How to integrate the App (V2)
Overview
Identity Proofing Application (IPA) is an application that verifies the Identity of your Users. It can be integrated in your own application in 2 possible ways :
- Standard IPA, where at the end of the process you get a Verified Identity of your User to proceed further with their on-boarding process.
- IPA with Microsoft ENTRA, where your User gets a Verifiable Credential with their Identity provisioned in their Microsoft Authenticator App, that they can share with you to complete their on-boarding process.
Standard IPA Integration
Creation of an IPA Application
First you must create an application in the Experience Portal. The configurator guides you through the necessary steps to adapt the application to your requirements. Once the application is created, some identifiers and secrets are generated and made available through the Experience portal. These identifiers enable your application to establish connectivity with IPA.
1. Create the IPA App
Go to 'Access -> Identity Proofing App' page and click 'Create new app'.
2. IPA Configuration
- Choose application name.
- Select environment.
- Select a country and document types.
- Choose one of the possible face capture options:
none- no face verificationPassive Video Liveness- Liveness verification with seamless User Experience (recommended)Active Liveness- Liveness verification with active User challenge (face movements requested, recommended for high security applications only as it may impact the average success rate of the process).
- Customize look & feel of your application.
- Confirm on summary screen.
3. Experience your IPA configuration
Once you have created your application, the following options are available to you :
Generate QR code - you can test your IPA configuration. Just scan the QR code with your smart phone's camera and experience the User's Journey by yourself. You can check the verification details of your tests in the Transactions History section of the Experience Portal
Display Endpoint details - get the necessary connectivity details to integrate your IPA configuration into your own Application
clientID
secretKey
Cognito URL
Create Session URL
Delete/Edit configured application.
Integrating IPA in your Application
Overview
Here is a flow diagram detailing each step of the process. It is divided in 5 Steps.
- Obtain an access token
- Create IPA Session
- User performs Identity Proofing Process
- Receive End of Process Notification
- Retrieve Verified Identity and redirect the User to the next step
The chapters below detail how to implement this sequence diagram.
Step 0: Engage User and gather consent
As a preliminary step, you need to engage with your End User through the method of your choice, and expose your Terms of Use of the service to gather User Consent. This part of the process is entirely between you and your User. When you create an IPA session, we assume that the End User consented to the agreed Terms of Use.
Step 1: Obtain application access token
First, your back end application must obtain an access token to the IPA application using the Cognito URL, secretKey and clientID.
Example request
Shell1curl -X POST --location '[COGNITO_URL]/oauth2/token' \2 --header 'Content-Type: application/x-www-form-urlencoded' \3 --data-urlencode 'grant_type=client_credentials' \4 --data-urlencode 'client_id=[CLIENT_ID]' \5 --data-urlencode 'client_secret=[SECRET_KEY]'6
Request Variables
Variable | Type | Mandatory/Optional | Description | Example Value |
|---|---|---|---|---|
COGNITO_URL | string | Mandatory | Cognito URL value from Endpoint details screen | https://devportal.auth.us-east-2.amazoncognito.com |
CLIENT_ID | string | Mandatory | clientID value from Endpoint details screen | 3mnh1qsn5hmtogpes1gqo3lto0 |
SECRET_KEY | string | Mandatory | secretKey value from Endpoint details screen | 1thkkchj0lnvaj9ivtgv4ne501r0vi38gpe3pp2fl7u |
Example Response
JSON1{2 "access_token": "[ACCESS_TOKEN]",3 "expires_in": 3600,4 "token_type": "Bearer"5}6
Response Variables
Variable | Description |
|---|---|
access_token | Access token value |
expires_in | Duration of your token in seconds (3600) |
token_type | Access token type, always Bearer |
Step 2: Create session
Then, with the access token received from the previous step, create an IPA application session.
This is where you define the callback endpoint to which your backend service is going to receive start and end of session notifications.
You may also define where your User will be redirected to, once the Identity Proofing session is over.
Once created, the session expires automatically after 30 minutes.
IPA Create Session URL
The URL to create a session is : https://rp-handler.did.idemia.io/api/v2/sessions
Example request
Shell1curl -X POST --location 'https://rp-handler.did.idemia.io/api/v2/sessions' \2 --header 'Content-Type: application/json' \3 --header 'Authorization: Bearer [ACCESS_TOKEN]' \4 --data '{5 "requestId": "[REQUEST_ID]",6 "callbackUrl" : "[CALLBACK_URL]",7 "callbackAccessToken" : "[CALLBACK_ACCESS_TOKEN]",8 "gotoUrl" : "[GOTO_URL]"9 }'10
Request Variables
Variable | Type | Mandatory/Optional | Description | Example Value |
|---|---|---|---|---|
ACCESS_TOKEN | string | Mandatory | Access token value from the previous request (Step 1) | |
REQUEST_ID | string | Optional | Unique Identifier that you can provide to help correlation with your business application and operations | A.PmvzQKgYek6SdkT5sWaqw.B |
CALLBACK_URL | string | Optional | URL to the endpoint exposed by your backend to receive start and end of session notifications (Steps 3 and 4). | https://mycompany.myservice.com/webhooks/idemia/ipa |
CALLBACK_ACCESS_TOKEN | string | Optional | Bearer token of your own to authorize access to your Callback endpoint. This token will be passed as a header of the start and end of session notifications requests (Steps 3 and 4). | Ekq87093dJYUEJkyfuyQK3xZd... |
GOTO_URL | string | Optional | URL where the End User will be redirected to at the end of the IPA session (Step 5). | https://mycompany.myservice.com/signup/confirm |
Note : Both callbackUrl and gotoUrl are optional parameters. If no callbackUrl and/or gotoUrl is provided, there will be no callback requests, or user redirection performed at the end of the process.
Response
The response payload contains the IPA Session Identifier as well as the URL that needs to be transmitted to your User to start the Identity Proofing process from their smartphone.
Example Response
JSON1{2 "sessionId": "[SESSION_ID]",3 "startUrl": "[START_URL]",4 "qrCode": "[BASE64_QRCODE_IMAGE]"5}6
Response Variables
Variable | type | Description | Example Value |
|---|---|---|---|
SESSION_ID | string | IPA sessionId. This same sessionId will be provided in the callbacks to correlate them with your application context | ba7ce9dc-c182-4907-875c-ce1942239099 |
START_URL | string | The URL to be transmitted with the channel of your choice to the End User so they can start the Identity proofing process from their smartphone | https://rp-handler.did.idemia.io/api/v2/ipa/start?session-id=ba7ce9dc-c182-4907-875c-ce1942239099 |
BASE64_QRCODE_IMAGE | string | The same START_URL encoded as a base64 QR code PNG image to present to the End User to scan with their smartphone's camera | base64ToBeDecodedAsPNG |
Step 3: User performs the Identity Proofing Process with IPA
Once you have received the IPA sessionId and Start URL from the previous step, record the SessionId and transmit the IPA session's URL to your user, so they can start the IPA from their own smartphone device.
This URL can be transmitted in multiple ways, like in the form a QR code to scan, a text message, or an email.
At the moment the User activates the link that you transmitted, they start the Identity Proofing Process.
When the User starts the Identity Proofing Process, you receive a "start session" notification to your backend's callback URL defined in step 2.
Your callback endpoint must be able to accept the following request :
Example request
Shell1curl -X POST --location [CALLBACK_URL] \2 --header 'Content-Type: application/json' \3 --header 'Authorization: Bearer [CALLBACK_ACCESS_TOKEN]' \4 --data '{5 "applicationId": "[APPLICATION_ID]",6 "sessionId": "[SESSION_ID]",7 "identityId" : "[IDENTITY_ID]"8 "status": "STARTED",9 "errorCode": "NO_ERROR",10 "requestId": "[REQUEST_ID]",11 "timestamp": [TIMESTAMP]12 }'13
Request Variables
Variable | Type | Mandatory/Optional | Description | Example |
|---|---|---|---|---|
CALLBACK_URL | string | Mandatory | Value of the callbackUrl you provided in step 2 | https://mycompany.myservice.com/webhooks/idemia/ipa |
CALLBACK_ACCESS_TOKEN | string | Optional | Value of the callbackAccessToken you provided in step 2. If no value was provided in step 2, this header does not appear. | Ekq87093dJYUEJkyfuyQK3xZd... |
APPLICATION_ID | string | Mandatory | ID of the IPA application configured from Experience Portal | 6359vkcps3v6oma5h5vherefcs |
IDENTITY_ID | string | Optional | ID of the Identity in the ID&V platform. This field may not appear if the Identity creation failed. | gips-2d4ac3d2-053c-4f9e-9ef0-c9a0f251c667 |
SESSION_ID | string (UUID) | Mandatory | IPA sessionId created during Step 2, to be used to correlate this request with your End User's session | ba7ce9dc-c182-4907-875c-ce1942239099 |
STATUS | string | Mandatory | The status value is always STARTED for the Start Session callback | STARTED |
ERROR_CODE | string | Optional | Error code. See the table below in the End of Process section (Step 4) for more details | NO_ERROR |
REQUEST_ID | string | Optional | Your requestId as provided in step 2 | A.PmvzQKgYek6SdkT5sWaqw.B |
TIMESTAMP | float (Unix Time EPOCH) | Mandatory | Timestamp of the callback request creation time | 1733294237.9188666 |
Response
It is expected that the callback's listener service returns an HTTP code 2XX with an empty response body to this request.
We recommend to miminize the time and processing before returning the HTTP code 2XX response to reduce performance impacts of activity peaks.
In case of unexpected HTTP response code received (different from 2XX), the IPA service will send up to 2 more attempts with a delay of 1 second.
Identity Proofing Process
The Identity Proofing process is then conducted autonomously by the User through their device's browser.
Note : The Identity Proofing Application automatically checks the device's configuration and informs the User if it does not meet the requirements. Refer to 'Device minimal requirements' for more details.
Step 4: Receive End of Process Notification
When the User has completed the Identity Proofing Process, you receive an "end of process notification" to your backend's callback URL defined in step 2.
Your callback endpoint must be able to accept the following request :
Example request
Shell1curl -X POST2 --location [CALLBACK_URL] \3 --header "Content-Type: application/json" \4 --header 'Authorization: Bearer [CALLBACK_ACCESS_TOKEN]' \5 --data '{6 "applicationId": "[APPLICATION_ID]",7 "identityId": "[IDENTITY_ID]",8 "sessionId": "[SESSION_ID]",9 "proofUrl": "[PROOF_URL]",10 "timestamp": TIMESTAMP,11 "status":"[STATUS]",12 "errorCode":" "[ERROR_CODE]",13 "loaReached": LOA_REACHED,14 "requestId":"[REQUEST_ID]"15 }'16
Request Variables
Variable | Type | Mandatory/Optional | Description | Example |
|---|---|---|---|---|
CALLBACK_URL | string | Mandatory | Value of the callbackUrl you provided in step 2 | https://mycompany.myservice.com/webhooks/idemia/ipa |
CALLBACK_ACCESS_TOKEN | string | Mandatory | Value of the callbackAccessToken you provided in step 2. If no value was provided in step 2, this header does not appear. | Ekq87093dJYUEJkyfuyQK3xZd... |
APPLICATION_ID | string | Mandatory | ID of the IPA application configured from Experience Portal | 1l5lv91ugi401pieqpcd77bc1l |
IDENTITY_ID | string | Optional | ID of the Identity in the ID&V platform. If the session was never started, this field does not appear. | gips-2d4ac3d2-053c-4f9e-9ef0-c9a0f251c667 |
SESSION_ID | string (UUID) | Mandatory | IPA sessionId created during Step 2, to be used to correlate this request with your End User's session | ba7ce9dc-c182-4907-875c-ce1942239099 |
PROOF_URL | string | Optional | URL to the ID&V platform to get the Identity proof file. If the session was never started, this field does not appear. | https://proofing.idemia.io/gips/v1/identities/gips-2d4ac3d2-053c-4f9e-9ef0-c9a0f251c667/proof |
TIMESTAMP | float (Unix Time EPOCH) | Mandatory | Timestamp of the callback request creation time | 1733294237.9188666 |
STATUS | string | Mandatory | Overall status of the session at the end of the process. Refer to the table below for more details | SUCCESS |
ERROR_CODE | string | Optional | Error code providing details regarding the outcome of the session. Refer to the table below for more details | NO_ERROR |
LOA_REACHED | boolean | Optional | true if the minimum configured target LOA has been reached, false otherwise. If the session was never started, this field does not appear. | true |
REQUEST_ID | string | Optional | Your requestId as provided in step 2 | A.PmvzQKgYek6SdkT5sWaqw.B |
Response
It is expected that the callback's listener service returns an HTTP code 2XX with an empty response body to this request.
We recommend to miminize the time and processing before returning the HTTP code 2XX response to reduce performance impacts of activity peaks.
In case of unexpected HTTP response code received (different from 2XX), the IPA service will send up to 2 more attempts with a delay of 10 seconds.
Status values
Here are the possible Status values and their meaning so you can adapt your post processing to the actual outcome of the Identity Proofing session.
Status Value | Description |
|---|---|
STARTED | Session has started. Only applicable to the Start Session callback (Step 3) |
SUCCESS | Session has been completed successfully and the user reached the minimum target LOA |
FAILURE | Session has not been completed successfully. Refer to the error codes table below for more details |
ERROR | The session encountered a technical error during the process. Refer to the error codes table below for more details |
HEARTBEAT_TIMEOUT | The session Timed out. Refer to the error codes table below for more details |
Error Codes
Error Code | Description |
|---|---|
NO_ERROR | No error encountered during the session |
SESSION_NOT_STARTED | The user did not start the session |
SESSION_TIMEOUT | The session timed out. (30 minutes) |
USER_TIMEOUT | The user dropped off. (5 minutes inactivity) |
UNSUPPORTED_CONFIGURATION | The user's device configuration is not supported ( OS, Browser, Camera Resolution) |
USER_ABORT | The user aborted the process |
LOA_NOT_REACHED | Minimum target LOA has not been reached. |
PROCESS_TERMINATION | The session ended by itself as the User reached the maximum number of attempts. |
VCI_ERROR | Technical error during Verifiable Credential Issuance |
TECHNICAL_ERROR | Technical error during the Identity Proofing Session |
GENERIC_ERROR | Unexpected error during the Identity Proofing Session |
Step 5: Retrieve Verified Identity and redirect the User to the next step
Retrieve User's verified Identity using the IdentityId or getProofURL received in the callback.
Use your ID&V REST API endpoint and GIPS-RS API key to do so.
In parallel, the User is redirected to the gotoURL defined in Step 2 to proceed with the rest of your User's on-boarding Journey, using the results of the Identity Proofing session.
Option 1 : Retrieving the Proof file
The proof file is a zip archive containing a comprehensive output of the Identity Proofing session.
It contains the Identity payload, the images captured by the user and a full audit trail of the verifications performed during the session.
For further details, refer to the 'Proof File specifications' and 'Identity Proofing API Documentation'.
Request Example
Shell1curl -X GET --location [PROOF_URL]2--header 'Content-Type: application/json' \3--header 'apikey: [GIPS-RS_API_KEY]' \4--output proof.tar.gz5
Request Variables
Variable | Description |
|---|---|
PROOF_URL | Location of the Identity proof file from step 4 |
GIPS-RS_API_KEY | Backend to backend (GIPS-RS) API key of your ID&V 'Environment' |
Response
In response you receive an Identity Proof file containing the Verified Identity of the User as well as all submitted evidence and verification methods detailed results.
Option 2 : Retrieving the Identity payload
The Identity payload contains the detailed results of the Identity proofing session such as :
- Level of Assurance (LOA)
- Identity Attributes (names, date of birth etc...) extracted from the Identity Documents
- Status and error codes of the different evidence captured during the proofing session For further details refer to the 'API Explorer section of the Identity Proofing & Verification API' and look for the GET /v1/identities/{id} endpoint.
Request Example
Shell1curl -X GET --location https://[IDV_URL]/gips/v1/identities/[IDENTITY_ID] \2--header 'Content-Type: application/json' \3--header 'apikey: [GIPS-RS_API_KEY]'4
Request Variables
Variable | Description |
|---|---|
IDV_URL | URL of the proofing platform corresponding to your 'Environment' |
IDENTITY_ID | ID of the Identity in the ID&V platform from step 4 |
GIPS-RS_API_KEY | Backend to backend (GIPS-RS) API key of your ID&V 'Environment' |
Response
In response you receive the Identity payload JSON file containing the Verified Identity of the User.
User Redirection
If you provided a a gotoUrl while creating the IPA session ( Step 2), your User is redirected to that URL.
We append to your gotoUrl some paremeters to help you present the right screen depending on the sesssion outcome, and reconciliate it with the rest of your onboarding journey.
The format of the final User redirect URL is as follows :
[GOTO_URL]?requestId=[REQUEST_ID]&status=[STATUS]&errorCode=[ERROR_CODE]
Variable | Description |
|---|---|
GOTO_URL | gotoUrl value provided in Step 2 |
REQUEST_ID | requestId value provided in Step 2 |
STATUS | Same status value as provided in the end of process notification (step4) |
ERROR_CODE | Same errorCode value as provided in the end of process notification (step4) |
Example : https://mycompany.myservice.com/signup/confirm?requestId=A.PmvzQKgYek6SdkT5sWaqw.B&status=SUCCESS&errorCode=NO_ERROR
Note : In case of technical issue during the end of process flow (Step 4), it might happen that the redirect URL misses some additional parameters. So the page corresponding to the redirect URL must be prepared for such scenario and interpret it as a technical error.
Integrate using Microsoft VC ENTRA Application
Azure configuration
In order to get your Identity Proofing Application integrated with Microsoft ENTRA Verified ID, you must have a valid tenant on your Azure Cloud account. We recommend you to follow the tutorial from Microsoft: Configure your tenant for Microsoft ENTRA Verified ID. You have to create the resources described below:
Azure Active Directory. Subscription.
Azure Key Vault (under Resource Group or directly under Subscription).
App Registration (under Azure Active Directory).
Access Policy allowing to trigger VC presentation request (under App Registration).
Verified ID Service (under Azure Active Directory). You need to get a unique set of OAuth2 Client ID and Client secret credentials from App Registration process which is used in "Client Credentials" flow to obtain an Access Token as explained on the following page: Request Service REST API. This access token allows to call VC presentation API: Configure Microsoft ENTRA Verified ID verifier. Moreover, your system needs have a valid domain registered that is verified by Azure Verified ID Service according to DID (Decentralized Identity) policy. Following descriptor files has to be exposed:
/.well-known/did.json
/.well-known/did-configuration.json These descriptors are obtained from Verified ID Service. After that setup, you have to select IDEMIA as provider of the trusted credentials which can be located using: {region}.did.idemia.io domain ({region}.did-{stage}.idemia.io for lower stages):
Please note that if you want to authenticate end users across multiple regions, it is required to trust multiple credentials. This is related to Microsoft ENTRA Verified ID service design that controls PII processing according to AD setup location. Microsoft provides the entire process including usage of the sample app in this tutorial: Configure Microsoft ENTRA Verified ID verifier.
Microsoft VC ENTRA Application flow diagram
Creation of IPA for ENTRA application
In order to use ENTRA, you must create an application in Experience Portal and obtain an integration endpoint details, which will be used to communicate with our servers. Those details are secret and should not be exposed by your Front End application.
1. Create the IPA App
Go to 'Access -> Microsoft VC ENTRA App' page and Click 'Create new app'.
2. Fill out the form
Choose application name.
Select environment.
Select a country and document types.
Choose one of the possible liveness options:
none- no face verificationPassive Video Liveness- Simple selfie capture (recommended)Active Liveness- face capture with active challenge (face movements requested, recommended for high security applications only).
Choose VC claims
- Add optional deep-link prefix in case the Microsoft Authenticator SDK is embedded into your own native application.
Customize look & feel of your application.
Confirm on summary screen.
3. Submit form
After form submission, an application will be created. Afterward you can:
- Generate test QR code - scan the QR code and test document verification yourself without any integration. (You can check the verification details later on the Transactions History page.)
- Display endpoint details - it will allow you to integrate your own application/system with your newly created ENTRA application.
- Delete/Edit configured application.
Integrate IPA for ENTRA in your application
Integrating IPA for ENTRA is identical to the Standard IPA, except for Step 5 where your End User gets a Verifiable Credential provisioned in their Microsoft Authenticator App at the end of the process.
Verifying Issued Verifiable Credentials
You can now ask your End User to share their Verified Credential with you through a Presentation Request to Microsoft ENTRA. Ref : https://learn.microsoft.com/en-us/entra/verified-id/presentation-request-api. Here are the information details related to the Issued VC to include in your presentation request :
JSON field | Value |
|---|---|
| registration.clientName | "Idemia DID" |
| authority (US platform) | "did:web:us.did.idemia.io" |
| authority (EU platform) | "did:web:eu.did.idemia.io" |
| requestedCredentials.type | "VerifiedIdentity" |