Onfido LogoOnfido Logo

Developers

Overview

Get started (API v3.6)

Welcome to our new API v3.6 documentation. If you're migrating and are currently using api.onfido.com, please make sure you use api.eu.onfido.com with API v3.6.

You'll find migration guides in the API section.

The Onfido API is based on REST principles. It uses standard HTTP response codes and verbs, and token-based authentication.

If you're just getting started with our API, read our quick-start guides.

Request, response format

You should use a Content-Type: application/json header with all PUT and POST requests except when uploading documents or live photos. For these requests, use a Content-Type: multipart/form-data header.

Responses return JSON with a consistent structure, except downloads.

You must make all your requests to the API over HTTPS and TLS 1.2+, with Server Name Indication enabled. Any requests made over HTTP will fail.

Text fields support UTF-8, but do not allow certain special characters.

Token authentication

The Onfido API uses token-based authentication. API tokens must be included in the header of all requests made to the API.

You can generate new tokens and find your existing ones in your Onfido Dashboard.

You can make requests using sandbox tokens to test our API before you go live.

Token Authentication
1Authorization: Token token=<YOUR_API_TOKEN>

API tokens

You can use API tokens to authenticate any API action described in this documentation.

You can create and revoke API tokens, and see when they were last used, in your Onfido Dashboard.

You must never use API tokens in the frontend of your application or malicious users could discover them in your source code. You should only use them on your server.

If you do need to collect applicant data in the frontend of your application, we recommend that you use one of the Onfido Smart Capture SDKs.

You should limit live API token access to only the minimum number of people necessary, but you can use sandbox tokens to freely experiment with the sandbox Onfido API.

Note that there are some differences between the sandbox and live APIs.

You should not embed API tokens in your backend code—even if it’s not public—because this increases the risk that they will be discovered. Instead, you should store them in configuration files or environment variables. Please consider enabling GitHub's Secret Scanning and Push Protection feature when hosting your code on GitHub. This will help detect and safeguard Onfido API Tokens that could inadvertently be exposed in your repositories.

You should also periodically rotate your live API tokens (see next section).

API token rotation

We highly recommend that you rotate live API tokens when staff members with access to those tokens leave your organisation. Consider creating a leaver's process which covers this.

  1. In your Onfido Dashboard, create a new API token

  2. Wherever you use your old API token, replace it with the new one

  3. Confirm your old token isn't in use

  4. Revoke your old token

Your old API tokens will continue to work until you revoke them, so you can rotate your tokens without users experiencing any downtime.

SDK tokens

If you're using the Android SDK at lower than version 4.11.0 or the iOS SDK lower than 12.2.0, please update your integration to use a Mobile SDK version which supports SDK tokens.

All of the latest Onfido Smart Capture SDKs authenticate using SDK tokens. You cannot use an API token to authenticate the SDKs.

An SDK token is restricted to a workflow run, and can be found in the workflow run API payload.

If you are yet to migrate to Onfido Studio, please contact Client Support for instructions on how to manually generate SDK tokens.

Mobile tokens

Mobile tokens will no longer be supported from October 24th 2022. You will not be able to use Mobile tokens with any version of the Onfido SDKs from this date. Please upgrade your integration to use SDK tokens. We recommend you do this as soon as possible to also allow time to update your application.

If you are on version 4.11.0 or below for Android, or 12.2.0 or below for iOS, you must upgrade to the latest SDK version in order to use SDK tokens.

If you need to generate Mobile tokens please contact Onfido's Customer Support.

Sandbox testing

You should never upload confidential information, including personal data, to the sandbox.

Onfido has a sandbox environment for testing integrations before promoting them to production / live environments.

To use the sandbox, you'll need to generate a sandbox API token in your Onfido Dashboard.

All of the API endpoints available in the live environment can be requested and tested in the sandbox. Sandbox results have the same response structures as live requests. You can also be notified of resource status changes via your registered webhooks.

The sandbox enables you to test:

  • your system's network connectivity with the Onfido API
  • all webhooks are working correctly
  • you're posting all required data in the correct format to the Onfido API
  • you're handling Onfido API responses correctly

By default, sandbox API tokens start with api_sandbox. and live API tokens start with api_live.. This might vary if you're using a different region environment.

For sandbox requests, the rate limit is 30 requests per minute.

Sandbox and live differences

The key differences between the sandbox and live environments are:

  • sandbox request data is not processed by Onfido services or third parties, meaning that sandbox responses are faster than live responses
  • sandbox results are pre-determined
  • sandbox applicants are isolated from the live environment*
  • you won't be charged for sandbox test requests

* applicant notification emails still get sent out to sandbox applicants

Sample document and photo files

You can use the following sample files with the upload document endpoint for running test verification reports:

The sandbox API will always return pre-determined responses, regardless of what files are uploaded.

These files also work for testing the Onfido Smart Capture SDKs.

Simulating verification reports in the sandbox

To test your integration in the sandbox API, pre-determined responses can be generated for the following report types:

Pre-determined 'consider' results

Pre-determined responses can be generated by modifying the first_name and last_name parameters of the applicant object.

Using the Create Applicant API endpoint with a sandbox API token, set the last_name parameter to "Consider". Any verification report run against this applicant will return a consider response. For any other applicant last name, the response will be clear.

Next, create a workflow run for an active workflow using your sandbox token and the applicant_id for the applicant created using a modified last_name.

Lastly, copy the Smart Capture URL from the link object returned in the Workflow Run API payload, and paste it into your browser to complete the verification flow. Report results can be found in the status attribute returned by the Retrieve Workflow Run endpoint.

Create an applicant with last name of Consider
1POST /v3.6/applicants/ HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7 "first_name": "Jane",
8 "last_name": "Consider"
9}

Simulating Document reports in the sandbox

The sandbox API supports additional functionality for testing Document reports. Pre-determined responses can be triggered for specific:

For Document reports, first_name and last_name must be provided when creating an applicant (even in the Sandbox).

Breakdowns and sub-breakdowns

You can trigger pre-determined responses for particular breakdowns and sub-breakdowns for sandbox Document reports. These responses show possible breakdown and sub-breakdown combinations that can be flagged for a consider report result.

To test Document report breakdown and sub-breakdown combinations, create an applicant and set the first_name parameter to the "breakdown - sub-breakdown" combination you intend to trigger.

The following combinations are supported:

  • "Image Integrity - Supported Document"
  • "Image Integrity - Image Quality"
  • "Visual Authenticity - Fonts"
  • "Visual Authenticity - Security Features"
  • "Visual Authenticity - Face Detection"
  • "Data Validation - Document Numbers"
  • "Data Consistency - Document Type"

Passing a first_name option to generate a Document report pre-determined response will override any conflicting option passed to the applicant's last_name.

You can also include a document type by specifying last_name as a supported sandbox document type during applicant creation (refer to the next section).

Trigger an Image Integrity - Supported Document breakdown combination for a Document report
1POST /v3.6/applicants/ HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7 "first_name": "Image Integrity - Supported Document",
8 "last_name": "Smith"
9}

Document types

You can trigger responses for particular document types for sandbox Document reports, which include the specific properties for the associated document type.

To test different document types, create an applicant and set the last_name parameter to the document type you intend to test.

The sandbox supports the following document type options:

Sandbox optionSandbox option *Document type **
"CA DL 2018""CA DL 2018 front only"US drivers license for California state
"NY DL 2017""NY DL 2017 front only"US drivers license for New York state
"Ontario ID 2010"-Canadian national identity card for Ontario
"FRA ID 1994""FRA ID 1994 front only" and "FRA ID 1994 front only rejected"French identity card

* Specifying "front only" means only data contained on the front side of the document will be returned in the properties.

** The document type properties returned are specific to the document version supported in Sandbox.

You can also trigger a flagged "breakdown - sub-breakdown" combination by specifying first_name as a supported combination during applicant creation (refer to the previous section).

Trigger a Document report with US drivers license for California state
1POST /v3.6/applicants/ HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7 "first_name": "Jane",
8 "last_name": "CA DL 2018"
9}

Sub-results

You can trigger responses for particular sub-results for sandbox Document reports, showing possible individual breakdown results which can lead to different sub-results.

To do this, create an applicant and set the last_name parameter to one of the following strings:

  • "clear"
  • "rejected"
  • "suspected"
  • "caution"

When testing sub-results, you cannot specify a document type.

After creating an applicant to test the specific functionalities of a Document report described above (breakdowns and sub-breakdowns, document types or sub-results), you can use the applicant_id to create a workflow run to generate a pre-determined response as described above.

Trigger a rejected sub-result for a Document report
1POST /v3.6/applicants/ HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7 "first_name": "Jane",
8 "last_name": "rejected"
9}

Simulating Facial Similarity reports in the sandbox

The sandbox API supports additional functionality for testing breakdowns and sub-breakdowns for Facial Similarity Photo, Photo Fully Auto, Video and Motion reports.

For Facial Similarity reports, first_name and last_name must be provided when creating an applicant (even in the Sandbox).

Breakdowns and sub-breakdowns

You can trigger pre-determined responses for particular breakdowns and sub-breakdowns for sandbox Facial Similarity reports. These responses show possible breakdown and sub-breakdown combinations that can be flagged for a consider report result.

To test Facial Similarity report breakdown and sub-breakdown combinations, create an applicant and set the first_name parameter to the "breakdown - sub-breakdown" combination you intend to trigger.

The following combinations are supported:

  • "Visual Authenticity - Spoofing Detection"
  • "Face Comparison - Face Match"
  • "Image Integrity - Source Integrity"
  • "Image Integrity - Face Detected"

After creating an applicant, you can use the applicant_id to create a workflow run to generate a pre-determined response as described above.

Trigger an Visual Authenticity - Spoofing Detection breakdown combination for a Facial Similarity report
1POST /v3.6/applicants/ HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7 "first_name": "Visual Authenticity - Spoofing Detection",
8 "last_name": "Smith"
9}

Applicant IDs returned in the response don't map to actual sandbox applicants, they are example uuids to represent the applicant ID field. As a result, there is no associated applicant data.

Pre-determined responses for Repeat Attempts

The sandbox API supports additional functionality for testing breakdowns and sub-breakdowns for Repeat Attempts.

To help you integrate with this service, you can generate pre-defined Repeat Attempts responses. Depending on the scenario you are trying to test, you can use one of four possible keywords as the report_uuid in the request URL:

  • match
  • mismatch
  • error
  • empty
Trigger a Repeat Attempts match
1$ curl -X POST https://api.eu.onfido.com/v3.6/repeat_attempts/match \
2 -H 'Authorization: Token token=<YOUR_API_TOKEN>' \

Below is a pre-determined response example for a Repeat Attempts match:

json
1{
2 "report_id": "00000000-0000-0000-0000-000000000000",
3 "repeat_attempts": [
4 {
5 "report_id": "00000000-0000-0000-0000-000000000001",
6 "applicant_id": "00000000-0000-0000-0000-000000000003",
7 "date_of_birth": "match",
8 "names": "match",
9 "result": "clear",
10 "created_at": "2022-01-06T14:46:43Z",
11 "completed_at": "2022-01-06T15:46:43Z"
12 },
13 {
14 "report_id": "00000000-0000-0000-0000-000000000002",
15 "applicant_id": "00000000-0000-0000-0000-000000000003",
16 "date_of_birth": "match",
17 "names": "match",
18 "result": "clear",
19 "created_at": "2022-02-18T03:09:34Z",
20 "completed_at": "2022-02-18T03:10:34Z"
21 }
22 ],
23 "attempts_count": 3,
24 "attempts_clear_rate": 1,
25 "unique_mismatches_count": 0
26}

Sandbox testing with Profile Data Capture tasks

Studio workflows that start with a Profile Data Capture task must be handled differently when sandbox testing. As all of the fields in a Profile Data Capture task have a limit of 32 characters, the number of report scenarios that can be simulated is restricted.

After building and activating a valid workflow starting with a Profile Data Capture task, click "Share Smart Capture Link" on the workflow versions page in your Dashboard, copy the Sandbox link and paste it into your browser and complete the journey.

The breakdown and sub-breakdown combinations that can be tested for Document reports using workflows starting with a Profile Data Capture task by modifying the first_name parameter of the applicant include:

  • "Image Integrity - Image Quality"
  • "Visual Authenticity - Fonts"
  • "Data Consistency - Document Type"

The breakdown and sub-breakdown combinations that can be tested for Facial Similarity reports using workflows starting with a Profile Data Capture task by modifying the first_name parameter of the applicant include:

  • "Face Comparison - Face Match"
  • "Image Integrity - Face Detected"

Sandbox testing for API generated reports

For those not integrating using Onfido Studio, and instead generating verification reports using Onfido’s checks and reports API endpoints, sandbox testing works slightly differently.

After creating an applicant with a sandbox token and modified first_name and last_name parameters to test the various scenarios outlined above, you can use the applicant_id to create a check for the desired report.

The pre-determined sandbox results can be retrieved by making a Retrieve report call to the Onfido API.

Pre-determined 'consider' and 'clear' results

To test multiple different sandbox report responses simultaneously, you can pass specific report types to the consider parameter (in an array) when making a Create check API call.

Only the reports specified in the consider array will return a consider report result. All other reports in the check will return a clear result.

Trigger multiple report results simultaneously
1POST /v3.6/checks/ HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7 "applicant_id": "<APPLICANT_ID>",
8 "report_names": [
9 "watchlist_standard",
10 "identity_enhanced"
11 ],
12 "consider": [
13 "watchlist_standard"
14 ]
15}

Postman collection

You can run the Onfido API version 3.6 collection in Postman:

Run in Postman

In your Postman environment, you will need to define the apiToken environment variable and configure the region variable for the baseUrl should you wish to designate a region other than the default eu. Please refer to our regions documentation for baseUrl options.

You can read more in Postman's documentation about managing environments.

Go live

Before you go live, you may find the introductory guides in our Getting Started section useful.

API client libraries

You can use our officially supported client libraries to integrate with the Onfido API.

LanguageLibraryNotes
Rubyonfido-ruby
Javaonfido-java
Node.jsonfido-nodeAlso supports TypeScript.
Pythononfido-python
PHPapi-php-clientMade with OpenAPI generator.

Refer to our API versioning guide for details on client library versioning.

Please email Onfido's Customer Support if you write your own library and want us to link to it.

OpenAPI specification

We use an OpenAPI specification to generate our PHP library, which we also host publicly.

For any custom libraries you generate yourself with this specification, we can only provide support on a best-effort basis.

Rate limits

Onfido's API enforces a maximum volume of requests per second for all clients. Unless contractually agreed otherwise, the maximum rate is 400 requests per minute (up to 7 requests per second with a burst of 14 requests).

For sandbox requests, the rate limit is 120 requests per minute (up to 2 requests per second with a burst of 4 requests).

Onfido uses the token bucket algorithm to handle usage.

Any request over the limit will return a 429 Too Many Requests error.

Rate limit reached error object
1HTTP/1.1 429 Too Many Requests
2Content-Type: application/json
3
4{
5 "error": {
6 "type": "rate_limit",
7 "message": "Rate limit exceeded. Please try again later."
8 }
9}

Regions

There is no default region in API v3.6. If you were previously using api.onfido.com, you should use api.eu.onfido.com with v3.6.

Initialization with region EU
1require onfido
2
3Onfido.configure do |config|
4 config.api_token = '<YOUR_API_TOKEN>'
5 config.region = config.region[:EU]
6end
7
8onfido = Onfido::DefaultApi.new

Onfido offers region-specific environments: EU, US, and Canada. You can use these to store the data in your Onfido account at rest within a specific geographic region.

Initialization with region US
1require onfido
2
3Onfido.configure do |config|
4 config.api_token = '<YOUR_API_TOKEN>'
5 config.region = config.region[:US]
6end
7
8onfido = Onfido::DefaultApi.new

Regions have unique base URLs and API token formats for both live and sandbox environments.

Initialization with region CA
1require onfido
2
3Onfido.configure do |config|
4 config.api_token = '<YOUR_API_TOKEN>'
5 config.region = config.region[:CA]
6end
7
8onfido = Onfido::DefaultApi.new
RegionNotesAPI base URLAPI token format
EUReplaces api.onfido.com for EU region in v3.1, v3.2, v3.3, v3.4, v3.5 and v3.6https://api.eu.onfido.com/Tokens are prepended with api_live. and api_sandbox.
UShttps://api.us.onfido.com/Tokens are prepended with api_live_us. and api_sandbox_us.
CAhttps://api.ca.onfido.com/Tokens are prepended with api_live_ca. and api_sandbox_ca.

Unless specified, all examples in the documentation refer to the https://api.eu.onfido.com/ base URL and token format.

For the EU region, data is physically stored in the Republic of Ireland, with backup storage in Germany.

If you're using one of the officially supported API client libraries, follow that library's GitHub documentation to change the region.

Versioning policy

Refer to our API versioning guide for details on Onfido's versioning policy.

Changelog

DateDescription
2023-01-24General release of API version 3.6. Please see our release notes.

Upcoming maintenance

There's currently no scheduled maintenance.

Errors

All errors are returned with the same structure:

json
1{
2 "error": {
3 "type": <TYPE>,
4 "message": <MESSAGE>,
5 "fields": <FIELDS - NOT ALWAYS PRESENT>
6 }
7}

Example error object

AttributeDescription
typestring
The type of error returned.
messagestring
A human-readable message giving more details about the error.
fieldsobject
The invalid fields and their associated errors. Only applies to validation errors.
Example validation error object
1HTTP/1.1 422 Unprocessable Entity
2Content-Type: application/json
3
4{
5 "error": {
6 "type": "validation_error",
7 "message": "",
8 "fields": {
9 "email": [
10 "invalid format"
11 ]
12 "name": [
13 "can't be blank"
14 ]
15 }
16 }
17}

Error codes and what to do

StatusAction
400 bad_requestMake sure your request is formatted correctly.
400 incorrect_base_urlPlease use api.eu.onfido.com for API v3.1 onwards if you were previously using api.onfido.com.
401 authorization_errorMake sure you've entered your API token correctly.
The Onfido Smart Capture SDKs use SDK tokens for authentication, not API tokens. If you're receiving a 401 error on one of our SDKs, check you've entered a valid application ID when generating the SDK token.
401 user_authorization_errorContact an administrator about user permissions.
401 bad_referrerCheck the referrer used to generate the SDK token.
401 expired_tokenRequest a new SDK token.
403 account_disabledPlease contact client-support@onfido.com.
403 trial_limits_reachedPlease contact client-support@onfido.com.
403 disabled_endpointThe API endpoint is disabled for your account. Please contact client-support@onfido.com.
404 resource_not_foundMake sure you've formatted the URI correctly.
410 goneThe resource has been deleted or is scheduled for deletion.
422 validation_errorCheck the fields property for a specific error message.
422 missing_billing_infoMake sure you've provided your billing information before starting a check.
422 missing_documentsMake sure you've uploaded the required documents before starting a check.
422 missing_applicant_locationMake sure you've provided the applicant's location before starting a check
422 missing_applicant_provided_consentsMake sure you've provided the required consents
422 invalid_reports_namesMake sure you've entered the report name(s) in the correct format (string).
422 missing_id_numbersMake sure you've supplied all required ID numbers.
422 report_names_blankMake sure you've specified report_names in your request.
422 report_names_formatreport_names must be an array of strings, not an array of objects.
422 deprecated_reportsThe requested reports have been deprecated.
422 check_type_deprecatedtype is not used in this version of the API. Please read about the applicant_provides_data feature.
422 document_ids_with_unsupported_reportYou should only specify the optional document_ids argument when creating a check containing a Document report or a Facial Similarity report, or both.
422 facial_similarity_photo_without_documentFor applicant_provides_data checks, Facial Similarity reports must be paired with a Document report.
422 facial_similarity_video_not_supportedThe Facial Similarity Video report is not supported for checks where applicant_provides_data is true.
422 failed_check_requirementsCheck that all required information has been provided and correctly specified.
422 incomplete_checksThere are other ongoing checks associated with this applicant.
422 disabled_reportsThere are reports disabled in your account. Please contact client-support@onfido.com.
422 too_many_checksYou have exceeded the limit of 1000 checks for the given applicant.
429 rate_limitThe rate limit has been reached. Please try again later.
500 internal_server_errorThe server encountered an error. If this persists, please contact client-support@onfido.com.

Core Resources

Applicants

An applicant represents an individual who will be the subject of a check. An applicant must exist before a check can be initiated.

Different report types have different minimum requirements for applicant data, and different recommended data. For each report, this information is noted in under the relevant section of this documentation. For example, for Document reports.

If you're requesting multiple checks for the same individual, you should reuse the id returned in the initial applicant response object in the applicant_id field when creating a check.

Applicants with Sanctioned Documents

If an applicant uploads a document which is issued by a country subject to comprehensive US sanctions (list of countries here), any reports run with that applicant will return a withdrawn status unless otherwise specified in the report documentation. Current exceptions to this are the Document and Facial Similarity reports, which will still run but return a result indicating the presence of a sanctioned document.

Applicant object

AttributeDescription
idstring
The unique identifier for the applicant.
created_atdatetime
The date and time when this applicant was created.
delete_atdatetime
The date and time when this applicant is scheduled to be deleted, or null if the applicant is not scheduled to be deleted.
hrefstring
The URI of this resource.
first_namestring
The applicant's first name.
last_namestring
The applicant's surname.
emailstring
The applicant's email address.
dobdate
The applicant's date of birth in YYYY-MM-DD format.
id_numbersarray of id number objects
A collection of identification numbers belonging to this applicant.
addressaddress object
The address of the applicant.
sandboxBoolean
Indicates whether the object was created in the sandbox or not.
locationlocation object
The location/country of residence of the applicant.
phone_numberstring
The applicant's phone number with country code.

ID number object

The ID number array of objects is nested inside the applicant object.

AttributeDescription
typestring
Type of ID number. Valid values are ssn, social_insurance (e.g. UK National Insurance), tax_id, identity_card, driving_licence, share_code, voter_id, passport and other (e.g. AUS Foreign Passport).
valuestring
Value of ID number. ssn supports both the full SSN or the last 4 digits. If the full SSN is provided then it must be in the format xxx-xx-xxxx.
state_codestring
Two letter code of issuing state (state-issued driving licences only).

Address object

The applicant address object is nested inside the applicant object.

AttributeDescription
flat_numberstring
The flat number.
building_numberstring
The building number.
building_namestring
The building name.
streetstring
The street of the applicant's address. There is a 32-character limit on this field for UK addresses.
sub_streetstring
The sub-street.
townstring
The town.
statestring
The address state. US states must use the USPS abbreviation (see also ISO 3166-2:US), for example AK, CA, or TX.
postcodestring
The postcode (ZIP code) of the applicant's address. For UK postcodes, specify the value in the following format: SW4 6EH.
countrystring
The 3 character ISO country code of this address. For example, GBR is the country code for the United Kingdom.
line1string
Line 1 of the address.
line2string
Line 2 of the address.
line3string
Line 3 of the address.

postcode and country are required fields if an address is provided for an applicant. For US addresses, state is also a required field.

Most addresses will contain information such as flat_number. Make sure they are supplied as separate fields, and do not try and fit them all into the street field. Doing so is likely to affect check performance.

Alternatively, you can provide addresses in the form line1, line2 and line3 if you're creating a check with an Identity Enhanced report. If you provide address data in this form, Onfido uses a third-party subprocessor for address cleansing.

Location object

The location object is nested inside the applicant object.

AttributeDescription
ip_addressstring
The IP address of the applicant.
country_of_residencestring
The 3 character ISO country code of the country where the applicant resides.

If country_of_residence is not provided in the request, it will be inferred from the IP address which may result in an incorrect value.

If you submitted location during document upload, it will not be returned here.

Note: location refers to the applicant's country of residence, not their nationality or place of birth.

Forbidden characters

For addresses the following characters are forbidden:

!$%^*=<>

For names the following characters are forbidden:

^!#$%*=<>;{}"

Example applicant object
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "id": "<APPLICANT_ID>",
6 "created_at": "2019-10-09T16:52:42Z",
7 "sandbox": true,
8 "first_name": "Jane",
9 "last_name": "Doe",
10 "email": null,
11 "dob": "1990-01-01",
12 "delete_at": null,
13 "href": "/v3.6/applicants/<APPLICANT_ID>",
14 "id_numbers": [],
15 "phone_number": "+44 7911 123456",
16 "address": {
17 "flat_number": null,
18 "building_number": null,
19 "building_name": null,
20 "street": "Second Street",
21 "sub_street": null,
22 "town": "London",
23 "state": null,
24 "postcode": "S2 2DF",
25 "country": "GBR",
26 "line1": null,
27 "line2": null,
28 "line3": null
29 },
30 "location": {
31 "ip_address": "127.0.0.1",
32 "country_of_residence": "GBR"
33 }
34}

Create applicant

POST
/v3.6/applicants/

Using this endpoint in a live context will cause you to send personal data to Onfido. Always make sure you inform your users about this and obtain any necessary permissions. For more information on how Onfido uses personal data, view our Privacy Policy.

Creates a single applicant. Returns an applicant object.

When you create an applicant, some characters are forbidden. You should remove any duplicate whitespaces before creating an applicant, otherwise this may result in a data comparison failure.

The minimum required (and recommended) applicant data depends on the type of report requested. For example, for Document reports.

Request body parameters

ParameterDescription
first_namerequired
The applicant's forename.
last_namerequired
The applicant's surname.
emailrequired only if creating a check where applicant_provides_data is true
The applicant's email address.
doboptional
The applicant's date of birth in YYYY-MM-DD format.
id_numbersoptional
A collection of identification numbers belonging to this applicant.
addressoptional
The address of the applicant.
phone_numberoptional
The applicant's phone number with country code.
locationoptional
An object that contains the location/country of residence of the applicant.
consentsoptional
An array of objects indicating whether consent has been given by the applicant.

location

You must provide location for every applicant. If you do not, all checks with a Facial Similarity report will fail with a validation error.

You must provide location information for each end user as this determines the necessary consent required in order to process a verification.

You can specify either or both the IP address and the country of residence (3 character ISO country code) of the applicant in the location object.

bash
1...
2"location": {
3 "ip_address": "127.0.0.1",
4 "country_of_residence": "GBR"
5 }
6...

You can also provide location information during document upload.

If you submit location information in multiple requests, the document upload location will take precedence.

If you use the Onfido SDK, location is provided directly by the SDK. You do not need to manually submit the location parameter in this case.

consents

Where required, you must collect end user consent before creating a check with Onfido. If you do not, Onfido is unable to process an applicant's data and complete a verification.

Exact consent requirements are linked to the location of the end user and the report type. You must specify an applicant's location in the location parameter when creating an applicant or uploading a document.

  • privacy_notices_read

End users located in the United States, must read the Privacy Notices and Terms of Service before giving consent for Onfido.

granted should be set to true after gaining the necessary consent from the applicant. If it's set to false, or the parameter is not provided, all check creation requests will fail with a validation error.

For more information on the requirements and implementation options for collecting US end user consent, please see our Onfido privacy notices and consent guide.

  • ssn_verification

End users must give consent to process their Social Security Number (SSN) before you can submit an Identity Enhanced report.

granted should be set to true after gaining the necessary consent from the applicant. If it's set to false, or the parameter is not provided, SSN reports will fail with a validation error.

bash
1...
2"consents": [
3 {
4 "name": "privacy_notices_read",
5 "granted": true
6 },
7 {
8 "name": "ssn_verification",
9 "granted": true
10 }
11 ]
12...

You can also provide consents when updating an applicant.

If you use the Onfido SDK, consent is collected directly by the SDK. The SDK contains a mandatory consent screen which the end user must accept in order to proceed. You do not need to manually provide the consents parameter in this case.

Create an applicant
1POST /v3.6/applicants/ HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7 "first_name": "Jane",
8 "last_name": "Doe",
9 "dob": "1990-01-31",
10 "address": {
11 "building_number": "100",
12 "street": "Main Street",
13 "town": "London",
14 "postcode": "SW4 6EH",
15 "country": "GBR"
16 }
17}

Retrieve applicant

GET
/v3.6/applicants/{applicant_id}

Retrieves a single applicant. Returns an applicant object.

Retrieve an applicant
1GET /v3.6/applicants/<APPLICANT_ID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Update applicant

PUT
/v3.6/applicants/{applicant_id}

Using this endpoint in a live context will cause you to send personal data to Onfido. Always make sure you inform your users about this and obtain any necessary permissions. For more information on how Onfido uses personal data, view our Privacy Policy.

Updates an applicant's information. Returns the updated applicant object.

  • Partial updates are valid
  • Addresses and ID numbers present will replace existing ones
  • Takes the same request body parameters as creating an applicant
  • Applicant details can be updated between check creations
Update an applicant
1PUT /v3.6/applicants/<APPLICANT_ID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7 "first_name": "New",
8 "last_name": "Name"
9}

Delete applicant

DELETE
/v3.6/applicants/{applicant_id}

Deletes a single applicant. If successful, returns a 204 No Content response.

Sending a deletion request adds the applicant object and all associated documents, photos, videos, checks, reports and analytics data to our deletion queue. The objects will be permanently deleted from Onfido's production object storage and relational database system after a deletion delay which can be configured by emailing our client support team. After deletion, applicant details cannot be recovered or queried, and Onfido will not be able to troubleshoot. Within the delay period, the applicant can be restored. For more information about Onfido's deletion service, see our Data Deletion FAQ.

Once deleted, Onfido will not be able to carry out any troubleshooting or investigate any queries raised by the client. It is for this reason we recommend a longer deletion period, for example, a minimum of thirty days.

Delete an applicant
1DELETE /v3.6/applicants/<APPLICANT_ID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Restore applicant

POST
/v3.6/applicants/{applicant_id}/restore

Restores a single applicant scheduled for deletion. If successful, returns a 204 No Content response.

A restore request will also restore all associated documents, photos, videos, checks, reports and analytics data.

Applicants that have been permanently deleted cannot be restored.

Restore an applicant
1POST /v3.6/applicants/<APPLICANT_ID>/restore HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

List applicants

GET
/v3.6/applicants/

Lists all applicants you've created, sorted by creation date in descending order. Returns data in the form: {"applicants": [<LIST_OF_APPLICANT_OBJECTS>]}.

Requests to this endpoint will be paginated to 20 items by default.

Query string parameters

include_deleted=true (optional): include applicants scheduled for deletion.

per_page (optional): set the number of results per page (500 at maximum). Defaults to 20.

page (optional): return specific pages. Defaults to 1.

The Link header contains pagination information. For example:

Link: [https://api.eu.onfido.com/v3.5/applicants?page=3059](https://api.eu.onfido.com/v3.5/applicants?page=3059); rel="last", [https://api.eu.onfido.com/v3.5/applicants?page=2](https://api.eu.onfido.com/v3.5/applicants?page=2); rel="next"

Possible rel values are:

NameLink relation (description)
nextNext page of results.
lastLast page of results.
firstFirst page of results.
prevPrevious page of results.

The custom X-Total-Count header gives the total resource count.

Return all applicants youve created
1GET /v3.6/applicants?page=1&per_page=5 HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Documents

Some reports require uploaded identity documents in order to be processed successfully.

Depending on the type of the document, we may require both sides of the image to be uploaded. See the full list of documents we support.

Documents belong to a single applicant, so they must be uploaded after an applicant has been created.

The API uses the British English spelling driving_licence.

Document object

AttributeDescription
idstring
The unique identifier of the document.
created_atdatetime
The date and time at which the document was uploaded.
hrefstring
The URI of this resource.
download_hrefstring
The URI that can be used to download the document.
file_namestring
The name of the uploaded file.
file_typestring
The file type of the uploaded file.
file_sizeinteger
The size of the file in bytes.
typestring
The type of document.
sidestring
The side of the document, if applicable. The possible values are front and back.
issuing_countrystring
The issuing country of the document, in 3-letter ISO code, specified when uploading it.
applicant_idstring
The id of the applicant to whom the document belongs.
Example document object
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "id": "<DOCUMENT_ID>",
6 "created_at": "2019-02-11T13:49:20Z",
7 "file_name": "sample_driving_licence.png",
8 "file_type": "png",
9 "file_size": 490408,
10 "type": "driving_licence",
11 "side": "front",
12 "issuing_country": null,
13 "applicant_id": "<APPLICANT_ID>",
14 "href": "/v3.6/documents/<DOCUMENT_ID>",
15 "download_href": "/v3.6/documents/<DOCUMENT_ID>/download"
16}

Document types

Identity documents

The following is a partial list of document types (i.e. type when uploading a document):

Type
national_identity_card
driving_licence
passport
voter_id
work_permit

This list is not exhaustive.

If you're unsure of the type of document you want to verify, you can submit documents with type unknown. In this case, we will attempt to classify and recognize the document type when processing a Document report.

Upload document

POST
/v3.6/documents/

Using this endpoint in a live context will cause you to send personal data to Onfido. Always make sure you inform your users about this and obtain any necessary permissions. For more information on how Onfido uses personal data, view our Privacy Policy.

Uploads a single document as part of a multipart request. Returns a document object.

We provide a sample document to test this endpoint.

Valid file formats for documents are jpg, png and pdf. The file size must be between 32KB and 10MB. Maximum supported resolution is 64MPx.

Supply side when uploading documents for optimal results.

Request body parameters

ParameterDescription
applicant_idrequired
The ID of the applicant who owns the document.
filerequired
The file to be uploaded.
typerequired
The type of document. For example, passport.
sideoptional (required for documents which have multiple sides)
Either the front or back of the document.
issuing_countryoptional (required for Proof of Address reports)
The issuing country of the document in 3-letter ISO code.
locationoptional
An object that contains the location/country of residence of the applicant.
validate_image_qualityoptional
A Boolean. Defaults to false. When true the submitted image will undergo an image quality validation which may take up to 5 seconds.

location

You must provide location for every applicant. If you do not, all checks will fail with a validation error.

You must provide location information for each end user as this determines the necessary consent required in order to process a verification.

You can specify either or both the IP address and the country of residence (3 character ISO country code) of the applicant in the location object.

bash
1...
2-F 'location[ip_address]=127.0.0.1' \
3-F 'location[country_of_residence]=GBR'
4...

You can also provide location information during applicant creation.

If you submit location information in multiple requests, the document upload location will take precedence.

If you submit location information during document upload, this will not be returned in the applicant object.

If you use the Onfido SDK, location is provided directly by the SDK. You do not need to manually submit the location parameter in this case.

Image quality

You can request image quality validation when uploading a document. It is conducted synchronously and you'll receive the result as a response to your request.

When the image passes validation, returns a document object.

When the image fails validation, returns a 422 validation_error. There can be one or more failed image quality validations for a request. The list of reasons is provided in the fields property.

If the image fails validation, you should ask the end user to retake the photo of their document.

FieldMessage
detect_blurblur detected in image
detect_cutoffcutoff document detected in image
document_detectionno document in image

Sample images to trigger various error responses can be provided.

Upload passport.png
1POST /v3.6/documents/ HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: multipart/form-data

Retrieve document

GET
/v3.6/documents/{document_id}

Retrieves a single document. Returns a document object.

1GET /v3.6/documents/<DOCUMENT_ID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

List documents

GET
/v3.6/documents?applicant_id={applicant_id}

Lists all documents belonging to an applicant, and includes any associated media (document photos and videos when these are retrieved by UUID).

Returns data in the form: {"documents": [<LIST_OF_DOCUMENT_OBJECTS>]}.

Query string parameters

applicant_id (required): the ID of the applicant ID whose documents you want to list.

List all documents for a specific applicant
1GET /v3.6/documents?applicant_id=<APPLICANT_ID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Download document

GET
/v3.6/documents/{document_id}/download

Downloads specific documents belonging to an applicant. If successful, the response will be the binary data representing the image.

Path parameters

document_id (required): the unique identifier (UUID) of the document.

Download a document associated with an applicant
1GET /v3.6/documents/<DOCUMENT_ID>/download HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Download NFC face

GET
/v3.6/documents/{document_id}/nfc_face

Downloads digital photos extracted from specific documents belonging to an applicant. If successful, the response will be the binary data representing the image.

Download the face extracted from an NFC document associated with an applicant
1GET /v3.6/documents/<DOCUMENT_ID>/nfc_face HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Download document video

GET
/v3.6/documents/{document_id}/video/download

Downloads a document video. If successful, the response will be the binary data representing the video.

Path parameters

document_id (required): the unique identifier (UUID) of the document.

Download a document video
1GET /v3.6/documents/<DOCUMENT_ID>/video/download HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Live photos

Live photos are images of the applicant's face, typically taken at the same time as documents are provided. Some reports require uploaded live photos in order to be processed successfully.

Live photo object

AttributeDescription
idstring
The unique identifier of the live photo.
created_atdatetime
The date and time at which the live photo was uploaded.
hrefstring
The URI of this resource.
download_hrefstring
The URI that can be used to download the live photo.
file_namestring
The name of the uploaded file.
file_typestring
The file type of the uploaded file.
file_sizeinteger
The size of the file in bytes.
Example live photo object
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "id": "<LIVE_PHOTO_ID>",
6 "created_at": "2019-10-09T16:59:06Z",
7 "file_name": "<FILE_NAME>.png",
8 "file_type": "image/png",
9 "file_size": 536630,
10 "href": "/v3.6/live_photos/<LIVE_PHOTO_ID>",
11 "download_href": "/v3.6/live_photos/<LIVE_PHOTO_ID>/download"
12}

Upload live photo

POST
/v3.6/live_photos/

Using this endpoint in a live context will cause you to send personal data to Onfido. Always make sure you inform your users about this and obtain any necessary permissions. For more information on how Onfido uses personal data, view our Privacy Policy.

Uploads a live photo as part of a multipart request. Returns a live photo object.

We provide a sample photo to test this endpoint.

Valid file formats for live photos are jpg, jpeg and png. The file size must be between 32KB and 10MB. Live photos are validated at the point of upload to check that they contain exactly one face. This validation can be disabled by setting the advanced_validation argument to false.

Request body parameters

ParameterDescription
filerequired
The file to be uploaded.
applicant_idrequired
The applicant_id to associate the live photo with.
advanced_validationoptional
A Boolean which defaults to true
Validates that the live photo contains exactly one face.
Upload sample_photo.png
1POST /v3.6/live_photos/ HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: multipart/form-data

Retrieve live photo

GET
/v3.6/live_photos/{live_photo_id}

Retrieves a single live photo. Returns a live photo object.

Retrieve a single live photos object
1GET /v3.6/live_photos/<LIVE_PHOTO_ID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

List live photos

GET
/v3.6/live_photos/?applicant_id={applicant_id}

Lists the live photos that belong to an applicant. Returns data in the form: {"live_photos": [<LIST_OF_LIVE_PHOTO_OBJECTS>]}.

Query string parameters

applicant_id (required): the ID of the applicant whose live photos you want to list.

List all live photo (objects) for a specific applicant
1GET /v3.6/live_photos/live_photos?applicant_id=<APPLICANT_ID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Download live photo

GET
/v3.6/live_photos/{live_photo_id}/download

Downloads a live photo. If successful, the response will be the binary data representing the image.

Download a live photo
1GET /v3.6/live_photos/<LIVE_PHOTO_ID>/download HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Live videos

Live videos are footage of the applicant's face, recorded and uploaded by the Onfido Smart Capture SDKs (iOS, Android or Web), at the same time as the document image is captured—also by the SDKs. These videos are used for Facial Similarity Video reports.

Live video object

During the video recording end users are asked to perform randomly generated actions, represented in challenge. Challenges always have 2 parts recite and movement, but the order in which these happen can vary. The order of the challenges is maintained in the live video object. recite asks the user to say 3 randomly generated digits, whereas movement asks the user to look over their right or left shoulder.

AttributeDescription
idstring
The unique identifier of the live video.
created_atdatetime
The date and time at which the live video was uploaded.
hrefstring
The URI of this resource.
download_hrefstring
The URI that can be used to download the live video.
file_namestring
The name of the uploaded file.
file_typestring
The file type of the uploaded file.
file_sizeinteger
The size of the file in bytes.
challengearray of objects
Challenge the end user was asked to perform during the video recording.
Example live video object
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "id": "<LIVE_VIDEO_ID>",
6 "created_at": "2018-05-14T16:44:53Z",
7 "href": "/v3.6/live_videos/<LIVE_VIDEO_ID>",
8 "download_href": "/v3.6/live_videos/<LIVE_VIDEO_ID>/download",
9 "file_name": "<FILE_NAME>.mp4",
10 "file_type": "video/mp4",
11 "file_size": 1431121,
12 "challenge": [
13 {
14 "type": "recite",
15 "query": [
16 1,
17 2,
18 3
19 ]
20 },
21 {
22 "type": "movement",
23 "query": "turnRight"
24 }
25 ]
26}

Upload live video

Live videos can only be uploaded via one of Onfido's input-capture SDKs, not via the API directly.

As a result, Onfido does not provide an upload live video endpoint.

To upload live videos for Facial Similarity Video reports, integrate with one of our Smart Capture SDKs (iOS, Android or Web).

Retrieve live video

GET
/v3.6/live_videos/{live_video_id}

Retrieves a single live video. Returns the corresponding live video object.

Retrieve a single live videos object
1GET /v3.6/live_videos/<LIVE_VIDEO_ID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

List live videos

GET
/v3.6/live_videos?applicant_id={applicant_id}

Lists all the live videos that belong to an applicant.

Returns data in the form: {"live_videos": [<LIST_OF_LIVE_VIDEO_OBJECTS>]}.

Query string parameters

applicant_id (required): the ID of the applicant whose live videos you want to list.

List all live videos for a specific applicant
1GET /v3.6/live_videos?applicant_id=<APPLICANT_ID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Download live video

GET
/v3.6/live_videos/{live_video_id}/download

Downloads a live video. Returns the binary data representing the video.

Download the data representing a live video
1GET /v3.6/live_videos/<LIVE_VIDEO_ID>/download HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Download live video frame

GET
/v3.6/live_videos/{live_video_id}/frame

Instead of the whole video, a single frame can be downloaded using this endpoint. Returns the binary data representing the frame.

This will be the frame extracted from the video where the end user is facing the camera. If no face can be detected, it will fallback to the first frame of the video.

Download the data representing a live video frame
1GET /v3.6/live_videos/<LIVE_VIDEO_ID>/frame HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Unsuccessful frame extraction

Frame extraction failed

If a frame cannot be extracted from the live video, a frame_extraction_failed response will be returned.

Unsuccessful frame extraction response: failure
1HTTP/1.1 422 Unprocessable Entity
2Content-Type: application/json
3
4{
5 "error": {
6 "type": "frame_extraction_failed",
7 "message": "<Reason>"
8 }
9}

Frame extraction unavailable

If the extraction feature is temporarily unavailable, a frame_extraction_unavailable response will be returned instead.

Unsuccessful frame extraction response: temporarily unavailable
1HTTP/1.1 503 Service Unavailable
2Content-Type: application/json
3
4{
5 "error": {
6 "type": "frame_extraction_unavailable",
7 "message": "Frame extraction is temporarily unavailable"
8 }
9}

Workflow Runs

Workflows are the container for how the end user will be verified using interactive and non-interactive tasks as configured using the Studio via the Onfido Dashboard. Workflow Runs are individual instances of the Workflow, and each Workflow Run requires data in order for it to execute.

The required Workflow Run data will be based on how the Workflow is configured in Onfido Studio. Data can either be provided through the Applicant Object and/or through the Custom Input Data Object.

Workflow Run Versions

Workflows are version controlled, meaning everytime a Workflow is edited and saved a new version is created. The active version of the Workflow will be used during the creation of a Workflow Run. Workflow Runs can only be created against the active version of the Workflow. The active version of a workflow can be designated in Studio via the Onfido Dashboard.

Workflow Run Status

Workflow Runs are transitioned through statuses as the Applicant progresses through the tasks. These statuses are visible on the Dashboard and available via the Retrieve Workflow Run endpoint.

Workflow StatusDescription
awaiting_inputWhen the Workflow is waiting for an Applicant to complete a Smart Capture SDK interactive task.
Note: If your Workflow has parallel tasks, awaiting_input will take precedence over processing.
processingWhen the Workflow is processing non-interactive tasks.
abandonedWhen an interactive task times out, the Workflow will be abandoned. Time outs can be configured per task in the Studio via Onfido Dashboard.
errorThe Workflow ended due to a technical issue during run time.
approvedThe Workflow Run reached an end task of ‘Approve Applicant’ based on the Workflow configuration.
reviewThe Workflow Run reached an end task of ‘Review Applicant’ based on the Workflow configuration.
declinedThe Workflow Run reached an end task of ‘Decline Applicant’ based on the Workflow configuration.

Workflow Run object

AttributeDescription
idstring (UUID)
The unique identifier for the Workflow Run.
applicant_idstring (UUID)
The unique identifier for the Applicant.
workflow_idstring (UUID)
The unique identifier for the Workflow.
workflow_version_idint
The identifier for the Workflow Version.
dashboard_urlstring
The URL for viewing the workflow run results on your Onfido Dashboard.
statusstring (enum)
The status of the Workflow Run. Possible values are: processing, awaiting_input, approved, declined, review, abandoned and error.
tagsarray of strings
A list of tags associated with the Workflow Run.
customer_user_idstring
A customer-provided user identifier.
outputoutput object
Output object contains all of the properties configured on the workflow version.
reasonsarray (string)
The reasons the Workflow Run outcome was reached. Configurable when creating the Workflow Version.
errorerror object
Error object. Only set when the Workflow Run status is error.
sdk_tokenstring
Client token to use when initiating this workflow run in the Onfido SDK.
linklink object
Link object.
created_atdatetime (ISO-8601)
The date and time when the Workflow Run was created.
updated_atdatetime (ISO-8601)
The date and time when the Workflow Run was last updated.

Output object

Workflow output data is a configurable set of properties which allows you to add any specific data attribute contained within a Workflow. Workflow Output information must be first created as a property in Studio using the Workflow input and output configuration tab. Once the properties are created then these need to be mapped on the end tasks. This gives full flexibility to add as little or as much detailed information to the Retrieve Workflow Run endpoint.

This is the recommended method to integrate with our API to get information into your systems.

Reasons

Workflow reasons are set during Workflow creation in Studio. Each end task can have one or more reasons configured by the user. This provides the flexibility to capture more information about why an end user reached a specific end state.

For example, if a workflow contains multiple approval end tasks, the reasons field can be used to clearly identify which path the end user completed.

Error object

Error object that details why a Workflow Run is in Error status.

AttributeDescription
typestring
The type of the error.
messagestring
A textual description of the error.

Object for the configuration of the Workflow Run link.

AttributeDescription
urlstring
Link to access the Workflow Run without the need to integrate with Onfido's SDKs.
completed_redirect_urlstring
When the interactive section of the Workflow Run has completed successfully, the user will be redirected to this URL instead of seeing the default Onfido "thank you" page.
expired_redirect_urlstring
When the Link has expired, the user will be immediately redirected to this URL instead of seeing the default Onfido error message.
expires_atstring (ISO-8601)
Date and time when the link will expire. Additional details.
languagestring (enum)
The code for the language when the Workflow Run is acessed using the link.
Example Workflow Run object
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "id": "<WORKFLOW_RUN_ID>",
6 "applicant_id": "<APPLICANT_ID>",
7 "workflow_id": "<WORKFLOW_ID>",
8 "workflow_version_id": 11,
9 "status": "approved",
10 "dashboard_url":"https://dashboard.onfido.com/results/<WORKFLOW_RUN_ID>"
11 "output": {"prop1": "val_1", "prop2": 10},
12 "reasons": ["reason_1", "reason_2"],
13 "tags": [],
14 "error": null,
15 "sdk_token": "<SDK_TOKEN>",
16 "created_at": "2022-06-28T15:39:42Z",
17 "updated_at": "2022-07-28T15:40:42Z",
18 "link": {
19 "completed_redirect_url": "https://example.onfido.com",
20 "expired_redirect_url": "https://example.onfido.com",
21 "expires_at": "2022-10-17T14:40:50Z",
22 "language": "en_US",
23 "url": "https://eu.onfido.app/l/<WORKFLOW_RUN_ID>"
24 },
25}

Create Workflow Run

POST
/v3.6/workflow_runs/

Creates and starts a Workflow Run. Returns a Workflow Run object.
A Workflow must exist and be activated before you can create a Workflow Run. You can create and activate your Workflow in your Studio via Onfido Dashboard. An Applicant ID is mandatory for creating a Workflow Run.
Any data that you want to provide to be used in the Workflow Run can be passed in two ways at its creation:

You must request a Workflow Run before you initialise the SDK.

Request body parameters

ParameterDescription
workflow_idrequired string (UUID)
The unique identifier for the Workflow.
applicant_idrequired string (UUID)
The unique identifier for the Applicant.
tagsoptional array of strings
Array of tags being assigned to the Workflow Run.
custom_dataoptional custom data object
Object with Custom Input Data to be used in the Workflow Run.
linkoptional link object
Link object to configure the Workflow Run link.
customer_user_idoptional string
A customer-provided user identifier.

Applicant Data

The Workflow Run requires an Applicant ID, meaning that the Workflow is able to access information stored in the Applicant.

Before being able to use that data within the Workflow Run, you must specify which Applicant fields you intend to use by configuring the Input Data via Studio. The additional Applicant fields you decide to use become mandatory and the Workflow Run create endpoint will validate if they are present before creating the Workflow Run. You can manage the Applicant using the create and update endpoints.

Custom Input Data

If you have business-specific data that you want to use during your workflow, you can configure Custom Input Data using the Studio via the Onfido Dashboard.

If Custom Input Data is configured, then it becomes mandatory when creating a Workflow Run.

Object for the configuration of the Workflow Run link.

AttributeDescription
completed_redirect_urloptional string
When the interactive section of the Workflow Run has completed successfully, the user will be redirected to this URL instead of seeing the default Onfido "thank you" page.
expired_redirect_urloptional string
When the Link has expired, the user will be immediately redirected to this URL instead of seeing the default Onfido error message.
expires_atoptional string (ISO-8601)
Date and time when the link will expire. Additional details.
languageoptional string (enum)
The code for the language when the Workflow Run is accessed using the link. Defaults to en_US if not specified.

Supported languages

You can customize the language attribute of the link object for when the Workflow Run is accessed using the link by including the corresponding country code (fr for French, for example).

You can find a complete list of Onfido's 44 supported languages and their relevant codes in our SDK customisation guide.

When the link expires, the Applicant won't be able to use it anymore to access the Workflow Run journey. If no expiration date and time is set, the link will be acessible until the Workflow Run reaches an end state (abandoned, error, approved, review and declined).

Create Workflow Run
1POST /v3.6/workflow_runs HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7 "workflow_id": "<WORKFLOW_ID>",
8 "applicant_id": "<APPLICANT_ID"
9}

List Workflow Runs

GET
/v3.6/workflow_runs

Retrieves the Workflow Runs of the client. Returns a list of Workflow Run objects. The page size is 20 objects.

Query String parameters

page (optional): The number of the page to be retrieved. If not specified, defaults to 1.
status (optional): a list of comma separated status values to filter the results.
tags (optional): a list of comma separated tags to filter the results.
created_at_gt (optional): a ISO-8601 date to filter results with a created date greater than (after) the one provided.
created_at_lt (optional): a ISO-8601 date to filter results with a created date less than (before) the one provided.
sort (optional): a string with the value desc or asc that allows to sort the returned list by the completed datetime either descending or ascending, respectively. If not specified, defaults to desc.
applicant_id (optional): the unique identifier (UUID) of applicant.

List Workflow Runs
1GET /v3.6/workflow_runs HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Retrieve Workflow Run

GET
/v3.6/workflow_runs/{workflow_run_id}

Retrieves a Workflow Run. Returns a Workflow Run object.

Path parameters

workflow_run_id (required): the unique identifier of the Workflow Run you want to retrieve.

Retrieve Workflow Run
1GET /v3.6/workflow_runs/<WORKFLOW_RUN_ID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Retrieve Workflow Run Evidence Folder

GET
/v3.6/workflow_runs/{workflow_run_id}/evidence_folder

Retrieves the evidence folder for the designated Workflow Run.

After a successful call, a 302 Found HTTP status is returned with a pre-signed URL to download the folder (in the ZIP file format) in the Location header.

The evidence folder is available a few seconds after the Workflow Run has been completed. Please also ensure that evidence folder generation is enabled for your account. See the ETSI Certified IDV product guide for more information.

Note: If you invoke this endpoint for Sandbox workflow runs, a mock evidence folder will be returned.

Path parameters

workflow_run_id (required): the unique identifier of the Workflow Run for which you want to retrieve the evidence folder.

Note: The Evidence Folder may contain sensitive personal identifiable information (PII). The pre-signed URLs allow downloading the Evidence Folder and should be handled carefully.

Retrieve Workflow Run Evidence Folder
1GET /v3.6/workflow_runs/<WORKFLOW_RUN_ID>/evidence_folder HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Tasks

Tasks are the individual steps that make up a Workflow Run. Tasks may require Task input data in order to execute, and will return Task output data on completion. Task input data can be managed by selecting a Task and configuring it in the input tab in Studio. The Task endpoints are designed to enable auditability and transparency of Workflow Runs by providing Task input and output.

Tasks are versioned using unique Task Definitions so that each time enhancements, new features or bugs are released, the functioning of these Tasks remains unchanged, preserving the integrity of the previous version of the Workflow. Task inputs and outputs may change between Task versions.

The Task input and output information is accessible directly in Studio and should be used to configure an applicant's verification journey using the condition tasks. For example, Tasks output data can be used to decide the next Tasks to perform, or the end state of the Applicant verification journey directly within Studio.

Despite this data being available and accessible through these endpoints, it also comes with some drawbacks. If changes are made to the Workflow, or individual Tasks are updated (new features, bug fixing, for example), the schemas may change, which could break previous integrations.

As such, Task endpoints are not recommended to be used as an integration method to retrieve data, please use the Output object in Workflow Run.

Task object

AttributeDescription
idstring
The identifier for the Task.
task_def_idstring
The identifier for the Task Definition.
task_def_versionstring
The version for the Task Definition.
workflow_run_idstring (UUID)
The identifier for the Workflow Run to which the task belongs.
inputobject
Input object with the fields used by the Task to execute.
outputobject
Output object with the fields produced by the Task execution.
created_atdatetime (ISO-8601)
The date and time when the Task was created.
updated_atdatetime (ISO-8601)
The date and time when the Task was last updated.
Example Task object
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "id": "<TASK_ID>",
6 "task_def_id": "<TASK_DEF_ID>",
7 "task_def_version": "<TASK_DEF_VERSION>",
8 "workflow_run_id": "<WORKFLOW_RUN_ID>",
9 "input": {"document_ids":["dd1a606c-787f-4203-8e71-7d4c9adb090d"]},
10 "output": {"extracted_data": {"first_name": "Jane", "last_name": "Doe"}},
11 "created_at": "2022-06-28T15:39:42Z",
12 "updated_at": "2022-07-28T15:40:42Z",
13}

List Tasks

GET
/v3.6/workflow_runs/{workflow_run_id}/tasks

Retrieves the Tasks of a Workflow Run. Returns a subset of the Task object.

The response contains only Tasks that were already started or completed, ordered by the created_at field, in ascending order.

Path parameters

workflow_run_id (required): the unique identifier of the Workflow Run to which the Tasks belong.

Example response

json
1[
2 {
3 "id": "<TASK_ID>",
4 "task_def_id": "<TASK_DEF_ID>",
5 "workflow_run_id": "<WORKFLOW_RUN_ID>",
6 "created_at": "2022-06-28T15:39:42Z",
7 "updated_at": "2022-07-28T15:39:52Z",
8 },
9 {
10 "id": "<TASK_ID>",
11 "task_def_id": "<TASK_DEF_ID>",
12 "workflow_run_id": "<WORKFLOW_RUN_ID>",
13 "created_at": "2022-06-28T15:40:42Z",
14 "updated_at": "2022-07-28T15:40:52Z",
15 }
16 ...
17]
List Tasks
1GET /v3.6/workflow_runs/<WORKFLOW_RUN_ID>/tasks HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Retrieve Task

GET
/v3.6/workflow_runs/{workflow_run_id}/tasks/{task_id}

Retrieves a Task. Returns a Task object.

Path parameters

workflow_run_id (required): the unique identifier of the Workflow Run to which the Task belongs.
task_id (required): the identifier of the Task you want to retrieve.

Note: The output property of the returned task object can be null, under the following circumstances:

  • the task is still ongoing
  • the task completes but does not require any output
  • the task failed, or the workflow run was cancelled before it completed
Retrieve Task
1GET /v3.6/workflow_runs/<WORKFLOW_RUN_ID>/tasks/<TASK_ID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Complete Task

POST
/v3.6/workflow_runs/{workflow_run_id}/tasks/{task_id}/complete

Completes a Send / Receive Data Task.

Path parameters

workflow_run_id (required): the unique identifier of the Workflow Run to which the Task belongs.
task_id (required): the identifier of the Task you want to complete.

Request body parameters

ParameterDescription
datarequired object
The Task completion payload. More details below.

Send / Receive Data Tasks

Send / Receive Data Tasks are a special type of Task that allow you to create custom actions that can be executed anywhere in a workflow. You can send data out of the system mid workflow and pass data back in to be used in more logic tasks.

You can configure a Send / Receive Data Task in the Workflow Builder, while defining your Workflow. When configuring a Send / Receive Data Task, you should define the input and output data it expects. The logic necessary to process the inputs and produce the outputs is up to the service being called.

The recommended way of integrating a Send / Receive Data Task is configuring a workflow_task.started Webhook, so you can be notified when the task is ready to execute. The payload of this Webhook contains all the inputs you have defined for your Task.

Once notified by our Webhook, your system can asynchronously run any custom action you want to produce the desired outputs. Once ready, you should invoke the Complete Task endpoint, providing as data parameter an object with the outputs you have defined. Our system will validate the provided data against the output schema you have defined when configuring the Send / Receive Data Task and return an HTTP 422 error if they don't match.

If the submission of the data is successful, the Send / Receive Data Task will be completed and the Workflow will proceed. All data received back into the Workflow Run will be able to be used in our condition logic tasks.

You can configure as many Send / Receive Data Tasks as you want in your Workflow.

Complete Task
1POST /v3.6/workflow_runs/<WORKFLOW_RUN_ID>/tasks/<TASK_ID>/complete HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7 "data":{
8 "field_1": "value_1",
9 "field_2": "value_2"
10 }
11}

Motion captures

Motion captures are representations of an applicant's face, recorded and uploaded by the Onfido Smart Capture SDKs (iOS, Android or Web), at the same time as the document image is captured—also by the SDKs. These captures are used for Facial Similarity Motion reports.

Motion capture object

AttributeDescription
idstring
The unique identifier of the motion capture.
created_atdatetime (ISO-8601)
The date and time at which the motion capture was uploaded.
hrefstring
The URI of this resource.
download_hrefstring
The URI that can be used to download a motion capture.
file_namestring
The name of the uploaded file.
file_typestring
The file type of the uploaded file.
file_sizeinteger
The size of the file in bytes.
Example motion capture object
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "id": "<MOTION_CAPTURE_ID>",
6 "created_at": "2022-11-12T17:12:44Z",
7 "href": "/v3.6/motion_captures/<MOTION_CAPTURE_ID>",
8 "download_href": "/v3.6/motion_captures/<MOTION_CAPTURE_ID>/download",
9 "file_name": "<FILE_NAME>.mp4",
10 "file_type": "video/mp4",
11 "file_size": 1431121
12}

Upload motion capture

Motion captures can only be uploaded via one of Onfido's input-capture SDKs, not via the API directly.

As a result, Onfido does not provide an upload motion capture endpoint.

To upload motion captures for Facial Similarity Motion reports, integrate with one of our Smart Capture SDKs (iOS, Android or Web).

Retrieve motion capture

GET
https://api.onfido.com/v3.6/motion_captures/{motion_capture_id}

Retrieves a single motion capture. Returns the corresponding motion capture object.

Retrieve a single motion capture object
1GET /v3.6/motion_captures/<MOTION_CAPTURE_ID> HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

List motion captures

GET
https://api.onfido.com/v3.6/motion_captures?applicant_id={applicant_id}

Lists all the motion captures that belong to an applicant.

Returns data in the form: {"motion_captures": [<LIST_OF_MOTION_CAPTURE_OBJECTS>]}.

Query string parameters

applicant_id (required): the ID of the applicant whose motion captures you want to list.

List all motion captures for a specific applicant
1GET /v3.6/motion_captures?applicant_id=<APPLICANT_ID> HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Download motion capture

GET
https://api.onfido.com/v3.6/motion_captures/{motion_capture_id}/download

Downloads a motion capture. Returns the binary data representing the motion capture.

Download the data representing a motion capture
1GET /v3.6/motion_captures/<MOTION_CAPTURE_ID>/download HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Download motion capture frame

GET
https://api.onfido.com/v3.6/motion_captures/{motion_capture_id}/frame

Instead of the whole motion capture data, a single frame can be downloaded using this endpoint. Returns the binary data representing the frame.

Download the data representing a motion capture frame
1GET /v3.6/motion_captures/<MOTION_CAPTURE_ID>/frame HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Unsuccessful frame extraction

Frame extraction failed

If a frame cannot be extracted from the motion capture, a frame_extraction_failed response will be returned.

Unsuccessful frame extraction response: failure
1HTTP/1.1 422 Unprocessable Entity
2Content-Type: application/json
3
4{
5 "error": {
6 "type": "frame_extraction_failed",
7 "message": "<Reason>"
8 }
9}

Frame extraction unavailable

If the extraction feature is temporarily unavailable, a frame_extraction_unavailable response will be returned instead.

Unsuccessful frame extraction response: temporarily unavailable
1HTTP/1.1 503 Service Unavailable
2Content-Type: application/json
3
4{
5 "error": {
6 "type": "frame_extraction_unavailable",
7 "message": "Frame extraction is temporarily unavailable"
8 }
9}

Monitors

Monitors are used for Ongoing Monitoring of an applicant and must be used together with Watchlist Reports. They listen for changes to Watchlist reports and when an update is detected, a new Check and corresponding Watchlist Report are created. Learn more about this feature here.

If you are interested in using this feature, it must first be enabled for your account. Please reach out to your CSM or email our Client Support team.

Monitor object

AttributeDescription
idstring
The unique identifier for the monitor.
created_atdatetime
The date and time at which the monitor was created.
deleted_atdatetime
The date and time at which the monitor was deleted. If the monitor is still active, this field will be null.
applicant_idstring
The ID for the applicant associated with the monitor.
report_namestring
The name of the report type the monitor creates. Can be either "watchlist_standard" or "watchlist_aml".
tagsarray of strings
A list of tags associated with this monitor. These tags will be applied to each check this monitor creates.
sandboxboolean
Indicates whether the object was created in the sandbox or not.
Example monitor object
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "id": “<MONITOR_ID>”,
6 "applicant_id": "<APPLICANT_ID>",
7 "report_name": "watchlist_standard",
8 "created_at": "2022-09-01T15:01:36.921Z",
9 "deleted_at": null,
10 "sandbox": false,
11 "tags": []
12}

Create monitor

POST
/v3.6/watchlist_monitors/

Creates a new monitor for the applicant.

Once created, the monitor will create an initial Watchlist report under the given applicant.

Only one active monitor can be created per applicant.

Request body parameters

ParameterDescription
applicant_idrequired
The ID for the applicant associated with the monitor.
report_namerequired
The name of the report type the monitor creates. Can be either "watchlist_standard" or "watchlist_aml".
tagsoptional
A list of tags associated with this monitor. These tags will be applied to each check this monitor creates.
Create a monitor
1POST /v3.6/watchlist_monitors/ HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7 "applicant_id": "<APPLICANT_ID>",
8 "report_name": "watchlist_aml"
9}

Retrieve monitor

GET
/v3.6/watchlist_monitors/{monitor_id}

Retrieves a single monitor. Returns a monitor object.

Retrieve a single monitor
1GET /v3.6/watchlist_monitors/<MONITOR_ID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

List monitors

GET
/v3.6/watchlist_monitors?applicant_id={applicant_id}

Returns all available monitors for an applicant. Returns data in the form: {"monitors": [<LIST_OF_MONITOR_OBJECTS>]}.

Query string parameters

ParameterDescription
applicant_idoptional
The ID of the applicant whose monitors you want to list. If omitted, all monitors for the account will be listed.
include_deletedoptional
If this option is included, deleted (inactive) monitors will also be included in the list.
List all monitors associated with an applicant
1GET /v3.6/watchlist_monitors?applicant_id=<APPLICANT_ID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Delete monitor

DELETE
/v3.6/watchlist_monitors/{monitor_id}

Deactivates the given monitor. No further updates will be given on this monitor, and all search information for this monitor will be deleted. Reports that have already been generated by the monitor will still exist.

Once a monitor is deleted, it cannot be re-activated.

If a monitor on an applicant was deleted in error, a new monitor will need to be created.

Delete a monitor
1DELETE /v3.6/watchlist_monitors/<MONITOR_ID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

List matches (BETA)

GET
/v3.6/watchlist_monitors/<MONITOR_ID>/matches

Gets a list of match IDs on this monitor, as well as their enabled/disabled status.

Match IDs are also visible in the report properties of monitored watchlist reports.

This will NOT return details about each match. (Such as name, media links, match type, etc.) This will only return the IDs and enabled/disabled status.

Match details are only viewable on reports generated by the monitor.

bash
1HTTP/1.1 200 Success
2Content-Type: application/json
3
4{
5 "matches": [
6 {
7 "id": <MATCH_ID>,
8 "enabled": true
9 },
10 {
11 "id": <MATCH_ID>,
12 "enabled": false
13 },
14 ...
15 ]
16}
List match IDs associated with a monitor
1GET /v3.6/watchlist_monitors/<MONITOR_ID>/matches HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Set match status (BETA)

PATCH
/v3.6/watchlist_monitors/<MONITOR_ID>/matches

Update the enabled status of the given matches.

Matches that are disabled will no longer contribute to overall results in future reports generated by this monitor.

Additionally, any updates to disabled matches will no longer trigger a new report to be generated.

Request body parameters

ParameterDescription
enableoptional
Array of match IDs to set to enable: true.
disableoptional
Array of match IDs to set to enable: false.

If no match IDs are provided, a 204 No Content response is returned.

If the same ID is provided to both the “enable” and “disable” lists, a 422 validation_error is returned. The “fields” messages in this case will be the list of IDs that are duplicated.

If any of the IDs in either the “enable” or “disable” lists are invalid (or pertain to matches that are not on the given monitor), a 422 validation_error is returned. The “fields” messages in this case will be the list of IDs that are invalid.

Disable matches for a monitor
1PATCH /v3.6/watchlist_monitors/<MONITOR_ID>/matches HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7 "disable": ["<MATCH_ID>", "<MATCH_ID>"]
8}

Force new report creation (BETA)

POST
/v3.6/watchlist_monitors/<MONITOR_ID>/new_report

Triggers a new check with an updated report to be generated by the monitor, as if the monitor had received an update.

The report generated will not have any new information (as it is pulling from the same information as the previous report), but if matches have been newly enabled or disabled, the overall results may be different. For example, if all matches have been disabled, this will generate a “clear” report.

This endpoint has no request body.

If a new report is successfully generated, it will return a 201 Created response with no response body.

A link to the newly generated report will be listed in the “Location” header of the response.

bash
1HTTP/1.1 201 Created
2Content-Type: application/json
3Location: "/api/v3.5/checks/<CHECK_ID>"
Force an updated report to be created on a monitor
1POST /v3.6/watchlist_monitors/<MONITOR_ID>/new_report HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

ID photos

ID photos are government ID images of the applicant's face, typically provided by a trustworthy party (e.g., Government digital agency). These ID photos are used for all Facial Similarity reports.

ID photo object

AttributeDescription
idstring
The unique identifier of the ID photo.
created_atdatetime
The date and time at which the ID photo was uploaded.
hrefstring
The URI of this resource.
download_hrefstring
The URI that can be used to download the ID photo.
file_namestring
The name of the uploaded file.
file_typestring
The file type of the uploaded file.
file_sizeinteger
The size of the file in bytes.
Example ID photo object
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "id": "<ID_PHOTO_ID>",
6 "created_at": "2019-10-09T16:59:06Z",
7 "file_name": "<FILE_NAME>.png",
8 "file_type": "image/png",
9 "file_size": 536630,
10 "href": "/v3.6/id_photos/<ID_PHOTO_ID>",
11 "download_href": "/v3.6/id_photos/<ID_PHOTO_ID>/download"
12}

By default, if both an ID photo and a document are provided, this is the ID photo that is used for the facial similarity check, even if the document is more recent. The rationale is that ID photos are supposed to be more trustworthy than document live captures.

If you prefer to use the document photo for the Facial Similarity report, you need to set "document_ids": ["<DOCUMENT_ID>"] at check creation (see Facial Similarity reports).

For Studio integration, refer to Integrating ID Photos with Onfido Studio

Upload ID photo

POST
/v3.6/id_photos/

Using this endpoint in a live context will cause you to send personal data to Onfido. Always make sure you inform your users about this and obtain any necessary permissions. For more information on how Onfido uses personal data, view our Privacy Policy.

Uploads a ID photo as part of a multipart request. Returns a ID photo object.

We provide a sample photo to test this endpoint.

Valid file formats for ID photos are jpg, jpeg and png. The file size must be between 32KB and 10MB.

Request body parameters

ParameterDescription
filerequired
The file to be uploaded.
applicant_idrequired
The applicant_id to associate the ID photo with.
Upload sample_photo.png
1POST /v3.6/id_photos/ HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: multipart/form-data

Retrieve ID photo

GET
/v3.6/id_photos/{id_photo_id}

Retrieves a single ID photo. Returns a ID photo object.

Retrieve a single ID photos object
1GET /v3.6/id_photos/<ID_PHOTO_ID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

List ID photos

GET
/v3.6/id_photos/?applicant_id={applicant_id}

Lists the ID photos that belong to an applicant. Returns data in the form: {"id_photos": [<LIST_OF_ID_PHOTO_OBJECTS>]}.

Query string parameters

applicant_id (required): the ID of the applicant whose ID photos you want to list.

List all ID photo (objects) for a specific applicant
1GET /v3.6/id_photos?applicant_id=<APPLICANT_ID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Download ID photo

GET
/v3.6/id_photos/{id_photo_id}/download

Downloads an ID photo. If successful, the response will be the binary data representing the image.

Download an ID photo
1GET /v3.6/id_photos/<ID_PHOTO_ID>/download HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Integrating ID Photos with Onfido Studio

To integrate ID photos with Studio workflows, you must add the ID Photos object in the custom data field of the create workflow run call.

The structure of the custom data field object must be:

bash
1"custom_data": { "id_photo_ids": [{"id": "<YOUR_ID_PHOTO_ID>", "type": "id_photo"}] }

Custom input data for workflows must first be configured in the Onfido Dashboard (refer to our Studio documentation). If not, the data will not be considered during the workflow run creation.

You will also need to update the workflow task (e.g. Facial Similarity report) to read the input from the custom input data.

Qualified Electronic Signature

Retrieve Workflow Run Signed Document

GET
/v3.6/qualified_electronic_signature/documents?workflow_run_id={workflow_run_id}&file_id={file_id}

Retrieves the signed document or application form depending on the file_id provided.

After a successful call, a 302 Found HTTP status is returned with a pre-signed URL to download the file in the Location header.

Note: If you invoke this endpoint for Sandbox workflow runs, a mock signed document will be returned.

Query string parameters

workflow_run_id (required): the unique identifier of the Workflow Run for which you want to retrieve the signed document.

file_id (required): the unique identifier of the file which you want to retrieve.

Note: To retrieve file_id, you can obtain Qualified Electronic Signatures task details using the Retrieve Task endpoint:

/v3.6/workflow_runs/{workflow_run_id}/tasks/{task_id}

Retrieve a signed QES document
1GET /v3.6/qualified_electronic_signature/documents?workflow_run_id=<WORKFLOW_RUN_ID>&file_id=<FILE_ID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Timeline Files

A Timeline File is an audit trail of the end-to-end IDV process performed on an Applicant through a Workflow Run, provided in PDF format.

It includes all the Workflow Tasks performed in chronological order, alongside some additional information. You can find more details about the Timeline File in the Studio product guide.

The Timeline File for a Workflow Run is generated on demand by invoking the Create Timeline File endpoint.

Since the generation of the Timeline File can take between a few seconds and a few minutes (depending on the number of Tasks the Workflow Run has), the process is executed asynchronously.

As such, as soon as file generation begins, the Create Timeline File endpoint will immediately return a 202 Accepted HTTP response.

The recommended way to be notified when the generation finishes and the Timeline File is available is to subscribe to the workflow_timeline_file.created webhook event. The payload of this webhook contains a pre-signed URL to download the file directly from Onfido's storage.

Alternatively, you may poll the Retrieve Timeline File endpoint until the file is made available. To do so, you use the Timeline File unique identifier returned by the Create Timeline File endpoint.

While the file is under generation, the Retrieve Timeline File endpoint will return a 404 Not Found HTTP response because the resource is not yet created. When the file becomes available, the endpoint returns a 302 Found HTTP status with a pre-signed URL to download the file in the Location header.

Note: For security reasons, the pre-signed URLs provided in both the Webhook and the Retrieve Timeline File endpoint have an expiration interval of 7 days. If you fail to download the file within this timeframe, you may call the Retrieve Timeline File again and a refreshed pre-signed URL will be returned in the Location header.

As an alternative to using Onfido's API, the Timeline File can also be downloaded from the Onfido Dashboard, on the Workflow Run results page.

The Timeline File is not signed, and must not be mistaken for the Evidence File contained in the Evidence Folder. If you are looking to implement an ETSI certified Workflow solution, please read the documentation about the Evidence Folder in our product guide.

Note: The Timeline File may contain sensitive personal identifiable information (PII). The pre-signed URLs allow downloading the Timeline File and should be handled carefully.

Create Timeline File for Workflow Run

POST
/v3.6/workflow_runs/{workflow_run_id}/timeline_file

Triggers the generation of the Timeline File for the designated Workflow Run.

The Timeline File can only be generated if the Workflow Run is in a terminal status:

  • Abandoned
  • Error
  • Approved
  • Review
  • Declined

Given that the generation of the Timeline File takes some time, the process is executed asynchronously in the background. As such, this endpoint will return a 202 Accepted HTTP response as soon as the file generation begins. The response includes the unique identifier of the file that will be generated.

The recommended way to be notified of the completion of the file generation is by subscribing to the workflow_timeline_file.created webhook event.

Alternatively, you may poll the Retrieve Timeline File endpoint.

Path parameters

workflow_run_id (required): the unique identifier of the Workflow Run for which you want to start the generation of the Timeline File.

Create Timeline File for Workflow Run
1POST /v3.6/workflow_runs/<WORKFLOW_RUN_ID>/timeline_file HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Retrieve Timeline File for Workflow Run

GET
/v3.6/workflow_runs/{workflow_run_id}/timeline_file/{timeline_file_id}

Retrieves the Timeline File for the designated Workflow Run.

After a successful call, a 302 Found HTTP status is returned with a pre-signed URL to download the Timeline File in the Location header.

The Timeline File should be available some time after its generation was triggered by calling the Create Timeline File endpoint. However, the generation time varies depending on the size of the Workflow Run, with Workflows Runs having more tasks and media captured taking more time to generate the file.

Path parameters

workflow_run_id (required): the unique identifier of the Workflow Run for which you want to retrieve a Timeline File.

timeline_file_id (required): the unique identifier of the Timeline File.

Note: The Timeline File may contain sensitive personal identifiable information (PII). The pre-signed URLs allow downloading the Timeline File and should be handled carefully.

Retrieve Timeline File for Workflow Run
1GET /v3.6/workflow_runs/<WORKFLOW_RUN_ID>/timeline_file/<TIMELINE_FILE_ID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Biometric tokens

Biometric tokens are securely encrypted data that contain media embeddings (such as motion captures) along with relevant identifiers. These tokens are symmetrically encrypted by Onfido to ensure the security and privacy of the biometric information. Please refer to the Studio guide for generating biometric tokens.

Biometric token object

AttributeDescription
uuidstring
The unique identifier of the biometric token.
inserted_atdatetime (ISO-8601)
The date and time at which the biometric token was created.
media_typestring
The biometric media type.
statusstring
The status of the biometric token (e.g. approved, declined ...).
Example biometric token object
1HTTP/1.1 200 Created
2Content-Type: application/json
3
4{
5 "biometric_token": {
6 "data": {
7 "inserted_at": "2024-08-19T17:50:50.130998Z",
8 "media_type": "motion_capture",
9 "status": "approved"
10 },
11 "uuid": "<BIOMETRIC_TOKEN_UUID>"
12 }
13}

List biometric tokens

GET
/v3.6/biometric_tokens/{customer_user_id}

Lists all the biometric token identifiers that belong to a customer_user_id. A customer_user_id is an identifier that uniquely identifies the customer's end-user, regardless of Onfido's applicant.

Note: The customer user ID will default to the applicant ID if not specified at workflow creation.

Returns data in the form: [<LIST_OF_TOKEN_IDENTIFIERS>].

Query string parameters

customer_user_id (required): A free-form unique string that identifies a user, passed at workflow run creation.

List all biometric tokens for a specific applicant
1GET /v3.6/biometric_tokens/<CUSTOMER_USER_ID> HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Retrieve biometric token details

GET
/v3.6/biometric_tokens/{customer_user_id}/{biometric_token_uuid}

Retrieves a single biometric token. Returns the corresponding biometric token object.

Retrieve a single biometric token object
1GET /v3.6/biometric_tokens/<CUSTOMER_USER_ID>/<BIOMETRIC_TOKEN_ID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Invalidate all biometric tokens

DELETE
/v3.6/biometric_tokens/{customer_user_id}

Invalidates all biometric tokens for a given customer_user_id. If successful, returns a 200 OK response.

Invalidates all biometric tokens
1DELETE /v3.6/biometric_tokens/<CUSTOMER_USER_ID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Invalidate a single biometric token

DELETE
/v3.6/biometric_tokens/{customer_user_id}/{biometric_token_uuid}

Invalidates a single biometric token for a given customer_user_id. If successful, returns a 200 OK response.

Invalidates a single biometric token
1DELETE /v3.6/biometric_tokens/<CUSTOMER_USER_ID>/<BIOMETRIC_TOKEN_UUID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Update a single biometric token status

PUT
/v3.6/biometric_tokens/{customer_user_id}/{biometric_token_uuid}

Updates a biometric token's status. Returns the updated biometric token object.

This endpoint can be used to manually approve a biometric token

Update a single biometric token
1PUT /v3.6/biometric_tokens/<CUSTOMER_USER_ID>/<BIOMETRIC_TOKEN_UUID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7 "status": "approved"
8}

Report Types

Document report

This API documentation offers detailed information about the structure of a Document report, including an example of the report's result and its breakdowns.

For a more general introduction to the Document report, you can read our product documentation.

After you've familiarised yourself with the information here, you can read our guide on suggested client actions for different result scenarios.

There are 6 different types of Document reports:

Request body in APINotes
"report_names": ["document"]Primary Document report
"report_names": ["document_video"]Document Video report
"report_names": ["document_with_address_information"]In beta
"report_names": ["document_video_with_address_information"]In beta
"report_names": ["document_with_driving_licence_information"]Will soon be deprecated
"report_names": ["document_with_driver_verification"]In beta

Document with Address Information, Document Video with Address Information and Document with Driver Verification Document are in beta, while Document with Driving Licence Information will soon be deprecated. They are supersets of the Document report which add functionality for specific use cases. Contact your account manager for more information about the features in these reports.

By default, the most recently uploaded document will be used.

To specify which uploaded document to run the Document report against in the API, or specify document IDs extracted from the Onfido SDK callback, use the document_ids field. This takes an array of up to 3 strings (3 document IDs):

"document_ids": ["<DOCUMENT_ID>"]

The Document report is composed of data integrity, visual authenticity and police record checks. It checks the internal and external consistency of the document provided by the applicant to identify potential discrepancies.

In addition, any data extracted from the document is returned in the properties attribute.

The Document report combines software and an expert team to maximise fraud detection. The majority of documents will be processed instantly. However, when document analysis falls back to expert review, the report status will be delivered asynchronously via webhook notifications.

Expert review is required when we encounter images that use sophisticated counterfeiting techniques, or the image is of poor quality (blurred, low resolution, obscured, cropped, or held at an unreadable angle).

Supported Documents

In your Onfido Dashboard, you can configure which documents you want to accept in your verification workflow, filtering according to issuing country and document type.

When an applicant submits a restricted document (i.e. a document not included in your supported documents), the Supported document breakdown of the Document Report will flag as consider, producing a sub-result of reject.

Near Field Communication (NFC)

If available, the Document report uses NFC to validate the document's chip in order to verify the document. In this case, the visual authentication, image integrity and data consistency checks will not be performed.

NFC is only available via the Onfido mobile SDKs. Please read our NFC for Document report guide for details on how to integrate and use NFC for Document reports.

You can view the full list of supported documents for NFC.

Repeat attempts

You can also use our repeat attempts endpoint to request a list of repeat attempt matches for Document reports. A repeat attempt is any previous Document report that was submitted using a document that matches other previously onboarded documents in your Onfido database. This can indicate instances of repeat fraud where users submit multiple requests using the same document but with different personal data.

Required applicant data

For Document reports, first_name and last_name must be provided but can be sample values if you don't know an applicant's name.

Document type and issuing country

If you’re creating a check containing a Document report, we do not validate that the properties type and issuing_country in the uploaded document match extracted values (which are returned in the Document report object).

Document report: Object

Our newly expanded OpenAPI specification is also a resource for understanding the Document report response object structure.

We host a separate page which contains a detailed description of the Document report object values from an API user's perspective.

Results

The result field indicates the overall report result. Possible values for Document reports are clear and consider:

Report resultDescription
clearIf all underlying verifications pass, the overall result will be clear.
considerIf the report has returned information that needs to be evaluated, the overall result will be consider.

Sub-results

The sub_result field indicates a more detailed result, and is unique to Document reports. Possible values of sub_result are as follows:

Sub-resultDescription
clearIf all underlying verifications pass, the overall sub result will be clear. There are no indications the document is fraudulent.
cautionWe can't successfully complete all verifications, but this doesn’t necessarily point to a suspected document (for example, expired document).
suspectedDocument shows signs of suspect fraud.
rejectedWe can't process the document image, or the document isn't supported by Onfido for processing. Another reason is if the age of the applicant is too low (the standard threshold is 16 years old but you can write to your Onfido contact to have this changed).

Document report: Breakdowns

Breakdowns can have the values clear, consider and null.

A breakdown will have the result consider when at least one sub-breakdown contains a consider or unidentified result. For example, a consider result for the mrz sub-breakdown will produce a consider result for the data_validation breakdown. This will then also set the report sub_result value to suspected.

A breakdown will have the result null when it has not been completed, or is not available. For example, issuing_authority will return null if NFC is not available or inconclusive.

Some breakdowns contain sub-breakdowns. For example, the image_integrity breakdown comprises the sub-breakdowns supported_document, image_quality, colour_picture and conclusive_document_quality.

The possible values for sub-breakdowns are clear, consider, null and unidentified.

Breakdown order priority

Breakdown sub-results have the following order of priority:

rejected->suspected->caution->clear

For example, a caution sub-result will only ever be asserted when the following conditions are met:

  • no individual breakdown has caused a rejected or suspected sub-result
  • a breakdown which maps to a caution sub-result has been flagged

Breakdown mapping

Breakdowns and sub-breakdowns are mapped to particular sub-results. Certain mappings can be changed, where possible, depending on your configuration.

Diagram showing the possible breakdowns and sub-breakdowns for a Document report.

Note: Some breakdowns have sub-breakdowns that are mapped to different sub-results. For example, in the Data Validation breakdown, gender, document_numbers, expiry_date, date_of_birth, mrz and barcode map to suspected whereas document_expiration maps to caution. Note: When a sub-breakdown mapped to a rejected sub-result is flagged, all other breakdowns and the document properties will be omitted from the response object.

Breakdown descriptions and logic

data_comparison:

Establishes whether the data provided by the applicant matches the data extracted from the document. This breakdown is only returned if Comparison Checks are enabled for your account. Otherwise, the breakdown and its sub-breakdowns are returned as null and will not affect the final report result. To enable Comparison Checks, please contact Client Support.

We compare the following fields:

  • first_name
  • last_name
  • date_of_birth
  • gender

first_name and last_name can be configured to use a fuzzy or exact mechanism for the comparison. We take into account all available names for comparison, including spouse, widow or alias names.

date_of_birth and gender will always be compared using an exact mechanism.

Fuzzy comparison

Fuzzy comparison allows for greater flexibility during comparison, catering for discrepancies which may occur, for example, when an applicant uses their middle or spouse name, or there's been an extraction error.

Note:

  • When an applicant hasn’t provided data the sub-breakdown result is null for the missing field
  • When an applicant has provided names but names have not been extracted from the document, the sub-breakdown result is consider
  • When an applicant has provided date of birth and/or gender, but these fields have not been extracted from the document, the sub-breakdown result is null

Any other sub-breakdowns present under data_comparison in the document report object exist only for legacy reasons.

data_validation:

Asserts whether the format and length of the fields are correct for that document type. Uses the following sub-breakdowns:

  • gender
  • date_of_birth
  • document_numbers
  • document_expiration 1
  • expiry_date 2
  • mrz
  • barcode
  1. If this is flagged, the document has expired. Onfido uses UTC as a fixed reference point for the current date and time when the dates are compared.
  2. If this is flagged, the expiration date has the incorrect format or the date is in the past.

age_validation:

Asserts whether the age calculated from the document’s date of birth data point is greater than or equal to the minimum accepted age set at account level. The default minimum accepted age is 16 years. Configurable to set a different minimum age value. Onfido uses UTC as a fixed reference point for the current date and time when the applicant's age is calculated.

Uses the following sub-breakdown:

  • minimum_accepted_age

image_integrity:

Asserts whether the document was of sufficient quality to verify. Uses the following sub-breakdowns:

  • image_quality:

    Asserts whether the quality of the image was sufficient for processing.

  • conclusive_document_quality:

    A result of clear for this sub-breakdown will assert if the document was of enough quality to be able to perform a fraud inspection. A result of consider will mean that even if sub breakdowns of visual_authenticity fail, we cannot positively say the document is fraudulent or not (in cases such as parts of the document are not visible).

  • supported_document:

    Asserts whether the submitted document is supported. Takes value of clear or unidentified.

  • colour_picture:

    Asserts whether the image was a colour one. A black and white picture will map to a caution Document report sub-result. Configurable to map to rejected.

visual_authenticity:

Asserts whether visual (non-textual) elements are correct given the document type. Uses the following sub-breakdowns:

  • fonts:

    Fonts in the document don’t match the expected ones.

  • picture_face_integrity:

The pictures of the person identified on the document show signs of tampering or alteration. In most cases this will focus on the primary picture yet it may also apply to the secondary and tertiary pictures when documents contain them.

  • template:

    The document doesn’t match the expected template for the document type and country it is from.

  • security_features:

    Security features expected on the document are missing or wrong.

  • original_document_present:

    The document was not present when the photo was taken. For example, a photo of a photo of a document or a photo of a computer screen. Configurable to map to caution instead of suspected.

  • digital_tampering:

    Indication of digital tampering in the image (for example, name altered).

  • other:

    This sub-breakdown is returned for backward compatibility reasons. Its value will be consider when at least one of the other breakdowns is consider, and clear when all the other breakdowns are clear.

  • face_detection:

    No face was detected on the document.

data_consistency:

Asserts whether data represented in multiple places on the document is consistent. For example, between MRZ lines and OCR extracted text on passports. Uses the following sub-breakdowns:

  • multiple_data_sources_present1
  • document_type
  • gender
  • date_of_expiry
  • nationality
  • issuing_country
  • document_numbers
  • date_of_birth
  • last_name
  • first_name
  1. multiple_data_sources_present is for cases where we don’t obtain a US barcode because it wasn’t extracted, wasn’t decoded, or wasn’t there at all (e.g. if the back of the document wasn’t available). It acts as a validation for the data_consistency breakdown: if 2 sources are present, then data consistency is possible and the other sub-breakdowns are enabled. multiple_data_sources_present can be disabled if needed. In this case, it will be returned as null and have no impact on the sub-result.

police_record:

Asserts whether the document has been identified as lost, stolen or otherwise compromised. Applies to all documents that have been reported as stolen or fraudulent to the UK Metropolitan Police.

This breakdown is only returned if Police Record Checks are enabled for your account. Otherwise, the breakdown and its sub-breakdowns are returned as null and will not affect the final report result. To enable Police Record Checks, please contact Client Support.

compromised_document:

Asserts whether the image of the document has been found in our internal database.

  • document_database:

    Asserts whether the document is publicly available as compromised.

  • repeat_attempts:

    Asserts whether the document has been reused in a suspicious way.

issuing_authority:

Asserts whether data on the document matches the issuing authority data. Uses the following sub-breakdowns:

  • nfc_active_authentication:

    Asserts whether the document NFC chip is original or cloned.

  • nfc_passive_authentication:

    Asserts whether the document NFC chip data was tampered with.

If NFC is completed, the visual authentication, image integrity and data consistency checks will not be performed and the breakdowns will be null.1

  1. You can configure your account to always trigger Visual Document Verification if nfc_active_authentication is returned as null (even if nfc_passive_authentication is clear). In this case, the visual authentication, image integrity and data consistency checks will be performed and the results returned in the breakdowns.

Document report: Breakdown reasoning

We will return a reason whenever a report flags for one of the following breakdowns:

  • visual_authenticity : original_document_present

  • image_integrity : conclusive_document_quality

  • image_integrity : image_quality

  • image_integrity : supported_document

This works by returning the contributing reason and corresponding fail result (a consider result) in the breakdown properties.

There can be more than one reason per breakdown, as they aren’t mutually exclusive.

All other signals and potential reasons will be omitted.

The following diagram illustrates this logic:

Diagram showing the possible reasons for a Document report to be flagged.

Original Document Present reasons:

photo_of_screen - When we can see that the applicant's document is on a physical screen or device, e.g. when the device is visible, software applications are seen, a computer cursor is present, or the pixels on the image appearing to have a different texture than expected

screenshot - When the applicant has used their mobile phone, tablet, or computer to take a photo within the device, e.g. when software applications are seen, the time and mobile provider are visible, or any digitally added component that wouldn't be seen on a physical document, such as an upload icon

document_on_printed_paper - when the applicant has previously captured an image of the document, printed it out, and has now taken a photo of this print out to upload, e.g. when the edges of the paper are visible, when there are fold creases on the paper, or the document's edges blending into the background and appearing flat

scan - When the document has clearly been captured using a scanner and there are visible indicators of this, e.g. unusual shadows on the edges of the document, or written text around the document

Conclusive Document Quality reasons:

obscured_data_points - This refers to when data points are obscured to the point that we cannot confirm if the fonts match the expected ones

obscured_security_features - This refers to whenever a critical security feature is obscured. This can also refer to when the holder's wet signature, necessary for the document to be valid, is not present

abnormal_document_features - This refers to when something other than obscuration of data points and security features makes the document insufficient to be assessed (i.e. poor image resolution, poor lighting, distortions due to capturing devices, misalignment due to cracks, visual alterations due to cases/laminates, some stickers etc.)

watermarks_digital_text_overlay - Any digital text or electronic watermarks on the document

corner_removed - If the corner has been physically cut off. This can be found on some documents that are no longer valid

punctured_document - A punched hole is present. This can be found on DLs that are no longer valid, for example

missing_back - When the back of a document is needed for processing (e.g. for key data points to extract), but is not available (e.g. if the same front was uploaded twice)

digital_document - When a document has been published digitally, there aren’t enough security features to review so we cannot perform a full fraud assessment

Image Quality reasons:

dark_photo - When an image of the document is too dark to be able to see data points

glare_on_photo - When there is light reflecting on the document causing glare to obstruct data points

blurred_photo - When data points are blurred and no reference can be made elsewhere in the document or if the data points are too blurry and 'they could be something else' (e.g. "I" could be "1", "B" could be "8")

covered_photo - When data points have been covered either by the applicant or by another object such as a sticker

other_photo_issue - Any other reason not listed, such as when holograms are obscuring data points

damaged_document - When a document is damaged and we are unable to make out data points

incorrect_side - When the incorrect side of a document has been uploaded, and we have not received the front

cut_off_document - When data points are not included in the image due to the document being cut off (i.e. out of the frame of the image)

no_document_in_image - If no document has been uploaded or there is a blank image

two_documents_uploaded - When 2 different documents are submitted in the same check

Supported Document reasons:

onfido_supported_document - When the Onfido product doesn't support the requested document

custom_supported_document - When the client's configured custom rules don't support the requested document

sanctioned_issuing_country - When a document is issued by a country subject to comprehensive US sanctions (you can find the list of countries here). The breakdown will return consider and a sub-result of rejected for the document report, as well as a property indicating that the document is not a supported document due to sanctions

Example Document report object
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "breakdown": {
6 "age_validation": {
7 "breakdown": {
8 "minimum_accepted_age": {
9 "properties": {},
10 "result": "clear"
11 }
12 },
13 "result": "clear"
14 },
15 "compromised_document": {
16 "breakdown": {
17 "document_database": {
18 "properties": {},
19 "result": "clear"
20 },
21 "repeat_attempts": {
22 "properties": {},
23 "result": "clear"
24 }
25 },
26 "result": "clear"
27 },
28 "data_comparison": {
29 "breakdown": {
30 "date_of_birth": {
31 "properties": {},
32 "result": "clear"
33 },
34 "date_of_expiry": {
35 "properties": {},
36 "result": null
37 },
38 "document_numbers": {
39 "properties": {},
40 "result": null
41 },
42 "document_type": {
43 "properties": {},
44 "result": null
45 },
46 "first_name": {
47 "properties": {},
48 "result": "clear"
49 },
50 "gender": {
51 "properties": {},
52 "result": null
53 },
54 "issuing_country": {
55 "properties": {},
56 "result": null
57 },
58 "last_name": {
59 "properties": {},
60 "result": "clear"
61 }
62 },
63 "result": "clear"
64 },
65 "data_consistency": {
66 "breakdown": {
67 "date_of_birth": {
68 "properties": {},
69 "result": "clear"
70 },
71 "date_of_expiry": {
72 "properties": {},
73 "result": "clear"
74 },
75 "document_numbers": {
76 "properties": {},
77 "result": "clear"
78 },
79 "document_type": {
80 "properties": {},
81 "result": "clear"
82 },
83 "first_name": {
84 "properties": {},
85 "result": "clear"
86 },
87 "gender": {
88 "properties": {},
89 "result": "clear"
90 },
91 "issuing_country": {
92 "properties": {},
93 "result": "clear"
94 },
95 "last_name": {
96 "properties": {},
97 "result": "clear"
98 },
99 "multiple_data_sources_present": {
100 "properties": {},
101 "result": "clear"
102 },
103 "nationality": {
104 "properties": {},
105 "result": "clear"
106 }
107 },
108 "result": "clear"
109 },
110 "data_validation": {
111 "breakdown": {
112 "date_of_birth": {
113 "properties": {},
114 "result": "clear"
115 },
116 "document_expiration": {
117 "properties": {},
118 "result": "clear"
119 },
120 "document_numbers": {
121 "properties": {},
122 "result": "clear"
123 },
124 "expiry_date": {
125 "properties": {},
126 "result": "clear"
127 },
128 "gender": {
129 "properties": {},
130 "result": "clear"
131 },
132 "mrz": {
133 "properties": {},
134 "result": "clear"
135 },
136 "barcode": {
137 "properties": {},
138 "result": "clear"
139 }
140 },
141 "result": "clear"
142 },
143 "image_integrity": {
144 "breakdown": {
145 "colour_picture": {
146 "properties": {},
147 "result": "clear"
148 },
149 "conclusive_document_quality": {
150 "properties": {},
151 "result": "clear"
152 },
153 "image_quality": {
154 "properties": {},
155 "result": "clear"
156 },
157 "supported_document": {
158 "properties": {},
159 "result": "clear"
160 }
161 },
162 "result": "clear"
163 },
164 "police_record": {
165 "result": "clear"
166 },
167 "visual_authenticity": {
168 "breakdown": {
169 "digital_tampering": {
170 "properties": {},
171 "result": "clear"
172 },
173 "face_detection": {
174 "properties": {},
175 "result": "clear"
176 },
177 "fonts": {
178 "properties": {},
179 "result": "clear"
180 },
181 "original_document_present": {
182 "properties": {},
183 "result": "clear"
184 },
185 "other": {
186 "properties": {},
187 "result": "clear"
188 },
189 "picture_face_integrity": {
190 "properties": {},
191 "result": "clear"
192 },
193 "security_features": {
194 "properties": {},
195 "result": "clear"
196 },
197 "template": {
198 "properties": {},
199 "result": "clear"
200 }
201 },
202 "result": "clear"
203 },
204 "issuing_authority": {
205 "breakdown": {
206 "nfc_active_authentication": {
207 "properties": {},
208 "result": null
209 },
210 "nfc_passive_authentication": {
211 "properties": {},
212 "result": null
213 }
214 },
215 "result": null
216 }
217 },
218 "check_id": "<CHECK_ID>",
219 "created_at": "2021-03-22T17:13:12Z",
220 "documents": [
221 {
222 "id": "<DOCUMENT_ID>"
223 }
224 ],
225 "href": "/v3.6/reports/<REPORT_ID>",
226 "id": "<REPORT_ID>",
227 "name": "document",
228 "properties": {
229 "date_of_birth": "1990-01-01",
230 "date_of_expiry": "2030-01-01",
231 "document_numbers": [
232 {
233 "type": "document_number",
234 "value": "999999999"
235 }
236 ],
237 "document_type": "passport",
238 "first_name": "Jane",
239 "gender": "",
240 "issuing_country": "GBR",
241 "last_name": "Doe",
242 "nationality": ""
243 },
244 "result": "clear",
245 "status": "complete",
246 "sub_result": "clear"
247}

Document video report

For a general introduction to the Document Video Report, you can read our product documentation.

To request a Document Video Report as part of a check in the API, use the report_names field (which takes an array of strings):

"report_names": ["document_video"]

Note: When creating checks with the API, document_ids is a required parameter for Document Video Report.

Document video report: Breakdown reasoning

The image_integrity breakdown of the Document Video Report response includes a video_document_presence sub-breakdown, which has the results clear and unidentified.

video_document_presence also has a property, called invalid_signature. If the media signature of a recorded video is not valid, the property will return consider, and the sub-breakdown will return unidentified. In this case, the Document Video Report will be rejected.

With a clear report result, the following snippet is an example showing what is added to the Document report response object:

json
1"image_integrity": {
2 "breakdown": {
3 "video_document_presence": {
4 "properties": {},
5 "result": "clear"
6 }
7 },
8 "result": "clear"
9 },

BETA Document report options

Document with Address Information

This report is in beta. Contact your account manager for more information about the features in this report.

To request a Document with Address Information report as part of a check in the API, use the report_names field (which takes an array of strings):

"report_names": ["document_with_address_information"]

By default, the most recently uploaded document will be used.

If you use this report, Onfido will use a third-party subprocessor for address cleansing after the address has been extracted.

To specify which uploaded document to run the Document with Address Information report against in the API, use the document_ids field. This takes an array of up to 2 strings (2 document IDs):

"document_ids": ["<DOCUMENT_ID>"]

For a clear result, the following snippet is an example showing what is added to the Document report response object:

json
1...
2 "address_lines": {
3 "city": "EDINBURGH",
4 "country": "United Kingdom (UK)",
5 "postal_code": "EH1 9GP",
6 "state": "",
7 "street_address": "122 BURNS CRESCENT",
8 "country_code": "GBR"
9 },
10 "address": "<ADDRESS_STRING>",
11...

Contact your account manager for more information about the features in the Document with Address Information report.

Document Video Report with Address Information

This report is in beta. Contact your account manager for more information about the features in this report.

To request a Document Video with Address Information report as part of a check in the API, use the report_names field (which takes an array of strings):

"report_names": ["document_video_with_address_information"]

By default, the most recently uploaded document will be used.

If you use this report, Onfido will use a third-party subprocessor for address cleansing after the address has been extracted.

To specify which uploaded document to run the Document Video with Address Information report against in the API, use the document_ids field. This takes an array of up to 2 strings (2 document IDs):

"document_ids": ["<DOCUMENT_ID>"]

For a clear result, the following snippet is an example showing what is added to the Document report response object:

json
1...
2 "address_lines": {
3 "city": "EDINBURGH",
4 "country": "United Kingdom (UK)",
5 "postal_code": "EH1 9GP",
6 "state": "",
7 "street_address": "122 BURNS CRESCENT",
8 "country_code": "GBR"
9 },
10 "address": "<ADDRESS_STRING>",
11...

Contact your account manager for more information about the features in the Document Video with Address Information report.

Document with Driving Licence Information

This report will soon be deprecated. We recommend that you use the Document with Driver Verification report instead.

To request a Document with Driving Licence Information report as part of a check in the API, use the report_names field (which takes an array of strings):

"report_names": ["document_with_driving_licence_information"]

By default, the most recently uploaded document will be used.

To specify which uploaded document to run the Document with Driving Licence Information report against in the API, use the document_ids field. This takes an array of up to 2 strings (2 document IDs):

"document_ids": ["<DOCUMENT_ID>"]

For a clear result, the following snippet is an example showing what is added to the Document report response object:

json
1...
2"driving_licence_information": [
3 {
4 "category": "A",
5 "codes": "79.03,79.04",
6 "expiry_date": "<YYYY-MM-DD>",
7 "obtainment_date": "<YYYY-MM-DD>"
8 },
9 {
10 "category": "A1",
11 "codes": "79.03,79.04",
12 "expiry_date": "<YYYY-MM-DD>",
13 "obtainment_date": "<YYYY-MM-DD>"
14 },
15 {
16 "category": "AM",
17 "codes": "",
18 "expiry_date": "<YYYY-MM-DD>",
19 "obtainment_date": "<YYYY-MM-DD>"
20 },
21 {
22 "category": "B",
23 "codes": "",
24 "expiry_date": "<YYYY-MM-DD>",
25 "obtainment_date": "<YYYY-MM-DD>"
26 }
27 ],
28...

The report must be completed using a manual only review process to guarantee the driving license data is extracted.

Contact your account manager for more information about the features in the Document with Driving Licence Information report.

[Document with Driver Verification]

This report is in beta. Contact your account manager for more information about the features in this report.

To request a Document with Driver Verification report as part of a check in the API, use the report_names field (which takes an array of strings):

"report_names": ["document_with_driver_verification"]

By default, the most recently uploaded document will be used.

To specify which uploaded document to run the Document with Driver Verification report against in the API, use the document_ids field. This takes an array of up to 2 strings (2 document IDs):

"document_ids": ["<DOCUMENT_ID>"]

For a clear result, the following table is an example showing what properties are added to the Document report response object:

PropertyDescriptionValue type
"drivers_licence"True when determined to be a non-restricted driving licence (applicant older than 18 years, and no restricted categories detected in the licence title)Boolean
"restricted_licence"True for limited/restricted driving licences, including learner's permitsBoolean
"raw_licence_category"Underlying, non-normalised, licence category (e.g. "Junior operators license")String or Empty
"raw_vehicle_classes"Comma-separated vehicle classes that the user is qualified forString or Empty
"vehicle_class_details"Detailed classes/categories informationArray of objects or Empty
"vehicle_class_details[].categoryVehicle class/categoryString
"vehicle_class_details[].codesSpecial conditions driver must meetString or Empty
"vehicle_class_details[].obtainment_dateCategory obtainment dateString
"vehicle_class_details[].expiry_dateCategory expiry dateString or Empty
"manual_transmission_restriction"True if the user is not qualified to drive a manual transmissionBoolean or Empty
"passenger_vehicle"Normalised data for passenger carsObject or Empty
"passenger_vehicle.permision_to_drive"Whether they are qualified for a passenger car, such as a “B” class in the UKString or Empty
"passenger_vehicle.obtainment_date"Date the class qualification was obtainedString or Empty
"passenger_vehicle.expiry_date"Date the class qualification expires, which may be different to doc expiryString or Empty

Example:

json
1...
2
3"drivers_licence": true,
4"restricted_licence": false,
5"raw_licence_category": "DRIVER LICENSE",
6"raw_vehicle_classes": "AM,B",
7"vehicle_class_details": [{
8 "category": "AM",
9 "obtainment_date": "2020-05-12",
10 "expiry_date": "2030-05-12"
11 },
12 {
13 "category": "B",
14 "obtainment_date": "2020-05-12",
15 "expiry_date": "2030-05-12"
16 }
17]
18
19...

Contact your account manager for more information about the features in the Document with Driver Verification report.

Facial Similarity reports

This API documentation offers detailed information about the structure of a Facial Similarity report, including an example of the report's result and its breakdowns.

For a more general introduction to the Facial Similarity report, you can read our product documentation.

After you've familiarised yourself with the information here, you can read our guide on [suggested client guide/facial-similarity-reports/#suggested-client-actions) for different result scenarios.

Creating a check with a Facial Similarity report will cause you to process facial biometric personal data. Always make sure you inform your users about this and obtain any necessary permissions. For more information on how Onfido uses personal data, view our Privacy Policy.

There are 4 different types of Facial Similarity report:

Report nameRequest body in API
Photo"report_names": ["facial_similarity_photo"]
Photo Fully Auto"report_names": ["facial_similarity_photo_fully_auto"]
Video"report_names": ["facial_similarity_video"]
Motion"report_names": ["facial_similarity_motion"]

All Facial Similarity reports will compare the most recent live photo, live video or motion capture provided by the applicant to the face on the specified document or NFC media provided during check creation in the document_ids field.

"document_ids": ["<DOCUMENT_ID>"]

By default, the most recently uploaded document specified will be used. If unspecified, the most recently uploaded document will be used.

Where the document has two sides, we will search both sides of the document for a face. Where the document has been scanned using NFC, we will use the face extracted from the document's NFC chip.

When document IDs are associated with a Facial Similarity report, the document IDs of the documents used will be returned under the documents attribute of the report object.

When side is not specified, it will take a default value of front. We recommend that all documents contain the side attribute, as this minimises the cases where the back of the document is used for comparison and thus failed as no face is detected.

Required applicant data

For all Facial Similarity report types, first_name and last_name must be provided but can be sample values if you don't know an applicant's name.

Facial Similarity Photo

If applicant_provides_data is true, the Facial Similarity Photo report needs to be paired with a Document report.

Facial Similarity Photo: Object

The following table describes the unique fields returned in this version of the Onfido API for a completed Facial Similarity Photo report:

AttributeFormatPossible values
resultString"clear", "consider"
image_integrityString or null"clear", "consider", null
(sub-breakdown) face_detectedString or null"clear", "consider", null
(sub-breakdown) source_integrity1String or null"clear", "consider", null
face_comparisonString or null"clear", "consider", null
(sub-breakdown) face_match2String or null"clear", "consider", null
visual_authenticityString or null"clear", "consider", null
(sub-breakdown) spoofing_detection3String or null"clear", "consider", null

1: source_integrity may contain reasons under the properties bag (see Facial Similarity Photo: Source Integrity)

2: face_match contains a score value and document_id unique identifier under the properties bag (see Facial Similarity Photo: Face Match properties)

3: spoofing_detection contains a score value under the properties bag (see Facial Similarity Photo: Spoofing Detection Score)

A breakdown or sub-breakdown will have the result null when it has not been completed. This occurs when it is not available, or has failed to process the media due to a timeout or an internal error. In this case, the report will go to manual review.

Facial Similarity Photo: Breakdowns

BreakdownDescription
image_integrityobject
Asserts whether the quality and integrity of the uploaded files were sufficient to perform a face comparison.
(sub-breakdown) face_detectedobject
Asserts a single face of good enough quality has been found in both the document image and the live photo.
(sub-breakdown) source_integrityobject
Asserts whether the live photo is trustworthy - i.e. not digitally tampered, from a fake webcam, or from other dubious sources.
face_comparisonobject
Asserts whether the face in the document matches the face in the live photo.
(sub-breakdown) face_matchobject
Contains a score value and document_id unique identifier for the matched document under the properties bag (see Facial Similarity Photo: Match properties).
visual_authenticityobject
Asserts whether the person in the live photo is real (not a spoof).
(sub-breakdown) spoofing_detectionobject
Contains a score value under the properties bag (see Facial Similarity Photo: Spoofing Detection Score).

Facial Similarity Photo: Source Integrity

We will return a reason whenever a report flags for source_integrity. This works by returning the contributing reason and a consider result in the source_integrity breakdown properties. There can be more than one reason, because they aren’t mutually exclusive. All other signals and potential reasons will be omitted.

For Facial Similarity Photo, the source_integrity sub-breakdown is composed of the following properties:

  • digital_tampering - when evidence is found that the image was manipulated by Photoshop, or other software
  • fake_webcam - when evidence is found that a fake webcam was used
  • time_of_capture - when evidence is found that the live photo was taken more than 24 hours before live photo upload
  • emulator - when evidence is found that an Android emulator was used
  • payload_integrity - when evidence is found that the payload was tampered with
  • sanctioned_document_country - when a document is issued by a country subject to comprehensive US sanctions (you can find the list of countries here). The report (either in conjunction with or separate from a document report) will return a consider result, accompanied by a reasons property clarifying that it is not supported due to sanctions
  • reasons - additional comma separated details such as the exact digital tampering software used, or the name of the fake webcam

Facial Similarity Photo: Face Match properties

The face_match breakdown contains a properties object with a score value and document_id unique identifier.

  • The score value is a floating point number between 0 and 1 that expresses how similar the two faces are, where 1 is a perfect match.

If the face matching algorithm fails to detect a face, the score property will not be present and the face matching task will be done manually. The score only measures how similar the faces are, and does not make an assessment of the nature of the photo. If spoofing (such as photos of printed photos or photos of digital screens) is detected the applicant will be rejected independently of the face match score.

  • document_id returns the UUID for the document containing the extracted face that was used for face matching.

If no face is detected, no document is recorded and the property is returned as null.

Facial Similarity Photo: Spoofing Detection Score

The spoofing_detection breakdown contains a properties object with a score value. This score is a floating point number between 0 and 1. The closer the score is to 0, the more likely it is to be a spoof (i.e. photos of printed photos, or photos of digital screens). Conversely, the closer it is to 1, the less likely it is to be a spoof.

Example Facial Similarity Photo report object
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "created_at": "2019-12-11T09:39:05Z",
6 "href": "/v3.6/reports/<REPORT_ID>",
7 "id": "<REPORT_ID>",
8 "name": "facial_similarity_photo",
9 "properties": {},
10 "result": "clear",
11 "status": "complete",
12 "sub_result": null,
13 "breakdown": {
14 "face_comparison": {
15 "result": "clear",
16 "breakdown": {
17 "face_match": {
18 "result": "clear",
19 "properties": {
20 "score": 0.6512,
21 "document_id": "<DOCUMENT_ID>"
22 }
23 }
24 }
25 },
26 "image_integrity": {
27 "result": "clear",
28 "breakdown": {
29 "face_detected": {
30 "result": "clear",
31 "properties": {}
32 },
33 "source_integrity": {
34 "result": "clear",
35 "properties": {}
36 }
37 }
38 },
39 "visual_authenticity": {
40 "result": "clear",
41 "breakdown": {
42 "spoofing_detection": {
43 "result": "clear",
44 "properties": {
45 "score": 0.9512
46 }
47 }
48 }
49 }
50 },
51 "check_id": "<CHECK_ID>",
52 "documents": []
53}

Photo Fully Auto

If applicant_provides_data is true, the Photo Fully Auto report needs to be paired with a Document report.

Photo Fully Auto: Object

The following table describes the unique fields returned in this version of the Onfido API for a completed Photo Fully Auto report:

AttributeFormatPossible values
resultString"clear", "consider"
image_integrityString or null"clear", "consider", null
(sub-breakdown) face_detectedString or null"clear", "consider", null
(sub-breakdown) source_integrity1String or null"clear", "consider", null
face_comparisonString or null"clear", "consider", null
(sub-breakdown) face_match2String or null"clear", "consider", null
visual_authenticityString or null"clear", "consider", null
(sub-breakdown) spoofing_detection3String or null"clear", "consider", null

1: source_integrity may contain reasons under the properties bag (see Source Integrity for Photo Fully Auto)

2: face_match contains a score value and document_id unique identifier under the properties bag (see Face Match properties for Photo Fully Auto)

3: spoofing_detection contains a score value under the properties bag (see Spoofing Detection Score for Photo Fully Auto)

Photo Fully Auto: Breakdowns

BreakdownDescription
image_integrityobject
Asserts whether the quality and integrity of the uploaded files were sufficient to perform a face comparison.
(sub-breakdown) face_detectedobject
Asserts a single face of good enough quality has been found in both the document image and the live photo.
(sub-breakdown) source_integrityobject
Asserts whether the live photo is trustworthy - i.e. not digitally tampered, from a fake webcam, or from other dubious sources.
face_comparisonobject
Asserts whether the face in the document matches the face in the live photo.
(sub-breakdown) face_matchobject
Contains a score value and document_id unique identifier for the matched document under the properties bag (see Face Match properties for Fully Auto).
visual_authenticityobject
Asserts whether the person in the live photo is real (not a spoof).
(sub-breakdown) spoofing_detectionobject
Contains a score value under the properties bag (see Spoofing Detection Score for Fully Auto).

Photo Fully Auto: Source Integrity

We will return a reason whenever a report flags for source_integrity. This works by returning the contributing reason and a consider result in the source_integrity breakdown properties. There can be more than one reason, because they aren’t mutually exclusive. All other signals and potential reasons will be omitted.

For Photo Fully Auto, the source_integrity sub-breakdown is composed of the following properties:

  • digital_tampering - when evidence is found that the image was manipulated by Photoshop, or other software
  • fake_webcam - when evidence is found that a fake webcam was used
  • time_of_capture - when evidence is found that the live photo was taken more than 24 hours before live photo upload
  • emulator - when evidence is found that an Android emulator was used
  • payload_integrity - when evidence is found that the payload was tampered with
  • sanctioned_document_country - when a document is issued by a country subject to comprehensive US sanctions (you can find the list of countries here). The report (either in conjunction with or separate from a document report) will return a consider result, accompanied by a reasons property clarifying that it is not supported due to sanctions
  • reasons - additional comma separated details such as the exact digital tampering software used, or the name of the fake webcam

Photo Fully Auto: Face Match properties

The face_match breakdown contains a properties object with a score value and document_id unique identifier.

  • The score value is a floating point number between 0 and 1 that expresses how similar the two faces are, where 1 is a perfect match.

If the face matching algorithm fails to detect a face, the score property will not be present. The score only measures how similar the faces are, and does not make an assessment of the nature of the photo. If spoofing (such as photos of printed photos or photos of digital screens) is detected the applicant will be rejected independently of the face match score.

  • document_id returns the UUID for the document containing the extracted face that was used for face matching.

If no face is detected, no document is recorded and the property is returned as null.

Photo Fully Auto: Spoofing Detection Score

The spoofing_detection breakdown contains a properties object with a score value. This score is a floating point number between 0 and 1. The closer the score is to 0, the more likely it is to be a spoof (i.e. photos of printed photos, or photos of digital screens). Conversely, the closer it is to 1, the less likely it is to be a spoof.

If the anti-spoofing algorithm fails to detect a face, the score property will not be present.

Example Photo Fully Auto report object
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "created_at": "2020-01-01T14:16:21Z",
6 "href": "/v3.6/reports/<REPORT_ID>",
7 "id": "<REPORT_ID>",
8 "name": "facial_similarity_photo_fully_auto",
9 "result": "clear",
10 "status": "complete",
11 "sub_result": null,
12 "breakdown": {
13 "visual_authenticity": {
14 "result": "clear",
15 "breakdown": {
16 "spoofing_detection": {
17 "result": "clear",
18 "properties": {
19 "score": 0.9901
20 }
21 }
22 }
23 },
24 "image_integrity": {
25 "result": "clear",
26 "breakdown": {
27 "face_detected": {
28 "result": "clear",
29 "properties": {}
30 },
31 "source_integrity": {
32 "result": "clear",
33 "properties": {}
34 }
35 }
36 },
37 "face_comparison": {
38 "result": "consider",
39 "breakdown": {
40 "face_match": {
41 "result": "consider",
42 "properties": {
43 "score": 0.2097,
44 "document_id": "<DOCUMENT_ID>"
45 }
46 }
47 }
48 }
49 },
50 "check_id": "<CHECK_ID>"
51}

Facial Similarity Video

In the Facial Similarity Video report, live videos are collected and uploaded by one of the Onfido SDKs (iOS, Android or Web).

Checks where applicant_provides_data is true are not compatible with Facial Similarity Video reports.

In addition to confirming the two faces match, Facial Similarity Video assesses active liveness by asking users to repeat randomly generated numbers and perform a random head movement. This prevents impersonation - for example masks, and deep fakes displayed on digital screens. This process is reflected in visual_authenticity, which is composed of the sub-breakdowns spoofing_detection and liveness_detected. See Facial Similarity Video Object and Facial Similarity Video Breakdowns.

In order for a Facial Similarity Video report to complete automatically, the user needs to turn their head in the correct direction and correctly say the 3 randomly generated digits in one of our supported languages (see table below).

Language nameLanguage code
English"en"
Spanish"es"
Italian"it"
Indonesian"id"
German"de"
French"fr"
Portuguese"pt"
Polish"pl"
Japanese"ja"
Dutch"nl"
Romanian"ro"
Basque"eu"
Catalan"ca"
Galician"gl"
Chinese"cn"
Turkish"tr"
Malay"ms"

If the user does not say the correct digits, or speak in another language, the live video will be reviewed by an analyst for evidence of spoofing.

SDK localization

We recommend that you localize the strings if you're using one of the Onfido SDKs, so the user is more likely to understand the liveness headturn and speaking instructions.

The Onfido voice processor will attempt to detect the language the user is speaking. This will be more successful if you pass the code for the expected language to the locale mechanism, in any of the Onfido SDKs:

  • iOS SDK - pass the onfido_locale parameter
  • Android SDK - pass the onfido_locale parameter
  • Web SDK - pass the locale parameter

Some string localisations are available out of the box, but this differs depending on the SDK.

You can also provide your own custom translations to your users.

Facial Similarity Video: Object

The following table describes the unique fields returned in this version of the Onfido API for a completed Facial Similarity Video report:

AttributeFormatPossible values
resultString"clear", "consider"
image_integrityString or null"clear", "consider", null
(sub-breakdown) face_detectedString or null"clear", "consider", null
(sub-breakdown) source_integrity1String or null"clear", "consider", null
face_comparisonString or null"clear", "consider", null
(sub-breakdown) face_match2String or null"clear", "consider", null
visual_authenticityString or null"clear", "consider", null
(sub-breakdown) spoofing_detection3String or null"clear", "consider", null
(sub-breakdown) liveness_detectedString or null"clear", "consider", null

1: source_integrity may contain reasons under the properties bag (see Facial Similarity Video: Source Integrity)

2: face_match contains a score value and document_id unique identifier under the properties bag (see Facial Similarity Video: Face Match properties)

3: spoofing_detection contains a score value under the properties bag (see Facial Similarity Video: Spoofing Detection Score)

Facial Similarity Video: Breakdowns

BreakdownDescription
face_comparisonobject
Asserts whether the face in the document matches the face in the live video.
(sub-breakdown) face_matchobject
Contains a score value and document_id unique identifier for the matched document under the properties bag (see Facial Similarity Video: Face Match properties).
image_integrityobject
Asserts whether the quality of the uploaded files and the content contained within them were sufficient to perform a face comparison.
(sub-breakdown) face_detectedobject
Asserts a single face of good enough quality has been found in both the document image and in the live video.
(sub-breakdown) source_integrityobject
Asserts whether the live video is trustworthy - e.g. not from a fake webcam.
visual_authenticityobject
Asserts whether the person in the live video is real (not a spoof) and live.
(sub-breakdown) spoofing_detectionobject
Asserts whether the live video is not a spoof (such as videos of digital screens).
(sub-breakdown) liveness_detectedobject
Asserts whether the numbers and head movements were correctly executed.

Facial Similarity Video: Source Integrity

We will return a reason whenever a report flags for source_integrity. This works by returning the contributing reason and a consider result in the source_integrity breakdown properties. There can be more than one reason, because they aren’t mutually exclusive. All other signals and potential reasons will be omitted.

For Facial Similarity Video, the source_integrity sub-breakdown is composed of the following properties:

  • fake_webcam - when evidence is found that a fake webcam was used
  • emulator - when evidence is found that an Android emulator was used
  • payload_integrity - when evidence is found that the payload was tampered with
  • sanctioned_document_country - when a document is issued by a country subject to comprehensive US sanctions (you can find the list of countries here). The report (either in conjunction with or separate from a document report) will return a consider result, accompanied by a reasons property clarifying that it is not supported due to sanctions
  • challenge_reuse - when evidence is found that the video was uploaded in an attempt to circumvent the randomness of the speaking and head turn challenges
  • reasons - additional comma separated details, such as the name of the fake webcam

Facial Similarity Video: Face Match properties

The face_match breakdown contains a properties object with a score value and document_id unique identifier.

  • The score value is a floating point number between 0 and 1 that expresses how similar the two faces are, where 1 is a perfect match.

If the face matching algorithm fails to detect a face, the score property will not be present and the face matching task will be done manually. The score only measures how similar the faces are, and does not make an assessment of the nature of the live video. If spoofing (such as videos of digital screens, masks or print-outs) is detected the applicant will be rejected independently of the face match score.

  • document_id returns the UUID for the document containing the extracted face that was used for face matching.

If no face is detected, no document is recorded and the property is returned as null.

Facial Similarity Video: Spoofing Detection Score

The spoofing_detection breakdown contains a properties object with a score value. This score is a floating point number between 0 and 1. The closer the score is to 0, the more likely it is to be a spoof (i.e. videos of digital screens, masks or print-outs). Conversely, the closer it is to 1, the less likely it is to be a spoof.

The score value is based on passive facial information only, regardless of whether or not the user said the expected digits or turned their head in the correct direction. For example, a user who performs no action but is a real person should receive a score close to 1.

Example Facial Similarity Video report object
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "created_at": "2019-12-11T10:06:38Z",
6 "href": "/v3.6/reports/<REPORT_ID>",
7 "id": "<REPORT_ID>",
8 "name": "facial_similarity_video",
9 "properties": {},
10 "result": "clear",
11 "status": "complete",
12 "sub_result": null,
13 "breakdown": {
14 "face_comparison": {
15 "result": "clear",
16 "breakdown": {
17 "face_match": {
18 "result": "clear",
19 "properties": {
20 "score": 0.6512,
21 "document_id": "<DOCUMENT_ID>"
22 }
23 }
24 }
25 },
26 "image_integrity": {
27 "result": "clear",
28 "breakdown": {
29 "face_detected": {
30 "result": "clear",
31 "properties": {}
32 },
33 "source_integrity": {
34 "result": "clear",
35 "properties": {}
36 }
37 }
38 },
39 "visual_authenticity": {
40 "result": "clear",
41 "breakdown": {
42 "liveness_detected": {
43 "result": "clear",
44 "properties": {}
45 },
46 "spoofing_detection": {
47 "result": "clear",
48 "properties": {
49 "score": 0.9512
50 }
51 }
52 }
53 }
54 },
55 "check_id": "<CHECK_ID>",
56 "documents": []
57}

Facial Similarity Motion

In the Facial Similarity Motion report, motion captures are collected and uploaded by one of the Onfido SDKs (iOS, Android or Web).

Checks where applicant_provides_data is true are not compatible with Facial Similarity Motion reports.

In addition to confirming the two faces match, Facial Similarity Motion assesses liveness by asking users to complete a head turn in both directions. This process is reflected in visual_authenticity, which is composed of the sub-breakdowns spoofing_detection and liveness_detected. See Facial Similarity Motion Object and Facial Similarity Motion Breakdowns.

Facial Similarity Motion reports always complete automatically.

Facial Similarity Motion: Object

The following table describes the unique fields returned in this version of the Onfido API for a completed Facial Similarity Motion report:

AttributeFormatPossible values
resultString"clear", "consider"
image_integrityString or null"clear", "consider", null
(sub-breakdown) face_detectedString or null"clear", "consider", null
(sub-breakdown) source_integrity1String or null"clear", "consider", null
face_comparisonString or null"clear", "consider", null
(sub-breakdown) face_match2String or null"clear", "consider", null
visual_authenticityString or null"clear", "consider", null
(sub-breakdown) spoofing_detection3String or null"clear", "consider", null
(sub-breakdown) liveness_detectedString or null"clear", "consider", null

1: source_integrity may contain reasons under the properties bag (see Facial Similarity Motion: Source Integrity)

2: face_match contains a score value and document_id unique identifier under the properties bag (see Facial Similarity Motion: Face Match Properties)

3: spoofing_detection contains a score value under the properties bag (see Facial Similarity Motion: Spoofing Detection Score)

Facial Similarity Motion: Breakdowns

BreakdownDescription
face_comparisonobject
Asserts whether the face in the document matches the face in the motion capture.
(sub-breakdown) face_matchobject
Contains a score value and document_id unique identifier for the matched document under the properties bag (see Facial Similarity Motion: Face Match properties).
image_integrityobject
Asserts whether the quality of the uploaded files and the content contained within them were sufficient to perform a face comparison.
(sub-breakdown) face_detectedobject
Asserts a face of good enough quality has been found in both the document image and in the motion capture.
(sub-breakdown) source_integrityobject
Asserts whether the motion capture is trustworthy - e.g. not from a fake webcam.
visual_authenticityobject
Asserts whether the person in the motion capture is real (not a spoof) and live.
(sub-breakdown) spoofing_detectionobject
Asserts whether the motion capture is not a spoof (such as videos of digital screens).
(sub-breakdown) liveness_detectedobject
Asserts whether the head movements were correctly executed.

Facial Similarity Motion: Source Integrity

We will return a reason whenever a report flags for source_integrity. This works by returning the contributing reason and a consider result in the source_integrity breakdown properties. There can be more than one reason, because they aren’t mutually exclusive. All other signals and potential reasons will be omitted.

For Facial Similarity Motion, the source_integrity sub-breakdown is composed of the following properties:

  • fake_webcam - when evidence is found that a fake webcam was used
  • emulator - when evidence is found that an Android emulator was used
  • payload_integrity - when evidence is found that the payload was tampered with
  • sanctioned_document_country - when a document is issued by a country subject to comprehensive US sanctions (you can find the list of countries here). The report (either in conjunction with or separate from a document report) will return a consider result, accompanied by a reasons property clarifying that it is not supported due to sanctions
  • reasons - additional comma separated details, such as the name of the fake webcam

Facial Similarity Motion: Face Match Properties

The face_match breakdown contains a properties object with a score value and document_id unique identifier.

  • The score value is a floating point number between 0 and 1 that expresses how similar the two faces are, where 1 is a perfect match.

The score only measures how similar the faces are, and does not make an assessment of the nature of the motion capture. If spoofing (such as videos of digital screens, masks or print-outs) is detected the applicant will be rejected independently of the face match score.

  • document_id returns the UUID for the document containing the extracted face that was used for face matching.

If no face is detected, no document is recorded and the property is returned as null.

Facial Similarity Motion: Spoofing Detection Score

The spoofing_detection breakdown contains a properties object with a score value. This score is a floating point number between 0 and 1. The closer the score is to 0, the more likely it is to be a spoof (i.e. videos of digital screens, masks or print-outs). Conversely, the closer it is to 1, the less likely it is to be a spoof.

The score value is based on passive facial information only, regardless of whether or not the user performed the head turn. For example, a user who performs no action but is a real person should receive a score close to 1.

Example Facial Similarity Motion report object
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "check_id": "<CHECK_ID>",
6 "created_at": "2022-12-11T15:14:58Z",
7 "documents": [
8 {
9 "id": "<DOCUMENT_ID>"
10 }
11 ],
12 "href": "/v3.6/reports/<REPORT_ID>",
13 "id": "<REPORT_ID>",
14 "name": "facial_similarity_motion",
15 "properties": {},
16 "result": "clear",
17 "status": "complete",
18 "sub_result": null,
19 "breakdown": {
20 "face_comparison": {
21 "result": "clear",
22 "breakdown": {
23 "face_match": {
24 "result": "clear",
25 "properties": {
26 "score": 0.6512,
27 "document_id": "<DOCUMENT_ID>"
28 }
29 }
30 }
31 },
32 "image_integrity": {
33 "result": "clear",
34 "breakdown": {
35 "face_detected": {
36 "result": "clear",
37 "properties": {}
38 },
39 "source_integrity": {
40 "result": "clear",
41 "properties": {}
42 }
43 }
44 },
45 "visual_authenticity": {
46 "result": "clear",
47 "breakdown": {
48 "liveness_detected": {
49 "result": "clear",
50 "properties": {}
51 },
52 "spoofing_detection": {
53 "result": "clear",
54 "properties": {
55 "score": 0.9512
56 }
57 }
58 }
59 }
60 }
61}

Suggested client actions

We host a guide on our Developer Hub for suggested client actions in specific scenarios for clients using our Facial Similarity reports.

Known Faces report

This API documentation offers detailed information about the structure of a Known Faces report, including an example of the report's result and its breakdowns.

For a more general introduction to the Known Faces report, you can read our product documentation.

The Known Faces report requires that we keep a database of facial biometric identifiers (personal data) so that individuals can be identified in future checks. Always make sure you inform your users about this and obtain any necessary permissions. For more information on how Onfido uses personal data, view our Privacy Policy.

Each applicant you run a Known Faces report against must have an uploaded live photo, live video or motion capture.

If no live photo, live video or motion capture is found, the Known Faces report will be automatically withdrawn and return an error in the report properties:

json
1"properties":{
2 "reason": "Report withdrawn due to missing media (photo, video or motion capture) required for processing."
3}

It is highly recommended the Known Faces report always be run in conjunction with a Facial Similarity report. Only faces processed through Facial Similarity are kept on the database. Thus, although it can be requested on its own, a Known Faces report can only match against applicants who have previously gone through a Facial Similarity report.

No matches will be returned against any permanently deleted applicants.

To request a Known Faces report as part of a check in the API, use the report_names field (which takes an array of strings):

"report_names": ["known_faces"]

Required applicant data

For Known Face reports, first_name and last_name must be provided but can be sample values if you don't know an applicant's name.

Known Faces: Object

The following table describes the unique fields returned in this version of the Onfido API for a completed Known Faces report:

AttributeFormatPossible values
resultString"clear", "consider"
previously_seen_facesString or null1"clear", "consider" , null
image_integrityString"clear", "consider"
  1. null is returned when image_integrity is "consider". This is because, when no face is detected in the input media, there is nothing to match against previously seen faces.

Known Faces: Breakdowns

BreakdownDescription
previously_seen_facesobject
Asserts whether the applicant's most recent facial media (live photo or live video) matches any other live photos or live videos already in your Onfido account database. Only matches where the suspected field is true will be considered.
image_integrityobject
Asserts whether the uploaded live photo or live video and the content contained within it were of sufficient quality to perform a face comparison.

Known Faces: Properties

The Known Faces response will return any matching applicant IDs as entries inside a matches array under a properties bag. Each applicant ID has a corresponding score and the media type (for example live_photos, live_videos), as well as the corresponding UUID for that media type. For example, the live photo or live video ID.

Only matches where the suspected field is true should be considered as possible fraud. This is determined by fuzzy matching the report's applicant name and matched applicants' names. This can have a value of false only if the fuzzy name matching feature for Known Faces reports is enabled in your account.

The score attribute is a floating point number between 0 and 1 that expresses how similar the two faces are, where 1 is a perfect match.

json
1"matches": [
2 {
3 "applicant_id": "NTH_MATCHED_APPLICANT_ID",
4 "score": 0.9915,
5 "media_id": "LIVE_PHOTO_ID",
6 "media_type": "live_photos",
7 "suspected": true
8 }
9]

If matches are found and any of them is suspected, the result will be consider. Conversely, if none of the matches are suspected, the result will be clear.

Example Known Faces report object
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "created_at": "2020-06-19T09:44:14Z",
6 "documents": [],
7 "href": "/v3.6/reports/<REPORT_ID>",
8 "id": "<REPORT_ID>",
9 "name": "known_faces",
10 "properties": {
11 "matches": [
12 {
13 "applicant_id": "<1ST_MATCHED_APPLICANT_ID>",
14 "score": 1,
15 "media_id": "<1ST_MEDIA_ID>",
16 "media_type": "live_photos",
17 "suspected": false
18 },
19 {
20 "applicant_id": "<2ND_MATCHED_APPLICANT_ID>",
21 "score": 1,
22 "media_id": "<2ND_MEDIA_ID>",
23 "media_type": "live_videos",
24 "suspected": true
25 },
26 {
27 "applicant_id": "<3RD_MATCHED_APPLICANT_ID>",
28 "score": 0.8903,
29 "media_id": "<3RD_MEDIA_ID>",
30 "media_type": "live_photos",
31 "suspected": false
32 },
33 {
34 "applicant_id": "<4TH_MATCHED_APPLICANT_ID>",
35 "score": 0.8903,
36 "media_id": "<4TH_MEDIA_ID>",
37 "media_type": "live_photos",
38 "suspected": false
39 },
40 {
41 "applicant_id": "<5TH_MATCHED_APPLICANT_ID>",
42 "score": 0.8903,
43 "media_id": "<5TH_MEDIA_ID>",
44 "media_type": "motion",
45 "suspected": false
46 }
47 ]
48 },
49 "result": "consider",
50 "status": "complete",
51 "sub_result": null,
52 "breakdown": {
53 "previously_seen_faces": {
54 "result": "consider"
55 },
56 "image_integrity": {
57 "result": "clear"
58 }
59 },
60 "check_id": "<CHECK_ID>"
61}

Identity Enhanced report

This API documentation offers detailed information about the structure of a Identity Enhanced report, including an example of the report's result and its breakdowns.

For a more general introduction to the Identity Enhanced report, you can read our product documentation.

For verification checks containing Identity Enhanced reports, the applicant's last name must have at least 2 characters.

Required applicant data

For Identity Enhanced reports, the following applicant data must be provided:

The applicant address object is nested inside the applicant object. You must provide full address information in the request. The address field will not return a match if only address.postcode is provided.

Alternatively, you can provide addresses in the form line1, line2 and line3. If you provide address data in this form, Onfido uses a third-party subprocessor for address cleansing.

For more details, you can review the full list of supported countries with required and recommended data.

If you don't provide date of birth or address information in the request, a consider response with no breakdown information is returned. This is an invalid response and should be interpreted as a failed report.

Supported countries for Identity Enhanced

You can review the full list of supported countries for Identity Enhanced reports.

This is not a list of documents that Onfido supports: you can review that list separately.

Identity Enhanced: Report object

The report object varies depending on the applicant's address country field.

United Kingdom

Example report object where the applicant's address is in the United Kingdom.

Sources (credit_agencies, voting_register, telephone_database) are displayed as breakdowns with their own result value.

Example UK Identity Enhanced report object
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "created_at": "2019-10-03T15:54:20Z",
6 "href": "/v3.6/reports/<REPORT_ID>",
7 "id": "<REPORT_ID>",
8 "name": "identity_enhanced",
9 "properties": {
10 "matched_address": 19099121,
11 "matched_addresses": [
12 {
13 "id": 19099121,
14 "match_types": [
15 "credit_agencies",
16 "voting_register"
17 ]
18 }
19 ]
20 },
21 "result": "clear",
22 "status": "complete",
23 "sub_result": null,
24 "breakdown": {
25 "sources": {
26 "result": "clear",
27 "breakdown": {
28 "total_sources": {
29 "result": "clear",
30 "properties": {
31 "total_number_of_sources": "3"
32 }
33 }
34 }
35 },
36 "address": {
37 "result": "clear",
38 "breakdown": {
39 "credit_agencies": {
40 "result": "clear",
41 "properties": {
42 "number_of_matches": "1"
43 }
44 },
45 "telephone_database": {
46 "result": "clear",
47 "properties": {}
48 },
49 "voting_register": {
50 "result": "clear",
51 "properties": {}
52 }
53 }
54 },
55 "date_of_birth": {
56 "result": "clear",
57 "breakdown": {
58 "credit_agencies": {
59 "result": "clear",
60 "properties": {}
61 },
62 "voting_register": {
63 "result": "clear",
64 "properties": {}
65 }
66 }
67 },
68 "mortality": {
69 "result": "clear"
70 }
71 },
72 "check_id": "<CHECK_ID>",
73 "documents": []
74}

United States

Example report object where the applicant's address is in the United States.

Any elements that are positively matched will be returned as clear in the report object breakdowns, including the source or sources of the database match in the properties field. When a match cannot be found (i.e. result is not clear) the corresponding properties bucket will be empty as such "properties":{}.

The report includes Social Security Number for a US applicant as an additional match under the ssn breakdown. This breakdown will not be returned if a SSN is not provided.

If an Identity enhanced report includes a Social Security Number breakdown, this will be returned in the ssn object for a report that was run using the using the https://api.us.onfido.com/ base URL, and ssn1 for a report that was run using the https://api.eu.onfido.com/ base URL.

Example US Identity Enhanced report object (with Social Security Number provided)
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "check_id": "<CHECK_ID>",
6 "created_at": "2022-05-06T08:44:54Z",
7 "documents": [],
8 "href": "/v3.6/reports/<REPORT_ID>",
9 "id": "<REPORT_ID>",
10 "name": "identity_enhanced",
11 "properties": {},
12 "result": "clear",
13 "status": "complete",
14 "sub_result": null,
15 "breakdown": {
16 "date_of_birth": {
17 "result": "clear",
18 "breakdown": {
19 "date_of_birth_matched": {
20 "result": "clear",
21 "properties": {
22 "sources": "Credit Agencies"
23 }
24 }
25 }
26 },
27 "address": {
28 "result": "clear",
29 "breakdown": {
30 "address_matched": {
31 "result": "clear",
32 "properties": {
33 "sources": "Credit Agencies, Telephone Database"
34 }
35 }
36 }
37 },
38 "ssn": {
39 "result": "clear",
40 "breakdown": {
41 "last_4_digits_match": {
42 "result": "clear",
43 "properties": {}
44 },
45 "full_match": {
46 "result": "clear",
47 "properties": {}
48 }
49 }
50 }
51 }

Non UK or US

Example report object where the applicant's address is not the United Kingdom or United States.

Sources are shown as comma separated under properties.

The report includes national_id_number_matched for a non UK or non US applicant as an additional match under the national_id_number breakdown. This breakdown will not be returned if a National ID Number is not provided or unsupported for the applicant's country.

Non UK/US Identity Enhanced report object
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "check_id": "<CHECK_ID>",
6 "created_at": "2022-05-06T08:44:54Z",
7 "documents": [],
8 "href": "/v3.6/reports/<REPORT_ID>",
9 "id": "<REPORT_ID>",
10 "name": "identity_enhanced",
11 "properties": {},
12 "result": "clear",
13 "status": "complete",
14 "sub_result": null,
15 "breakdown": {
16 "date_of_birth": {
17 "result": "clear",
18 "breakdown": {
19 "date_of_birth_matched": {
20 "result": "clear",
21 "properties": {
22 "sources": "Credit Agencies"
23 }
24 }
25 }
26 },
27 "address": {
28 "result": "clear",
29 "breakdown": {
30 "address_matched": {
31 "result": "clear",
32 "properties": {
33 "sources": "Credit Agencies, Telephone Database"
34 }
35 }
36 }
37 },
38 "national_id_number": {
39 "result": "clear",
40 "breakdown": {
41 "national_id_number_matched": {
42 "result": "clear",
43 "properties": {
44 "sources": "Government",
45 "type": "Identity Card"
46 }
47 }
48 }
49 }
50 }
51}

Identity Enhanced report custom logic

We've moved this content.

Watchlist reports

This API documentation offers detailed information about the structure of a Watchlist report, including an example of the report's result and its breakdowns.

For a more general introduction to the Watchlist report, you can read our product documentation.

There are 5 different types of Watchlist report:

Report nameRequest body in API
Watchlist AML"report_names": ["watchlist_aml"]
Watchlist Enhanced"report_names": ["watchlist_enhanced"]
Watchlist Standard"report_names": ["watchlist_standard"]
Watchlist PEPs Only"report_names": ["watchlist_peps_only"]
Watchlist Sanctions Only"report_names": ["watchlist_sanctions_only"]

Watchlist AML

The Watchlist AML report provides a granular breakdown of any records found when screening global watchlists and media sources. These include:

  • sanction: Government and International Organisations Sanctions Lists
  • politically_exposed_person: Proprietary database of Politically Exposed Persons sourced from government lists, websites and other media sources
  • legal_and_regulatory_warnings: Law-Enforcement and Regulatory bodies Monitored Lists (including Terrorism, Money Laundering and Most Wanted lists)
  • adverse_media: Negative events reported by publicly and generally available media sources
The Watchlist AML report is 6AMLD compliant.

Records

If no match is found against the subject, the records field will read [] and the overall result will be clear.

If one or more matches are found, each match will be returned under records and the overall result will be consider.

As matches are done based on the available information, none of these properties are guaranteed to be present in the response.

FieldDescription
associatesstring
Any linked persons, for example family relatives or business partners
keywordsstring
last_updated_utcstring
The date and time the entry was last updated
entity_typestring
Should always be "person"
sourcesstring
Where the information was obtained, for example "PEPs list"
typesstring
The type of the source, for example "pep-class-1"
namestring
The name on file. Allows for custom cross-referencing of input details against output details
external_idstring
Returns an empty string
match_typesstring
The type of match, for example, "name_exact"
related_urlsstring
URL to the data source
picture_urlsstring
URL to the picture of the individual found in the match
all_dobsstring
All the date of births on file. Allows for custom cross-referencing of input details against output details
report_idinteger
The ID of the report
entity_fields_dobsstring
Date of birth
entity_fields_dodstring
Date of death
entity_fields_podstring
Place of birth
entity_fields_ofacstring
Office of Foreign Assets Control (OFAC) ID
entity_fields_addressstring
Address
entity_fields_countriesstring
Countries

Where applicable, if multiple values are found from the raw response, string concatenation with a delimiter of ", " is used.

Entity fields are additional, optional fields so they may not be present in the final result.

Required applicant data

For watchlist_aml reports, first_name and last_name must be provided.

dob

address[]postcode (ZIP code in US)

address[]country

address[]state (required for US addresses)

Date of birth

Submitting a date_of_birth with the name is optional but recommended, to narrow the search of the relevant individual.

More than one date of birth might be found per match due to the nature of the data sources, such as newspaper articles, which might include someone's age but not their full date of birth.

Address

Submitting an address with the country is optional but recommended.

The applicant address object is nested inside the applicant object.

Results are filtered by country of operation or office, under these circumstances:

  • There are PEP matches only
  • There are PEP matches with Adverse Media

The country filter is not applied, or in other words, results will still appear regardless of the address country, under these circumstances:

  • There are adverse media matches only
  • Address does not have a country
  • Sanctions, Money Laundering or Terrorist related events will always appear even if the country filter is applied

If a match is found but the date_of_birth or address fields are null, this means there is no date_of_birth or address data on file associated with that match.

Example Watchlist AML report object
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "created_at": "2019-10-03T15:42:36Z",
6 "href": "/v3.6/reports/<REPORT_ID>",
7 "documents": [],
8 "id": "<REPORT_ID>",
9 "name": "watchlist_aml",
10 "properties": {
11 "records": []
12 },
13 "result": "clear",
14 "status": "complete",
15 "sub_result": null,
16 "breakdown": {
17 "sanction": {
18 "result": "clear"
19 },
20 "politically_exposed_person": {
21 "result": "clear"
22 },
23 "legal_and_regulatory_warnings": {
24 "result": "clear"
25 },
26 "adverse_media": {
27 "result": "clear"
28 }
29 },
30 "check_id": "<CHECK_ID>"
31}

Watchlist Enhanced

The Watchlist Enhanced report provides a granular breakdown of any records found when screening global watchlists. These include the following breakdowns:

  • sanction: Government and International Organisations Sanctions Lists.
  • politically_exposed_person: Proprietary database of Politically Exposed Persons sourced from government lists, websites and other media sources.
  • monitored_lists: Law-Enforcement and Regulatory bodies Monitored Lists (including Terrorism, Money Laundering and Most Wanted lists).
  • adverse_media: Negative events reported by publicly and generally available media sources.

Records

If no match is found against the subject, the records field will read [] and the overall result will be clear.

If one or more matches are found, each match will be returned under records and the overall result will be consider. Each event will correspond to a relevant category of list, which drives one of the breakdowns.

As matches are done based on the available information, none of these properties are guaranteed to be present in the response.

FieldDescriptionSub-fields
addressarray of objects
All addresses on file
address_line1
country
postal_code
state_province
town
locator_type
aliasarray of objects
Any names that the person is also known as
alias_name
alias_type
associatearray of objects
Any linked persons, for example family relatives or business partners
entity_name
relationship_direction
relationship_type
attributearray of objects
Information about the person, for example hair color or nationality
attribute_type
attribute_value
date_of_birtharray of DOB objects
All the date of births on file
eventarray of objects
Information about events that have occurred to the person, for example deportation or arrest
category
event_date
event_description
source (source_date, source_format, source_name)
sub_category
full_namestring
The name on file
positionarray of strings
The role, country and date of each position
sourcearray of objects
Details about where the information was obtained
source_headline
source_name
source_url

Required applicant data

For watchlist_enhanced reports, first_name and last_name must be provided.

dob

address[]postcode (ZIP code in US)

address[]country

address[]state (required for US addresses)

Date of birth

Submitting a date_of_birth with the name is optional but recommended, to narrow the search of the relevant individual.

More than one date of birth might be found per match due to the nature of the data sources, such as newspaper articles, which might include someone's age but not their full date of birth.

Address

Submitting an address with the country is optional but recommended.

The applicant address object is nested inside the applicant object.

Results are filtered by country of operation or office, under these circumstances:

  • There are PEP matches only
  • There are PEP matches with Adverse Media

The country filter is not applied, or in other words, results will still appear regardless of the address country, under these circumstances:

  • There are adverse media matches only
  • Address does not have a country
  • Sanctions, Money Laundering or Terrorist related events will always appear even if the country filter is applied

If a match is found but the date_of_birth or address fields are null, this means there is no date_of_birth or address data on file associated with that match.

Example Watchlist Enhanced report object
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "created_at": "2019-10-03T15:37:03Z",
6 "href": "/v3.6/reports/<REPORT_ID>",
7 "id": "<REPORT_ID>",
8 "name": "watchlist_enhanced",
9 "properties": {
10 "records": []
11 },
12 "result": "clear",
13 "status": "complete",
14 "sub_result": null,
15 "breakdown": {
16 "politically_exposed_person": {
17 "result": "clear"
18 },
19 "sanction": {
20 "result": "clear"
21 },
22 "adverse_media": {
23 "result": "clear"
24 },
25 "monitored_lists": {
26 "result": "clear"
27 }
28 },
29 "check_id": "<CHECK_ID>",
30 "documents": []
31}

Watchlist Standard

The Watchlist Standard report provides a granular breakdown of any records found when screening global watchlists. These include:

  • sanction: Government and International Organisations Sanctions Lists.
  • politically_exposed_person: Proprietary database of Politically Exposed Persons sourced from government lists, websites and other media sources.
  • legal_and_regulatory_warnings: Law-Enforcement and Regulatory bodies Monitored Lists (including Terrorism, Money Laundering and Most Wanted lists).

You can use a Watchlist PEPs Only report to search only PEPs lists, or a Watchlist Sanctions Only report to search only sanctions and warnings lists. The Watchlist Standard report will search all types.

Records

If no match is found against the subject, the records field will read [] and the overall result will be clear.

If one or more matches are found, each match will be returned under records and the overall result will be consider.

See Watchlist AML records for details of the possible fields.

Required applicant data

For watchlist_standard reports, first_name and last_name must be provided.

dob

address[]postcode (ZIP code in US)

address[]country

address[]state (required for US addresses)

The applicant address object is nested inside the applicant object. If you create an applicant object with an address, you must provide postcode and country, and state for US addresses.

If the applicant's address is provided, the address[]country field will narrow the search to include only PEPs who hold office in that country. The country filter will also be applied if an individual is both a PEP and has warnings or adverse media.

The country filter has no impact on sanctions results.

Example Watchlist Standard report object
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "created_at": "2019-10-03T15:42:36Z",
6 "href": "/v3.6/reports/<REPORT_ID>",
7 "id": "<REPORT_ID>",
8 "name": "watchlist_standard",
9 "properties": {
10 "records": []
11 },
12 "result": "clear",
13 "status": "complete",
14 "sub_result": null,
15 "breakdown": {
16 "sanction": {
17 "result": "clear"
18 },
19 "politically_exposed_person": {
20 "result": "clear"
21 },
22 "legal_and_regulatory_warnings": {
23 "result": "clear"
24 }
25 },
26 "check_id": "<CHECK_ID>",
27 "documents": []
28}

Watchlist PEPs Only

The Watchlist PEPs Only report is a subset of the Watchlist Standard report. It provides a granular breakdown of politically_exposed_person breakdown matches.

Each match will be returned under records and includes, but is not limited to: name of match, associates, date of birth, related keywords, type of list, name of list, and when the entry was last updated. When available, URLs to data sources are provided, as well as pictures of the individual found in the match. This allows you to quickly assess the relevancy of the match and eliminate false positives. See Watchlist AML records for details of the possible fields.

More than one date of birth might be found per match, due to the nature of the data sources, such as news papers articles, which might include someone's age but not their full date of birth.

Required applicant data

For watchlist_peps_only reports, first_name and last_name must be provided.

dob If the applicant's address is provided, the address[]country field will narrow the search to include only PEPs who hold office in that country. The country filter will also be applied if an individual is both a PEP and has warnings or adverse media.

The country filter has no impact on sanctions results.

Watchlist Sanctions Only

The Watchlist Sanctions Only report is a subset of the Watchlist Standard report. It provides a granular breakdown of sanction breakdown matches.

Each match will be returned under records and includes, but is not limited to: name of match, associates, date of birth, related keywords, type of list, name of list, and when the entry was last updated. When available, URLs to data sources are provided, as well as pictures of the individual found in the match. This allows you to quickly assess the relevancy of the match and eliminate false positives. See Watchlist AML records for details of the possible fields.

More than one date of birth might be found per match, due to the nature of the data sources, such as news papers articles, which might include someone's age but not their full date of birth.

Required applicant data

For Watchlist Sanctions Only reports, first_name and last_name must be provided.

dob

Proof of Address report

This API documentation offers detailed information about the structure of a Proof of Address report, including an example of the report's result and its breakdowns.

For a more general introduction to the Proof of Address report, you can read our product documentation.

Supported issuing countries

Documents issued by the following countries are supported for a PoA report:

  1. Group A:
  • Andorra
  • Gibraltar
  • Isle of Man
  • Jersey
  • Monaco
  • San Marino
  • Switzerland
  • United Kingdom
  1. Group B:
  • Canada
  • European Economic Area (excluding Greece, Cyprus and Bulgaria)
  • New Zealand
  1. Group C:
  • Algeria
  • Argentina
  • Australia
  • Bermuda
  • Brazil
  • British Virgin Islands
  • Bulgaria
  • Cayman Islands
  • Chile
  • Colombia
  • Costa Rica
  • Dominican Republic
  • Ecuador
  • Ethiopia
  • Ghana
  • Guatemala
  • Hong Kong
  • Indonesia
  • Ivory Coast
  • Jamaica
  • Japan
  • Kenya
  • Kuwait
  • Malaysia
  • Mexico
  • Nigeria
  • Panama
  • Peru
  • Philippines
  • Saudi Arabia
  • Senegal
  • Serbia
  • Singapore
  • South Africa
  • South Korea
  • Taiwan
  • Tanzania
  • Turkey
  • Uganda
  • Ukraine
  • United Arab Emirates
  • United States of America
  • Vietnam

You must set the issuing_country field to the corresponding country when uploading the document via the document upload endpoint.

If the issuing_country field is not specified or is from an unsupported country, the document will be uploaded however it will not be processed and the report will complete with the status set to withdrawn and the result set to null.

Applicants are able to upload documents from anywhere in the world, but the document must have been issued by a supported country and be a supported document for this report.

Required applicant data

For Proof of Address reports, the following applicant data must be provided:

first_name

last_name

address[]street

address[]town

address[]postcode

address[]country (must be a 3-letter ISO code e.g. "GBR")

The applicant address object is nested inside the applicant object. If you create an applicant object with an address, you must provide postcode and country, and state for US addresses.

Checks where applicant_provides_data is set to true are not compatible with Proof of Address reports.

Supported document types

The following document types are supported for a PoA report, along with its issue date validity based on document issuing country:

DocumentAPI Document typeGroup AGroup BGroup C
Bank Statement or Building Society Statementbank_building_society_statementLast 3 monthsLast 6 monthsLast 6 months
Utility Bill (electricity, water, gas, broadband, landline )utility_billLast 3 monthsLast 6 monthsLast 6 months
Local Government Tax Lettercouncil_taxLast 1 yearLast 6 months
Benefits Letter (e.g. Job seeker allowance, House benefits, Tax credits)benefit_lettersLast 1 yearLast 6 months
Mortgage statementmortgage_statementLast 1 yearLast 1 year
Mobile phone billmobile_phone_billLast 6 months
General letter (financial institution/utility company)general_letterLast 6 months
Insurance statement or brokerage statementinsurance_statementLast 6 months
Pension statement/letter or Property tax statement/letterpension_property_statement_letterLast 1 year
Identity document with addressidentity_document_with_addressMust not be expiredMust not be expired
Exchange House Statementexchange_house_statementLast 6 months
Accommodation or Tenancy Certificateaccommodation_tenancy_certificateLast 6 monthsLast 6 months

Local Government Tax Letters and Benefits Letter are only supported if issued by the UK.

Address certificates (address_certificate) are only supported if issued in Hungary and Turkey. If dates are present, address certificates must not be expired.

When uploading documents with 2 sides (e.g. identity_document_with_address), document_type should be specified and both sides of the document should be uploaded as separate documents, specifying side value for each one.

Exchange House Statements are only supported if provided from authorized issuers in the United Arab Emirates.

Kenya is the only Group C country that accepts Local Government Tax Letters.

Singapore is the only Group C country that accepts Mobile Phone Bills.

Proof of Address: Breakdowns

A PoA report is composed of the following 3 breakdowns:

BreakdownDescription
image_integrityobject
Asserts whether the quality of the uploaded document was sufficient to verify the address
document_classificationobject
Asserts whether the document is a supported document type and the document has a valid date of issue
data_comparisonobject
Asserts whether the first name, last name and address provided by the applicant match those on the PoA document
source_integrityobject
Asserts whether the source integrity of the uploaded document is sufficient to verify the address

Proof of Address: Properties

In addition, data points extracted from PoA documents are returned in the properties attribute.

FieldDescription
document_typeThis property provides the document type according to the set of supported documents
document_source_typeThis property provides the document source type
issue_dateThis property provides the issue date of the document
expiry_dateThis property provides the expiry date of the document
summary_period_startThis property provides the summary period start date
summary_period_endThis property provides the summary period end date
issuerThis property provides the document issuer (e.g. HSBC, British Gas)
first_namesThis property provides the first names on the document, including any initials and middle names
last_namesThis property provided the last names on the document
addressThis property provides the address on the document
address_parsedobject
This property provides a structured address
unsupported_document_reasonarray
The reasons why the document is unsupported (possible values include unsupported_doc_type, unsupported_alphabet, unsupported_country or possible_fraud).

Only the summary period or the issue date will be returned in the report properties attribute as they are mutually exclusive. Issue date may not be returned if document has only expiry date.

Document source types

The following document source types can be returned for a PoA report:

Source typeDescription
pdfDocument is a PDF file
photo_of_screenDocument is a photo of a monitor, phone, tablet etc. that was taken using another device
screenshotDocument is an image taken using the native screenshot function on a device
paper_documentDocument is a picture of the paper document

Proof of Address: Overall Result Logic

We've moved this content.

Example Proof of Address report object
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "created_at":"2021-04-27T14:51:35Z",
6 "documents":[],
7 "href":"/v3.6/reports/<REPORT_ID>",
8 "id":"<REPORT_ID>",
9 "name":"proof_of_address",
10 "properties":{
11 "document_type":"council_tax",
12 "document_source_type": "pdf",
13 "issuer":"city of london",
14 "issue_date":"2020-01-01",
15 "first_names":"John",
16 "last_names":"Smith",
17 "address":"123 sample street london xyz 1ab gbr",
18 "address_parsed":{
19 "country":"gbr",
20 "postcode":"1ab gbr",
21 "state":null,
22 "town":"london"
23 },
24 "unsupported_document_reason": [
25 "unsupported_doc_type",
26 "unsupported_alphabet",
27 "unsupported_country",
28 "possible_fraud"
29 ]
30 },
31 "result":"clear",
32 "status":"complete",
33 "sub_result":null,
34 "breakdown":{
35 "image_integrity":{
36 "result":"clear",
37 "breakdown":{
38 "image_quality":{
39 "result":"clear",
40 "properties":{}
41 }
42 }
43 },
44 "document_classification":{
45 "result":"clear",
46 "breakdown":{
47 "supported_document":{
48 "result":"clear",
49 "properties":{}
50 },
51 "valid_document_date":{
52 "result":"clear",
53 "properties":{}
54 }
55 }
56 },
57 "data_comparison":{
58 "result":"clear",
59 "breakdown":{
60 "first_name":{
61 "result":"clear",
62 "properties":{}
63 },
64 "last_name":{
65 "result":"clear",
66 "properties":{}
67 },
68 "address":{
69 "result":"clear",
70 "properties":{}
71 }
72 }
73 },
74 "source_integrity": {
75 "result": "clear",
76 "breakdown": {
77 "digital_tampering": {
78 "result": "clear",
79 "properties": {}
80 },
81 "visible_fraud": {
82 "result": "clear",
83 "properties": {}
84 }
85 }
86 }
87 },
88 "check_id":"<CHECK_ID>"
89}

Driver's License Data Verification report

This API documentation offers detailed information about the structure of a Driver's License Data Verification (DLDV) report, including an example of the report's result and its breakdowns.

For a more general introduction to the DLDV report, you can read our product documentation.

The DLDV report is for United States documents only.

To request a DLDV report as part of a check in the API, use the report_names field (which takes an array of strings):

"report_names": ["us_driving_licence"]

To upload document data, use the us_driving_licence field (which is an object containing all accepted fields for the DLDV report).

json
1...
2"report_names": ["us_driving_licence"],
3"us_driving_licence":{
4 "id_number": "<DRIVER_LICENCE_ID>", // required
5 "issue_state": "<TWO_LETTER_STATE_CODE>", // required
6 ... // all other optional fields
7 }
8...

See optional document data for a table of the accepted optional fields in the us_driving_licence object for a DLDV report.

See create a check for a full list of the possible request body parameters.

If you use this report, Onfido will use a third-party subprocessor to verify driving license data against the American Association of Motor Vehicle Administrators (AAMVA) facilitated Department of Motor Vehicles (DMV) driver's license database.

Required applicant data

For DLDV reports, first_name and last_name must be provided.

Required document data

For DLDV reports, the following document data must be provided in the report request in the us_driving_licence field:

FieldFormat
id_numberString
issue_stateString
(2-character state code)

Optional document data

The following optional fields are also accepted in the us_driving_licence object:

FieldFormatPossible values
address_line_1String
address_line_2String
cityString
date_of_birthDate
YYYY-MM-DD
document_categoryEnum"driver license", "driver permit", "id card"
expiration_dateDate
YYYY-MM-DD
eye_color_codeEnum"BLK", "BLU", "BRO", "DIC", "GRY", "GRN", "HAZ", "MAR", "PNK"
first_nameString
genderString
height_measure_feetInteger
height_measure_inchesInteger
issue_dateDate
YYYY-MM-DD
last_nameString
middle_nameString
name_suffixString
postal_codeString
stateString
(2-character state code)
weight_measureInteger
(in pounds)

Supported document types

  • US driver's license
  • US learner's permit or provisional license
  • ID card

A DLDV report does not require a document upload. Data is entered manually in the report request.

Supported Issue States

  • AR
  • AZ
  • CO
  • CT
  • DC
  • DE
  • HI
  • FL
  • IA
  • ID
  • IN
  • IL
  • KS
  • KY
  • MA
  • MD
  • ME
  • MI
  • MO
  • MS
  • MT
  • NC
  • ND
  • NE
  • NJ
  • NM
  • OH
  • PA
  • RI
  • SD
  • TN
  • TX
  • VA
  • VT
  • WI
  • WA
  • WY
  • GA
  • OR

DLDV: Results

The result field indicates the overall report result. Any optional fields submitted in the report request will be accounted for in the final result.

Possible values for DLDV reports are clear, consider and unidentified:

Report resultDescription
clearAll fields exact match
considerName fields have been flagged as a mismatch through fuzzy matching* or any optional fields don't match
unidentifiedID number or name field doesn't match

* Onfido's third-party subprocessor uses fuzzy matching on the name fields during DLDV checks. This is because information can be provided in many different ways and errors in data submission or collection can be quite high. Fuzzy matching allows capturing data variations.

DLDV: Breakdowns

Breakdowns can have a clear or consider result. Breakdowns will only have a clear result when all included sub-breakdowns are clear.

Breakdowndescriptionsub-breakdowns
documentobject
Asserts whether the document data provided matches a real driving license in the DMV driver's license database.
category
expiration_date
issue_date
document_number
addressobject
Asserts whether the address data provided matches a real driving license in the DMV driver's license database.
city
line_1
line_2
state_code
zip4
zip5
personalobject
Asserts whether the personal data provided matches a real driving license in the DMV driver's license database.
name_suffix
height
weight
sex_code
eye_color
date_of_birth
first_name
last_name
middle_name
first_name_fuzzy
middle_name_fuzzy
last_name_fuzzy
middle_initial
Example DLDV report object
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "created_at": "2021-03-26T19:51:37Z",
6 "documents": [],
7 "href": "/v3.6/reports/<REPORT_ID>",
8 "id": "<REPORT_ID>",
9 "name": "us_driving_licence",
10 "properties": {},
11 "result": "clear",
12 "status": "complete",
13 "sub_result": null,
14 "breakdown": {
15 "document": {
16 "result": "clear",
17 "breakdown": {
18 "category": {
19 "result": "clear",
20 "properties": {}
21 },
22 "expiration_date": {
23 "result": "clear",
24 "properties": {}
25 },
26 "issue_date": {
27 "result": "clear",
28 "properties": {}
29 },
30 "document_number": {
31 "result": "clear",
32 "properties": {}
33 }
34 }
35 },
36 "address": {
37 "result": "clear",
38 "breakdown": {
39 "city": {
40 "result": "clear",
41 "properties": {}
42 },
43 "line_1": {
44 "result": "clear",
45 "properties": {}
46 },
47 "line_2": {
48 "result": "clear",
49 "properties": {}
50 },
51 "state_code": {
52 "result": "clear",
53 "properties": {}
54 },
55 "zip4": {
56 "result": "clear",
57 "properties": {}
58 },
59 "zip5": {
60 "result": "clear",
61 "properties": {}
62 }
63 }
64 },
65 "personal": {
66 "result": "clear",
67 "breakdown": {
68 "first_name": {
69 "result": "clear",
70 "properties": {}
71 },
72 "name_suffix": {
73 "result": "clear",
74 "properties": {}
75 },
76 "height": {
77 "result": "clear",
78 "properties": {}
79 },
80 "weight": {
81 "result": "clear",
82 "properties": {}
83 },
84 "sex_code": {
85 "result": "clear",
86 "properties": {}
87 },
88 "eye_color": {
89 "result": "clear",
90 "properties": {}
91 },
92 "date_of_birth": {
93 "result": "clear",
94 "properties": {}
95 },
96 "last_name": {
97 "result": "clear",
98 "properties": {}
99 },
100 "middle_name": {
101 "result": "clear",
102 "properties": {}
103 },
104 "first_name_fuzzy": {
105 "result": "clear",
106 "properties": {}
107 },
108 "middle_name_fuzzy": {
109 "result": "clear",
110 "properties": {}
111 },
112 "last_name_fuzzy": {
113 "result": "clear",
114 "properties": {}
115 },
116 "middle_initial": {
117 "result": "clear",
118 "properties": {}
119 }
120 }
121 }
122 },
123 "check_id": "<CHECK_ID>"
124}

Device Intelligence report

This API documentation offers detailed information about the structure of a Device Intelligence report, including an example of the report's result and its breakdowns.

For a more general introduction to the Device Intelligence report, you intend read our product documentation.

The Device Intelligence report will be more effective and provide better data if you're using the Onfido SDKs and not sending the media via the API directly.

You can run Device Intelligence as a standalone report, but we recommend that you combine it with a Document or Facial Similarity report in the same check.

Required applicant data

For Device Intelligence reports, the following applicant data must be provided:

  • first_name and last_name
  • a document or biometric media upload via the Onfido SDKs

Raw signals collected

Signal groupingCategoryDescription
Onfido check dataUserOnfido operational data required for Onfido Services: Onfido User unique identifier, check status/outcome and related tracking information, inferences and outputs from Device Intelligence (e.g. risk score, risk level.)
User dataUserDocument number and other data extracted from any associated doc and bio check.
IP address informationIPIP address and IP address type, including associated geo-location city/region/country level location and detection of any IP masking tools such as a VPN or Proxy.
Device fingerprintDeviceDevice identifiers including audio and video fingerprint, canvas and WebGL fingerprinting.
Media uploaded by userMediaMedia itself, as well as any related metadata, such as complete EXIF extraction and other embedded metatags in media itself.
CameraDeviceCapture of camera feed and information like: camera name, microphone name, aspect ratio, resolution, frame rate, etc.
Device metadata & browser headersDeviceInformation about Users' device including hardware and software attributes (e.g. device type and model, manufacturer, operating system type and version (e.g. iOS or Android), browser type and version, user-agent, navigator, screen details, plugins, fonts, memory, WebGL, battery information, language, timezone, camera name, microphone name, aspect ratio, resolution, frame rate, etc.)
Onfido Device IDDeviceUnique identifier stored by Onfido in the device and used to verify re-use of the device.
End user interactionsUsage dataInformation about an end user’s interactions with the Services, including how the end user uses the Services such as date and time stamps, forms/fields completed, pointer and touch events, timezone offset, distraction events.
Application AuthenticityDeviceOperational data related to verification flow, used to check whether the device is using stolen security tokens.

Available for SDK versions iOS 22.4.0 +; Android 9.2.0 +; Web 5.10.0 +

Device Intelligence: Results

The result field indicates the overall report result.

Possible values for Device Intelligence reports are clear and consider:

Report resultDescription
clearThe applicant used a valid device and is not associated with suspicious behaviour, indicating they are a genuine user.
considerThe applicant was detected to have used an invalid device or is associated with suspicious behaviour, indicating they may be a fraudulent user.

In addition, any additional data and signals are returned in the properties attribute.

Device Intelligence: Breakdowns

Breakdowns can have a clear or consider result.

Breakdowndescription
deviceobject
Asserts whether the device used to upload the media is trustworthy, i.e. it is a real, physical device.
(sub-breakdown) application_authenticityobject
Contains fake_network_request under the properties bag (see Device Intelligence: Application Authenticity properties).
(sub-breakdown) device_integrityobject
Contains randomized_device, emulator, single_device_used, document_capture and biometric_capture under the properties bag (see Device Intelligence: Device Integrity properties).
(sub-breakdown) device_reputationobject
Contains ip_reputation and device_fingerprint_reuse under the properties bag (see Device Intelligence: Device Reputation properties)

Device Intelligence: Application Authenticity properties

We will return a reason whenever a report flags for application_authenticity. The property will be returned as true and the sub-breakdown will have a consider result.

  • fake_network_request - when the device used stolen security tokens to send the network information

Device Intelligence: Device Integrity properties

We will return a reason whenever a report flags for device_integrity. There can be more than one reason, because they aren't mutually exclusive.

  • randomized_device - when the device provided false randomized device and network information. The property will be returned as true and the sub-breakdown will have a consider result.

  • emulator - when evidence is found that an emulator was used. The property will be returned as true and the sub-breakdown will have a consider result.

  • (For opted in customers only) single_device_used - when the associated document and biometric media weren't uploaded from the same device. The property will be returned as false and the sub-breakdown will have a consider result.

  • (For opted in customers only) document_capture - when the associated document media weren't confirmed to be live captured from the device camera. The property will not be returned as live and the sub-breakdown will have a consider result.

  • (For opted in customers only) biometric_capture - when the associated biometric media weren't confirmed to be live captured from the device camera. The property will not be returned as live and the sub-breakdown will have a consider result.

Device Intelligence: Device Reputation properties

We will return a reason whenever a report flags for device_reputation. There can be more than one reason, because they aren't mutually exclusive.

  • ip_reputation - when there is highly suspicious traffic related to the IP address, the sub-breakdown will have a consider result.
  • device_fingerprint_reuse - when the same fingerprint was reused too many times, the sub-breakdown will have a consider result.

Device Intelligence: Properties

Data and signals collected about the device, IP, and geolocation are returned in the properties attribute.

Note: All properties can take the value null in addition to their corresponding list of possible values.

device object:

FieldDescriptionPossible values
sdk_versionstring
The SDK version that was used.
-
sdk_sourcestring
The SDK used to upload the media.
onfido-android-sdk, onfido-ios-sdk, onfido-web-sdk
authentication_typestring
The token used to authenticate the request.
sdk_token, mobile_token, api_token
raw_modelstring
The model as set by the phone manufacturer (for Android and iOS) or the browser manufacturer (for Web). The model can be presented in name or number form depending on each manufacturer implementation.
-
osstring
The operating system of the device. The value came from manufacturer implementation (for Android and iOS) or browser's user agent (for Web).
-
browserstring (Web specific field)
The browser name reported by the browser's user agent.
-
emulatorboolean
Whether the device is an emulator.
true, false
randomized_deviceboolean
Whether the device is providing false randomized device and network information.
true, false
fake_network_requestboolean
Whether device is using stolen security tokens to send the network information.
true, false
true_osstring (deprecated field)
The true operating system of the device.
Note: This deprecated field is always null.
-
os_anomalystring (deprecated field)
The likelihood of an operating system anomaly between the true OS and the OS sent by the device.
Note: This deprecated field is always null.
high, medium, low
rootedboolean (deprecated field)
Whether the device is rooted.
Note: This deprecated field is always null.
true, false
remote_softwareboolean (deprecated field)
Whether the device is controlled via remote software.
Note: This deprecated field is always null.
true, false
ip_reputationstring
Whether there is highly suspicious traffic related to the IP address. The risk depends on the overall ratio of clear checks on a given IP. In case the IP is not highly reused we return NOT_ENOUGH_DATA.
NOT_ENOUGH_DATA, HIGH_RISK, LOW_RISK
device_fingerprint_reuseinteger
The number of times the device was used to create a report for a new applicant. A value greater than 1 indicates potential device reuse.
-
single_device_usednull and boolean
Whether the document or biometric media were uploaded from a single device.
null, true, false
document_capturestring
Whether the document media were live captured from the device camera.
live, unknown_method
biometric_capturestring
Whether the biometric media were live captured from the device camera.
live, unknown_method
data_availableboolean
Whether data was found for the applicant. In rare cases, we're unable to find the signals associated with the applicant. Instead of completely failing the report, we return an incomplete report with this property set to true.
true, false

ip object:

FieldDescriptionPossible values
addressstring
The IP address that uploaded the media.
-
vpn_detectionstring (deprecated field)
The likelihood of the network connection being a VPN.
Note: This deprecated field is always null.
high, medium, low
proxy_detectionstring (deprecated field)
The likelihood of the network connection being a Proxy.
Note: This deprecated field is always null.
high, medium, low
typestring (deprecated field)
The type of organization that owns this IP address.
Note: This deprecated field is always null.
-

geolocation object:

FieldDescriptionPossible values
citystring
City location of the IP address.
-
regionstring
Region location of the IP address.
-
countrystring
Country location of the IP address in a three letter format.
-
Example Device Intelligence report object
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "created_at": "2021-03-26T19:51:37Z",
6 "documents": [],
7 "href": "/v3.6/reports/<REPORT_ID>",
8 "id": "<REPORT_ID>",
9 "name": "device_intelligence",
10 "result": "clear",
11 "status": "complete",
12 "sub_result": null,
13 "breakdown": {
14 "device": {
15 "breakdown": {
16 "application_authenticity": {
17 "properties": {},
18 "result": "clear"
19 },
20 "device_integrity": {
21 "properties": {},
22 "result": "clear"
23 },
24 "device_reputation": {
25 "properties": {},
26 "result": "clear"
27 }
28 },
29 "result": "clear"
30 }
31 },
32 "check_id": "<CHECK_ID>",
33 "properties": {
34 "device": {
35 "authentication_type": "sdk_token",
36 "sdk_source": "onfido-android-sdk",
37 "sdk_version": "10.3.1",
38 "raw_model": "SM-G900P",
39 "os": "Android",
40 "browser": null,
41 "emulator": false,
42 "randomized_device": false,
43 "fake_network_request": false,
44 "true_os": null,
45 "os_anomaly": null,
46 "rooted": null,
47 "remote_software": null,
48 "device_fingerprint_reuse": 3,
49 "single_device_used": null,
50 "document_capture": "unknown_method",
51 "biometric_capture": "live",
52 "data_available": true
53 },
54 "ip": {
55 "address": "127.0.0.1",
56 "vpn_detection": null,
57 "proxy_detection": null,
58 "type": null,
59 },
60 "geolocation": {
61 "city": "Redmon",
62 "region": "Washington",
63 "country": "USA"
64 }
65 }
66}

India Tax ID report

This API documentation offers detailed information about the structure of a India Tax ID report, including an example of the report's result and its breakdowns.

For a more general introduction to the India Tax ID report, you can read our product documentation.

The India Tax ID report is for use with Indian Permanent Account Number (PAN) cards only.

Required applicant data

For India Tax ID reports, the following applicant data must be provided:

  • first_name
  • last_name
  • PAN in the id_numbers object.

Supported document types

  • Indian PAN card

An India Tax ID report does not require a document upload.

India Tax ID: Result logic

The result field indicates the overall report result. Possible values for PAN reports are clear or consider:

Report resultLogic
clearThe applicant's PAN is valid and full name matches.
considerThe applicant's PAN is invalid or full name doesn't match.

The report is withdrawn if the required applicant data is not provided or the PAN is not for an individual person.

In addition, the applicant's PAN and full name are returned in the properties attribute.

India Tax ID: Breakdowns

Breakdowns can have a clear or consider result.

Breakdowndescription
pan_validobject
Asserts whether the applicant's PAN is valid1.
name_matchobject
Asserts whether the applicant's provided full name matches that in the database.2
  1. Onfido uses a third-party subprocessor to match the provided PAN against the central Indian government database.

  2. Onfido uses fuzzy matching on the name fields. This is because information can be provided in many different ways and errors in data submission or collection can be quite high. Fuzzy matching allows capturing data variations.

India Tax ID: Properties

The applicant's PAN and full name is returned in the properties attribute.

FieldDescription
panThe applicant's PAN (10 digit alphanumeric number).
full_nameThe applicant's full name.
Example India Tax ID report object
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "created_at": "2021-03-26T19:51:37Z",
6 "documents": [],
7 "href": "/v3.6/reports/<REPORT_ID>",
8 "id": "<REPORT_ID>",
9 "name": "india_pan",
10 "result": "clear",
11 "status": "complete",
12 "sub_result": null,
13 "breakdown": {
14 "pan_valid": {
15 "result": "clear"
16 },
17 "name_match": {
18 "result": "clear"
19 }
20 },
21 "check_id": "<CHECK_ID>",
22 "properties": {
23 "pan": "AAAPA1111A",
24 "full_name": "Jane Doe"
25 }
26}

Other Endpoints

Ping

GET
/ping

Runs a health check on the Onfido API.

If the regional base URL you're using is operational, the ping endpoint will return OK in Text format.

You can also subscribe to webhook notifications from https://status.onfido.com.

Ping (check api.eu.onfido.com can receive requests)
1GET /ping HTTP/1.1
2Host: api.eu.onfido.com

Webhooks

About webhooks

Onfido provides webhooks to alert you of changes in the status of your resources (i.e. checks and reports). These are POST requests to your server that are sent as soon as an event occurs. The body of the request (the payload object) contains details of the event.

You can create and configure up to 20 webhooks to receive status changes from live, sandbox or both environments.

Retry logic

Upon receiving a webhook notification, you should acknowledge success by responding with an HTTP 20x response within 10 seconds. Otherwise, we will attempt to resend the notification 5 times according to the following schedule:

  • 30 seconds after the first attempt
  • 2 minutes after the first attempt
  • 15 minutes after the first attempt
  • 2 hours after the first attempt
  • 10 hours after the first attempt

We also use circuit breaking for webhooks: if any 5 requests to the same webhook fail in a row, then that webhook will be disabled for one minute.

Testing

You can quickly inspect webhook requests with temporary endpoint URLs. You can create these using free hosted services such as https://webhook.site.

Security

The webhook URL must use HTTPS and both TLSv1.2 and TLSv1.3 versions are supported.

Duplicate events

We guarantee at-least-once delivery of webhooks, which means that in rare occasions you may receive duplicate events. You should treat events as idempotent to avoid unwanted effects in your application.

Ordering

Onfido doesn't guarantee order when delivering events. As a result, you may receive an event before another event that was created earlier. You should expect to receive them out of order and handle them accordingly.

Webhook object

AttributeDescription
idstring
The unique identifier for the webhook.
urlstring
The url to listen to notifications (must be HTTPS).
enabledBoolean
Determines if the webhook should be active. If omitted, will be set to true by default.
eventsarray
The events that should be published to the webhook. If omitted, all events will be subscribed by default. You can read about the supported events.
tokenstring
The webhook token (read more about verifying webhook signatures.
hrefstring
The URI of this resource.
environmentsarray
Lists the environments that the webhook will receive events from.
payload_versioninteger
Webhook version used to control the payload object when sending webhooks.
Example webhook object (check started)
1HTTP/1.1 200 OK
2Content-Type: application/json
3
4{
5 "webhooks": [
6 {
7 "id": "<WEBHOOK_ID>",
8 "url": "https://demo.com",
9 "enabled": false,
10 "href": "/v3.6/webhooks/<WEBHOOK_ID>",
11 "token": "<WEBHOOK_TOKEN>",
12 "environments": [
13 "sandbox"
14 ],
15 "events": [
16 "check.started"
17 ],
18 "payload_version": 3
19 }
20 ]
21}

Webhook IP addresses

All webhook requests will come from the following IPs:

Europe:

  • 52.51.171.25
  • 52.51.228.228
  • 52.51.234.203

United States:

  • 34.232.2.222
  • 52.55.124.58
  • 34.224.182.19

Canada:

  • 15.223.105.11
  • 15.222.176.53
  • 15.222.71.172

Please make sure that you allow these IPs in order to receive webhook notifications.

Events

By default, webhooks are subscribed to all events, but can be subscribed to a subset using the events array.

Beware that some webhooks payload may contain personal data, such as audit_log.created, watchlist_monitor.matches_updated, or Studio related resources (workflow_* events).

You can configure any of the following events to trigger a message to registered webhooks:

General webhook events

ResourceEventsDescription
audit_logaudit_log.createdAn audit log has been created. It requires to have audit logs enabled in your Onfido account.
watchlist_monitorwatchlist_monitor.matches_updatedAn ongoing monitor has new matches.

Studio webhook events

ResourceEventsDescription
workflow_runworkflow_run.completedA workflow run has been completed.
workflow_runworkflow_timeline_file.createdA Workflow Run Timeline File has been generated.
workflow_taskworkflow_task.startedA new task of a workflow run has started.
workflow_taskworkflow_task.completedA workflow task has been completed.
workflow_timeline_fileworkflow_timeline_file.createdA timeline file has been created for a given workflow run.
workflow_run_evidence_folderworkflow_run_evidence_folder.createdAn evidence folder has been created for a given workflow run.

Checks and reports webhook events

ResourceEventsDescription
checkcheck.startedA check has been started. When applicant_provides_data is true, this indicates the applicant has submitted all required information.
checkcheck.reopenedA check has been reopened. This indicates the applicant needs to re-submit required information.
checkcheck.withdrawnA check has been withdrawn.
checkcheck.completedA check has been completed.
checkcheck.form_completedAn applicant has submitted their information using the check form.
reportreport.withdrawnA report has been withdrawn.
reportreport.resumedA paused report has been resumed.
reportreport.cancelledA paused report has been cancelled.
reportreport.awaiting_approvalA report has transitioned to the "Awaiting Approval" status.
reportreport.completedA report has been completed and results are available.

Event object

Attributes

AttributeDescription
payloadobject
The top level element.
resource_typestring
Indicates the resource affected by this event.
actionstring
The event that triggered this webhook, e.g. report.completed.
objectobject
The object affected by this event. This will contain an id and an href to retrieve that resource.
Example event object (report completed)
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "payload": {
6 "resource_type": "report",
7 "action": "report.completed",
8 "object": {
9 "id": "<REPORT_ID>",
10 "status": "complete",
11 "completed_at_iso8601": "2019-10-28T15:00:39Z",
12 "href": "https://api.onfido.com/v3.6/reports/<REPORT_ID>"
13 }
14 }
15}

Workflow run completed event object

The webhook event workflow_run.completed is fired upon completion of a Workflow Run.

Attributes

AttributeDescription
resource_typestring
Indicates the resource affected by this event.
actionstring
The event that triggered this webhook, e.g. workflow_run.completed.
objectobject
The object affected by this event. This will contain an id and an href to retrieve that resource.
resourceobject
An attribute unique to Workflow webhooks, containing the Workflow Run object affect by this event.
Example event object (workflow run completed)
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "payload": {
6 "resource_type": "workflow_run",
7 "action": "workflow_run.completed",
8 "object": {
9 "id": "36a56899-d617-4988-85bf-b76640861bf5",
10 "status": "abandoned",
11 "completed_at_iso8601": "2022-12-19T16:54:44Z",
12 "href": "https://api.onfido.com/v3.6/workflow_runs/36a56899-d617-4988-85bf-b76640861bf5"
13 },
14 "resource": {
15 "dashboard_url": "https://dashboard.onfido.com/results/36a56899-d617-4988-85bf-b76640861bf5",
16 "workflow_version_id": 0,
17 "applicant_id": "9bb725cb-c9a4-4b46-bfc7-d62965a32d9a",
18 "created_at": "2022-12-05T16:54:44Z",
19 "reasons": [],
20 "link": {
21 "language": null,
22 "completed_redirect_url": null,
23 "expires_at": null,
24 "expired_redirect_url": null,
25 "url": "https://onfido.app/l/36a56899-d617-4988-85bf-b76640861bf5"
26 },
27 "error": null,
28 "output": null,
29 "id": "36a56899-d617-4988-85bf-b76640861bf5",
30 "updated_at": "2022-12-19T16:54:44Z",
31 "status": "abandoned",
32 "workflow_id": "f96b8c57-8084-4ca7-bc4c-f737e1cb1718"
33 }
34 }
35}

Workflow task started event object

The webhook event workflow_task.started is fired when a new Task of the Workflow Run starts.

Attributes

AttributeDescription
resource_typestring
Indicates the resource affected by this event.
actionstring
The event that triggered this webhook, workflow_task.started.
objectobject
The object affected by this event. This will contain an id and an href to retrieve that resource.
resourceobject
An attribute unique to Workflow webhooks, containing the Task object affected by this event.
Example event object (workflow task started)
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "payload": {
6 "resource_type": "workflow_task",
7 "action": "workflow_task.started",
8 "object": {
9 "id": "document_photo_c0888",
10 "task_spec_id": "document_photo_c0888",
11 "task_def_id": "upload_document_photo",
12 "workflow_run_id": "0072fd81-7c5f-4bff-b3a9-7bea6ec3f838",
13 "status": "started",
14 "started_at_iso8601": "2022-12-19T16:44:54Z",
15 "href": "https://api.onfido.com/v3.6/workflow_runs/0072fd81-7c5f-4bff-b3a9-7bea6ec3f838/tasks/document_photo_c0888"
16 },
17 "resource": {
18 "input": {},
19 "created_at": "2022-12-19T16:44:54Z",
20 "output": null,
21 "id": "document_photo_c0888",
22 "updated_at": "2022-12-19T16:44:54Z",
23 "task_def_version": null,
24 "task_def_id": "upload_document_photo",
25 "workflow_run_id": "0072fd81-7c5f-4bff-b3a9-7bea6ec3f838"
26 }
27 }
28}

Workflow task completed event object

The webhook event workflow_task.completed is fired upon completion of a Workflow task.

Attributes

AttributeDescription
resource_typestring
Indicates the resource affected by this event.
actionstring
The event that triggered this webhook, workflow_task.completed.
objectobject
The object affected by this event. This will contain an id and an href to retrieve that resource.
resourceobject
An attribute unique to Workflow webhooks, containing the Task object affected by this event.
Example event object (workflow task completed)
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "payload": {
6 "resource_type": "workflow_task",
7 "action": "workflow_task.completed",
8 "object": {
9 "id": "profile_4f4b2",
10 "task_spec_id": "profile_4f4b2",
11 "task_def_id": "profile_data",
12 "workflow_run_id": "2f152409-d6c4-4711-8750-48517f99a8d6",
13 "status": "cancelled",
14 "completed_at_iso8601": "2022-12-19T16:41:44Z",
15 "href": "https://api.onfido.com/v3.6/workflow_runs/2f152409-d6c4-4711-8750-48517f99a8d6/tasks/profile_4f4b2"
16 },
17 "resource": {
18 "id": "profile_4f4b2",
19 "created_at": "2022-12-05T16:41:43Z",
20 "task_def_id": "profile_data",
21 "workflow_run_id": "2f152409-d6c4-4711-8750-48517f99a8d6",
22 "output": null,
23 "input": {},
24 "task_def_version": null,
25 "updated_at": "2022-12-19T16:41:44Z"
26 }
27 }
28}

Timeline File created event object (BETA)

The webhook event workflow_timeline_file.created is fired upon the generation of a Timeline File for a Workflow Run.

Attributes

AttributeDescription
resource_typestring
Indicates the resource affected by this event.
actionstring
The event that triggered this webhook, workflow_timeline_file.created.
objectobject
The object affected by this event. This will contain an id and an href to retrieve that resource.
resourceobject
An attribute unique to Workflow webhooks, containing the timeline_file_download_url needed to download the Timeline File affected by this event.

Note: The Timeline File may contain sensitive personal information (PII). The pre-signed URLs allow downloading the Timeline File and should be handled carefully.

Example event object (timeline file created updated)
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "payload": {
6 "resource_type": "workflow_timeline_file",
7 "action": "workflow_timeline_file.created",
8 "object": {
9 "id": "36a56899-d617-4988-85bf-b76640861bf5",
10 "workflow_run_id": "99a56899-d617-4988-85bf-b76640861b74",
11 "completed_at_iso8601": "2023-08-24T11:49:20Z",
12 "href": "https://api.onfido.com/v3.6/workflow_runs/99a56899-d617-4988-85bf-b76640861b74/timeline_file/36a56899-d617-4988-85bf-b76640861bf5"
13 },
14 "resource": {
15 "timeline_file_download_url": "<Pre-signed URL to download the file>"
16 }
17 }
18}

Watchlist monitor matches updated event object

The webhook event watchlist_monitor.matches_updated is fired when there are new matches on an ongoing monitor.

Attributes

AttributeDescription
resource_typestring
Indicates the resource affected by this event.
actionstring
The event that triggered this webhook, watchlist_monitor.matches_updated.
objectobject
The object affected by this event. This will contain details about who and what was performed.
resourceobject
An attribute containing the resource affected by this event.
Example event object (watchlist monitor matches updated)
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "payload": {
6 "resource_type": "watchlist_monitor",
7 "action": "watchlist_monitor.matches_updated",
8 "object": {
9 "id": "e56b6d2d-574b-442b-a9a0-b962cceecf44",
10 "completed_at_iso8601": "2023-08-24T11:49:20Z",
11 "completed_at": "2023-08-24T11:49:20.801Z"
12 },
13 "resource": {
14 "properties":{
15 "monitor_id":"e56b6d2d-574b-442b-a9a0-b962cceecf44",
16 "records":[],
17 "matches":[]
18 },
19 "breakdown":{
20 "sanction":{
21 "result":"clear",
22 "breakdown":{
23 "sanction":{
24 "result":"clear"
25 }
26 }
27 },
28 "politically_exposed_person":{
29 "result":"consider",
30 "breakdown":{
31 "politically_exposed_person":{
32 "result":"consider"
33 }
34 }
35 },
36 "warnings":{
37 "result":"clear",
38 "breakdown":{
39 "warnings":{
40 "result":"clear"
41 }
42 }
43 }
44 },
45 "result":"consider",
46 "applicant_id":"07d71f71-43fb-46af-94b9-7a33a2beb7dc"
47 }
48 }
49}

Workflow Run Evidence Folder created event object

The webhook event workflow_run_evidence_folder.created is fired upon the generation of the Evidence Folder for a Workflow Run.

Attributes

AttributeDescription
resource_typestring
Indicates the resource affected by this event.
actionstring
The event that triggered this webhook, workflow_run_evidence_folder.created.
objectobject
The object affected by this event. This will contain a workflow_run_id and an href to retrieve that resource.

Note: The Evidence Folder may contain sensitive personal information (PII).

Example event object (workflow run evidence folder created)
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "payload": {
6 "resource_type": "workflow_run_evidence_folder",
7 "action": "workflow_run_evidence_folder.created_at",
8 "object": {
9 "workflow_run_id": "36a56899-d617-4988-85bf-b76640861bf5",
10 "created_at_iso8601": "2022-12-19T16:54:44Z",
11 "href": "https://api.onfido.com/v3.6/workflow_runs/36a56899-d617-4988-85bf-b76640861bf5/evidence_folder"
12 }
13 }
14}

Audit log created event object

The webhook event audit_log.created is fired when a new Audit log is created.

Attributes

AttributeDescription
resource_typestring
Indicates the resource affected by this event.
actionstring
The event that triggered this webhook, audit_log.created.
objectobject
The object affected by this event. This will contain details about who and what was performed.
Example event object (audit log created)
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "payload": {
6 "resource_type": "audit_log",
7 "action": "audit_log.created",
8 "object": {
9 "activity": "password_reset",
10 "category": "user_activity",
11 "created_at_iso8601": "2022-12-19T16:41:44Z",
12 "user": {
13 "email": "john.doe@onfido.com",
14 "full_name": "John Doe",
15 "ip_address": "127.0.0.1"
16 }
17 }
18 }
19}

Webhook event versioning

Refer to our API versioning guide for details on webhook event versioning.

Verifying webhook signatures

You should verify request signatures on your server to prevent attackers from imitating valid webhook events.

Each webhook you register will return a single secret token in the token field of the API response body, which is used to generate an HMAC using SHA-256. You only need to register a webhook once. The token for each webhook is also displayed on the Onfido Dashboard ‘Webhook Management’ page.

If possible, we recommend that you verify request signatures with our supported client libraries in your integration.

The following Onfido client libraries have support built in:

  • Java

  • Node

  • PHP

  • Python

  • Ruby

Using Onfido client libraries

You must initialise the verifier instance with your webhook’s secret token. For each webhook event, the verifier instance needs:

  • the signature of the webhook (from the X-SHA2-Signature header)

  • the body of the event request (must be in raw format, not decoded from JSON)

Manually

We provide a detailed guide for manually verifying webhook signatures.

1X-SHA2-Signature: <HMAC_VALUE>

Register webhook

POST
/v3.6/webhooks/

Registers a webhook. Returns a webhook object.

You can read more about how to verify request signatures on your server.

You cannot use sandbox tokens to create or manage webhooks for live environments.

Request body parameters

ParameterDescription
urlrequired
The url that will listen to notifications (must be HTTPS).
enabledoptional
Determine if the webhook should be active.
If omitted, will be set to true by default.
environmentsoptional
The environments from which the webhook will receive events.
Allowed values are "sandbox" or "live" but sandbox tokens cannot be used for the "live" environment.
If omitted (with a live token), the webhook will receive events from both environments.
eventsoptional
The events that should be published to the webhook. If omitted, all events will be subscribed by default. You can read about the supported events.
payload_versionoptional
The version used for the payload.

Register a webhook using the Dashboard

You can also register webhooks through the Onfido Dashboard.

Webhook logs

To help you diagnose webhook issues, you can review logs on the Onfido Dashboard.

Register a webhook
1POST /v3.6/webhooks/ HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7 "url": "https://yourdomain.com",
8 "enabled": true,
9 "events": [
10 "report.completed",
11 "check.completed"
12 ]
13}

List webhooks

GET
/v3.6/webhooks/

Lists all webhooks you've created.

Returns data in the form: {"webhooks": [<LIST_OF_WEBHOOK_OBJECTS>]}.

List all webhooks youve created
1GET /v3.6/webhooks/ HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Retrieve webhook

GET
/v3.6/webhooks/{webhook_id}

Retrieves a single webhook. Returns a webhook object.

Retrieve a single webhook
1GET /v3.6/webhooks/<WEBHOOK_ID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Edit webhook

PUT
/v3.6/webhooks/{webhook_id}

Edits a webhook. Returns the updated webhook object.

Edit a webhook (change the URL)
1PUT /v3.6/webhooks/<WEBHOOK_ID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7 "url": "https://yourdomain.com"
8}

Delete webhook

DELETE
/v3.6/webhooks/{webhook_id}

Deletes a webhook. If successful, returns a 204 No Content response.

Delete a webhook
1DELETE /v3.6/webhooks/<WEBHOOK_ID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json

Resend webhooks

POST
/v3.6/webhooks/resend

Resends events to all webhooks registered with a matching environment in your account. Returns a 204 No Content response.

There is a limit of 20 resources for the maximum number of objects that can be defined in the request body.

A resend can only be issued if the webhook event for the given resource_id was triggered in the past 30 days.

Request body parameters

resource_idrequired
ID of the resource whose webhooks are to be retriggered.
eventrequired
The event that should retrigger webhooks. All events are accepted. 1
  1. For workflow_task.* events, the resource_id needs to be composed of the workflow_run_id and task_id. Example: "<WORKFLOW_RUN_ID>:<TASK_ID>"
Resend webhooks
1POST /v3.6/webhooks/resend HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7 "data": [
8 {
9 "resource_id": "<CHECK_ID>",
10 "event": "check.completed"
11 }
12 ]
13}

Address Picker

GET
/v3.6/addresses/pick?postcode={postcode}

Performs a search for addresses by postcode (UK only).

Returns data in the form: {"addresses": [<LIST_OF_ADDRESS_OBJECTS>]}.

The Onfido Address Picker will always use a third-party subprocessor for address cleansing. In this way, it can be used to make sure addresses passed to the create applicant endpoint are valid.

Query string parameters

postcode (required): the applicant's postcode.

Search for an address using a postcode
1GET /v3.6/addresses/pick?postcode=SW46EH HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Generate SDK token

POST
/v3.6/sdk_token

Generating an SDK token will enable applicants to send personal data to Onfido via one of our SDKs. For more information on how Onfido uses personal data, view our Privacy Policy.

Generates an SDK token. Returns a token object containing the SDK token.

SDK tokens can only be used in our input-capture SDKs. They are restricted to an individual applicant, and expire after 90 minutes.

You’ll need to generate and include a new token each time you initialize the Onfido SDKs.

The SDK token object returned in the response is of the form: {"token": "header.payload.signature"}.

The composition and length of SDK tokens is variable and can change over time.

Request body parameters

ParameterDescription
applicant_idrequired
Specifies the applicant for the SDK instance.
application_idoptional, should not be used if referrer provided
The application ID (or "application bundle ID") - used with the iOS and Android SDKs.
referreroptional, should not be used if application_id provided
The referrer URL pattern - used with the Web SDK.
cross_device_urloptional
The URL to be used by the Web SDK for the cross-device flow. (Max 24 characters).
This replaces the default id.onfido.com and requires additional setup to map back to the Onfido hosted cross-device address.

Each authenticated instance of the SDK will correspond to a single Onfido applicant as specified by the applicant_id.

The application_id

The application_id is the "Application ID" or "Bundle ID" on iOS and Android that was set up during development. For iOS, this is usually in the form com.your-company.app-name. For Android, this is usually in the form com.example.yourapp. Make sure to use a valid application_id or you'll receive a 401 error.

If you want to disable the application ID check, you can pass the wildcard *. Alternatively, don't pass either of the application_id and referrer parameters.

The referrer argument

The referrer argument specifies the URL of the web page where the Web SDK will be used. The referrer sent by the browser must match the referrer URL pattern in the SDK token for the SDK to successfully authenticate. The referrer is based on the Google Chrome match pattern URLs. URLs can contain wild card characters.

The referrer pattern guarantees that other malicious websites cannot reuse the token in case it is lost. You can read more about referrer policy in Mozilla's documentation.

If you want to disable the referer header check, you can pass the wildcard *. Alternatively, don't pass either of the application_id and referrer parameters.

You must use a site referrer policy that lets the Referer header be sent. If your policy does not allow this (e.g. Referrer-Policy: no-referrer), then you'll receive a 401 bad_referrer error when trying to use the Web SDK.

Permitted referrer patterns are as follows:

SectionFormatExample
Referrerscheme://host/pathhttps://*.<DOMAIN>/<PATH>/*
Scheme* or http or httpshttps
Host* or *. then any char except / and **.<DOMAIN>
PathAny char or none<PATH>/*

An example of a valid referrer is https://*.example.com/example_page/*.

The cross_device_url argument

The cross-device flow of the Web SDK allows users to continue the identity verification process from their phone where they can take pictures of their document and themselves rather than uploading images from their desktop. This feature is available to all customers and uses the URL id.onfido.com as the default. The cross_device_url argument is used to white-label the default Onfido cross-device URL to one of your choosing with a maximum character length of 24 including https://. While the cross-device flow is available to all customers, white-labeling the URL using this argument is a premium enterprise feature that must be activated for your account before it may be used. Please talk to your account executive for more information about purchasing this feature.

Example SMS before and after using this feature:

Before:

Continue your identity verification by tapping https://id.onfido.com/<UNIQUE-PATH>

After:

Continue your identity verification by tapping <YOUR-CROSS-DEVICE-URL>/<UNIQUE-PATH>

Generate a new SDK token with a referrer
1POST /v3.6/sdk_token HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7 "applicant_id": "<APPLICANT_ID>",
8 "referrer:": "https://*.example.com/example_page/*",
9 "cross_device_url": "https://example.com"
10}

Repeat attempts

The repeat attempts endpoint allows you to request a list of repeat attempt matches for Document reports to show instances of repeat fraud where users submit multiple requests using the same document.

A repeat attempt is any previous Document report that was submitted using a document that matches other previously onboarded documents in your Onfido database. For each repeat attempt match, Onfido returns whether the name, date of birth and document number on the document matches the personal document data used for each previous attempt. If the personal document data doesn't match, this indicates that one, or potentially multiple, of the documents might be fraudulent. A large number of repeat attempts can also signal fraudulent behaviour.

The repeat attempts endpoint is for use with Document reports only.

Retrieve repeat attempts

GET
/v3.6/repeat_attempts/{report_uuid}

Returns all repeat attempts for a given Document report.

The Document report must have completed before you can request repeat attempts via this endpoint.

Repeat attempts
1curl -X GET https://api.eu.onfido.com/v3.6/repeat_attempts/<REPORT_UUID> \
2 -H 'Authorization: Token token=<YOUR_API_TOKEN>'

Response

Returns a repeat attempts object containing an array of repeat attempts.

AttributeDescription
report_idstring
The uuid of the completed Document report.
repeat_attemptsarray of objects
An array of repeat attempt objects. If no repeat attempts were found, the array will be empty. The number of objects returned can increase over time if more matches are received.
attempts_countint
The total number of attempts using the same document, including the current report under assessment.
attempts_clear_ratefloat
A number between 0 and 1 which indicates the proportion of attempts that have been cleared, including the current report under assessment.
unique_mismatches_countint
The number of unique entries in the repeat_attempts field for which at least one of the fields is a mismatch.

Repeat attempts object

The repeat_attempts array of objects is nested inside the repeat attempts response object.

AttributeDescriptionPossible values
report_idstring
The uuid of the matching Document report.
-
applicant_idstring
The uuid of the applicant for the matching Document report.
-
date_of_birthstring
Whether the dates of birth are exactly the same or are different.
match, mismatch
namesstring
Whether the names are exactly the same or are different.
match, mismatch
resultstring
The report result of this attempt.
clear, consider
created_atdatetime
When the matching report was created.
-
completed_atdatetime
When the matching report was completed.
-

Document reports flagged as suspected for data_consistency will not be returned by this endpoint. This is to ensure that data was correctly extracted, and the matches are relevant.

Example response for verify Authentication token
1HTTP/1.1 200 OK
2Content-Type: application/json
3
4{
5 "report_id": "<REPORT_UUID>",
6 "repeat_attempts": [
7 {
8 "report_id": "<REPORT_ID>",
9 "applicant_id": "<APPLICANT_ID>",
10 "date_of_birth": "mismatch",
11 "names": "match",
12 "document_number": "match",
13 "result": "clear",
14 "created_at": "2021-12-10T00:00:00",
15 "completed_at": "2021-12-12T00:10:00"
16 },
17 {
18 "report_id": "<REPORT_ID>",
19 "applicant_id": "<APPLICANT_ID>",
20 "date_of_birth": "match",
21 "names": "match",
22 "document_number": "match",
23 "result": "clear",
24 "created_at": "2021-12-12T00:00:00",
25 "completed_at": "2021-12-12T00:10:00"
26 }
27 ],
28 "attempts_count": 3,
29 "attempts_clear_rate": 0.67,
30 "unique_mismatches_count": 1,
31}

Autofill

POST
/v3.6/extractions

Using this endpoint in a live context will cause you to send personal data to Onfido. Always make sure you inform your users about this and obtain any necessary permissions. For more information on how Onfido uses personal data, view our Privacy Policy.

Autofill takes an uploaded document and returns information extracted from the document. This is a synchronous request, which means the extracted information will be presented immediately in the API response.

Request body parameters

ParameterDescription
document_idrequired
The unique identifier of the uploaded document to run extraction on
Return information extracted from a document
1POST /v3.6/extractions HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7 "document_id": "<DOCUMENT_ID>"
8}

Extraction result

If data has been successfully extracted, the API response will contain the properties document_classification and extracted_data.

document_classification has the following properties:

FieldDescription
issuing_countryDocument country in 3-letter ISO code
document_typeType of document. See Document types. Only certain document types are supported by Autofill. Please contact client-support@onfido.com to find out more.
issuing_stateThe state that issued the document. Only returned for a subset of documents.
subtypeThe document subtype (full, not_full, provisional). Only extracted on USA and UK Driving Licences
versionThe document issuing version. Only returned for a subset of documents.

extracted_data has the following properties:

As extraction is done on a best-effort basis, and also information varies across different documents, none of these properties are guaranteed to be present in the response.

Extraction data will not be populated if the document is issued by a country subject to comprehensive US sanctions.

FieldDescription
document_numberThe official document number.
first_nameFirst name.
last_nameLast name.
middle_nameMiddle name.
full_nameFull name.
spouse_nameSpouse name (French documents only).
widow_nameWidow name (French documents only).
genderGender. Valid values are Male and Female.
date_of_birthDate of birth in YYYY-MM-DD format.
date_of_expiryDate of expiry in YYYY-MM-DD format.
expiry_dateDate of expiry in YYYY-MM-DD format.
nationalityNationality in 3-letter ISO code.
mrz_line1Line 1 of the MRZ code.
mrz_line_1Line 1 of the MRZ code.
mrz_line2Line 2 of the MRZ code.
mrz_line_2Line 2 of the MRZ code.
mrz_line3Line 3 of the MRZ code.
mrz_line_3Line 3 of the MRZ code.
address_line_1Line 1 of the address.
address_line_2Line 2 of the address.
address_line_3Line 3 of the address.
address_line_4Line 4 of the address.
address_line_5Line 5 of the address.
issuing_authorityIssuing authority.
issuing_countryDocument country in 3-letter ISO code.
document_typeType of document. See Document types. Only certain document types are supported by Autofill. Please contact client-support@onfido.com to find out more.
place_of_birthPlace of birth.
issuing_stateThe state that issued the document.
issuing_dateIssuing date in YYYY-MM-DD format.
personal_numberThe owner's unique identification number.
Example response (return information extracted from a document)
1HTTP/1.1 200
2Content-Type: application/json
3
4{
5 "document_id": "<DOCUMENT_ID>",
6 "document_classification": {
7 "document_type": "driving_licence",
8 "issuing_country": "USA",
9 "issuing_state": "CA",
10 "subtype": "full",
11 "version": "2018"
12 },
13 "extracted_data": {
14 "first_name": "JANE",
15 "last_name": "DOE",
16 "full_name": "JANE DOE",
17 "date_of_birth": "1977-08-31",
18 "document_number": "I1234568",
19 "gender": "Female",
20 "issuing_date": "2009-08-31",
21 "date_of_expiry": "2014-08-31",
22 "expiry_date": "2014-08-31",
23 "address_line_1": "2570 24TH STREET",
24 "address_line_2": "ANYTOWN, CA 95818",
25 "document_type": "driving_licence",
26 "issuing_country": "USA",
27 "issuing_state": "CA",
28}

Unsuccessful extraction

Classification failure

If the document cannot be recognised, a classification_failure will be returned.

Unsuccessful extraction response: classification failure
1HTTP/1.1 422 Unprocessable Entity
2Content-Type: application/json
3
4{
5 "document_id": "<DOCUMENT_ID>",
6 "error": {
7 "type": "classification_failure",
8 "message": "We couldn’t recognise the type of this document."
9 }
10}

Extraction failure

If no data can be extracted, an extraction_failure will be returned.

Unsuccessful extraction response: extraction failure
1HTTP/1.1 422 Unprocessable Entity
2Content-Type: application/json
3
4{
5 "document_id": "<DOCUMENT_ID>",
6 "error": {
7 "type": "extraction_failure",
8 "message": "We couldn’t extract data from this document."
9 }
10}

Retrieve Workflow Run Evidence Summary File

The evidence summary file is deprecated. We recommend that you use the Evidence Folder instead.

GET
/v3.6/workflow_runs/{workflow_run_id}/evidence_summary_file

Retrieves the evidence summary file for the designated Workflow Run.

After a successful call, a 302 Found HTTP status is returned with a pre-signed URL to download the file in the Location header.

The evidence summary file is available a few seconds after the Workflow Run has been completed. Please also ensure that file generation is enabled for your account. See the ETSI Certified IDV product guide for more information.

Note: If you invoke this endpoint for Sandbox workflow runs, a mock evidence summary file will be returned.

Path parameters

workflow_run_id (required): the unique identifier of the Workflow Run for which you want to retrieve the evidence summary file.

Note: The Evidence Summary File may contain sensitive personal identifiable information (PII). The pre-signed URLs allow downloading the Evidence Summary File and should be handled carefully.

Retrieve Workflow Run Evidence Summary File
1GET /v3.6/workflow_runs/<WORKFLOW_RUN_ID>/evidence_summary_file HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Fraud reporting ALPHA

Fraud reporting via the API is currently an ALPHA product. Please contact Client Support to find out more.

Onfido provides an endpoint which allows you to report known or suspected missed fraud, or an end user that was flagged by Onfido as potentially fraudulent but who you believe should have been cleared. By reporting missed fraud or genuine users, Onfido is then able to re-review these results as well as use this information to train our ML models to improve our services and catch additional fraud in the future.

You can also report via the Onfido Dashboard.

POST
/results_feedback

Using this endpoint in a live context will cause you to send personal data to Onfido and authorises Onfido to use the data to improve and further develop its products (including by sharing with third party providers as set out in Onfido’s Record of Processing). Always make sure you inform your users about this and obtain any necessary permissions. For more information on how Onfido uses personal data, view our Privacy Policy.

Submits a single request in relation to a specific check or report. If successful, returns a 201 Created response.

The expected_result should be provided in the request indicating what you believe to be the correct result of the check or report, along with either the associated check_id or report_id. You can optionally provide additional information to give reasons or context for the expected result.

Request body parameters

ParameterDescription
expected_resultrequired
An enum. Accepts the values ”clear” or ”consider”. The expected result for the check or report.
check_idoptional, should not be used if report_id is provided
A string. The ID of the check..
report_idoptional, should not be used if check_id is provided
A string. The ID of the report.
feedback_notesoptional
A string. Any additional information or feedback.

You will not receive a detailed response or follow up after submitting to this endpoint.

Fraud reporting
1curl -X POST https://api.eu.onfido.com/v3.6/results_feedback \
2 -H 'Authorization: Token token=<YOUR_API_TOKEN>' \
3 -H 'Content-Type: application/json' \
4 -d '{
5 "expected_result": "consider",
6 "report_id": "<REPORT_ID>"
7 }'

Checks

Checks are performed on an applicant and consist of one or more reports.

Please note: When integrating with Onfido Studio workflows, checks are created automatically based on your specific workflow implementation. Checks are only applicable for implementations that rely on the explicit SDK configuration of verification steps.

Check object

AttributeDescription
idstring
The unique identifier for the check.
created_atdatetime
The date and time at which the check was initiated.
webhook_idsarray of strings
The list of registered webhook IDs to notify as part of this check. Unless the value is included during check creation, this parameter will be null.
hrefstring
The API endpoint to retrieve the check.
applicant_provides_dataBoolean
Run an applicant_provides_data check or not. Default is false.
applicant_idstring
The ID for the applicant associated with the check.
statusstring
The current state of the check in the checking process.
tagsarray of strings
A list of tags associated with this check.
resultstring
The overall result of the check, based on the results of the reports used.
form_uristring
A link to the applicant form, if applicant_provides_data is true.
redirect_uristring
For checks where applicant_provides_data is true, redirect to this URI when the applicant has submitted their data.
results_uristring
A link to the corresponding results page on the Onfido Dashboard
report_idsarray of strings
The list of report object IDs associated with the check.
sandboxBoolean
Indicates whether the object was created in the sandbox or not.

Check status

StatusDescription
in_progressWe are currently processing the check.
awaiting_applicantThe applicant has not yet submitted the applicant form, either because they have not started filling the form out or because they have started but have not finished.
completeAll reports for the applicant have been completed or withdrawn.
withdrawnThe check has been withdrawn.
pausedThe check is paused until you (the client) switch it on manually. Special case used by clients who wants to collect data and run the checks when they want and not immediately.
reopenedInsufficient or inconsistent information was provided by the applicant, and the report has been bounced back for further information.
Example check object
1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5 "applicant_id": "<APPLICANT_ID>",
6 "applicant_provides_data": false,
7 "created_at": "2021-03-22T17:13:12Z",
8 "form_uri": null,
9 "href": "/v3.6/checks/<CHECK_ID>",
10 "id": "<CHECK_ID>",
11 "paused": false,
12 "redirect_uri": null,
13 "report_ids": [
14 "<REPORT_ID>"
15 ],
16 "result": null,
17 "results_uri": "<RESULTS_URI>",
18 "sandbox": true,
19 "status": "in_progress",
20 "tags": [],
21 "version": "3.6",
22 "webhook_ids": null
23}

Check results

The value of the check is derived from the results of the individual reports that it contains:

Check resultDescription
clearIf all the reports contained in the check have clear as their results.
considerIf any reports contained in the check have either consider or unidentified as their result.

Create check

POST
/v3.6/checks/

Please note: When integrating with Onfido Studio workflows, checks are created automatically based on your specific workflow implementation. This endpoint is only applicable for implementations that rely on the explicit SDK configuration of verification steps.

Using this endpoint in a live context will cause you to create a check using an applicant's personal data. Always make sure you inform your users about this and obtain any necessary permissions. For more information on how Onfido uses personal data, view our Privacy Policy.

Initiates a check for an applicant, which can contain one or more reports. Returns a check object.

Having created the first check, you are allowed to create further checks for the same applicant, as long as the previous check is not still ongoing (i.e. check has been completed, withdrawn or cancelled). You will receive an error message if you try to create a check for an applicant with an ongoing check.

If you are creating multiple checks for the same applicant you should reuse the same applicant_id in every check request. This ensures all checks are associated with the same individual.

When creating checks, you must use the report_names field (which takes an array of strings). For example, to create a check with 2 reports:

"report_names": ["report_name_1", "report_name_2"]

Required applicant data

The following applicant data is required for all checks. Each report type may also require additional applicant data in order to be processed.

Location

You must provide location information for each applicant before creating a check with a Facial Similarity report. You can include locationas part of your API request when creating an applicant or uploading a document. If you do not provide location all check requests will fail with a validation error.

Consent

If the location of the applicant is the US, you must also provide consent information confirming that the end user has viewed and accepted Onfido’s privacy notices and terms of service. You can specify consents as part of your API request when creating or updating an applicant. If privacy_notices_read is not set to "granted": true, all check requests will fail with a validation error.

If you use the Onfido SDK, location and consent is collected directly by the SDK. You do not need to manually provide the location or consents parameter in this case.

For more information on the requirements and implementation options for collecting US end user consent please see our Onfido privacy notices and consent guide.

Request body parameters

ParameterDescription
applicant_idrequired
The ID of the applicant to run the check on.
report_namesrequired
Array of strings describing reports requested for the check.
document_idsoptional
Array of strings describing which document to process in checks containing a Document report, a Facial Similarity report or both, which takes a maximum of 2 strings (document IDs) 1. By default, the most recently uploaded document is used. document_ids is only usable with Document and Facial Similarity reports.
Note: document_ids is a required parameter for Document Video Report and Document report with NFC. For Document Report with NFC, you must specify the NFC media ID at check creation, in which case the maximum number of strings is 3.
applicant_provides_dataoptional
Default is false. If true, applicant provides required information and documents using the Onfido applicant form.
asynchronousoptional
Default is true.2 It’s strongly recommended that you leave this as the default, and configure webhooks to notify you when a check or report is complete.
tagsoptional
Array of tags being assigned to this check.
suppress_form_emailsoptional
For checks where applicant_provides_data is true, applicant form will not be automatically sent if suppress_form_email is true. You can manually send the form at any time after the check has been created, using the link found in the form_uri attribute of the check object.
Defaults to false (i.e., form will be sent automatically by default).
redirect_urioptional
For checks where applicant_provides_data is true, redirect to this URI when the applicant has submitted their data.
consideroptional
Array of names of particular reports to return consider as their results. This is a feature available in sandbox testing which you can read more about.
webhook_idsoptional
Array of strings describing which webhooks to trigger for this check. By default, all webhooks registered in the account will be triggered and this value will be null in the responses.
us_driving_licenceoptional
An object that contains all accepted fields for the Driver's License Data Verification report.

1: For a check containing a Document and Facial Similarity report, you only need to specify 1 document ID which will be used for both reports. You should only specify 2 document IDs when the uploaded document has a front and a back side. If 2 document IDs are submitted in any other case, the Document report will be rejected for Image Quality: two_documents_uploaded.

2: If asynchronous is set to false:

  • the request to create a check will only return a response when all the reports in the check complete the automatic part of the review, or the request times out after 29 seconds
  • if all reports are completed automatically, the check response is returned with a status of complete
  • if one of the reports goes to manual review (the status of the report is awaiting_approval) the check response is returned with a status of in_progress
  • a check created in sandbox will always complete automatically and never time out, so may not give an accurate representation of the behaviour

webhook_ids

The majority of users do not need to set this parameter. By default, events will be sent to all configured webhooks.

If you need a check to only trigger a subset of your webhooks (for example, if you have multiple regional specific webhooks subscribed to report.completed), you can list the IDs of the webhooks this check should trigger by passing the following array as part of your check request:

"webhook_ids": ["<VALID-WEBHOOK-ID-1>", "<VALID-WEBHOOK-ID-2>", ...]

If an invalid webhook ID is included in the list, that ID will be ignored and the request will be processed as though it were not included.

Omitting webhook_ids from the request, or including any of the following in your request will cause the default behavior of setting the check to trigger all webhooks you've created:

  • "webhook_ids": undefined
  • "webhook_ids": null
  • "webhook_ids": []

To make a check ignoring all webhooks you've created, pass the following as part of your check request:

"webhook_ids": ["no_webhooks"]

If any webhook IDs are included in addition to "no_webhooks", you will receive an error.

Inclusion of a webhook ID in webhook_ids does not affect the type of events that webhook is subscribed to.

Report names in API

The following table is of report names as they are described in the API.

Report nameAPI report name(s)
Documentdocument
Document Video Reportdocument_video
Document with Address Informationdocument_with_address_information
Document with Driving Licence Informationdocument_with_driving_licence_information
Facial Similarityfacial_similarity_photo
facial_similarity_photo_fully_auto
facial_similarity_video
facial_similarity_motion
Known Facesknown_faces
Identityidentity_enhanced
Watchlistwatchlist_aml
watchlist_enhanced
watchlist_standard
watchlist_peps_only
watchlist_sanctions_only
Proof of Addressproof_of_address
Driver's License Data Verificationus_driving_licence
Device Intelligencedevice_intelligence
Document with Driver Verificationdocument_with_driver_verification

When creating a check, pass these in an array of strings to report_names.

Create a check (Document report, Facial Similarity report)
1POST /v3.6/checks/ HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7 "applicant_id": "<APPLICANT_ID>",
8 "report_names": [
9 "document",
10 "facial_similarity_photo"
11 ]
12}

Retrieve check

GET
/v3.6/checks/{check_id}

Retrieves a single check. Returns a check object.

Please note: When integrating with Onfido Studio workflows, the status of verification checks is managed by workflow run output and can be retrieved by making a call to the Retrieve Workflow Run endpoint. This endpoint is only applicable for implementations where checks are created with the explicit SDK configuration of verification steps.

Retrieve a single check
1GET /v3.6/checks/<CHECK_ID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

List checks

GET
/v3.6/checks?applicant_id={applicant_id}

Returns all checks for an applicant. Returns data in the form: {"checks": [<LIST_OF_CHECK_OBJECTS>]}.

Query string parameters

applicant_id (required): the ID of the applicant whose checks you want to list.

List all checks associated with an applicant
1GET /v3.6/checks?applicant_id=<APPLICANT_ID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Resume check

POST
/v3.6/checks/{check_id}/resume

Resumes a paused check. If successful, returns a 204 No Content response.

A check is paused if all the reports that it contains are in the paused state.

When a check where applicant_provides_data is true gets resumed, all its reports will start processing immediately if the applicant has already submitted the form. The check status will automatically change to in_progress. Otherwise, the check will remain as awaiting_applicant and the reports will only start processing after the applicant submits the form.

Resume a paused check
1GET /v3.6/checks/<CHECK_ID>/resume HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Download check

GET
/v3.6/checks/{check_id}/download

Downloads a PDF of a check with a given check ID. Returns the binary data representing the PDF.

Download a check PDF
1GET /v3.6/checks/{check_id}/download HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Reports

In the Onfido API, checks are composed of one or more reports.

Please note: When integrating with Onfido Studio workflows, the results of reports are managed by workflow run output and can be retrieved by making a call to the Retrieve Workflow Run endpoint, with results returned in the output attribute. Report endpoints are only applicable for implementations where reports are part of checks created with the explicit SDK configuration of verification steps.

Report object

The report object will differ depending on the report itself.

AttributeDescription
idstring
The unique identifier for the report.
created_atdatetime
The date and time at which the report was first initiated.
namestring
The type of report.
hrefstring
The API endpoint to retrieve the report.
statusstring
The current state of the report in the checking process.
resultstring
The result of the report (null if report is incomplete).
sub_resultstring
The sub_result of the report. It gives a more detailed result for Document reports only, and will be null otherwise.
breakdownobject
The details of the report. This is specific to each type of report.
propertiesobject
The properties associated with the report, if any.
documentsarray
The document IDs that were processed. Populated for Document and Facial Similarity reports, otherwise an empty array.
check_idstring
The ID of the check to which the report belongs.

The breakdown object differs for each report type. For example, for Document reports.

Report status

StatusDescription
awaiting_dataOnfido has made a request to one of its data providers and we are waiting on their reply.
awaiting_approvalReport is undergoing manual review.
cancelledReport has been cancelled using the cancel report endpoint.
completeReport is done.
withdrawnReport has been automatically withdrawn by the system. For example, due to missing data.
pausedReport is paused until you, i.e. the client, switch it on manually. Special case used by clients who want to collect data and run the reports when they want and not immediately.

Report results

The result field indicates the overall result of a report. The possible values of this field are:

Report resultDescription
clearIf all underlying verifications pass, the overall result will be clear.
considerIf the report has returned information that needs to be evaluated, the overall result will be consider.
unidentifiedFor Identity Enhanced and Driver's License Data Verification reports only.
nullFor Proof of Address reports only.

Sub results (Document reports)

The sub_result field indicates a more detailed result and is unique to Document reports.

Report sub_resultDescription
clearIf all underlying verifications pass, the overall sub result will be clear.
rejectedIf the report has returned information where the check cannot be processed further (poor quality image or an unsupported document).
suspectedIf the document that is analysed is suspected to be fraudulent.
cautionIf any other underlying verifications fail but they don't necessarily point to a fraudulent document (such as the name provided by the applicant doesn't match the one on the document).

Retrieve report

GET
/v3.6/reports/{report_id}

Retrieves a single report. Returns a report object.

Please note: When integrating with Onfido Studio workflows, the results of reports are managed by workflow run output and can be retrieved by making a call to the Retrieve Workflow Run endpoint, with results returned in the output attribute. This endpoint is only applicable for implementations where reports are part of checks created with the explicit SDK configuration of verification steps.

Retrieve a single report
1GET /v3.6/reports/<REPORT_ID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

List reports

GET
/v3.6/reports?check_id={check_id}

Lists all reports belonging to a particular check. Returns data in the form: {"reports": [<LIST_OF_REPORT_OBJECTS>]}.

Query string parameters

check_id (required): the ID of the check whose reports you want to list.

List all reports associated with a check
1GET /v3.6/reports?check_id=<CHECK_ID> HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Resume report

POST
/v3.6/reports/{report_id}/resume

Resumes a single paused report. If successful, returns a 204 No Content response.

When an individual report gets resumed in a check where applicant_provides_data is true, it will start processing immediately if the applicant has already submitted the form. The report status will automatically change from paused to awaiting_data. Otherwise, the status change will happen but the report processing will only start after the applicant submits the form.

Note that you can resume all reports within a check by resuming the check itself.

Resume a single paused report
1POST /v3.6/reports/<REPORT_ID>/resume HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Cancel report

POST
/v3.6/reports/{report_id}/cancel

Cancels single paused reports. If successful, returns a 204 No Content response.

When a report gets cancelled in a check where applicant_provides_data is true, its status will change from paused to cancelled and the report will never get processed.

Cancel a single paused report
1POST /v3.6/reports/<REPORT_ID>/cancel HTTP/1.1
2Host: api.eu.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Responsible Disclosure

Responsible Disclosure Policy

Security is a top priority for Onfido and we value the work done by researchers in improving the security of our products and services. We encourage responsible vulnerability research and disclosure and if you discover a vulnerability in any of our systems, please let us know about it so we can address it as quickly as possible. We are committed to working with the community to verify, reproduce, and respond to all the submissions in a timely manner.

Our full policy can be found at the following URLs:

Reporting a Vulnerability

If you believe you’ve discovered a security vulnerability, please let us know by submitting a report at https://vdp.onfido.com/p/Send-a-report

Onfido highly appreciates the efforts made by the reporting party in identifying the vulnerability or error. Reporting of such vulnerabilities and errors will contribute to improving the security and reliability of our product and services.

Bug Bounty

Onfido currently operates a private bug bounty on the YesWeHack platform. If you want to actively participate in the program, please let us know and contact us at bugbounty@onfido.com. You can find more information here.

Contact

Please submit any vulnerability reports at https://vdp.onfido.com/p/Send-a-report. If you aren’t sure whether a system or an issue is in scope or not, contact us at bugbounty@onfido.com.

 

Table of contents
Core Resources
Report Types
Other Endpoints