Document Verification
Getting Started
To get started with an integration you’ll need to do the following.
- Sign up for an ID.me developer account.
- Register one organization for your company.
- Register an application for each website property that will need access to Document Verification data.
- Contact partnersupport@id.me to enable the appropriate policies assoicaited with verification and set up UAT/sandbox integrations.
- Place our ‘Verify with ID.me’ button on your site to allow users to begin authentication and verification.
- Once users complete verification at ID.me, the partner sends a request to ID.me’s API to retrieve user attributes.
By default, your application will be set up for OAuth. Upon registration, you will immediately have access to the application details page which will list the client_id and client_secret for your OAuth client.
Leveraging the ID.me IDP SAML service will vary depending on the product that is used to implement the federation relationship. Currently, we do not support creating SAML SP profiles automatically through the portal, please contact partnersupport@id.me for assistance in the process.
Client-Side (Implicit) Flow
If you are building an app that does not have a server component, you’ll notice that it’s impossible to complete step three above to receive your
access_token
without also having to ship your client secret. You should never ship your client secret onto devices you don’t control. Then how do you get an
access_token?
Well the smart folks in charge of the OAuth 2.0 spec anticipated this problem and created the Implicit Authentication Flow.
Step 1. Direct users to the authorization endpoint
The only difference from the server-side flow is that the response_type is
token.
The endpoint to be used for your app is available at the bottom of the app details page.
Endpoint
| Authorization Endpoint |
|---|
| https://api.id.me/oauth/authorize |
HTTP Request Method
GET
Parameters
| Name | Required | Description |
|---|---|---|
| client_id |
yes |
The client identifier received during app registration. It is automatically generated and located in your application dashboard. |
| redirect_uri |
yes |
Where the user gets redirected after an authorizing an app. Set by the developer within the application dashboard. |
| response_type |
yes |
|
| scope |
yes |
A parameter that defines the group affiliation you are requesting permission to access. Possible values:
Note: Your account must first be set up with policies to enable these scopes to be accepted.
Contact partnersupport@id.me if you are receiving errors regarding an invalid scope. |
| Example |
|---|
| https://api.id.me/oauth/authorize?client_id=[YOUR_CLIENT_ID]&redirect_uri=[YOUR_REDIRECT_URI]&response_type=token&scope=document |
Step 2. Receive the access token
Once the user has authenticated and authorized your app, we’ll redirect them to your
redirect_uri
with the
access_token
in the url fragment.
| Redirect URI with access token |
|---|
http://example.com/callback#access_token=da4ca0338450ae011a475bc105e0495c&token_type=bearer&expires_in=300
|
Simply grab the
access_token
off of the URL fragment and you’re good to go. If the user chooses not to grant access to your app, you will receive an error response.
See error examples here.
