Download OpenAPI specification:
This API provides endpoints for managing authentication tokens and handling identification requests. The authentication mechanism is based on OAuth2, using a token-based approach to secure access to the identification requests. Clients must obtain a token by providing valid credentials to access the protected resources.
The token has a limited lifespan and will expire after 120 seconds. Clients should handle token expiration and generate a new one as necessary.
When an identification request is created with claims_required, eeID compares the authenticated user's identity against those claims. Authentication success is separate from claims match:
completed when the end-user successfully authenticates, even if some claims do not match.claims_matched, mismatched_claims, and claims_comparison_errors on completed requests to see the comparison outcome.For document-based identification, the result object may also include country, id_number, and
document_number. These fields are not present for other authentication methods. The sub claim
always comes from OIDC userinfo.
This endpoint allows clients to authenticate and receive an access token.
| Authorization required | string Example: Basic <Base64 encoded string> |
{- "access_token": "string",
- "token_type": "Bearer",
- "expires_in": 120
}This endpoint retrieves a paginated list of identification requests for the authenticated service.
| page | integer Default: 1 The page number to retrieve. |
| page_size | integer Default: 10 The number of items per page. |
| Authorization required | string Example: Bearer <TOKEN> |
{- "page": 0,
- "page_size": 10,
- "total": 1,
- "items": [
- {
- "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
- "link_expires_at": "2019-08-24T14:15:22Z",
- "claims_required": [
- {
- "type": "sub",
- "value": "EE30303039914"
}
], - "completed_at": "2019-08-24T14:15:22Z",
- "status": "completed",
- "created_at": "2019-08-24T14:15:22Z",
- "result": {
- "acr": "high",
- "sub": "EE30303039914",
- "auth_time": 1734432000,
- "given_name": "OK",
- "family_name": "TESTNUMBER",
- "date_of_birth": "2000-01-01",
- "expiration_time": 1734432000,
- "authentication_type": "ID_CARD",
- "country": "GB",
- "id_number": "12345678901",
- "document_number": "AB123456"
}, - "client_id": "oidc-b8b8b8b8-c88f-1111-b11d-ecf190aa4982-72",
- "reference": "string",
- "reason": "Test Reason",
- "reason_translations": {
- "en": "string",
- "et": "string",
- "ru": "string"
}, - "claims_matched": true,
- "mismatched_claims": {
- "sub": {
- "expected": "EE12345678901",
- "actual": "EE30303039914"
}
}, - "claims_comparison_errors": [
- "Value mismatch for claim 'sub', expected 'EE12345678901', got 'EE30303039914'"
]
}
]
}This endpoint creates a new identification request.
claims_required must always be present. In normal matching mode, provide expected
claim values to compare against the authenticated user's data. In discovery mode,
you may provide supported claim types with blank or omitted values.
| Authorization required | string Example: Bearer <TOKEN> |
| reference | string A unique reference for the identification request. |
required | Array of objects A required array of supported claims for the identification request. The array itself must be present and contain at least one supported claim object.
In discovery mode, claim |
| reason | string The reason for the identification request. |
object The translations of the reason for the identification request. |
{- "reference": "string",
- "claims_required": [
- {
- "type": "sub",
- "value": "EE30303039914"
}
], - "reason": "Test Reason",
- "reason_translations": {
- "en": "string",
- "et": "string",
- "ru": "string"
}
}{- "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
- "link_expires_at": "2019-08-24T14:15:22Z",
- "claims_required": [
- {
- "type": "sub",
- "value": "EE30303039914"
}
], - "completed_at": null,
- "status": "pending",
- "created_at": "2019-08-24T14:15:22Z",
- "result": { },
- "client_id": "oidc-b8b8b8b8-c88f-1111-b11d-ecf190aa4982-72",
- "reference": "string",
- "reason": "Test Reason",
- "reason_translations": {
- "en": "string",
- "et": "string",
- "ru": "string"
}, - "claims_matched": null,
- "mismatched_claims": { },
- "claims_comparison_errors": [ ]
}Fetches the details of a specific identification request by its UUID.
For completed requests, check claims_matched to see whether the authenticated user's data matched the
claims_required provided at creation time. Use mismatched_claims and claims_comparison_errors for details.
| id required | string The UUID of the identification request to retrieve. |
| Authorization required | string Example: Bearer <TOKEN> |
{- "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
- "link_expires_at": "2019-08-24T14:15:22Z",
- "claims_required": [
- {
- "type": "sub",
- "value": "EE30303039914"
}
], - "completed_at": "2019-08-24T14:15:22Z",
- "status": "completed",
- "created_at": "2019-08-24T14:15:22Z",
- "result": {
- "acr": "high",
- "sub": "EE30303039914",
- "auth_time": 1734432000,
- "given_name": "OK",
- "family_name": "TESTNUMBER",
- "date_of_birth": "2000-01-01",
- "expiration_time": 1734432000,
- "authentication_type": "ID_CARD",
- "country": "GB",
- "id_number": "12345678901",
- "document_number": "AB123456"
}, - "client_id": "oidc-b8b8b8b8-c88f-1111-b11d-ecf190aa4982-72",
- "reference": "string",
- "reason": "Test Reason",
- "reason_translations": {
- "en": "string",
- "et": "string",
- "ru": "string"
}, - "claims_matched": true,
- "mismatched_claims": {
- "sub": {
- "expected": "EE12345678901",
- "actual": "EE30303039914"
}
}, - "claims_comparison_errors": [
- "Value mismatch for claim 'sub', expected 'EE12345678901', got 'EE30303039914'"
]
}Returns the proof of identity document in PDF format for a specific identification request.
| id required | string The unique identifier of the identification request. |
| Authorization required | string Example: Bearer <TOKEN> |
{- "error": "Unauthorized"
}A Webhook to receive notification about successful completion of created Identification Request.
To be able to receive notification, this API needs to be implemented and deployed by the client.
The webhook URL is configured by the client in the eeID manager when creating the identification service and must contain the path eeid/webhooks/identification_requests.
To ensure the integrity and authenticity of the request, an HMAC signature is included in the request header. Clients must verify this webhook request as follows:
Verifying the HMAC Signature:
X-HMAC-Signature from the request headers.client_secret.received_signature = request.headers['X-HMAC-Signature']
expected_signature = OpenSSL::HMAC.hexdigest('SHA256', secret_key, request.raw_post)
if received_signature != expected_signature
raise "Invalid HMAC signature"
end
The event is considered acknowledged if the endpoint responds with a successful status code (200, 201 or 204) within 10 seconds.
Any other status code or a lack of response is treated as a delivery failure, leading to up to 3 retries.
This may result in the same event being delivered multiple times in exceptional cases.
Webhook triggered when an identification request is completed after the end-user successfully authenticates.
This fires for both matched and mismatched claims. Retrieve the identification request to read claims_matched,
mismatched_claims, and claims_comparison_errors, then compare result against your own records as needed.
This is my test description
| identification_request_id required | string <uuid> The unique identifier for the identification request. |
| client_id required | string The client ID associated with the request. |
| reference | string A reference string for the identification request. |
{- "identification_request_id": "61f924a2-a9f2-4063-a5e6-fd6a929cbb7f",
- "client_id": "oidc-b8b8b8b8-c88f-1111-b11d-ecf190aa4982-72",
- "reference": "123"
}