcode; must be email_phone_verification |
otp. notification. variantName |
String | Optional | Mutable | Name of the template variant to use to pass a one-time passcode |
verify |
String | Required | Mutable | Controls if email or phone verification is REQUIRED , OPTIONAL , or DISABLED |
The notification.variantName
in the email
and phone
configuration objects can define a variant for the email_phone_verification
notification submitted in notification.templateName
, if needed. After receipt of a Create Verify Transaction request, the verification service uses an email_phone_verification
notification template to send notice of the action taken to the user via email or SMS text.
transaction configuration object
In the verify transaction response is expiresAt
. Transactions do not allow users an unlimited amount of time to submit verification data and complete the verify transaction. If the verify transaction is not completed before the expiresAt
date and time, the transaction fails. If all required documents are collected but are still being processed when expiresAt
is reached, document processing continues and the transaction either passes or fails based on the processing result. The default verify transaction timeout is 30 minutes from transaction creation.
Furthermore, data collection is also time-constrained. (Data collected, such as the images of documents and images of the user ("selfies"), are required by the verification service.) Data collection time starts when the user initiates data collection using PingOne Verify web or native SDK. If required data are not submitted by the lesser of the data collection timeout and the time remaining before expiresAt
, the transaction fails. The default data collection timeout is 15 minutes from the start of data collection.
To understand the timeouts, particularly the data collection timeout, an example may help. Let us say that the verify transaction timeout is 30 minutes and the data collection timeout is 15 minutes. If the user does not begin data collection for 18 minutes, the data collection timeout becomes 12 minutes - the lesser of the data collection timeout (15 minutes) and the remaining time before expiresAt
(12 minutes).
You can create a new verify policy or update an existing verify policy to use different timeouts.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
dataCollection |
Object | Optional | Mutable | Object for data collection timeout definition |
dataCollection. timeout |
Object | Required | Mutable | Object for data collection timeout |
dataCollection. timeout. duration |
Integer | Required | Mutable | Length of time before data collection timeout expires. Can be 0-1800 seconds (0-30 minutes) |
dataCollection. timeout. timeUnit |
String | Required | Mutable | Time unit of data collection timeout. Can be SECONDS or MINUTES |
dataCollectionOnly |
Boolean | Optional | Mutable | When true, collects documents specified in the policy without determining their validity; defaults to false |
timeout |
Object | Optional | Mutable | Object for transaction timeout |
timeout. duration |
Integer | Required | Mutable | Length of time before transaction timeout expires. Can be 60-1800 seconds (1-30 minutes) |
timeout. timeUnit |
String | Required | Mutable | Time unit of transaction timeout. Can be SECONDS or MINUTES |
If dataCollectionOnly
is true
, documents submitted by a user are retained and available from Verify Documents, but are not verified. Additionally, when the verification policy requires facialComparison configuration object or liveness configuration object, injection attack detection is still automatically performed.
voice configuration object
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
comparison. threshold |
String | Required | Mutable | Comparison threshold. Can be LOW , MEDIUM , or HIGH |
enrollment |
Boolean | Required | Mutable | Controls if the transaction performs voice enrollment (true ) or voice verification (false ) |
liveness. threshold |
String | Required | Mutable | Liveness threshold. Can be LOW , MEDIUM , or HIGH |
referenceData |
Object | Optional | Mutable | Object for configuration of reference data stored per user for voice verification |
referenceData. retainOriginalRecordings |
Boolean | Optional | Mutable | Controls if the service stores the original voice recordings; defaults to false |
referenceData. updateOnReenrollment |
Boolean | Optional | Mutable | Controls updates to user's voice reference data (voice recordings) upon user re-enrollment. If true , new data adds to existing data. If false , new data replaces existing data. |
referenceData. updateOnVerification |
Boolean | Optional | Mutable | Controls updates to user's voice reference data (voice recordings) upon user verification. If true , new data adds to existing data. If false , new voice recordings are not retained as reference data. |
textDependent |
Object | Optional | Mutable | Object for configuration of text dependent voice verification |
textDependent. phrase. id |
String | Required | Mutable | Identifier (UUID) of the voice phrase to use |
textDependent. samples |
Integer | Required | Mutable | Number of voice samples to collect |
verify |
String | Required | Mutable | Controls if voice verification is REQUIRED , OPTIONAL , or DISABLED |
Create Verify Policy
Read All Verify Policies
Read One Verify Policy
Update Verify Policy
Delete Verify Policy
Verify Transactions
For each verification attempt, all the necessary information is gathered in a transaction. The verifyTransactions
endpoint, /environments/{{envID}}/users/{{userID}}/verifyTransactions
, receives all read, status, and control requests associated with the verification attempt.
In the responses is the verificationStatus
object, a list that indicates the verification types being verified by the service and the verification status of each step. The verification types are keys in the list and the verification status is the value in the list.
The verification types for a verify transaction are determined from the verify policy.
In the response is expiresAt
. Transactions do not allow users an unlimited amount of time to submit verification data and complete the verify transaction. If the verify transaction is not completed before the expiresAt
date and time, the transaction fails. If all required documents are collected but are still being processed when expiresAt
is reached, document processing continues and the transaction either passes or fails based on the processing result. The default verify transaction timeout is 30 minutes from transaction creation.
Furthermore, data collection is also time-constrained. (Data collected, such as the images of documents and images of the user ("selfies"), are required by the verification service.) Data collection time starts when the user initiates data collection using PingOne Verify web or native SDK. If required data are not submitted by the lesser of the data collection timeout and the time remaining before expiresAt
, the transaction fails. The default data collection timeout is 15 minutes from the start of data collection.
To understand the timeouts, particularly the data collection timeout, an example may help. Let us say that the verify transaction timeout is 30 minutes and the data collection timeout is 15 minutes. If the user does not begin data collection for 18 minutes, the data collection timeout becomes 12 minutes - the lesser of the data collection timeout (15 minutes) and the remaining time before expiresAt
(12 minutes).
You can create a new verify policy or update an existing verify policy to use different timeouts.
Verify transaction data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
callback |
Object | Optional | Immutable | Object containing a callback target. The first time a transaction transitions to SUCCESS or FAIL (expired transactions are ignored when they transition to FAIL), the service makes one GET request to the URL with the expected headers. |
callback.headers |
Object | Optional | Immutable | Object containing request header fields to include with the callback request. Can contain any number of key-value pairs where the key is a header field name and its value is the header field value, which cannot be null. Duplicate keys are not permitted. |
callback.url |
String | Required | Immutable | The URL to which a callback is sent. Must use HTTPS protocol and be a valid URL. |
createdAt |
DateTime | N/A | Read-only | Date and time the ID verification request was sent |
environment.id |
String | Required | Immutable | PingOne environment identifier (UUID) for user |
expiresAt |
DateTime | N/A | Read-only | Date and time the ID verification expires. A null value indicates it never expires. |
id |
String | N/A | Read-only | Transaction identifier (UUID) |
qrUrl |
String | N/A | Read-only | A link to retrieve a QR code image encoded with webVerificationUrl |
redirect |
Object | Optional | Mutable | Contains the URL and user message for where users are redirected after document collection. |
requirements |
Object | Optional | Mutable | Contains one or more objects that contain information used by the service: requirements object |
sendNotification |
Object | Optional | Mutable | Endpoint to which notifications are sent: sendNotification object |
transactionStatus |
Object | Required | Immutable | Status of the transaction: transactionStatus object |
updatedAt |
DateTime | N/A | Read-only | Date and time the response was received by the identity provider; can be null |
user.id |
String | Required | Immutable | Identifier (UUID) for the user submitting the verify transaction |
verifyPolicy.id |
String | Optional | Mutable | Identifier (UUID) of the verify policy |
webVerificationCode |
String | N/A | Read-only | A code used to identify a particular transition from the desktop web interface to the mobile web interface |
webVerificationUrl |
String | N/A | Read-only | A link to continue the transition from the desktop web interface to the mobile web interface. Refer to the note regarding query parameter options following this table. |
The webVerificationUrl
has query parameter options:
-
You can append a
&dt=1
query parameter towebVerificationUrl
. You can offer to redirect your users to a mobile or desktop browser-based verification. By default, on laptop or desktop browsers, you present to the user a page with the QR code to continue verification on their mobile device. A&dt=1
query parameter also permits verification on laptop or desktop browsers. -
Deprecated - This query parameter is replaced by
message
in the redirect object. You can append a&redirectMessage=<message>
query parameter towebVerificationUrl
, where<message>
is an unquoted, URL-encoded text string. The message appears after document collection. For example:&redirectMessage=You%27ve%20successfully%20collected%20all%20document%2e%20Return%20to%20registration
. -
Deprecated - This query parameter is replaced by
url
in the redirect object. You can append a&redirectUrl=<redirect URL>
query parameter towebVerificationUrl
, where<redirect URL>
is a URL-encoded redirect URL. The redirect URL appears after document collection. For example:&redirectUrl=https%3A%2F%2Fhome.example.com%2Fs%2Fmembership
.
redirect object
Used only in the request body of Create Verify Transaction and never returned by any API response.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
redirect.url |
String | Required | Mutable | The redirect URL where the user is returned to after document collection |
redirect.message |
String | Optional | Mutable | The message presented to the user after document collection but before redirecting to the redirect.url |
requirements object
Biographic matching occurs when the Verify Policy includes governmentId
and the Create Verify Transaction includes the optional biographic matching data requirements
(given_name
, family_name
, name
, address
, and birth_date
). If the client does not provide biographic matching data, the service performs the verifications required by the verify policy. If the client does provide biographic matching data, the service performs the verifications required by the verify policy and then compares the data extracted from the government identity document to the data provided by the client.
Identity record matching occurs when the Verify Policy includes governmentId
and the Create Verify Transaction includes the optional biographic matching data requirements
(given_name
, family_name
, name
, address
, and birth_date
). If the identityRecordMatching configuration object has at least one field defined with a threshold
and the client does not provide biographic matching data corresponding to the required fields in the identityRecordMatching
configuration object, an error is returned. If the client does provide biographic matching data, the service performs the verifications required by the verify policy and then compares the data extracted from the government identity document to the data provided by the client. If name
required by the identityRecordMatching
configuration object but only given_name.value
and family_name.value
are submitted in requirements, given_name.value
and family_name.value
will be combined as name
.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
address |
Object | Optional | Immutable | Object containing an array of addresses; can contain value or options , but not both |
address.options |
String[] | Required/Optional | Immutable | An array of addresses |
address.value |
String | Required/Optional | Immutable | One address |
birth_date |
Object | Optional | Immutable | Object containing the birth date; can contain value or options , but not both |
birth_date.options |
String[] | Required/Optional | Immutable | An array of one birth date in YYYY-MM-DD format; more than one element is not supported. |
birth_date.value |
String | Required/Optional | Immutable | One birth date in YYYY-MM-DD format |
email |
Object | Optional | Immutable | Object containing an array of email addresses. |
email.options |
String[] | Required | Immutable | An array of email addresses to send email one-time password to. |
email.value |
String[] | Required | Immutable | One address to send email one-time password to. |
family_name |
Object | Optional | Immutable | Object containing the family name; can contain value or options , but not both |
family_name.options |
String[] | Required/Optional | Immutable | An array of family names |
family_name.value |
String | Required/Optional | Immutable | One family name |
given_name |
Object | Optional | Immutable | Object containing given names; can contain value or options , but not both |
given_name.options |
String[] | Required/Optional | Immutable | An array of given names |
given_name.value |
String | Required/Optional | Immutable | One given name |
name |
Object | Optional | Immutable | Object containing the full name (given name and family name); can contain value or options , but not both |
name.options |
String[] | Required/Optional | Immutable | An array of full names |
name.value |
String | Required/Optional | Immutable | One full name |
phone |
Object | Optional | Immutable | Object containing a mobile phone number. Refer to Note on phone property. |
phone.options |
String | Required | Immutable | An array of mobile phone numbers to send SMS text one-time password (OTP) to. |
phone.value |
String | Required | Immutable | Mobile phone number to send SMS text one-time password (OTP) to. |
referenceSelfie |
Object | Required/Optional | Immutable | Object containing a reference self image. Required when, in the verify policy referenced by verifyPolicy.id (or the default verify policy), facialComparison.verify is REQUIRED and governmentID.verify is DISABLED . Otherwise, referenceSelfie is ignored. |
referenceSelfie.value |
String | Required | Immutable | A base64-encoded reference self image. Image must be JPEG format. |
Note on phone property
When a phone number is needed, a valid phone number string must be provided in international format consisting of a leading plus sign, 1 to 3-digit country code, and 4 to 14-digit phone number, for example, +14155552671.
Always include the country code in the value you provide for the phone parameter. Phone formats across the globe are constantly expanding and changing. If the country code is not included, issues might occur with message delivery.
The following sample shows acceptable valid phone attribute formatting for the same number:
+1.5125201234
+15125201234
+1.512.520.1234
+1 (512) 520-1234
sendNotification object
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
email |
String | Optional | Mutable | The email address to send email verification notifications to |
phone |
String | Optional | Mutable | The phone number to send SMS text verification notifications to. Refer to the note regarding phone numbers following the requirements object table. |
results |
Object[] | N/A | Read-only | Array of objects that contain the results of attempts to notify the user. Provided only in the response to Create Verify Transaction. |
results.error |
Object | N/A | Read-only | Contains information regarding why a notification failed to send. |
results.error.code |
String | N/A | Read-only | A short alphanumeric code identifying the error. |
results.error.details |
Object[] | N/A | Read-only | Array of objects that contain details of the error as provided by the source of the error. Exact format varies by source. |
results.error.id |
String | N/A | Read-only | Identifier (UUID) of the error message. |
results.error.message |
String | N/A | Read-only | A textual message explaining the error. |
results.method |
String | N/A | Read-only | Method used in the attempt to notify the user; can be EMAIL or SMS . |
results.notification.id |
String | N/A | Read-only | Identifier (UUID) of the notification that was sent. |
results.sent |
Boolean | N/A | Read-only | Whether the notification was successfully sent. |
transactionStatus object
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
providerMessagesList |
Object | Optional | Immutable | Present when one or more verification types fail |
providerMessagesList.messages |
Object | Required | Immutable | Contains name-value pairs where name is the error code and value is a textual error description. Some error messages are listed in Verification error messages. |
providerMessagesList.providerId |
String | Required | Immutable | A generic descriptor of the provider; can be ID_VALIDATION , Mitek , Amazon , IdFace , or IdVoice |
providerMessagesList.verificationType |
String | Required | Immutable | Verification type to which the message applies; refer to Verification types |
status |
String | Required | Mutable | Status of the transaction, an enumerated list |
verificationStatus |
Object | Required | Immutable | Contains name-value pairs where name is a verification type and value is the status of the verification type, an enumerated list |
Transaction level status definitions
Status | Definition |
---|---|
APPROVED_MANUALLY | The administrator has decided to override the result of the verification. The service providers were unable to provide a positive response but the administrator was able to peruse the physical documents. |
APPROVED_NO_REQUEST | The administrator perused the physical documents of the user and approved the request without the need for third party verification. |
FAIL | All of the service providers have responded and some of the results are not positive. The transactionStatus object contains error messages. |
IN_PROGRESS | The user scanned the QR code and submitted the data. The service prepares to submit the data to third party providers. |
INITIATED | User has started collecting documents but has not sent them to the service to be processed. |
NOT_REQUIRED | The administrator has decided that this user does not require to be verified. |
PARTIAL | Some, but not all, service providers have responded. The service is waiting on responses from other providers. |
REQUESTED | The transaction is initiated but user has not scanned the QR code or submitted the data. |
SUCCESS | All of the service providers have responded and the result of the verification is positive from all providers. |
Verification types
Verification type | Definition |
---|---|
Verifies the user's email address by sending a one time password (OTP) and having the user send that to PingOne Verify. | |
FACIAL_COMPARISON_GOVERNMENT_ID | Accepts a new self-image (selfie) and compares it to the image on the government identity document. |
FACIAL_COMPARISON_REFERENCE_SELFIE | Accepts a new selfie and a reference selfie and compares the two selfies. |
GOVERNMENT_ID | Accepts a government-issued identity document, such as drivers license or passport, and verifies it with verification providers. |
IDENTITY_RECORD_MATCHING | Accepts biographic data and verifies it to identity document data. |
LIVENESS | Accepts a single selfie and checks it for liveness. |
PHONE | Verifies the user's phone number by sending an OTP and having the user send that to PingOne Verify. |
VOICE_ENROLLMENT | Performs voice enrollment with recordings provided by the user or by PingOne Verify's customer. |
VOICE_VERIFICATION | Performs voice verification with 1 recording provided by the end user or by PingOne Verify's customer. |
Verification type level status definitions
Status | Definition |
---|---|
DEPENDENCY_FAILED | Another verification type already failed and this verification type is not being processed. For example, Government ID will not be verified if the Facial Comparison or Liveness check failed. |
DOCUMENT_COLLECTED | Documents were collected but not processed. |
FAIL | The verification type completed and the result is not positive. The transactionStatus object contains error message. |
IN_PROGRESS | The user has submitted the data and the service will perform the verification type. |
MANUAL_INSPECTION | For government ID only: Verification submitted for manual inspection. |
OTP_RETRYABLE | One Time Passcode (OTP) was returned but did not match the code sent. Retries are permitted if the retry count is less than the maximum. |
OTP_SENT | One Time Passcode (OTP) was sent to the user. |
OTP_VERIFIED | One Time Passcode (OTP) was returned by the user and verified. |
REQUESTED | The verification type is requested but the user has not submitted the data. |
RETRYABLE | The verification type completed but the image submitted is unacceptable. Retries are permitted, the retry count is less than the maximum, and the transaction has not timed out. |
SUCCESS | The verification type completed and the result is positive. |
TRANSACTION_TIMED_OUT | Transaction was not completed within the timeout period. |
Verification error messages
Errors returned vary by vendor:
Mitek errors
API errors
If the transaction receives an error for reason code 144, DOCUMENT_IMAGES_MISMATCH - Document images do not match input type, you can ask the user to retry taking a document image.
Reason Code |
Error Code | Message |
---|---|---|
100 | INTERNAL_ERROR | Internal Error |
101 | NO_RECORD | No record found |
102 | VALIDATION_IN_PROGRESS | Validation process has already been started |
103 | MISSING_SHOCARD_ID | Shocard Id is missing |
104 | MISSING_PUBLIC_KEY | App public key is not set |
105 | MISSING_CLAIM | Claim is missing |
106 | LIMIT_EXCEEDED | Exceeded number of validation requests |
107 | INVALID_REQUEST | Invalid Request |
108 | MISSING_DATA | Missing Shared data in request |
109 | DECRYPTION_ERROR | Error in decrypting data |
110 | FACE_VALIDATION_ERROR | Face validation failed |
111 | DOCUMENT_VALIDATION_ERROR | Document validation failed |
112 | DOCUMENT_VALIDATION_MISSING_DATA_ERROR | Document validation missing data |
113 | DOCUMENT_VALIDATION_INTERNAL_ERROR | Document validation internal error |
114 | JSON_READ_ERROR | JSON read error |
115 | JSON_WRITE_ERROR | JSON write error |
116 | FAILED_GETTING_TRANS_STATUS | Failed getting transaction status |
117 | INVALID_TRANSACTION_STATE | Invalid transaction state |
118 | DOCUMENT_VALIDATION_PROVIDER_INTERNAL_ERROR | Document validation provider internal error |
119 | DOCUMENT_VALIDATION_PROCESSING_RESULT_ERROR | Document validation processing result error |
120 | VALIDATION_NOT_IN_REQUESTED_STATUS | Validation status not in the REQUESTED STATUS |
121 | ENVIRONMENT_COULD_NOT_BE_FOUND | Could not find Environment |
122 | VERIFICATION_CAPABILITIES_ERROR | Environment does not have verification capabilities |
123 | ORGANIZATION_COULD_NOT_BE_FOUND | Could not find Organization |
124 | ORGANIZATION_QUOTA_ERROR | No organization quota |
125 | ORGANIZATION_QUOTA_DATE_ERROR | Current date is out of quota dates range |
126 | MISSING_UNIQUE_TOKEN | Missing/invalid unique token |
127 | PUBLIC_KEY_NOT_EMPTY | App public key has already been set |
128 | VERIFY_STATUS_NOT_INITIATED | verifyStatus not initiated |
129 | VERIFY_STATUS_IS_DISABLED | verifyStatus is disabled |
130 | LIVENESS_VALIDATION_ERROR | Liveness validation failed |
139 | DUPLICATE_RECORD_ERROR | There is an existing record |
140 | VALIDATION_NOT_IN_THE_EXPECTED_STATUS | Validation status not in the Expected STATUS |
141 | DOCUMENT_AGENT_ASSIST_INTERNAL_ERROR | Document agent assist internal error |
142 | DOCUMENT_AGENT_ASSIST_RESULT_ERROR | Document agent assist processing result error |
143 | DOCUMENT_AGENT_ASSIST_REQUEST_ERROR | Document agent assist processing result error |
144 | DOCUMENT_IMAGES_MISMATCH | Document images do not match input type |
145 | DEPENDENCY_FAILED | Verification not performed because a dependency failed |
146 | TRANSACTION_TIMEOUT | Transaction timeout exceeded |
147 | DATA_COLLECTION_TIMEOUT | Data collection timeout exceeded |
148 | DATA_COLLECTION_ONLY_NOT_SUPPORTED | Data collection only not supported |
149 | EXPIRED_GOVERNMENT_ID | Government ID is expired |
150 | OTP_ATTEMPTS_EXCEEDED | OTP attempts exceeded |
151 | OTP_SESSION_EXPIRED | OTP session expired |
152 | OTP_DELIVERY_FAILED | Failed to deliver OTP |
153 | MISSING_VERIFY_CONFIG | VerifyPolicy could not be found |
154 | INVALID_PROVIDER_CREDENTIAL_KEY | Invalid Credential Key |
155 | VOICE_ENROLLMENT_FAILED | Voice Enrollment failed |
156 | VOICE_VERIFICATION_FAILED | Voice Verification failed |
157 | VOICE_ENROLLMENT_NOT_FOUND | User has not enrolled in Voice verification |
158 | VOICE_RECORDING_SPOOFED | Voice recording liveness check failed |
159 | VOICE_RECORDING_POOR_QUALITY | Voice recording quality too poor |
160 | VOICE_RECORDING_SPEECH_SHORT | Voice recording speech length is too short |
161 | VOICE_SAMPLES_DONT_MATCH | Voice enrollment samples do not match |
162 | VOICE_MATCH_SCORE_TOO_LOW | Voice match score too low |
163 | VOICE_RECORDING_CHANNEL_CONFLICT | Voice recording channel conflict |
164 | PHONE_VALIDATION_ERROR | Phone validation failed |
Processing reasons for document verification (automated)
If the transaction receives an error for reason codes marked Yes
in the Retry column, you can ask the user to retry taking a document image.
Reason Code |
Message | Description | Retry |
---|---|---|---|
200 | Image quality check failed. | The image has failed image quality check. | Yes |
201 | The image is not sharp. | The image is out of focus. | Yes |
202 | The image has glare. | Glare was found on the document preventing extraction or authentication. | Yes |
203 | The image is too dark. | The image is too dark. | Yes |
204 | The document on the image is too small. The amount of the image that the document takes up is too small. | Retake Image - Try changing from portrait to landscape mode or getting closer to the image. | Yes |
205 | The ID document could not be found. This can be caused by the image not showing all four corners of the document. | Retake Image - Ensure all four sides of the document are visible. | Yes |
206 | The type of ID document could not be determined. | The type of document could not be identified. This could be caused by a low quality image or it could be a document that is not supported. | Yes |
208 | Invalid Image Type The encoding of the image is incorrect. It is not in a format that Mitek is able to process. | Take a new image in a supported format. | Yes |
209 | Image is too small The input image had a width or height less than 400 pixels. | Take a larger image. | Yes |
210 | Image processing failed after resizing. The input image had a width or height greater than 2000 pixels and was resized. You will only receive this message if processing failed after resizing. | Take a smaller image. | Yes |
211 | The authenticator could not run because the input image was missing | The authenticator was not able to assess the document because the input image was missing. Ensure that at least one image of an identity document was captured and submitted in the service request. | Yes |
212 | The image quality of the authenticator input image was poor. | The authenticator was not able to assess the document because the image quality was too poor. Have the consumer capture a better quality image. | Yes |
500 | The barcode could not be found. | The document was classified as a type that contains a barcode but the barcode could not be found. | |
501 | The barcode could not be extracted. | The barcode was found but could not be read. | |
502 | The barcode could not be parsed. | The barcode was read but the resulting data was not in the expected format. | |
503 | The barcode could not be processed | A problem was encountered when trying to process barcode extraction and parsing. | |
510 | No data could be extracted for this document. | Data could not be extracted | |
511 | Data could not be extracted from the back of the document. | Data could not be extracted from the back of the document. | |
512 | The front of the ID document could not be extracted. | The front of the ID document could not be extracted. | |
513 | Document not supported for extraction | The document may or may not be classified but it is currently not supported for extraction. | |
520 | Data extraction was performed, but the system didn't accept the results. | The data was extracted, but did not pass our additional checks to ensure the extraction is accurate. | |
600 | The Enhanced Security Feature (ESF) was expected for this type of document and not found. The document should have contained an ESF feature but no ESF was found. | ||
601 | Only part of the Enhanced Security Feature (ESF) was found; the ID document may have been altered. | Only part of the Enhanced Security Feature (ESF) was found; the ID document may have been altered. | |
602 | Only part of the Enhanced Security Feature (ESF) was found; the ID document may have been altered. | Only part of the Enhanced Security Feature (ESF) was found; the ID document may have been altered. | |
603 | The Enhanced Security Feature (ESF) was found but shows evidence of tampering. | The Enhanced Security Feature (ESF) was found but shows evidence of tampering. | |
610 | The picture area could not be identified. | The portrait on the document could not be located. | |
611 | The picture image quality is too low. the portrait image quality is loo low. | Retake Image | |
612 | The picture image has poor exposure. The picture image has poor exposure. | Retake Image | |
620 | No MRZ was found on the document. | The document was expected to have an MRZ on it based on its classification but no MRZ could be found. | |
621 | The MRZ was detected but was not in the proper format. | The MRZ was detected but was not in the proper format. | |
630 | The MRZ check digits are invalid. | The MRZ check digits are invalid. | |
650 | The fields used to determine font consistency could not be extracted | The fields used to determine font consistency did not return any extraction results | |
660 | The document does not have enough fields to perform data comparison | Field comparison could not be performed because there were not enough fields on the document to perform a data comparison. | |
680 | The barcode could not be found or was only partially detected on the document. | The PDF417 barcode, typically found on USA or Canadian driving licenses or ID cards, could not be detected. | |
698 | The authenticator took too long to process. | The authenticator took longer to process than was allowed to ensure a quick Mobile Verify Auto response. | |
699 | The authenticator is not available for this document. | This message is returned when an authenticity test was not applied to a document because the document doesn't have the necessary features or some design features prevent evaluation | |
700 | Unavailable due to scheduled maintenance | AAMVA or the document's issuing jurisdiction is currently in a scheduled maintenance window. In order to avoid a billable event, this transaction was not submitted. | |
701 | Jurisdiction temporarily unavailable | The document's issuing jurisdiction is currently unable to process transactions. | |
702 | Jurisdiction system error | The document's issuing jurisdiction encountered an unknown error. | |
703 | Jurisdiction did not respond in a timely manner | The document's issuing jurisdiction did not respond in a timely manner. | |
801 | Document is too close to the camera | Document Liveness could not be performed, because the document is too close to the camera. | |
802 | Document is too close to the image border | Document Liveness could not be performed, because the distance between document and image border is too small. | |
803 | Part of the document is not present in the image | Document Liveness could not be performed, because a part of the document is not visible in the image. | |
804 | Document is not detected in the image | Document Liveness could not be performed, because the document could not be detected in the image. | |
805 | Document size in the image is too small | Document Liveness could not be performed, because the document size in the image is too small. | |
806 | Too many documents were detected in the image | Document Liveness could not be performed, because there are multiple documents in the image. | |
807 | Document Liveness temporarily unavailable | Document Liveness service did not respond in a timely manner. |
Selfie capture
If the transaction receives an error for error codes marked Yes
in the Retry column, you can ask the user to retry taking a selfie.
Error Code | Error Message | Meaning | Retry |
---|---|---|---|
FACE_ANGLE_TOO_LARGE | Facial out-of-plane rotation angle is extremely large | Facial out-of-plane rotation angle is extremely large | Yes |
FACE_CLOSE_TO_BORDER | Face is too close to one or more borders | Face is too close to one or more borders. May reduce the accuracy of spoofing detection because edges of face may not be seen | Yes |
FACE_CROPPED | Face is cropped | Face is cropped. May reduce the accuracy of spoofing detection because edges of face may not be seen | Yes |
FACE_IS_OCCLUDED | Face is occluded | There is occlusion of a face, which impacts the accuracy of liveness. This detection is designed to work with the medical masks that cover nose and mouth, other occlusions are not guaranteed. Occlusion detection has probabilistic nature and may have errors. The threshold setting for occlusion detection may be tuned by changing face_occlusion_threshold setting. Please refer to PAD Configuration in Docker section for more information. | Yes |
FACE_NOT_FOUND | Failed to detect face | Face detector can't find face on image. Face detection has probabilistic nature and may have errors. It also has some sensitivity level and very small faces may be ignored. | Yes |
FACE_TOO_CLOSE | Face is too close to the camera | A distance between face and image border is too small for preprocessing issues | Yes |
FACE_TOO_SMALL | Interpupillary distance is too small | Facial area is not big enough for analysis. Interpupillary distance in pixels is below the configured value | Yes |
Absolute face size is too small | Facial area is not big enough for analysis. Absolute face size in pixels is below the configured value | Yes | |
Relative face size is too small | Facial area is not big enough for analysis. The relative proportion of face size in the image is below the configured value | Yes | |
FAILED_TO_ALLOCATE | Current vm.max_map_count limit is too low |
Memory allocation error | |
FAILED_TO_PREDICT_LANDMARKS | Failed to predict landmarks | Landmarks prediction error | |
FAILED_TO_PREPROCESS_IMAGE_WHILE_DETECT | Face detection error | Face detection error | |
FAILED_TO_PREPROCESS_IMAGE_WHILE_PREDICT | Failed to preprocess image for *** | Liveness prediction error | |
FAILED_TO_READ_IMAGE | File decoding error | File decoding error | |
FAILED_TO_READ_MODEL | Failed to read model | Model deserializing error | |
FAILED_TO_WRITE_IMAGE | File encoding error | File encoding error | |
INVALID_CONFIG | Field *** not found in config | Configuration file deserializing error | |
INVALID_FUSE_MODE | Invalid fuse mode provided | Invalid fuse mode provided | |
INVALID_META | Invalid OS value provided in meta, should be one of: UNKNOWN, DESKTOP, ANDROID, IOS | Invalid facesdk::Meta value | |
LICENSE_ERROR | Some error occurred during license checking | Some error occurred during license checking | |
NO_SUCH_OBJECT_IN_BUILD | Object *** not found | Engine or backend is not supported by the build | |
NULLPTR | Empty image | Nullptr provided | |
TOO_MANY_FACES | Too many faces detected | Face detector found more than one face on image. Please, note, that very small faces may be ignored if they are below the sensitivity level. | |
UNKNOWN | JNI: unknown exception | Unhandled exception in the code |
Veriff errors
Reason Code |
Message | Retry |
---|---|---|
105 | Suspicious behavior | No |
204 | Poor image quality | No |
504 | Attempted deceit, device screen used | No |
505 | Attempted deceit, printout used | No |
507 | Presented document tampered, data cross reference | No |
508 | Presented document tampered, document similarity to specimen | No |
602 | Presented document type not supported | Yes |
608 | Document front missing | Yes |
614 | Document front not fully in frame | Yes |
619 | Document data not visible | Yes |
621 | Document annulled or damaged | Yes |
625 | Unable to collect surname | Yes |
627 | Unable to collect date of birth | Yes |
628 | Unable to collect issue date | Yes |
629 | Unable to collect expiry date | Yes |
630 | Unable to collect gender | Yes |
631 | Unable to collect document number | Yes |
632 | Unable to collect personal number | Yes |
633 | Unable to collect nationality | Yes |
634 | Unable to collect home address | Yes |
644 | Unable to collect Identificador de Ciudadano (INE) | Yes |
645 | Resubmit - Unable to collect OCR (IFE) | Yes |
647 | Document not recognized | Yes |
648 | Technical issues | Yes |
653 | Unable to collect residence permit type | Yes |
654 | Unable to collect driver's license number | Yes |
Create Verify Transaction
Read All Verify Transactions
Read One Verify Transaction
Update Verify Transaction
Delete Verify Transaction
Verify Identity Record Matching
With the Verify Identity Record Matching service, you can submit any of name, given name, family name, birth date, or address from an unverified source and corresponding values from one or more verified sources. The identityRecordMatching
endpoint, /environments/{{envID}}/users/{{userID}}/identityRecordMatching
, compares the unverified biographic data to the verified biographic data, and returns a raw score and confidence level of the match.
Verify identity record matching request data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
probe |
Object | Required | Mutable | Object containing the data submitted from the document to match. At least one property is required. |
probe.address |
String | Required/Optional | Mutable | Address of the identity submitted from the document to match |
probe.birth_date |
String | Required/Optional | Mutable | Birth date name of the identity submitted from the document to match |
probe.family_name |
String | Required/Optional | Mutable | Family name of the identity submitted from the document to match |
probe.given_name |
String | Required/Optional | Mutable | Given name of the identity submitted from the document to match |
probe.name |
String | Required/Optional | Mutable | Name of the identity submitted from the document to match |
gallery |
Object | Required | Mutable | Object containing the data submitted from source records to match. A property is required for each probe property submitted. |
gallery.address |
String | Required/Optional | Mutable | Address of the identity submitted from the document to match |
gallery.address.expression |
String | Required/Optional | Mutable | PingOne Expression Language (PEL) expression to retrieve the address value, such as supply a literal value, reformat the source value, or combine source attributes. For more information on PEL, refer to PingOne expression language. |
gallery.address.options |
String[] | Required/Optional | Mutable | Array of literal address values to match. |
gallery.address.value |
String | Required/Optional | Mutable | Literal address value to match. |
gallery.birth_date |
String | Required/Optional | Mutable | Birth date name of the identity submitted from the document to match |
gallery.birth_date.expression |
String | Required/Optional | Mutable | PingOne Expression Language (PEL) expression to retrieve the birth_date value, such as supply a literal value, reformat the source value, or combine source attributes. For more information on PEL, refer to PingOne expression language. |
gallery.birth_date.options |
String[] | Required/Optional | Mutable | Array of literal birth_date values to match. |
gallery.birth_date.value |
String | Required/Optional | Mutable | Literal birth_date value to match. |
gallery.family_name |
String | Required/Optional | Mutable | Family name of the identity submitted from the document to match |
gallery.family_name.expression |
String | Required/Optional | Mutable | PingOne Expression Language (PEL) expression to retrieve the family_name value, such as supply a literal value, reformat the source value, or combine source attributes. For more information on PEL, refer to PingOne expression language. |
gallery.family_name.options |
String[] | Required/Optional | Mutable | Array of literal family_name values to match. |
gallery.family_name.value |
String | Required/Optional | Mutable | Literal family_name value to match. |
gallery.given_name |
String | Required/Optional | Mutable | Given name of the identity submitted from the document to match |
gallery.given_name.expression |
String | Required/Optional | Mutable | PingOne Expression Language (PEL) expression to retrieve the given_name value, such as supply a literal value, reformat the source value, or combine source attributes. For more information on PEL, refer to PingOne expression language. |
gallery.given_name.options |
String[] | Required/Optional | Mutable | Array of literal given_name values to match. |
gallery.given_name.value |
String | Required/Optional | Mutable | Literal given_name value to match. |
gallery.name |
String | Required/Optional | Mutable | Name of the identity submitted from the document to match. |
gallery.name.expression |
String | Required/Optional | Mutable | PingOne Expression Language (PEL) expression to retrieve the name value to match, such as supply a literal value, reformat the source value, or combine source attributes. For more information on PEL, refer to PingOne expression language. |
gallery.name.options |
String[] | Required/Optional | Mutable | Array of literal name values to match. |
gallery.name.value |
String | Required/Optional | Mutable | Literal name value to match. |
Verify identity record matching response data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
detailedResults.address |
String | N/A | Read-only | Address of the identity. |
detailedResults.address. confidence |
String | N/A | Read-only | Confidence level of the match returned by the service. Can be HIGH , MEDIUM , LOW , or NONE . |
detailedResults.address. probeValue |
String | N/A | Read-only | Value of address found on the government ID of the identity. |
detailedResults.address. rawScore |
String | N/A | Read-only | Raw numeric score returned by the service. Ranges from 0 to 1. |
detailedResults.address. galleryValue |
String | N/A | Read-only | Value of address on reference records provided by the requester. |
detailedResults.birth_date |
String | N/A | Read-only | Birth date of the identity in ISO 8601 YYYY-MM-DD format. |
detailedResults.birth_date. confidence |
String | N/A | Read-only | Confidence level of the match returned by the service. Can be HIGH , MEDIUM , LOW , or NONE . |
detailedResults.birth_date. probeValue |
String | N/A | Read-only | Value of birth date found on the government ID of the identity. |
detailedResults.birth_date. rawScore |
String | N/A | Read-only | Raw numeric score returned by the service. Ranges from 0 to 1. |
detailedResults.birth_date. galleryValue |
String | N/A | Read-only | Value of birth date on reference records provided by the requester. |
detailedResults.family_name |
String | N/A | Read-only | Family name of the identity. |
detailedResults.family_name. confidence |
String | N/A | Read-only | Confidence level of the match returned by the service. Can be HIGH , MEDIUM , LOW , or NONE . |
detailedResults.family_name. probeValue |
String | N/A | Read-only | Value of family name found on the government ID of the identity. |
detailedResults.family_name. rawScore |
String | N/A | Read-only | Raw numeric score returned by the service. Ranges from 0 to 1. |
detailedResults.family_name. galleryValue |
String | N/A | Read-only | Value of family name on reference records provided by the requester. |
detailedResults.given_name |
String | N/A | Read-only | Given name of the identity. Can optionally include middle name. |
detailedResults.given_name. confidence |
String | N/A | Read-only | Confidence level of the match returned by the service. Can be HIGH , MEDIUM , LOW , or NONE . |
detailedResults.given_name. probeValue |
String | N/A | Read-only | Value of given name found on the government ID of the identity. |
detailedResults.given_name. rawScore |
String | N/A | Read-only | Raw numeric score returned by the service. Ranges from 0 to 1. |
detailedResults.given_name. galleryValue |
String | N/A | Read-only | Value of given name on reference records provided by the requester. |
detailedResults.name |
String | N/A | Read-only | Full name of the identity. |
detailedResults.name. confidence |
String | N/A | Read-only | Confidence level of the match returned by the service. Can be HIGH , MEDIUM , LOW , or NONE . |
detailedResults.name. probeValue |
String | N/A | Read-only | Value of name found on the government ID of the identity. |
detailedResults.name. rawScore |
String | N/A | Read-only | Raw numeric score returned by the service. Ranges from 0 to 1. |
detailedResults.name. galleryValue |
String | N/A | Read-only | Value of name on reference records provided by the requester. |
overallWeightedResult |
String | N/A | Read-only | Weighted result of all reviewed fields. Can be HIGH , MEDIUM , LOW , or NONE . The lowest confidence value of non-zero rawScore results. |
overallWeightedScore |
Decimal | N/A | Read-only | Weighted score of all reviewed fields. A decimal number between 0 and 1. The average of all non-zero rawScore results. |
A confidence
of NONE
occurs when rawScore
is very low or when a governmentIdValue
value is missing but its corresponding requirementsValue
is valued.
Submit Identity Record Match
Verify Voice Phrases
The service stores reference data about the user that is later used in verify transactions. For voice verification, an enrollment transaction is necessary to store voice reference data. The voice reference data is then used during voice verification. Voice verification cannot be performed for a user if enrollment has not been performed.
Voice verification does not evaluate the spoken words and therefore is language-independent and can be text-independent when used with longer speech streams. For interactive voice enrollment or verification, between the service and a user's mobile device, the user reads aloud a voice phrase that is submitted to the service. Verify voice phrases are the phrases that the user reads aloud. For non-interactive voice enrollment and verification, longer voice recordings are submitted without specific phrases spoken.
Some phrases are pre-defined by the service. However, customers can define their own, custom phrases.
Voice phrases are a container with a name. The actual phrases to speak are in contents, where the content has a locale and the phrase to speak written in the language required by the locale. Pre-defined phrases have contents in the locales supported by PingOne in their products. Because they are only read by a native speaker, custom voice phrases can be any locale and written in any language or character set.
To define a custom voice phrase:
- Create a custom voice phrase container to hold the localized contents.
- Create a custom voice phrase content with the locale and content.
Verify voice phrase data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
id |
String | N/A | Read-only | Voice phrase identifier. For customer-defined phrases, a UUID. For pre-defined phrases, a string derived from displayName . |
environment.id |
String | Required | Immutable | Ping environment identifier (UUID) for user |
displayName |
String | Required | Mutable | Suggested text to show for this voice phrase on a user interface. Must be unique within the environment identified by environment.id . |
createdAt |
DateTime | N/A | Read-only | This field records the date and time the verify phrase was created |
updatedAt |
DateTime | N/A | Read-only | This field records the date and time the verify phrase was updated; can be null |
Verify voice phrase contents data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
id |
String | N/A | Read-only | Voice phrase identifier. For customer-defined phrases, a UUID. For pre-defined phrases, a string derived from displayName . |
environment.id |
String | Required | Immutable | Ping environment identifier (UUID) for user |
voicePhrase.id |
String | Required | Immutable | Identifier (UUID) for the voice phrase for which this is contents |
locale |
String | Required | Mutable | Locale for content |
content |
String | Required | Mutable | Phrase users must speak and write in the language specified by locale |
createdAt |
DateTime | N/A | Read-only | This field records the date and time the verify policy was created |
updatedAt |
DateTime | N/A | Read-only | This field records the date and time the verify policy was updated; can be null |
Create Custom Voice Phrase
Create Custom Voice Phrase Content
Read All Voice Phrases
Read All Voice Phrase Contents
Read One Voice Phrase
Read One Voice Phrase Content
Update Custom Voice Phrase
Update Custom Voice Phrase Content
Delete Custom Voice Phrase
Delete Custom Voice Phrase Content
Verify Reference Data
Verify reference data is any data submitted by the user, or by a PingOne customer on behalf of the user, to the verification service as reference material for later comparison during verification. Reference data are voice samples. Verify reference data is retained for an indefinite period of time, although it can be deleted.
Verify reference data data model
Note: The data
property can contain rather large base64-encoded data. To reduce message size, it is not returned by Read All Reference Data. Use that call to find the id
of a specific reference data and then use Read One Reference Data to retrieve it.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
id |
String | N/A | Read-only | Reference data identifier (UUID or textual descriptor) |
environment.id |
String | Required | Immutable | Ping environment identifier (UUID) of the user |
user.id |
String | Required | Immutable | Identifier (UUID) for the user |
type |
String | Required | Immutable | The type of reference data represented; can be VOICE |
data |
Object | Required | Mutable | User's reference data: data object |
createdAt |
DateTime | N/A | Read-only | Date and time the reference data was created |
updatedAt |
DateTime | N/A | Read-only | Date and time the reference data was updated; can be null |
data object
Note: The data
object can contain rather large base64-encoded data and therefore is returned only with Read One Reference Data. To find the id
for specific reference data, use Read All Reference Data and find the 'id
of the reference data to retrieve.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
voiceRecordings |
Object[] | Optional | Mutable | Array of voice recording objects |
voiceRecordings.id |
String | N/A | Read-only | Voice recording identifier (UUID) |
voiceRecordings.recording |
String | Required | Mutable | Base64-encoded voice recording submitted |
voiceRecordings.channel |
String | Required | Mutable | Source of the voice recording submitted; can be MIC (from user's mobile device microphone) or TEL (from a recorded telephone call with the user) |
voiceRecordings.createdAt |
DateTime | N/A | Read-only | Date and time the voice recording was created |
voiceRecordings.updatedAt |
DateTime | N/A | Read-only | Date and time the voice recording was updated; can be null |
voiceTemplates |
Object[] | Required | Mutable | Array of voice template (created from the voice recordings) objects |
voiceTemplates.id |
String | N/A | Read-only | Voice template identifier (UUID) |
voiceTemplates.template |
String | Required | Mutable | Base64-encoded voice template extracted from a submitted recording |
voiceTemplates.mergedTemplate |
Boolean | Required | Mutable | Whether new templates should be merged into existing templates to adapt to the user's voice changes over time |
voiceTemplates.channel |
String | Required | Mutable | Source of the voice template submitted; can be MIC (from user's mobile device microphone) or TEL (from a recorded telephone call with the user) |
voiceTemplates. voiceSdkVersion |
Object | N/A | Read-only | Information regarding the SDK used to create the template |
voiceTemplates. voiceSdkVersion.version |
String | N/A | Read-only | Version of the SDK |
voiceTemplates. voiceSdkVersion.initializationDataId |
String | N/A | Read-only | Identifier of the initialization data |
voiceTemplates. voiceSdkVersion.algorithm |
String | N/A | Read-only | Algorithm used |
voiceTemplates.sourceTemplateIds |
String[] | Optional | Mutable | Array of voice template identifiers (UUIDs) of the voice templates merged into this template when voiceTemplates.mergedTemplate is true |
voiceTemplates.createdAt |
DateTime | N/A | Read-only | Date and time the voice template was created |
voiceTemplates.updatedAt |
DateTime | N/A | Read-only | Date and time the voice template was updated; can be null |
voicePhraseContent |
Object | N/A | Read-only | Voice phrase content used to create the reference data; refer to Verify voice phrase contents data model |
createdAt |
DateTime | N/A | Read-only | Date and time the voice recording was created |
updatedAt |
DateTime | N/A | Read-only | Date and time the voice recording was updated; can be null |
Read All Reference Data
Read One Reference Data
Delete All Reference Data
Delete One Reference Data
Verify Documents
For each verification transaction, you can read documents (such as the images of documents and images of the user, "selfies") submitted to the transaction for a short time. The documents
endpoint, /environments/{{envID}}/users/{{userID}}/verifyTransactions/{{transactionID}}/documents
, receives all requests for documents associated with the verification transaction. This endpoint returns the data regardless of whether the transaction is ever submitted for verification.
Only those with an Identity Data Admin role are permitted to use the documents
endpoint.
Documents are retained for 30 minutes after creating or updating the document (submitted with the requests Create Verification Document or Update Verification Document or collected by the end user in the Universal Capture frontend) or until manually deleted with Delete Verification Document. Until removed, any number of GET or PUT requests to the documents endpoint can be successfully performed.
All verify documents data model
When all verify documents for a verification transaction are requested, the verify document for each verification type of the most recent retry appears in a documents
array in the response. The verify document data model for each verification type of earlier retries appear in a previousAttempts
array in the response.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
_embedded |
Object | N/A | Read-only | Container for returned data. |
documents |
Object[] | N/A | Read-only | Array of verifiedData objects for each verification type for the most recent verification attempt. |
previousAttempts |
Object[] | N/A | Read-only | Array of verifiedData objects for each verification type for unacceptable verification attempts. |
size |
Integer | N/A | Read-only | The number of objects returned in documents . |
Specific verify document data model
When specific verify document for a verification type within a verification transaction are requested, the verify document data model appears as the response, regardless of which retry attempt it is.
Verify document data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
id |
String | N/A | Read-only | Document identifier (UUID) |
retry.attempt |
Integer | N/A | Read-only | Number of the retry attempt when submitting images. |
source.provider |
String | Required | Immutable | Provider of the documents. Can be END_USER , AUTHENTICATED_CLIENT . |
status |
String | N/A | Read-only | Status of the document. Can be COLLECTED or PROCESSED . |
type |
String | Required | Immutable | Type of document in value . Refer to Document types and values. |
value |
String | Required | Immutable | Document, for the format of the document refer to Document types and values |
Document types and values
Document Type | Value |
---|---|
Document Back | Base64 encoded JPEG |
Document Front | Base64 encoded JPEG |
Driver License Back | Base64 encoded JPEG |
Driver License Code | decoded text from the PDF417 barcode |
Driver License Front | Base64 encoded JPEG |
textual email address | |
Passport Card Back | Base64 encoded JPEG |
Passport Card Front | Base64 encoded JPEG |
Passport Front | Base64 encoded JPEG |
Phone | textual phone number |
Selfie | Base64 encoded JPEG |
Voice Input | Base64 encoded LPCM WAV voice recording submitted for verification |
Voice Sample | Base64 encoded LPCM WAV voice recording submitted for enrollment |
Note: Voice recordings must be sampled at 16 KHz when submitted from reading voice phrases or at 8 KHz when submitted from longer, text-independent recordings.
Create Verification Document
Process Verification Documents
Complete Verification Documents
Read All Verification Documents
Read One Verification Document
Update Verification Document
Delete Verification Document
Verified Data
For each verification attempt, you can read data submitted in the transaction for a short time. The verifiedData
endpoint, /environments/{{envID}}/users/{{userID}}/verifyTransactions/{{transactionID}}/verifiedData
, receives all requests for data associated with the verification attempt.
Only those with an Identity Data Admin role are permitted to use the verifiedData
endpoint.
User's verification data are retained for 30 minutes after a verification decision is made. Until removed, any number of requests to the verifiedData
endpoint can be successfully performed.
A note on extracted data
Identity document verification uses two methods to extract personally identifiable information (PII): barcodes and optical character recognition (OCR).
If the identity document has a barcode, PII is extracted from it. Barcodes are designed to enhance the reliability of data extraction and have error rates of fewer than 1 in a million. Barcodes are on all US driver licenses, but on few other identity documents.
OCR is most commonly used to extract PII. With OCR, the scanner attempts to recognize the individual characters and words on the image of the identity document and convert them to a digital representation of that character or word. With optimized sources, OCR can achieve error rates as low as 1 in 10,000. However, error rates with non-optimized images often exceed 1 in 100. Identity documents captured by smartphone cameras often suffer from poor focus, skew, low contrast, or too-low or too-high illumination that make effective OCR difficult.
It is important to note that, unless licensed for AAMVA checks for US driver licenses, PII extracted from identity document images is not checked against a system of record. That is, the verification service can show that the holder of the identity document matches the portrait on the identity document, but it does not show that the PII on the identity document is true or accurate.
All verified data data model
When all verified data for a verification transaction are requested, the verified data for each verification type of the most recent retry appears in a verifiedData
array in the response. The verified data data model for each verification type of earlier retries appear in a previousAttempts
array in the response.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
_embedded |
Object | N/A | Read-only | Container for returned data. |
verifiedData |
Object[] | N/A | Read-only | Array of verifiedData objects for each verification type for the most recent verification attempt. |
previousAttempts |
Object[] | N/A | Read-only | Array of verifiedData objects for each verification type for unacceptable verification attempts. |
size |
Integer | N/A | Read-only | The number of objects returned in verifiedData . |
Specific verified data data model
When specific verified data for a verification type within a verification transaction are requested, the verified data data model appears as the response, regardless of which retry attempt it is.
verified data data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
data |
Object | N/A | Read-only | Verification data for GOVERNMENT_ID, BARCODE, BIOGRAPHIC_MATCH, IDENTITY_RECORD_MATCHING, VOICE_SAMPLE, VOICE_INPUT, END_USER_CLIENT, and all other types |
id |
String | N/A | Read-only | Transaction identifier (UUID) |
retry.attempt |
Integer | N/A | Read-only | Number of the retry attempt when submitting images. |
type |
String | Required | Immutable | The type of personally identifiable information (PII) in the object. Can be GOVERNMENT_ID , BARCODE , FRONT_IMAGE , BACK_IMAGE , SELFIE , CROPPED_SIGNATURE , CROPPED_DOCUMENT , CROPPED_PORTRAIT , VOICE_SAMPLE , VOICE_INPUT , END_USER_CLIENT , AADHAAR_REFERENCE_SELFIE , BIOGRAPHIC_MATCH , or IDENTITY_RECORD_MATCHING . |
data object for type = GOVERNMENT_ID
Aadhaar verification results for birthDate
, fullName
, and gender
return in the corresponding properties in this object and the Aadhaar identity number returns in documentNumber
and idNumber
.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
addressCity |
String | N/A | Read-only | The city in the address |
addressFull |
String | N/A | Read-only | The complete address as discovered (Veriff only) |
addressHouseNumber |
String | N/A | Read-only | The street number in the address (Veriff only) |
addressState |
String | N/A | Read-only | The state or province in the address |
addressStreet |
String | N/A | Read-only | The street in the address |
addressZip |
String | N/A | Read-only | The postal code in the address |
birthDate |
String | N/A | Read-only | The birth date in YYYY-MM-DD format of the identity |
country |
String | N/A | Read-only | The country in the address (Mitek only) |
documentNumber |
String | N/A | Read-only | The identification number of the identity document (Veriff only) |
expirationDate |
String | N/A | Read-only | The expiration date in YYYY-MM-DD format of the identity document |
firstName |
String | N/A | Read-only | The first name of the identity. Can optionally include middle name. |
fullName |
String | N/A | Read-only | The full name of the identity. |
gender |
String | N/A | Read-only | The gender of the identity. Used only with agent assisted flows. |
idNumber |
String | N/A | Read-only | The identification number of the identity document |
idType |
String[] | Required | Immutable | Array of the types of personally identifiable information (PII) submitted, such as DriversLicenseFront or RESIDENCE_PERMIT |
issueDate |
String | N/A | Read-only | The issue date in YYYY-MM-DD format of the identity document |
issuingCountry |
String | N/A | Read-only | The country of the document issuer |
lastName |
String | N/A | Read-only | The last name of the identity |
nationality |
String | N/A | Read-only | The nationality of the identity. Used only with agent assisted flows. (Mitek only) |
weight |
String | N/A | Read-only | The confidence weight of the identity. Used only with agent assisted flows. (Mitek only) |
data object for type = BARCODE
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
PDF417 |
String | N/A | Read-only | The data parsed off the barcode of a drivers license |
data object for type = BIOGRAPHIC_MATCH
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
detailedResults.address |
String | N/A | Read-only | Address of the identity. |
detailedResults.address. confidence |
String | N/A | Read-only | Confidence level of the match returned by the service as described in Biographic match results match definitions. |
detailedResults.address. governmentIdValue |
String | N/A | Read-only | Value of address found on the government ID of the identity. |
detailedResults.address. rawScore |
Float | N/A | Read-only | Raw numeric score returned by the service. Ranges from 0 to 1. |
detailedResults.address. requirementsValue |
String | N/A | Read-only | Value of address on reference records provided by the requester. |
detailedResults.birth_date |
String | N/A | Read-only | Birth date of the identity in ISO 8601 YYYY-MM-DD format. |
detailedResults.birth_date. confidence |
String | N/A | Read-only | Confidence level of the match returned by the service as described in Biographic match results match definitions. |
detailedResults.birth_date. governmentIdValue |
String | N/A | Read-only | Value of birth date found on the government ID of the identity. |
detailedResults.birth_date. rawScore |
Float | N/A | Read-only | Raw numeric score returned by the service. Ranges from 0 to 1. |
detailedResults.birth_date. requirementsValue |
String | N/A | Read-only | Value of birth date on reference records provided by the requester. |
detailedResults.family_name |
String | N/A | Read-only | Family name of the identity. |
detailedResults.family_name. confidence |
String | N/A | Read-only | Confidence level of the match returned by the service as described in Biographic match results match definitions. |
detailedResults.family_name. governmentIdValue |
String | N/A | Read-only | Value of family name found on the government ID of the identity. |
detailedResults.family_name. rawScore |
Float | N/A | Read-only | Raw numeric score returned by the service. Ranges from 0 to 1. |
detailedResults.family_name. requirementsValue |
String | N/A | Read-only | Value of family name on reference records provided by the requester. |
detailedResults.given_name |
String | N/A | Read-only | Given name of the identity. Can optionally include middle name. |
detailedResults.given_name. confidence |
String | N/A | Read-only | Confidence level of the match returned by the service as described in Biographic match results match definitions. |
detailedResults.given_name. governmentIdValue |
String | N/A | Read-only | Value of given name found on the government ID of the identity. |
detailedResults.given_name. rawScore |
Float | N/A | Read-only | Raw numeric score returned by the service. Ranges from 0 to 1. |
detailedResults.given_name. requirementsValue |
String | N/A | Read-only | Value of given name on reference records provided by the requester. |
detailedResults.name |
String | N/A | Read-only | Full name of the identity. |
detailedResults.name. confidence |
String | N/A | Read-only | Confidence level of the match returned by the service as described in Biographic match results match definitions. |
detailedResults.name. governmentIdValue |
String | N/A | Read-only | Value of name found on the government ID of the identity. |
detailedResults.name. rawScore |
Float | N/A | Read-only | Raw numeric score returned by the service. Ranges from 0 to 1. |
detailedResults.name. requirementsValue |
String | N/A | Read-only | Value of name on reference records provided by the requester. |
overallWeightedResult |
String | N/A | Read-only | Weighted result of all reviewed fields as described in Biographic match results match definitions. |
overallWeightedScore |
Decimal | N/A | Read-only | Weighted score of all reviewed fields. A decimal number between 0 and 1. |
Biographic match results match definitions
Value | Description |
---|---|
HIGH |
Based on a threshold, the quality of the match indicates that the match is an exact match or can be qualified as a near-exact match. |
MEDIUM |
Based on a threshold, the quality of the match is not exact but can be qualified as a partial match or an alternate spelling for the same value. |
LOW |
Based on a threshold, the quality of the match cannot be qualified as exact, near-exact, partial, or misspelled. |
NONE |
A raw score was so low that we have no confidence in a match. |
NOT_APPLICABLE |
A value was not found in the processed document for the given identifier. For example, the user is required to supply an address but the document supplied, such as a passport, does not have an address. |
<<<<<<< HEAD
data object for type = FRONT_IMAGE, BACK_IMAGE, SELFIE, AADHAAR_REFERENCE_SELFIE, CROPPED_SIGNATURE. CROPPED_DOCUMENT, and CROPPED_PORTRAIT
=======
data object for type = IDENTITY_RECORD_MATCHING
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
comparisons |
Object[] | N/A | Read-only | Array of objects with results of comparisons. |
comparisons.detailedResults.address |
String | N/A | Read-only | Address of the identity. |
comparisons.detailedResults.address. confidence |
String | N/A | Read-only | Confidence level of the match returned by the service as described in Identity record match results match definitions. |
comparisons.detailedResults.address. sourceValue |
String | N/A | Read-only | Value of address in the source (as submitted to the subprocessor). |
comparisons.detailedResults.address. rawScore |
Float | N/A | Read-only | Raw numeric score returned by the service. Ranges from 0 to 1. |
comparisons.detailedResults.address. targetValue |
String | N/A | Read-only | Value of address in the target (as submitted to the subprocessor). |
comparisons.detailedResults.birth_date |
String | N/A | Read-only | Birth date of the identity in ISO 8601 YYYY-MM-DD format. |
comparisons.detailedResults.birth_date. confidence |
String | N/A | Read-only | Confidence level of the match returned by the service as described in Identity record match results match definitions. |
comparisons.detailedResults.birth_date. sourceValue |
String | N/A | Read-only | Value of birth date in the source (as submitted to the subprocessor). |
comparisons.detailedResults.birth_date. rawScore |
Float | N/A | Read-only | Raw numeric score returned by the service. Ranges from 0 to 1. |
comparisons.detailedResults.birth_date. targetValue |
String | N/A | Read-only | Value of birth date in the target (as submitted to the subprocessor). |
comparisons.detailedResults.family_name |
String | N/A | Read-only | Family name of the identity. |
comparisons.detailedResults.family_name. confidence |
String | N/A | Read-only | Confidence level of the match returned by the service as described in Identity record match results match definitions. |
comparisons.detailedResults.family_name. sourceValue |
String | N/A | Read-only | Value of family name in the source (as submitted to the subprocessor). |
comparisons.detailedResults.family_name. rawScore |
Float | N/A | Read-only | Raw numeric score returned by the service. Ranges from 0 to 1. |
comparisons.detailedResults.family_name. targetValue |
String | N/A | Read-only | Value of family name in the target (as submitted to the subprocessor). |
comparisons.detailedResults.given_name |
String | N/A | Read-only | Given name of the identity. Can optionally include middle name. |
comparisons.detailedResults.given_name. confidence |
String | N/A | Read-only | Confidence level of the match returned by the service as described in Identity record match results match definitions. |
comparisons.detailedResults.given_name. sourceValue |
String | N/A | Read-only | Value of given name in the source (as submitted to the subprocessor). |
comparisons.detailedResults.given_name. rawScore |
Float | N/A | Read-only | Raw numeric score returned by the service. Ranges from 0 to 1. |
comparisons.detailedResults.given_name. targetValue |
String | N/A | Read-only | Value of given name in the target (as submitted to the subprocessor). |
comparisons.detailedResults.name |
String | N/A | Read-only | Full name of the identity. |
comparisons.detailedResults.name. confidence |
String | N/A | Read-only | Confidence level of the match returned by the service as described in Identity record match results match definitions. |
comparisons.detailedResults.name. sourceValue |
String | N/A | Read-only | Value of name in the source (as submitted to the subprocessor). |
comparisons.detailedResults.name. rawScore |
Float | N/A | Read-only | Raw numeric score returned by the service. Ranges from 0 to 1. |
comparisons.detailedResults.name. targetValue |
String | N/A | Read-only | Value of name in the target (as submitted to the subprocessor). |
overallWeightedResult |
String | N/A | Read-only | Weighted result of all reviewed fields as described in Biographic match results match definitions. |
overallWeightedScore |
Decimal | N/A | Read-only | Weighted score of all reviewed fields. A decimal number between 0 and 1. |
comparisons.source |
String | N/A | Read-only | The type of identity document to which submitted data is compared. Always GOVERNMENT_ID . |
comparisons.status |
String | N/A | Read-only | Status of the transaction. |
comparisons.target |
String | N/A | Read-only | How the submitted data was collected. Always REQUIREMENTS . |
Identity record match results match definitions
Value | Description |
---|---|
HIGH |
Based on a threshold, the quality of the match indicates that the match is an exact match or can be qualified as a near-exact match. |
MEDIUM |
Based on a threshold, the quality of the match is not exact but can be qualified as a partial match or an alternate spelling for the same value. |
LOW |
Based on a threshold, the quality of the match cannot be qualified as exact, near-exact, partial, or misspelled. |
NONE |
A raw score was so low that we have no confidence in a match. |
NOT_APPLICABLE |
A value was not found in the processed document for the given identifier. For example, the user is required to supply an address but the document supplied, such as a passport, does not have an address. |
data object for type = FRONT_IMAGE, BACK_IMAGE, SELFIE, CROPPED_SIGNATURE. CROPPED_DOCUMENT, and CROPPED_PORTRAIT
master
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
FORMAT |
String | N/A | Read-only | The format of the image, typically JPEG |
IMAGE |
String | N/A | Read-only | The Base64-encoded image |
data object for type = VOICE_SAMPLE
Available after voice enrollment.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
recordings |
Object[] | N/A | Read-only | Array of objects of voice enrollment samples |
recordings.channel |
String | N/A | Read-only | Channel through which the recording was submitted. Can be MIC or TEL . |
recordings.createdAt |
DateTime | N/A | Read-only | Date and time when the voice enrollment sample was submitted |
recordings.id |
String | N/A | Read-only | Identifier (UUID) of the voice enrollment sample |
recordings.recording |
String | N/A | Read-only | Base64 encoded LPCM WAV voice enrollment sample |
recordings.textDependent |
Boolean | N/A | Read-only | Whether or not the voice enrollment sample was read from a fixed phrase |
data object for type = VOICE_INPUT
Available after voice verification.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
recordings |
Object[] | N/A | Read-only | Array of objects of voice verification samples |
recordings.channel |
String | N/A | Read-only | Channel through which the recording was submitted. Can be MIC or TEL . |
recordings.createdAt |
DateTime | N/A | Read-only | Date and time when the voice verification sample was submitted |
recordings.id |
String | N/A | Read-only | Identifier (UUID) of the voice verification sample |
recordings.recording |
String | N/A | Read-only | Base64 encoded LPCM WAV voice verification sample |
recordings.textDependent |
Boolean | N/A | Read-only | Whether or not the voice verification sample was read from a fixed phrase |
data object for type = END_USER_CLIENT
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
ipAddress |
String | N/A | Read-only | The IP address, version 4 or 6, of the device that performs the verification |
userAgent |
String | N/A | Read-only | The HTTP user agent of the device that performs the verification |
Verified data portrait background data model
This data model applies to Update Verified Data Portrait Background to replace the background of a self portrait (selfie) with a background of a uniform color defined in the backgroundColor
object.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
backgroundColor |
Object | Required | Immutable | Color of the replacement background as an RGB color mode. |
red |
Integer | Required | Immutable | Value of RED in the range 0-255. |
green |
Integer | Required | Immutable | Value of GREEN in the range 0-255. |
blue |
Integer | Required | Immutable | Value of BLUE in the range 0-255. |
aspectRatio |
Object | Required | Immutable | An object that represents an aspect ratio between 1/30 and 30. Both integers are required. |
aspectHeight |
Integer | Required | Immutable | Value of the height in the aspect ratio in the range 1-1000. |
aspectWidth |
Integer | Required | Immutable | Value of the width in the aspect ratio in the range 1-1000. |
Read All User Verified Data
Read One User Verified Data
Update Verified Data Portrait Background
Delete All User Verified Data
Delete One User Verified Data
Verification Metadata
For each verification attempt, you can retrieve all scores in the transaction returned from verification services. The metaData
endpoint, /environments/{{envID}}/users/{{userID}}/verifyTransactions/{{transactionID}}/metaData
, receives all requests for scores associated with the verification attempt and returned from verification services.
Only those with an Identity Data Admin role are permitted to use the metaData
endpoint.
All verification metaData data model
When all metadata for a verification transaction are requested, the verification metadata for each verification type of the most recent retry appears in a metaData
array in the response. The verification metaData data model for each verification type of earlier retries appear in a previousAttempts
array in the response.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
_embedded |
Object | N/A | Read-only | Container for returned data. |
metaData |
Object[] | N/A | Read-only | Array of verification metaData objects for each verification type for the most recent verification attempt. |
previousAttempts |
Object[] | N/A | Read-only | Array of verification metaData objects for each verification type for unacceptable verification attempts. |
size |
Integer | N/A | Read-only | The number of objects returned in metaData . |
Specific verification metaData data model
When specific metadata for a verification type within a verification transaction are requested, the verification metaData data model appears as the response, regardless of which retry attempt it is.
Verification metaData data model
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
data |
Object | N/A | Read-only | Data object data model. |
id |
String | N/A | Read-only | Identifier (UUID) of the transaction metadata. |
provider |
String | N/A | Read-only | The provider of metadata in the object. Can be: AMAZON , BABEL_STREET , BIOGRAPHIC_MATCHER , IDRND , MITEK , or VERIFF . |
retry.attempt |
Integer | N/A | Read-only | Number of the retry attempt when submitting images. |
status |
String | N/A | Read-only | Status of the check. Can be SUCCESS or FAIL . |
type |
String | N/A | Read-only | The type of metadata in the object. Can be: FACIAL_COMPARISON , BIOGRAPHIC_MATCH , IDENTITY_RECORD_MATCHING , INJECTION_DETECTION , LIVENESS , VOICE_ENROLLMENT , VOICE_VERIFICATION , DOCUMENT_AUTHENTICATION , DOCUMENT_MANUAL_AUTHENTICATION , AAMVA , or AADHAAR . |
data object data model
The data
object in verification metadata varies depending on the values of type
and provider
as seen in the table.
Type | Provider | Data model |
---|---|---|
FACIAL_COMPARISON | AMAZON | data model |
BIOGRAPHIC_MATCH | BABEL_STREET | data model |
BIOGRAPHIC_MATCH | BIOGRAPHIC_MATCHER | data model |
IDENTITY_RECORD_MATCHING | BABEL_STREET | data model |
INJECTION_DETECTION | IDRND | data model |
LIVENESS | IDRND | data model |
VOICE_ENROLLMENT | IDRND | data model |
VOICE_VERIFICATION | IDRND | data model |
DOCUMENT_AUTHENTICATION | MITEK | data model |
DOCUMENT_AUTHENTICATION | VERIFF | data model |
DOCUMENT_MANUAL_AUTHENTICATION | MITEK | data model |
AAMVA | MITEK | data model |
AADHAAR | VERIFF | data model |
data object for FACIAL_COMPARISON + AMAZON
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
confidence |
Double | N/A | Read-only | A float between 0 and 100 that represents the level of confidence that the image contains a face. |
quality. brightness |
Double | N/A | Read-only | A float between 0 and 100 that represents the brightness of the face. A higher value indicates a brighter face image. |
quality. sharpness |
Double | N/A | Read-only | A float between 0 and 100 that represents the sharpness of the face. A higher value indicates a sharper face image. |
similarity |
Double | N/A | Read-only | A float between 0 and 100 that represents the level of confidence that the faces match. |
data object for BIOGRAPHIC_MATCH + BABEL_STREET
While GOVERNMENT_ID configuration includes BIOGRAPHIC_MATCH in Verify Policies, results are returned separately in verification metadata.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
detailedResults.address |
String | N/A | Read-only | Address of the identity. |
detailedResults.address. confidence |
String | N/A | Read-only | Confidence level of the match returned by the service as described in Biographic match results match definitions. |
detailedResults.address. rawScore |
String | N/A | Read-only | Raw numeric score returned by the service. Ranges from 0 to 1. |
detailedResults.birth_date |
String | N/A | Read-only | Birth date of the identity in ISO 8601 YYYY-MM-DD format. |
detailedResults.birth_date. confidence |
String | N/A | Read-only | Confidence level of the match returned by the service as described in Biographic match results match definitions. |
detailedResults.birth_date. rawScore |
String | N/A | Read-only | Raw numeric score returned by the service. Ranges from 0 to 1. |
detailedResults.family_name |
String | N/A | Read-only | Family name of the identity. |
detailedResults.family_name. confidence |
String | N/A | Read-only | Confidence level of the match returned by the service as described in Biographic match results match definitions. |
detailedResults.family_name. rawScore |
String | N/A | Read-only | Raw numeric score returned by the service. Ranges from 0 to 1. |
detailedResults.given_name |
String | N/A | Read-only | Given name of the identity. Can optionally include middle name. |
detailedResults.given_name. confidence |
String | N/A | Read-only | Confidence level of the match returned by the service as described in Biographic match results match definitions. |
detailedResults.given_name. rawScore |
String | N/A | Read-only | Raw numeric score returned by the service. Ranges from 0 to 1. |
detailedResults.name |
String | N/A | Read-only | Full name of the identity. |
detailedResults.name. confidence |
String | N/A | Read-only | Confidence level of the match returned by the service as described in Biographic match results match definitions. |
detailedResults.name. rawScore |
String | N/A | Read-only | Raw numeric score returned by the service. Ranges from 0 to 1. |
overallWeightedResult |
String | N/A | Read-only | Weighted result of all reviewed fields as described in Biographic match results match definitions. |
overallWeightedScore |
Decimal | N/A | Read-only | Weighted score of all reviewed fields. A decimal number between 0 and 1. |
Biographic match results match definitions
Value | Description |
---|---|
HIGH |
Based on a threshold, the quality of the match indicates that the match is an exact match or can be qualified as a near-exact match. |
MEDIUM |
Based on a threshold, the quality of the match is not exact but can be qualified as a partial match or an alternate spelling for the same value. |
LOW |
Based on a threshold, the quality of the match cannot be qualified as exact, near-exact, partial, or misspelled. |
NONE |
A raw score was so low that we have no confidence in a match. |
NOT_APPLICABLE |
A value was not found in the processed document for the given identifier. For example, the user is required to supply an address but the document supplied, such as a passport, does not have an address. |
data object for IDENTITY_RECORD_MATCHING + BABEL_STREET
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
comparisons |
Object[] | N/A | Read-only | Array of objects with results of comparisons. |
comparisons.detailedResults.address |
String | N/A | Read-only | Address of the identity. |
comparisons.detailedResults.address. confidence |
String | N/A | Read-only | Confidence level of the match returned by the service as described in Identity record match results match definitions. |
comparisons.detailedResults.address. rawScore |
String | N/A | Read-only | Raw numeric score returned by the service. Ranges from 0 to 1. |
comparisons.detailedResults.birth_date |
String | N/A | Read-only | Birth date of the identity in ISO 8601 YYYY-MM-DD format. |
comparisons.detailedResults.birth_date. confidence |
String | N/A | Read-only | Confidence level of the match returned by the service as described in Identity record match results match definitions. |
comparisons.detailedResults.birth_date. rawScore |
String | N/A | Read-only | Raw numeric score returned by the service. Ranges from 0 to 1. |
comparisons.detailedResults.family_name |
String | N/A | Read-only | Family name of the identity. |
comparisons.detailedResults.family_name. confidence |
String | N/A | Read-only | Confidence level of the match returned by the service as described in Identity record match results match definitions. |
comparisons.detailedResults.family_name. rawScore |
String | N/A | Read-only | Raw numeric score returned by the service. Ranges from 0 to 1. |
comparisons.detailedResults.given_name |
String | N/A | Read-only | Given name of the identity. Can optionally include middle name. |
comparisons.detailedResults.given_name. confidence |
String | N/A | Read-only | Confidence level of the match returned by the service as described in Identity record match results match definitions. |
comparisons.detailedResults.given_name. rawScore |
String | N/A | Read-only | Raw numeric score returned by the service. Ranges from 0 to 1. |
comparisons.detailedResults.name |
String | N/A | Read-only | Full name of the identity. |
comparisons.detailedResults.name. confidence |
String | N/A | Read-only | Confidence level of the match returned by the service as described in Identity record match results match definitions. |
comparisons.detailedResults.name. rawScore |
String | N/A | Read-only | Raw numeric score returned by the service. Ranges from 0 to 1. |
comparisons.overallWeightedResult |
String | N/A | Read-only | Weighted result of all reviewed fields as described in Identity record match results match definitions. |
comparisons.overallWeightedScore |
Decimal | N/A | Read-only | Weighted score of all reviewed fields. A decimal number between 0 and 1. |
comparisons.source |
String | N/A | Read-only | The type of identity document to which submitted data is compared. Always GOVERNMENT_ID . |
comparisons.status |
String | N/A | Read-only | Status of the transaction. |
comparisons.target |
String | N/A | Read-only | How the submitted data was collected. Always REQUIREMENTS . |
Identity record match results match definitions
Value | Description |
---|---|
HIGH |
Based on a threshold, the quality of the match indicates that the match is an exact match or can be qualified as a near-exact match. |
MEDIUM |
Based on a threshold, the quality of the match is not exact but can be qualified as a partial match or an alternate spelling for the same value. |
LOW |
Based on a threshold, the quality of the match cannot be qualified as exact, near-exact, partial, or misspelled. |
NONE |
A raw score was so low that we have no confidence in a match. |
NOT_APPLICABLE |
A value was not found in the processed document for the given identifier. For example, the user is required to supply an address but the document supplied, such as a passport, does not have an address. |
data object for BIOGRAPHIC_MATCH + BIOGRAPHIC_MATCHER
While GOVERNMENT_ID configuration includes BIOGRAPHIC_MATCH in Verify Policies, results are returned separately in verification metadata.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
biographic_match_results |
Object[] | N/A | Read-only | Array of objects containing the results |
biographic_match_results. identifier |
String | N/A | Read-only | Attribute that was checked. Can be address , birth_date , family_name , given_name , or name . |
biographic_match_results. match |
String | N/A | Read-only | Relative indicator of success as described in Biographic match results match definitions |
data object for INJECTION_DETECTION + IDRND
While LIVENESS
configuration includes INJECTION_DETECTION
in Verify Policies, results are returned separately in verification metadata.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
probability |
Double | N/A | Read-only | A float, either 0.0 or 1.0, that represents the probability of no injection attacks in the image. |
data object for LIVENESS + IDRND
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
probability |
Double | N/A | Read-only | A float between 0 and 1 that represents the liveness probability of the image. |
quality |
Double | N/A | Read-only | A float between 0 and 1 that represents the quality of the image. |
score |
Double | N/A | Read-only | A float that represents the raw liveness score. A higher value means more alive. |
data object for VOICE_ENROLLMENT + IDRND
Available with voice enrollment.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
recordingComparisons |
Object[] | N/A | Read-only | Array of objects of voice enrollment comparisons between pairs of samples. |
recordingComparisons. probability |
Double | N/A | Read-only | A float between 0 and 1 that represents the comparison probability of the voice enrollment sample. |
recordingComparisons. score |
Double | N/A | Read-only | A float that represents a raw comparison score, intended to be used for evaluation and data calibration. A higher value means more closely matched voice enrollment samples. |
recordingComparisons. voiceTemplateIds |
String[] | N/A | Read-only | Array of identifiers (UUIDs) of the voice templates (a construct that contains the uniquely identifying biological characteristics of a person's voice) for the voice enrollment samples compared. |
recordings |
Object[] | N/A | Read-only | Array of objects of voice enrollment samples. |
recordings.antispoof.probability |
Double | N/A | Read-only | A float between 0 and 1 that represents the probability that the voice enrollment sample is not a spoofed recording. |
recordings.antispoof. score |
Double | N/A | Read-only | A float that represents a raw comparison score, intended to be used for evaluation and data calibration. A higher value means the voice enrollment sample is less likely a spoofed recording. |
recordings.antispoof. unsuitable_input_message |
Boolean | N/A | Read-only | Whether or not the voice enrollment sample is a suitable submission. |
recordings.quality. obtained_values.SNR |
Double | N/A | Read-only | A float that represents the signal-to-noise ratio of the submitted voice enrollment sample in deciBels (dB). |
recordings.quality. obtained_values.SpeechLength |
Double | N/A | Read-only | A float that represents duration of the voice enrollment sample in milliseconds. |
recordings.quality. threshold_values.SNR |
Double | N/A | Read-only | A float that represents the threshold for acceptable signal-to-noise ratio of the voice enrollment sample in deciBels (dB). |
recordings.quality. threshold_values.SpeechLength |
Double | N/A | Read-only | A float that represents the threshold for acceptable duration of the voice enrollment sample in milliseconds. |
recordings.recordingId |
String | N/A | Read-only | Identifier (UUID) of the voice enrollment sample. |
recordings.voiceTemplateIds |
String | N/A | Read-only | Identifier (UUID) of the voice template (a construct that contains the uniquely identifying biological characteristics of a person's voice) for this voice enrollment sample. |
data object for VOICE_VERIFICATION + IDRND
Available with voice verification.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
matchResult.probability |
Double | N/A | Read-only | A float between 0 and 1 that represents the match probability of the voice verification sample. |
matchResult.score |
Double | N/A | Read-only | A float that represents a raw comparison score, intended to be used for evaluation and data calibration. A higher value means more closely matched voice verification samples. |
matchResult.voiceTemplateIds |
String[] | N/A | Read-only | Array of identifiers (UUIDs) of the voice templates (a construct that contains the uniquely identifying biological characteristics of a person's voice) for the voice enrollment samples compared. |
recordingData.antispoof. score |
Double | N/A | Read-only | A float that represents a raw comparison score, intended to be used for evaluation and data calibration. A higher value means the voice verification sample is less likely a spoofed recording. |
recordingData.antispoof. unsuitable_input_message |
Boolean | N/A | Read-only | Whether or not the voice verification sample is a suitable submission. |
recordingData.quality. obtained_values.SNR |
Double | N/A | Read-only | A float that represents the signal-to-noise ratio of the submitted voice verification sample in deciBels (dB). |
recordingData.quality. obtained_values.SpeechLength |
Double | N/A | Read-only | A float that represents duration of the voice verification sample in milliseconds. |
recordingData.quality. threshold_values.SNR |
Double | N/A | Read-only | A float that represents the threshold for acceptable signal-to-noise ratio of the voice verification sample in deciBels (dB). |
recordingData.quality. threshold_values.SpeechLength |
Double | N/A | Read-only | A float that represents the threshold for acceptable duration of the voice verification sample in milliseconds. |
recordingData.recordingId |
String | N/A | Read-only | Identifier (UUID) of the voice verification sample. |
recordings.voiceTemplateIds |
String | N/A | Read-only | Identifier (UUID) of the voice template (a construct that contains the uniquely identifying biological characteristics of a person's voice) for this voice enrollment sample. |
data object for DOCUMENT_AUTHENTICATION + MITEK
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
backImageDocumentId |
String | N/A | Read-only | Identifier (UUID) that is referenced in mitekVerifications object to determine the image the verification ran on. |
documentEvidenceId |
String | N/A | Read-only | Identifier (UUID) that is referenced in mitekVerifications object to determine the image the verification ran on. |
frontImageDocumentId |
String | N/A | Read-only | Identifier (UUID) that is referenced in mitekVerifications object to determine the image the verification ran on. |
mitekVerifications |
Object | N/A | Read-only | Verification results object. |
mitekVerifications. documentId |
String | N/A | Read-only | Identifier (UUID) of the image the verification ran on. |
mitekVerifications. judgement |
String | N/A | Read-only | Overall determination of the authenticity of the dossier based on the evidence presented. Permitted values are: Authentic, Fraudulent, and Undetermined. |
mitekVerifications. name |
String | N/A | Read-only | Name of the authenticator (test). |
mitekVerifications. notifications |
Object | N/A | Read-only | An object of any number of name-value pairs, where the name is a notification code and the value is its description, in the event an authenticator was unable to run. |
mitekVerifications. probability |
Integer | N/A | Read-only | A number that represents the overall authenticity score used in determining the authenticity of the dossier. |
mitekVerifications. verificationType |
Integer | N/A | Read-only | A 3-digit number (code) that indicates the type of authenticator. |
mitekVerifications. version |
String | N/A | Read-only | Version of the individual authenticator. |
data object for DOCUMENT_AUTHENTICATION + VERIFF
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
veriffVerification |
Object | N/A | Read-only | Verification results object. |
veriffVerification.acceptanceTime |
DateTime | N/A | Read-only | Timestamp for acceptance of the document. |
veriffVerification.code |
String | N/A | Read-only | Vendor's verification result code. |
veriffVerification.decisionTime |
DateTime | N/A | Read-only | Timestamp of the decision on the document. |
veriffVerification.id |
String | N/A | Read-only | Unique identifier (UUID) for the results. |
veriffVerification.status |
String | N/A | Read-only | Vendor's status for the verification; can be approved , abandoned , declined , expired , resubmission_requested , review , started , or submitted . |
veriffVerification.vendorData |
String | N/A | Read-only | Vendor's unique identifier (UUID) for the results. |
veriffVerification.reason |
String | N/A | Read-only | Vendor's reason description for disapproval. |
veriffVerification.reasonCode |
String | N/A | Read-only | Vendor's reason code for disapproval. |
data object for DOCUMENT_MANUAL_AUTHENTICATION + MITEK
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
customerReferenceId |
String | N/A | Read-only | Identifier (UUID) of the customer. |
mitekVerifications |
Object | N/A | Read-only | Verification results object. |
mitekVerifications. authenticity.result.reasons |
String[] | N/A | Read-only | Array of strings with the reasons why the authenticity result is NOT_AUTHENTIC . |
mitekVerifications. authenticity.result |
String | N/A | Read-only | Whether the document authenticity is deemed AUTHENTIC or NOT_AUTHENTIC . |
mitekVerifications. notifications |
Object | N/A | Read-only | An object of any number of name-value pairs, where the name is a notification code and the value is its description, in the event an authenticator was unable to run. |
mitekVerifications. originality.result.reasons |
String[] | N/A | Read-only | Array of strings with the reasons why the originality result is NOT_ORIGINAL . |
mitekVerifications. originality.result |
String | N/A | Read-only | Whether the document originality is deemed ORIGINAL or NOT_ORIGINAL . |
mitekVerifications. validity.result.reasons |
String[] | N/A | Read-only | Array of strings with the reasons why the validity result is NOT_VALID . |
mitekVerifications. validity.result |
String | N/A | Read-only | Whether the document validity is deemed VALID or NOT_VALID . |
requestId |
String | N/A | Read-only | Identifier (UUID) of the request for manual authentication. |
data object for AAMVA + MITEK
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
matchResults.dateOfBirth |
Boolean | N/A | Read-only | Whether the data of birth on the submitted government identity document matches the date of birth in the system of record. |
matchResults.documentNumber |
Boolean | N/A | Read-only | Whether the document number on the submitted government identity document matches the document number in the system of record. |
requestId |
String | N/A | Read-only | Identifier (UUID) of the request for Mitek AAMVA verification. |
data object for AADHAAR + VERIFF
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
aadhaarVerification |
Object | N/A | Read-only | Object containing data returned by the vendor. |
aadhaarVerification.acceptanceTime |
DateTime | N/A | Read-only | Date and time the request was accepted. |
aadhaarVerification.code |
Integer | N/A | Read-only | Provider's code for the status returned by Veriff Aadhaar verification. |
aadhaarVerification.decisionTime |
DateTime | N/A | Read-only | Date and time the verification decision was rendered. |
aadhaarVerification.id |
String | N/A | Read-only | Identifier (UUID) of the request for Veriff Aadhaar verification. |
aadhaarVerification.reason |
String | N/A | Read-only | Description of the reason for a failed verification. |
aadhaarVerification.reasonCode |
String | N/A | Read-only | Provider's Aadhaaar session identifier. |
aadhaarVerification.status |
String | N/A | Read-only | Status of the verification returned by Veriff Aadhaar verification. |
aadhaarVerification.vendorData |
String | N/A | Read-only | Identifier (UUID) of the verify transaction for the Aadhaar verification. |
code |
status |
---|---|
9001 |
approved |
9102 |
declined |
9103 |
resubmission_requested |
9121 |
review |
reason |
---|
During generate OTP |
Invalid session Id |
Invalid attempt to resend the OTP |
OTP generation limit reached |
MFA already completed |
Internal server error |
Document number provided is not correct |
Document number does not match any actual Aadhaar entries |
Invalid phone number tied to document number |
Request to generate OTP was done within 60 seconds of the last OTP generation |
During verify OTP |
Invalid session Id |
The OTP entered is not valid, please ensure it is a 6-digit number |
An OTP was not generated for the Aadhaar identifier |
MFA already completed |
Internal server error |
The OTP entered is incorrect |
Maximum number of OTP attempt reached |
Read All Verification Metadata
Read One Verification Metadata
Delete All Verification Metadata
Delete One Verification Metadata
Verification Metrics
For each verification transaction, you can retrieve all application events for the transaction that were generated by the verification service. Use the appEvents
endpoint, /environments/{{envID}}/users/{{userID}}/verifyTransactions/{{transactionID}}/appEvents
to retrieve application events associated with the verification transaction.
Only those with an Identity Data Admin role are permitted to use the appEvents
endpoint.
Verification metrics object data model
When retrieving the collection of application events for a specified transaction, the application event objects described in these data model tables are contained in an appEvents
object array.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
collectionDate |
String | N/A | Read-only | Date that the application event was collected |
data |
Object | N/A | Read-only | Contains the application event objects where the key is the type of application event; refer to ADDITIONAL_INFORMATION, CAMERA, DATA_CAPTURE, DEVICE_METADATA, ERRORS, ID_CAPTURE, QR_SCANNER, or SELFIE_CAPTURE |
id |
String | N/A | Read-only | Identifier (UUID) of the application event |
ADDITIONAL_INFORMATION data object
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
custom_app_theme |
String | N/A | Read-only | Whether or not the SDK is using a custom AppTheme; can be TRUE or FALSE |
document_submission_complete |
String | N/A | Read-only | Epoch seconds of when submission completed |
sdk_initialization_type |
String | N/A | Read-only | How the SDK was initialized, from a QR code (qrScanner ) or a string from an already parsed QR code (qrString ) |
sdk_initialization |
String | N/A | Read-only | Epoch seconds of when SDK initialized |
sdk_resuming_flow |
String | N/A | Read-only | Whether or not the SDK dropped a previous session and is resuming from where it left off; can be TRUE or FALSE |
CAMERA data object
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
config_flash_enabled |
String | N/A | Read-only | Whether or not the camera's flash is enabled; can be TRUE or FALSE |
config_focus_mode |
String | N/A | Read-only | Camera focus mode; can be AUTO_FOCUS , CONTINUOUS_FOCUS , MANUAL_FOCUS |
config_resolution |
String | N/A | Read-only | Resolution of the camera preview |
permission_granted |
String | N/A | Read-only | Whether or not the user granted permission to use the camera; can be TRUE or FALSE |
DATA_CAPTURE data object
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
number_of_otps |
Integer | N/A | Read-only | Count of one time passwords (OTP) sent |
otp_canceled |
String | N/A | Read-only | Whether or not the user canceled a one time password (OTP) attempt; can be email_TRUE , email_FALSE , phone_TRUE , or phone_FALSE |
otp_result |
String | N/A | Read-only | Whether or not a one time password (OTP) attempt succeeded; can be email_TRUE , email_FALSE , phone_TRUE , or phone_FALSE |
otp_start |
String | N/A | Read-only | Epoch seconds of when one time password (OTP) collection started |
otp_stop |
String | N/A | Read-only | Epoch seconds of when one time password (OTP) collection ended |
otp_timeout |
String | N/A | Read-only | Whether or not a one time password (OTP) attempt timed out; can be email_TRUE , email_FALSE , phone_TRUE , or phone_FALSE |
otp_tries |
Integer | N/A | Read-only | Count of one time password (OTP) attempts |
requirements |
String | N/A | Read-only | Whether or not data capture was required; can be email_TRUE , email_FALSE , phone_TRUE , or phone_FALSE |
skipped |
String | N/A | Read-only | Whether or not the user skipped one time password (OTP) capture; can be email_TRUE , email_FALSE , phone_TRUE , or phone_FALSE |
start |
String | N/A | Read-only | Epoch seconds of when selection of email or SMS for a one time password (OTP) started |
stop |
String | N/A | Read-only | Epoch seconds of when selection of email or SMS for a one time password (OTP) ended |
DEVICE_METADATA data object
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
app_package |
String | N/A | Read-only | Bundle identifier or application package (URI) embedding the SDK |
browser |
String | N/A | Read-only | Name of the browser; can be Chrome , Firefox , Safari , Opera , Edge , or Other |
device_manufacturer |
String | N/A | Read-only | Manufacturer of the device used for the transaction, if applicable, such as Apple or Samsung |
device_model |
String | N/A | Read-only | Model of the device used for the transaction, if applicable, such as iPhone14 or GalaxyS22 |
device_type |
String | N/A | Read-only | Type of device used for the transaction; can be IOS , ANDROID , MOBILE_WEB , or DESKTOP_WEB |
os_version |
String | N/A | Read-only | Version of the operating system on the device used for the transaction, if applicable, such as 14.3 or 13 |
sdk_version |
String | N/A | Read-only | Version of the SDK |
user_agent |
String | N/A | Read-only | User-Agent HTTP header returned by the browser |
ERRORS data object
Capture flow errors
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
camera_permission_not_granted |
String | N/A | Read-only | Whether or not the user refused to grant permission to use the camera; always TRUE |
config_flash_enabled |
String | N/A | Read-only | Whether or not the camera's flash is enabled; can be TRUE or FALSE |
config_focus_mode |
String | N/A | Read-only | Camera focus mode; can be AUTO_FOCUS , CONTINUOUS_FOCUS , MANUAL_FOCUS |
config_resolution |
String | N/A | Read-only | Resolution of the camera preview |
data_mismatch_between_front_and_back |
Integer | N/A | Read-only | Count of occurrences of data mismatch between front and back |
id_capture_camera_start_error |
String | N/A | Read-only | Text of any camera start errors returned by the service during identity document capture |
id_flashlight_glare |
Integer | N/A | Read-only | Count of occurrences of glare from the camera flash on the identity document |
id_full_side_not_visible |
Integer | N/A | Read-only | Count of occurrences where the full side of the identity document was not visible |
id_too_far |
Integer | N/A | Read-only | Count of occurrences where the identity document was too far from the camera |
id_type_categorization_error |
String | N/A | Read-only | Text of any type categorization errors returned by the service |
id_type_unsupported |
String | N/A | Read-only | Whether or not the camera's flash is enabled; always TRUE |
selfie_camera_start_error |
String | N/A | Read-only | Text of any camera start errors returned by the service during selfie capture |
selfie_face_not_aligned_x_axis |
Integer | N/A | Read-only | Count of occurrences where the face was turned too far left or right |
selfie_face_not_aligned_y_axis |
Integer | N/A | Read-only | Count of occurrences where the face was turned too far up or down |
selfie_face_not_aligned_z_axis |
Integer | N/A | Read-only | Count of occurrences where the face was tipped too far clockwise or counterclockwise |
selfie_face_too_close |
Integer | N/A | Read-only | Count of occurrences where the face was too close to the camera |
selfie_face_too_far |
Integer | N/A | Read-only | Count of occurrences where the face was too far from the camera |
selfie_multiple_faces |
Integer | N/A | Read-only | Count of occurrences where multiple faces were discerned in the image |
selfie_no_face_present |
Integer | N/A | Read-only | Count of occurrences where no faces were discernible in the image |
Network errors
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
network_lost |
String | N/A | Read-only | Epoch seconds of when network was lost |
Other errors
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
sdk_error |
String | N/A | Read-only | Description of uncategorized errors from the SDK with the epoch seconds of when the error occurred |
app_event_error |
String | N/A | Read-only | Description of errors while initializing an app event object with the epoch seconds of when the error occurred |
ID_CAPTURE data object
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
barcode_captured |
String | N/A | Read-only | Epoch seconds of when capture of the barcode of the identity document ended |
camera_params |
String | N/A | Read-only | Camera parameters used for capture such as focus mode, resolution, and face detection service |
canceled |
String | N/A | Read-only | Whether or not the user canceled identity document capture; can be TRUE or FALSE |
classification |
String | N/A | Read-only | Classification of the identity document; can be Driver License or Passport |
image_#NUMBER_has_face |
String | N/A | Read-only | Whether or not the image (where #NUMBER is the page number of the image) has a face; can be TRUE or FALSE |
image_#NUMBER_score |
Double | N/A | Read-only | Identity document image (where #NUMBER is the page number of the image) quality score in the range of 0 to 1 |
image_#NUMBER_size |
String | N/A | Read-only | Resolution of the identity document image (where #NUMBER is the page number of the image) |
image_blurred |
String | N/A | Read-only | Whether or not the image is blurry; can be TRUE or FALSE |
mrz_captured |
String | N/A | Read-only | Epoch seconds of when capture of the machine readable zone (MRZ) of the identity document ended |
page_captured |
String | N/A | Read-only | Page number and epoch seconds, separated by an underscore, for when capture of an identity document image ended. Those with front and back images have pages 1 and 2, such as 1_1650507635 and 2_1650507657 . For passports, when capturing more than one page, page numbers are sequential until all pages are captured. |
skipped |
String | N/A | Read-only | Whether or not the user skipped identity document capture; can be TRUE or FALSE |
start |
String | N/A | Read-only | Epoch seconds of when identity document capture started |
stop |
String | N/A | Read-only | Epoch seconds of when identity document capture ended |
timeout |
String | N/A | Read-only | Epoch seconds of when identity document capture timed out |
total_images |
Integer | N/A | Read-only | Count of captured pages of the identity document |
vendor |
String | N/A | Read-only | Vendor used for capturing the identity document; can be MicroBlink , Mitek , or Ping |
QR_SCANNER data object
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
canceled |
String | N/A | Read-only | Whether or not QR scanning was canceled by the user; can be TRUE or FALSE |
result |
String | N/A | Read-only | Result of scanning a QR code; can be VALID OR INVALID |
start |
String | N/A | Read-only | Start time for scanning a QR code |
stop |
String | N/A | Read-only | Stop time for scanning a QR code |
SELFIE_CAPTURE data object
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
canceled |
String | N/A | Read-only | Whether or not the user canceled selfie capture; can be TRUE or FALSE |
face_detection_service |
String | N/A | Read-only | Service used for capturing the selfie; can be VisionKit , CoreImage , or FirebaseMLKit |
liveness_check_requested |
String | N/A | Read-only | Whether or not the SDK requested a liveness check; can be TRUE or FALSE |
number_of_selfies_captured |
Integer | N/A | Read-only | Count of captured selfies |
original_selfie_size |
String | N/A | Read-only | Resolution of the selfie image |
selfie_face_size |
String | N/A | Read-only | Percentage size of the face in the final captured selfie (includes the percent sign, %) |
selfie_pitch_angle |
Integer | N/A | Read-only | Pitch angle in degrees (rotation around x-axis) where the face was turned left or right |
selfie_roll_angle |
Integer | N/A | Read-only | Roll angle in degrees (rotation around y-axis) where the face was turned up or down |
selfie_score |
Double | N/A | Read-only | Selfie image quality score in the range of 0 to 1 |
selfie_yaw_angle |
Integer | N/A | Read-only | Yaw angle in degrees (rotation around z-axis) where the face was tipped clockwise or counterclockwise |
skipped |
String | N/A | Read-only | Whether or not the user skipped selfie capture; can be TRUE or FALSE |
start |
String | N/A | Read-only | Epoch seconds of when selfie capture started |
stop |
String | N/A | Read-only | Epoch seconds of when selfie capture ended |
timeout |
String | N/A | Read-only | Epoch seconds of when identity document capture timed out |
vendor |
String | N/A | Read-only | Vendor used for capturing the selfie; can be MicroBlink , Mitek , or Ping |
Read All Verify Transaction Metrics
Read One Verify Transaction Metric
Delete All Verify Transaction Metrics
Delete One Verify Transaction Metric
Verification Actions
Users are limited in the number of verifications transactions permitted per hour and per day. If a user exceeds either limit, the cooldown period is based on the limit exceeded. If the user exceeds the limit of transactions in an hour, they must wait until an hour after the first transaction. If the user exceeds the limit of transactions in a day, they must wait until a day after the first transaction. If a user cannot wait for the end of the cooldown period, an Identity Data Admin can reset the verification limits for that user with the Reset Verification request.
Reset Verification
Working with PingOne APIs
If you want to start building your own workflows with PingOne APIs, the Workflow Library provides step-by-step workflows with linked Postman collections to help you start using the PingOne APIs in your Postman environment. For information about how PingOne secures APIs, resources, and data, and what you can do to implement security measures for your PingOne deployment and applications, refer to Platform security.
If you're new to PingOne and have not set up your test environment, refer to PingOne for Developers Getting Started. This guide helps you get an admin access token, which is required to make API calls to Neo API resources.
PingOne API domains
This section discusses how PingOne API regional endpoints are entered in the domain name system (DNS). In DNS, and in our endpoints, the domain part of the uniform resource locator (URL) comprises three parts separated by periods, such as api.pingone.com
: one of our service-specific subdomains
, our PingOne domain name of pingone
, and one of our top level domains
.
We use Postman variables to manage this variety of domain parts in PingOne API endpoints. The later discussion is correct regarding the domain part that the variables evaluate to. However, to ease maintenance, the Postman environment template you get when you download a collection uses variables to isolate the TLD from the rest of the domain part and to isolate the domain part from the rest of the endpoint.
The environment template has a path variable for each subdomain. Each path variable uses another variable, {{tld}}
, for the top level domain (TLD). Such as https://api.pingone.{{tld}}/v1
for {{apiPath}}
. The tld
variable is first in the environment template that you downloaded.
The table below shows the top level domain value for each region. To change your region, simply change the default {{tld}}
value from com
to your region's TLD.
Region | Code | Top level domain |
---|---|---|
North America region (excluding Canada) | NA | com (default) |
Canada region | CA | ca |
European Union region | EU | eu |
Australia region | AU | com.au |
Singapore region | SG | sg |
Asia-Pacific region | AP | asia |
The PingOne API includes the following domains:
Domain | Postman path variable | Description |
---|---|---|
api.pingone.{{tld}} |
{{apiPath}} |
The primary domain for calling PingOne Management API resource server. |
auth.pingone.{{tld}} |
{{authPath}} |
The authorization and authentication server domain called to request the access token required to authenticate PingOne API requests. |
orchestrate-api.pingone.{{tld}} |
{{orchestratePath}} |
The primary domain for calling the PingOne DaVinci Management API resource server. |
scim-api.pingone.{{tld}} |
{{scimPath}} |
PingOne API service for Cross-domain Identity Management (SCIM). |
The {{...Path}}
variable in the sample requests stand for the PingOne service endpoint. Refer to Public endpoints in the PingOne for Developers Foundations guide for more information.
The Try a Request feature
Our documentation for the PingOne APIs includes an interactive Try a Request feature. Try a Request enables you to configure and send a PingOne API request and get a response from within the documentation. This is a quick way to interactively test a PingOne API request without needing to use either Postman or the command line.
Requests in Authentication and Authorization APIs do not have the Try a Request feature due to a Cross-Origin Resource Sharing (CORS) constraint.
Calling the PingOne APIs from the command line
Each PingOne API request in the documentation includes an example request and response. By default, the example request is displayed using cURL. However, a number of coding languages are available in the associated drop-down list. If you want to run a request from the command line, you can select the coding language and copy the displayed request. You'll need to replace any variables in the request with the appropriate values before running the request.
Using Postman collection-level authorization
Most APIs require authorization to ensure that client requests access data securely. Postman can pass along whatever authorization details necessary for the method demanded by the endpoint. You can manually include authorization data in the header, body, or as parameters to a request. However, the easiest way is to use the Authorization tab in Postman. Select an authorization Type on that tab and Postman offers a dialog to gather the information required by that Type. When you run a request, Postman uses the information from the Authorization tab to automatically add the necessary authorization header, body, or parameters to the request. Postman offers the Authorization tab on requests, folders, and collections.
In PingOne collections, the authorization method is defined at the collection level. Only those requests that require a specific authorization method have authorization defined on the request (roughly 10% of PingOne requests). This allows you to easily change the authorization used for most requests. Refer to Postman Collection-Level Authorization for more information.
Postman and the PingOne APIs
We use Postman to create our PingOne Neo API docs, and have supplied our Postman collections for you to download. There's also an accompanying Postman Environment template already populated with the variables used in the collections.
If you aren't currently using Postman, you can install the free version. Refer to Download Postman to install Postman, either locally, or in your browser.
Refer to The PingOne Neo API Postman collections for the collections you can download or fork.
For more information about our Postman environment variables, refer to The PingOne Postman environment template.
You'll also find all of the Postman collections for our documented PingOne use cases in our Workflow Library.
The PingOne Postman collections
You can get the PingOne Neo API Postman collection by following either of these methods for retrieving a Postman collection into your workspace:
-
Fork the collection into your workspace. Postman retains an association between the source and your fork. If we update the source collection, you can pull those changes into the fork in your workspace.
-
Import the collection into your workspace. This is a one-time transfer and retains no association to the source collection.
To retrieve a collection
Refer to The PingOne Neo API collections on this page.
-
Click the collection's Run In Postman button.
-
At the prompt, click Fork Collection at the bottom of the dialog or click import a copy near the bottom of the dialog.
-
Follow the on-screen instructions to fork or import the collection. You're prompted to select a Postman workspace for the retrieved collection.
When you fork a Postman collection, you create a copy of it in a selected workspace. Forking a collection creates a linked version that synchronizes with its source collection. This synchronization is apparent when you click the three dots icon on the forked collection - you'll see Pull changes on the context menu. When you click Pull changes, Postman compares the fork to the source collection. If changes are available, you can pull those changes into your fork. If you also elect to watch the collection, you'll receive notifications when the source changes.
If you import a collection, a copy is created in the selected workspace with no link back to the source. The collection is static. This may be desirable for some use cases. For example, if you intend to keep and use only some requests in a collection, a link back to the source is not needed.
You're not limited to choosing one method or the other. You can fork a copy to track the source and import a copy for experimentation, if you like.
The PingOne Neo API collections
These Postman collections include requests for all create, read, update, and delete (CRUD) operations for the PingOne Neo APIs.
For more information about the Postman environment variables included when you download or fork one of our Postman collections, refer to The PingOne Postman environment template.
The PingOne Postman environment template
Our Postman collections use variables in the request URLs to specify the UUIDs for PingOne resources. When you click the Run in Postman button for a collection, these environment variables are included in your download or fork. Use these environment variables as a template to assign your PingOne resource UUIDs with the common variables used in many of the requests.
For more information about using Postman environments, refer to the following topic in the Postman documentation: Environments in Postman.
POST requests in the PingOne Neo API Postman collections that create a resource and return a resource ID include a Postman script. This script automatically adds a resource variable to your active Postman environment, and uses the newly created ID as the value.
For example, the following request creates a new Neo variable. This request URL contains variables for the API path and environment ID:
POST {{apiPath}}/environments/{{envID}}/variables
To run this request, you must ensure the {{apiPath}}
in the Postman environment template has the regional top-level domain (TLD) associated with your organization. Refer to Variables you must value for more information.
Almost every request in PingOne requires an environment ID. If you are working primarily in one environment for testing purposes, you'll want to add your environment's UUID to your active Postman environment as the value for the {{envID}}
variable.
Requests to PingOne Management API endpoints require a valid access token to authenticate the request. In the PingOne Postman collections, the token value is represented in the Postman environment template as the variable {{accessToken}}
.
With the {{tld}}
and {{envID}}
variables defined in your Postman template, and with a valid token value defined in the {{accessToken}}
variable, you can run the request shown above:
POST {{apiPath}}/environments/{{envID}}/variables
If the request is successful, Postman adds a {{variableID}}
variable to the current Postman environment automatically, and associates the new user's id
property value (the UUID of the new user) with this variable.
Notes about environment variables and security
It's important to understand how Postman allows you to Store and reuse values using variables. Postman has two values for each environment variable: an Initial value and a Current value. You'll want to pay particular attention to differences between Initial and current values. Initial values are saved to Postman's cloud, and available to anyone who has access to the environment. Current values are saved only locally and available only to you. Postman uses only the current value in requests. If an environment variable has an initial value but no current value, Postman doesn't copy it to the current value or use the initial value in the request, the request simply fails. In this case, you need to manually copy the initial value to the current value.
When you create a new variable with an initial value and save the environment, Postman autofills the current value. However, that is the only time that Postman autofills the current value. If you subsequently delete the current value, the variable is no longer valued in a request.
Saving initial values to the Postman cloud impacts security. These initial values are available to anyone who has access to the workspace. If a workspace is public, you have a security issue.
Postman's recommended solution to exposing secrets is to Store secrets in your Postman Vault. Remember that Postman uses only current values in requests.
Variables you must value
When you download or fork a PingOne Postman collection, your workspace receives a set of Postman environment variables for you to use as a template. The variables that represent a resource in PingOne automatically receive a value when you create a new PingOne resource using Postman. Our script associated with the request (shown on the request's Scripts tab) inserts the identifier of the resource it creates as the value of the variable associated with that resource. However, some variables essential to using Postman with PingOne do not have their values inserted automatically. You must manually add the correct value to these variables before making any requests in Postman:
Postman variable | PingOne resource |
---|---|
adminAppID |
The Client ID of the Worker app you created Create an admin Worker app connection. |
adminAppSecret |
The Client Secret of the Worker app created. |
adminEnvID |
The ID for the environment in which your Worker app resides. |
envID |
The ID for the environment in which you are running your Postman API requests. |
orgID |
The ID for your organization. In the PingOne admin console, select Environment and click Properties to view your organization ID. |
tld |
The top-level domain to use for your environment. This is used in URLs containing apiPath , authPath , orchestratePath , and scimPath . |
apiPath |
The regional domain for the PingOne management server (https://api.pingone.{{tld}}/v1 ). |
authPath |
The regional domain for the PingOne authorization and authentication server (https://auth.pingone.{{tld}} ). |
orchestratePath |
The regional domain for the PingOne DaVinci management server (https://orchestrate-api.pingone.{{tld}}/v1 ). |
scimPath |
The regional domain for the PingOne SCIM management server (https://scim-api.pingone.{{tld}} ). |