eeID Identification Service API (1.1.0)

Download OpenAPI specification:

Introduction

This API provides endpoints for managing authentication tokens and handling identification requests. The authentication mechanism is based on OAuth2, using a token-based approach to secure access to the identification requests. Clients must obtain a token by providing valid credentials to access the protected resources.

The token has a limited lifespan and will expire after 120 seconds. Clients should handle token expiration and generate a new one as necessary.

Claims comparison

When an identification request is created with claims_required, eeID compares the authenticated user's identity against those claims. Authentication success is separate from claims match:

  • A request becomes completed when the end-user successfully authenticates, even if some claims do not match.
  • Check claims_matched, mismatched_claims, and claims_comparison_errors on completed requests to see the comparison outcome.
  • Your service is responsible for deciding how to handle mismatches (for example manual review, approval, or rejection).
  • Proof of identity (POI) is generated and the completion webhook is sent for all successfully authenticated requests, regardless of claim match.
  • After the first successful authentication, the identification link expires. The end-user cannot use the same link to retry; create a new request if another identification is needed.

Document-based identification result fields

For document-based identification, the result object may also include country, id_number, and document_number. These fields are not present for other authentication methods. The sub claim always comes from OIDC userinfo.

Access Token

Endpoint for obtaining authentication token.

Obtain an access token

This endpoint allows clients to authenticate and receive an access token.

Authorizations:
BasicAuth
header Parameters
Authorization
required
string
Example: Basic <Base64 encoded string>

Responses

Response samples

Content type
application/json
{
  • "access_token": "string",
  • "token_type": "Bearer",
  • "expires_in": 120
}

Identification Requests

Endpoints for managing identification requests.

Retrieve a list of identification requests

This endpoint retrieves a paginated list of identification requests for the authenticated service.

Authorizations:
BearerAuth
query Parameters
page
integer
Default: 1

The page number to retrieve.

page_size
integer
Default: 10

The number of items per page.

header Parameters
Authorization
required
string
Example: Bearer <TOKEN>

Responses

Response samples

Content type
application/json
{
  • "page": 0,
  • "page_size": 10,
  • "total": 1,
  • "items": [
    ]
}

Create an identification request

This endpoint creates a new identification request.

claims_required must always be present. In normal matching mode, provide expected claim values to compare against the authenticated user's data. In discovery mode, you may provide supported claim types with blank or omitted values.

Authorizations:
BearerAuth
header Parameters
Authorization
required
string
Example: Bearer <TOKEN>
Request Body schema: application/json
required
reference
string

A unique reference for the identification request.

required
Array of objects

A required array of supported claims for the identification request.

The array itself must be present and contain at least one supported claim object. In discovery mode, claim value may be blank or omitted. Blank-valued claims are treated as discovery hints and are not compared for mismatch.

reason
string

The reason for the identification request.

object

The translations of the reason for the identification request.

Responses

Request samples

Content type
application/json
{
  • "reference": "string",
  • "claims_required": [
    ],
  • "reason": "Test Reason",
  • "reason_translations": {
    }
}

Response samples

Content type
application/json
{
  • "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  • "link_expires_at": "2019-08-24T14:15:22Z",
  • "claims_required": [
    ],
  • "completed_at": null,
  • "status": "pending",
  • "created_at": "2019-08-24T14:15:22Z",
  • "result": { },
  • "client_id": "oidc-b8b8b8b8-c88f-1111-b11d-ecf190aa4982-72",
  • "reference": "string",
  • "reason": "Test Reason",
  • "reason_translations": {
    },
  • "claims_matched": null,
  • "mismatched_claims": { },
  • "claims_comparison_errors": [ ]
}

Retrieve an identification request

Fetches the details of a specific identification request by its UUID.

For completed requests, check claims_matched to see whether the authenticated user's data matched the claims_required provided at creation time. Use mismatched_claims and claims_comparison_errors for details.

Authorizations:
BearerAuth
path Parameters
id
required
string

The UUID of the identification request to retrieve.

header Parameters
Authorization
required
string
Example: Bearer <TOKEN>

Responses

Response samples

Content type
application/json
{
  • "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  • "link_expires_at": "2019-08-24T14:15:22Z",
  • "claims_required": [
    ],
  • "completed_at": "2019-08-24T14:15:22Z",
  • "status": "completed",
  • "created_at": "2019-08-24T14:15:22Z",
  • "result": {
    },
  • "client_id": "oidc-b8b8b8b8-c88f-1111-b11d-ecf190aa4982-72",
  • "reference": "string",
  • "reason": "Test Reason",
  • "reason_translations": {
    },
  • "claims_matched": true,
  • "mismatched_claims": {
    },
  • "claims_comparison_errors": [
    ]
}

Retrieve proof of identity

Returns the proof of identity document in PDF format for a specific identification request.

Authorizations:
BearerAuth
path Parameters
id
required
string

The unique identifier of the identification request.

header Parameters
Authorization
required
string
Example: Bearer <TOKEN>

Responses

Response samples

Content type
application/json
{
  • "error": "Unauthorized"
}

Webhook

A Webhook to receive notification about successful completion of created Identification Request. To be able to receive notification, this API needs to be implemented and deployed by the client. The webhook URL is configured by the client in the eeID manager when creating the identification service and must contain the path eeid/webhooks/identification_requests.

To ensure the integrity and authenticity of the request, an HMAC signature is included in the request header. Clients must verify this webhook request as follows:

Verifying the HMAC Signature:

  • Upon receiving the webhook, extract the X-HMAC-Signature from the request headers.
  • Recreate the HMAC signature with the received payload and your client_secret.
  • Compare the recreated signature with the signature from the header. If they match, the request is verified as authentic.
  • Example in Ruby:
    received_signature = request.headers['X-HMAC-Signature']
    expected_signature = OpenSSL::HMAC.hexdigest('SHA256', secret_key, request.raw_post)
    if received_signature != expected_signature
      raise "Invalid HMAC signature"
    end
    

The event is considered acknowledged if the endpoint responds with a successful status code (200, 201 or 204) within 10 seconds. Any other status code or a lack of response is treated as a delivery failure, leading to up to 3 retries. This may result in the same event being delivered multiple times in exceptional cases.

Identification request completed webhook Webhook

Webhook triggered when an identification request is completed after the end-user successfully authenticates.

This fires for both matched and mismatched claims. Retrieve the identification request to read claims_matched, mismatched_claims, and claims_comparison_errors, then compare result against your own records as needed.

Authorizations:
HMAC
Request Body schema: application/json
required

This is my test description

identification_request_id
required
string <uuid>

The unique identifier for the identification request.

client_id
required
string

The client ID associated with the request.

reference
string

A reference string for the identification request.

Responses

Request samples

Content type
application/json
{
  • "identification_request_id": "61f924a2-a9f2-4063-a5e6-fd6a929cbb7f",
  • "client_id": "oidc-b8b8b8b8-c88f-1111-b11d-ecf190aa4982-72",
  • "reference": "123"
}