Getting Started

This tutorial explains the Web SDK identity verification flow. It shows how the data from the user's ID gets to your system.

Introduction

In this tutorial we will not implement anything. Instead, we will walk through the identification process and use curl to call the Authenteq API. We strongly recommend following this tutorial before you move on to the integration explained in the guide "How to integrate Web SDK?".

Before we start, please prepare your ID. It can be a passport, national identity document or driving license. You should also have the clientId and secret provided by our support.

Direct User to Authenteq Identity Server

To start the Web SDK identity verification flow you direct the user to our identity verification website:

https://identity.authenteq.com/authorize?response_type=code&redirect_uri=<redirectUri>&client_id=<clientId>&state=randomrandom

Put your clientId in the URL and replace redirectUri with the address you provided during registration.

Open the above link in your browser.

User Performs Identification

Follow the steps of the identification (introduction, liveness check, document scan, redirect). Your user will go through the same process. Continue upon the successful redirect.

You should have been redirected to:

<redirect_uri>?code=...&state=...

Getting the Code

The user has now been redirected back to your service. With that redirect, we send back the code in a parameter.

Go to the address bar of your browser and copy the value of the code parameter.

You may notice that it is not the only parameter. The other one is the state, which is the random string we sent earlier. Why send the same value back and forth? It is to make sure that it is your service that initiated the identification process. Once you generate the state, you should save its value in a session or a cookie. When your service receives the redirect, it should compare the received value with the saved state and ignore the code if the values don't match. This check is optional but highly recommended.
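The state check described above, as an added Python example (not Authenteq's code): it generates an unpredictable state instead of a fixed string, saves it, and accepts the code from the redirect only when the returned state matches. The session dictionary, the authenteq_state key, the function names and the example.com addresses are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://identity.authenteq.com/authorize"  # from the tutorial


def build_authorize_url(client_id, redirect_uri, session):
    """Create a fresh state, remember it in the session, return the URL."""
    state = secrets.token_urlsafe(32)  # unpredictable, unlike a fixed string
    session["authenteq_state"] = state  # hypothetical session key
    query = urlencode({
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def code_from_callback(callback_url, session):
    """Return the code only if the returned state matches the saved one."""
    params = parse_qs(urlsplit(callback_url).query)
    # pop() makes the saved state single use: a replayed redirect is rejected
    expected = session.pop("authenteq_state", None)
    received = params.get("state", [None])[0]
    code = params.get("code", [None])[0]
    if not expected or not received or not code:
        return None  # no flow was started here, or a parameter is missing
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return None  # state mismatch: ignore the code
    return code


if __name__ == "__main__":
    session = {}  # constructed stand-in for a server-side session
    url = build_authorize_url("my-client-id", "https://example.com/cb", session)
    state = parse_qs(urlsplit(url).query)["state"][0]
    good = f"https://example.com/cb?code=abc&state={state}"
    print(code_from_callback(good, session))
    print(code_from_callback("https://example.com/cb?code=abc&state=forged", session))
```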

Exchanging Code for a Token

Once you have a code you can exchange it for a token, which you will use to authorize the request to retrieve the user details.

$ curl -XPOST \
-F 'grantType=authorization_code' \
-F 'code=<code>' \
-F 'redirectUri=<redirectUri>' \
-F 'clientId=<clientId>' \
-F 'clientSecret=<clientSecret>' \
https://api.authenteq.com/v2/web-kyc/token
{"token":"eyJhbGc..."}

Execute the command above with the code you got earlier and fill in the values for clientId, clientSecret and redirectUri. Copy the token from the response.

Why do we need to exchange the code for the token? Couldn't we just use the code to authorize future requests? The answer is: we could, but the exchange gives an extra layer of protection. It requires a secret that is known only to you. So even if an attacker intercepts the code, they won't be able to do anything with it. The secret must be kept secret, so the exchange must happen in the backend of your service.

Please note that you can exchange the code only once! If you try again, the endpoint will return an error.

Retrieving User Details

Now you have everything you need to retrieve the user data. Let's call the /details endpoint. We need to place the token in the Authorization header with the prefix Bearer.

$ curl -X GET -H 'Authorization: Bearer <token>' https://api.authenteq.com/v2/web-kyc/details
{
  "croppedDocs": {
    "front": "<base64_encoded_JPEG_image>",
    "back": "<base64_encoded_JPEG_image>"
  },
  "details": {
    "documentNumber": "8136431812",
    "issuingCountry": "DEU",
    "documentType": "FG617451",
    "givenNames": "ANNA MARIA",
    "surname": "SCHMIDT",
    "dateOfBirth": "1987-01-12",
    "nationality": "DEU",
    "dateOfIssue": "2017-01-30",
    "dateOfExpiry": "2027-01-30",
    "sex": "F"
  }
}

Execute the curl command above with the proper token and we are done! The user details have reached your system.

Please remember that we store the data for only 15 min.