Overview

Get started (API v2)

The Onfido API is based on REST principles. It uses standard HTTP response codes and verbs, and token-based authentication.

If you're just getting started with our API, read our quick-start guides.

Request, response format

You should use a Content-Type: application/json header with all PUT and POST requests except when uploading documents or live photos. For these requests, use a Content-Type: multipart/form-data header.

Responses return JSON with a consistent structure, except downloads.

You must make all your requests to the API over HTTPS and TLS 1.2+, with Server Name Indication enabled. Any requests made over HTTP will fail.

Text fields support UTF-8, but do not allow certain special characters.

Token authentication

The Onfido API uses token-based authentication. API tokens must be included in the header of all requests made to the API.

You can generate new tokens and find your existing ones in your Onfido Dashboard.

You can make requests using sandbox tokens to test our API before you go live.

Token Authentication

1Authorization: Token token=<YOUR_API_TOKEN>

API tokens

You can use API tokens to authenticate any API action described in this documentation.

You must never use API tokens in the frontend of your application or malicious users could discover them in your source code. You should only use them on your server.

If you do need to collect applicant data in the frontend of your application, we recommend that you use one of the Onfido Smart Capture SDKs.

You should limit live API token access to only the minimum number of people necessary, but you can use sandbox tokens to freely experiment with the sandbox Onfido API.

Note that there are some differences between the sandbox and live APIs.

You should not embed API tokens in your backend code—even if it’s not public—because this increases the risk that they will be discovered. Instead, you should store them in configuration files or environment variables. Please consider enabling GitHub's Secret Scanning and Push Protection feature when hosting your code on GitHub. This will help detect and safeguard Onfido API Tokens that could inadvertently be exposed in your repositories.

You should also periodically rotate your live API tokens (see next section).

API token rotation

We highly recommend that you rotate live API tokens when staff members with access to those tokens leave your organisation. Consider creating a leaver's process which covers this.

You can create and revoke API tokens, and see when they were last used, in your Onfido Dashboard.

Create a new API token
Wherever you use your old API token, replace it with the new one
Confirm your old token isn't in use
Revoke your old token

Your old API tokens will continue to work until you revoke them, so you can rotate your tokens without users experiencing any downtime.

SDK tokens

If you're using the Android SDK at lower than version 4.11.0 or the iOS SDK lower than 12.2.0, please update your integration to use a Mobile SDK version which supports SDK tokens.

All of the latest Onfido Smart Capture SDKs authenticate using SDK tokens. You cannot use an API token to authenticate the SDKs.

SDK tokens are restricted to an individual applicant and expire after 90 minutes.

You can generate SDK tokens using an API endpoint.

Sandbox testing

For sandbox requests, the rate limit is 30 requests per minute. When you hit the limit, you'll receive a 429 Too Many Requests error.

The type of token you use will determine whether you use the sandbox or live environment.

You can use the sandbox to test your technical integration with Onfido's software and to simulate API requests. You should never upload confidential information, including personal data, to the sandbox.

To use the sandbox, you'll need a sandbox API token. You can generate one in your Onfido Dashboard.

You can use the sandbox API to check:

your system's network connectivity with the Onfido API
your webhooks are working correctly
you're posting all required data in the correct format to the Onfido API
you're handling the Onfido API responses correctly

By default, sandbox API tokens start with a api_sandbox. prefix, while live API tokens start with a api_live. prefix. This might vary if you're using a different region environment.

You can make all the same API requests in the sandbox API as in the live one. You will also be notified of check and report status changes via your registered webhooks.

Sandbox and live differences

The key differences between sandbox and live checks are:

sandbox check data is not processed by Onfido services or third parties - this means that sandbox responses are faster than live responses
sandbox check results are pre-determined (but contain the same result response structures as live requests)
sandbox applicants are isolated from the live environment (but applicant notification emails still get sent out to sandbox applicants)
you won't be charged for checks in sandbox

Sample document, photo

You can use the upload document endpoint with the following files as part of running test checks:

The sandbox API will always return pre-determined responses, regardless of what files are uploaded.

These files also work for testing the Onfido Smart Capture SDKs.

Pre-determined responses

To help you test your integration in the sandbox API, you can trigger pre-determined report responses.

Pre-determined responses work for the following report types:

Identity
Document
Watchlist KYC
Watchlist AML
Watchlist Full
Facial Similarity Standard
Facial Similarity Video
Repeat Attempts
Proof of Address

Pre-determined 'consider' results

To test only 'consider' report responses:

Create an applicant which has the last name "Consider"
Create a check with this applicant

All reports specified in check creation will return a consider report result. If you use any other applicant last name, the result will be clear.

Different reports have different minimum requirements for applicant data (even in the sandbox).

Create an applicant with last name of Consider

1POST /v2/applicants/ HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7  "first_name": "Jane",
8  "last_name": "Consider"
9}

Pre-determined 'consider' and 'clear' results

To test different sandbox report responses simultaneously, you can pass specific report types to the consider parameter (in an array).

Only the reports specified in the consider array will return a consider report result. All other reports in the check will return a clear result.

Trigger multiple report results simultaneously

1POST /v2/applicants/<APPLICANT_ID>/checks HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7  "type": "express",
8  "reports": [
9    {
10      "name": "identity"
11    },
12    {
13      "name": "watchlist"
14    }
15  ],
16  "consider": [
17    "identity"
18  ]
19}

Pre-determined responses for Document reports

The sandbox API supports additional functionality for testing Document reports. You can trigger pre-determined Document report responses for specific:

breakdowns and sub-breakdowns
document types
sub-results

For Document reports, first_name and last_name must be provided when creating an applicant (even in the Sandbox).

Breakdowns and sub-breakdowns

You can trigger responses for particular breakdowns and sub-breakdowns for sandbox Document reports. These responses show possible breakdown and sub-breakdown combinations that can be flagged for a consider report result.

To test breakdown - sub-breakdown combinations:

Create an applicant which has the first_name as the "breakdown - sub-breakdown" combination you intend to trigger.

Sandbox supports the following options:

"Image Integrity - Supported Document"
"Image Integrity - Image Quality"
"Visual Authenticity - Fonts"
"Visual Authenticity - Security Features"
"Visual Authenticity - Face Detection"
"Data Validation - Document Numbers"
"Data Consistency - Document Type"

You can also include a document type by specifying last_name as a supported sandbox document type during applicant creation.

Create a check with this applicant.

Passing a first_name option to generate a Document report pre-determined response will override any conflicting option passed to the applicant's last_name.

Trigger an Image Integrity - Supported Document breakdown combination for a Document report

1POST /v2/applicants/ HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7  "first_name": "Image Integrity - Supported Document",
8  "last_name": "Smith"
9}

Pre determined document types

You can trigger responses for particular document types for sandbox Document reports. These responses show a Document report response including the specific properties for the associated document type.

To test different document types:

Create an applicant which has the last_name as the document type you intend to test.

Sandbox supports the following options:

Sandbox option	Sandbox option *	Document type **
`"CA DL 2018"`	`"CA DL 2018 front only"`	US drivers license for California state
`"NY DL 2017"`	`"NY DL 2017 front only"`	US drivers license for New York state
`"Ontario ID 2010"`	-	Canadian national identity card for Ontario
`"FRA ID 1994"`	`"FRA ID 1994 front only"` and `"FRA ID 1994 front only rejected"`	French identity card

* Specifying "front only" means only data contained on the front side of the document will be returned in the properties.

** The document type properties returned are specific to the document version supported in Sandbox.

You can also trigger a flagged "breakdown - sub-breakdown" combination by specifying first_name as a supported combination during applicant creation.

Create a check with this applicant.

Trigger a Document report with US drivers license for California state

1POST /v2/applicants/ HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7  "first_name": "Jane",
8  "last_name": "CA DL 2018"
9}

Sub-results

You can trigger responses for particular sub-results for sandbox Document reports. These responses show possible individual breakdown results which can lead to different sub-results.

To do this:

Create an applicant which has the last_name as one of the following strings:

"clear"
"rejected"
"suspected"
"caution"

Create a check with this applicant.

You can't also specify a document type when testing sub-results.

Trigger a rejected sub-result for a Document report

1POST /v2/applicants/ HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7  "first_name": "Jane",
8  "last_name": "rejected"
9}

Pre-determined responses for Facial Similarity reports

The sandbox API supports additional functionality for testing breakdowns and sub-breakdowns for Facial Similarity Photo, Photo Fully Auto, Video and Motion reports.

For Facial Similarity reports, first_name and last_name must be provided when creating an applicant (even in the Sandbox).

Breakdowns and sub-breakdowns

You can trigger responses for particular breakdowns and sub-breakdowns for sandbox Facial Similarity reports. These responses show possible breakdown and sub-breakdown combinations that can be flagged for a consider report result.

To test breakdown - sub-breakdown combinations:

Create an applicant which has the first_name as the "breakdown - sub-breakdown" combination you intend to trigger.

Sandbox supports the following options:

"Visual Authenticity - Spoofing Detection"
"Face Comparison - Face Match"
"Image Integrity - Source Integrity"
"Image Integrity - Face Detected"

Create a check with this applicant.

Trigger an Visual Authenticity - Spoofing Detection breakdown combination for a Facial Similarity report

1POST /v2/applicants/ HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7  "first_name": "Visual Authenticity - Spoofing Detection",
8  "last_name": "Smith"
9}

Applicant IDs returned in the response don't map to actual sandbox applicants, they are example uuids to represent the applicant ID field. As a result, there is no associated applicant data.

Pre-determined responses for Repeat Attempts

The sandbox API supports additional functionality for testing breakdowns and sub-breakdowns for Repeat Attempts.

To help you integrate with this service, you can generate pre-defined Repeat Attempts responses. Depending on the scenario you are trying to test, you can use one of four possible keywords as the report_uuid in the request URL:

match
mismatch
error
empty

Trigger a Repeat Attempts match

1$ curl -X POST https://api.eu.onfido.com/v2/repeat_attempts/match \
2  -H 'Authorization: Token token=<YOUR_API_TOKEN>' \

Below is a pre-determined response example for a Repeat Attempts match:

json

1{
2	"report_id": "00000000-0000-0000-0000-000000000000",
3	"repeat_attempts": [
4		{
5			"report_id": "00000000-0000-0000-0000-000000000001",
6			"applicant_id": "00000000-0000-0000-0000-000000000003",
7			"date_of_birth": "match",
8			"names": "match",
9			"result": "clear",
10			"created_at": "2022-01-06T14:46:43Z",
11			"completed_at": "2022-01-06T15:46:43Z"
12		},
13		{
14			"report_id": "00000000-0000-0000-0000-000000000002",
15			"applicant_id": "00000000-0000-0000-0000-000000000003",
16			"date_of_birth": "match",
17			"names": "match",
18			"result": "clear",
19			"created_at": "2022-02-18T03:09:34Z",
20			"completed_at": "2022-02-18T03:10:34Z"
21		}
22	],
23	"attempts_count": 3,
24	"attempts_clear_rate": 1,
25	"unique_mismatches_count": 0
26}

Go live

Before you go live, you may find the introductory guides in our Getting Started section useful.

API client libraries

Language	Library	Notes
Ruby	onfido-ruby	API v2 support only up to v0.15.0
Java	api-java-client
JavaScript	api-javascript-client
Python	api-python-client
PHP	api-php-client

Refer to our API versioning guide for details on client library versioning.

OpenAPI specification

We publicly host an OpenAPI specification.

For any custom libraries you generate yourself with this specification, we can only provide support on a best-effort basis.

Rate limits

Onfido's API enforces a maximum volume of requests per second for all clients. Unless contractually agreed otherwise, the maximum rate is 400 requests per minute (up to 7 requests per second with a burst of 14 requests).

For sandbox requests, the rate limit is 120 requests per minute (up to 2 requests per second with a burst of 4 requests).

Onfido uses the token bucket algorithm to handle usage.

Any request over the limit will return a 429 Too Many Requests error.

Rate limit reached error object

1HTTP/1.1 429 Too Many Requests
2Content-Type: application/json
3
4{
5  "error": {
6    "type": "rate_limit",
7    "message": "Rate limit exceeded. Please try again later."
8  }
9}

Regions

Onfido offers region-specific environments: EU (default), US, and Canada. You can use these to store the data in your Onfido account at rest within a specific geographic region.

Regions have unique base URLs and API token formats for both live and sandbox environments.

Change the region to US

1Onfido.configure do |config|
2  config.region = 'us'
3end

Region	Notes	API base URL	API token format
EU	Default	`https://api.onfido.com/`
US		`https://api.us.onfido.com/`	Tokens are prepended with `api_live_us.` and `api_sandbox_us.`
CA		`https://api.ca.onfido.com/`	Tokens are prepended with `api_live_ca.` and `api_sandbox_ca.`

Unless specified, all examples in the documentation refer to the default https://api.onfido.com/ base URL and token format.

For the 'EU' region, data is physically stored in the Republic of Ireland, with backup storage in Germany.

Versioning policy

Refer to our API versioning guide for details on Onfido's versioning policy.

Changelog


2022-01-12	Added documentation for Watchlist AML report.
2021-07-21	Added documentation for new Sandbox functionality.
2021-05-11	Added share code content to Right to Work report (product now deprecated and no longer available)
2021-02-22	Added information about `privacy_notices_read_consent_given` parameter to check creation.
2020-10-22	New API documentation system released
2020-09-18	Added new sandbox pre-determined responses for Document reports
2020-06-09	Adds Canada region base URL and Canada webhook IP addresses
2020-03-12	Added documentation on the Known Faces report
2020-02-04	Removed the ability to charge applicants for checks
2019-11-25	Updated the example webhook event object
2019-11-19	Added documentation for using line1, line2, line3 for address
2019-11-08	Added documentation for building custom logic around Identity reports
2019-10-30	Added documentation on forbidden characters for names and addresses
2019-09-11	Added documentation on API token rotation
2019-09-04	Updated documentation on Mobile tokens and SDK tokens
2019-09-01	Updated documentation for Autofill endpoint and Document report results
2019-08-31	Added documentation surrounding logic around Document report results
2019-06-05	Added endpoint to download a live video frame
2019-03-14	Removed 'Conditional checks' section
2019-03-11	Added testing data for Proof of Address
2019-03-07	Added a 'Run in Postman' button linking to a Postman API collection
2019-02-18	Removed documentation for UK credit and criminal history reports
2019-02-06	Updated the Proof of Address documentation
2018-12-18	Added a new rate limits feature
2018-12-13	Removed documentation for India Aadhaar and PAN Card reports
2018-12-03	Added applicant deletion feature
2018-11-26	Added Proof of Address report
2018-10-15	Added `age_validation` as a new breakdown on the Document report
2018-09-18	Removed documentation for US-specific reports
2018-08-15	Added `documents` as a new report argument
2018-05-24	Added new Autofill endpoint
2017-12-18	Updated documentation on basic criminal history report Added support for additional criminal history report details for basic criminal history reports in create check Removed support for basic criminal history report as an Express check
2017-12-04	Added new events to the webhooks section
2017-08-25	Updated documentation on Facial Similarity Report Added support for Facial Similarity reports under sandbox responses
2017-07-14	Added a new token authentication scheme for the web SDK
2017-03-03	Added report options for Watchlist full report
2017-02-21	Added support for additional reports under sandbox responses
2017-02-01	Added new client libraries
2017-01-18	Added `social_insurance` as a id number type
2016-12-08	Added support for basic criminal history report as an Express check
2016-10-31	Added support of testing multiple-report scenarios inside sandbox
2016-10-24	Added support of additional criminal history report details in create check
2016-09-29	Added documentation around tag support for checks Added more detailed description of applicant address requirements
2016-09-15	Added endpoint to download document for a particular applicant
2016-09-07	Added charge_applicant_for_check support for Standard check Added Drug Test support Updated Right to Work report document requirements (product now deprecated and no longer available) Added SSN format specification
2016-09-01	Added new section on Testing
2016-08-25	Added the referrer argument to the JSON web token endpoint
2016-08-25	Added endpoint: Create live photo Added new report: Facial Similarity Report
2016-08-25	Added two new endpoints: Delete applicant Update applicant
2016-08-15	Added Right to Work support (product now deprecated and no longer available) Added documentation on criminal history supported options Added documentation on supported Applicant `title` values Added documentation on UK Address `street` attribute character limit restriction Added documentation on Create check `suppress_form_email` attribute
2016-08-08	Added Resume Report endpoint and Conditional Checks documentation
2016-07-14	Added Report Type Groups (packages) support
2016-04-25	Released API v2: Restructures document report results for greater clarity and detail Changes the report type name for SSN trace from `identity` to `ssn_trace`

Upcoming maintenance

There's currently no scheduled maintenance.

Errors

All errors are returned with the same structure:

json

1{
2  "error": {
3    "type": <TYPE>,
4    "message": <MESSAGE>,
5    "fields": <FIELDS - NOT ALWAYS PRESENT>
6  }
7}

Example error object

Attribute	Description
type	string The type of error returned.
message	string A human-readable message giving more details about the error.
fields	object The invalid fields and their associated errors. Only applies to validation errors.

Example validation error object

1HTTP/1.1 422 Unprocessable Entity
2Content-Type: application/json
3
4{
5  "error": {
6    "type": "validation_error",
7    "message": "",
8    "fields": {
9      "email": [
10        "invalid format"
11      ]
12      "name": [
13        "can't be blank"
14      ]
15    }
16  }
17}

Error codes and what to do

Status	Action
400 bad_request	Make sure your request is formatted correctly.
401 authorization_error	Make sure you've entered your API token correctly. The Onfido Smart Capture SDKs use SDK tokens for authentication, not API tokens. If you're receiving a 401 error on one of our SDKs, check you've entered a valid application ID when generating the SDK token.
401 user_authorization_error	Contact an administrator about user permissions.
401 bad_referrer	Check the referrer used to generate the SDK token.
401 expired_token	Request a new SDK token.
403 account_disabled	Please contact client-support@onfido.com.
403 trial_limits_reached	Please contact client-support@onfido.com.
404 resource_not_found	Make sure you've formatted the URI correctly.
410 gone	The resource has been deleted or is scheduled for deletion.
422 validation_error	Check the `fields` property for a specific error message.
422 missing_billing_info	Make sure you've provided your billing information before starting a check.
422 missing_documents	Make sure you've uploaded the required documents before starting a check.
422 invalid_reports_names	Make sure you've entered the report name(s) in the correct format (string).
422 missing_id_numbers	Make sure you've supplied all required ID numbers.
422 report_names_blank	Make sure you've specified `report_names` in your request.
422 report_names_format	`report_names` must be an array of strings, not an array of objects.
422 deprecated_reports	The requested reports have been deprecated.
422 check_type_deprecated	`type` is not used in this version of the API. See the API v2 to v3.2 migration guide.
422 document_ids_without_document_report	You should only specify the optional `document_ids` argument when creating a check containing a Document report.
422 facial_similarity_photo_without_document	For `applicant_provides_data` checks, Facial Similarity reports must be paired with a Document report. See the API v2 to v3.2 migration guide.
422 facial_similarity_video_not_supported	The Facial Similarity Video report is not supported for checks where `applicant_provides_data` is `true`. See the API v2 to v3.2 migration guide.
422 failed_check_requirements	Check that all required information has been provided and correctly specified.
422 incomplete_checks	There are other ongoing checks associated with this applicant.
422 disabled_reports	There are reports disabled in your account. Please contact client-support@onfido.com.
422 too_many_checks	You have exceeded the limit of 1000 checks for the given applicant.
429 rate_limit	The rate limit has been reached. Please try again later.
500 internal_server_error	The server encountered an error. If this persists, please contact client-support@onfido.com.

Core Resources

Applicants

An applicant represents an individual who will be the subject of a check. An applicant must exist before a check can be initiated.

Different report types have different minimum requirements for applicant data, and different recommended data. For each report, this information is noted in under the relevant section of this documentation. For example, for Document reports.

Applicants with Sanctioned Documents

If an applicant uploads a document which is issued by a country subject to comprehensive US sanctions (list of countries here), any reports run with that applicant will return a withdrawn status unless otherwise specified in the report documentation. Current exceptions to this are the Document and Facial Similarity reports, which will still run but return a result indicating the presence of a sanctioned document.

Applicant object

Attribute	Description
id	string The unique identifier for the applicant.
created_at	datetime The date and time when this applicant was created.
delete_at	datetime The date and time when this applicant is scheduled to be deleted, or `null` if the applicant is not scheduled to be deleted.
href	string The URI of this resource.
title	string The applicant's title. Valid values are `Mr`, `Mrs`, `Miss` and `Ms`.
first_name	string The applicant's first name.
middle_name	string The applicant's middle name(s) or initial.
last_name	string The applicant's surname.
email	string The applicant's email address.
gender	string The applicant's gender. Valid values are `male` and `female`.
dob	date The applicant's date of birth in YYYY-MM-DD format.
telephone	string The applicant's landline phone number.
mobile	string The applicant's mobile phone number.
country	string The country where this applicant will be checked. This must be a three-letter ISO code e.g. `GBR` or `USA`. If not provided the default is `GBR`.
mothers_maiden_name	string The applicant's mother's maiden name.
previous_last_name	string The applicant's previous surname.
nationality	string The applicant's current nationality. This must be a three-letter ISO code e.g. `GBR` or `USA`.
country_of_birth	string The applicant's country of birth. This must be a three-letter ISO code e.g. `GBR` or `USA`.
town_of_birth	string The applicant's town of birth.
id_numbers	array of id number objects A collection of identification numbers belonging to this applicant.
addresses	array of address objects The address history of the applicant.
sandbox	Boolean Indicates whether the object was created in the sandbox or not.

ID number object

The ID number array of objects is nested inside the applicant object.

Attribute	Description
type	string Type of ID number. Valid values are `ssn`, `social_insurance` (e.g. UK National Insurance), `tax_id`, `identity_card`, `driving_licence`, `share_code`.
value	string Value of ID number. `ssn` supports both the full SSN or the last 4 digits. If the full SSN is provided then it must be in the format `xxx-xx-xxxx`.
state_code	string Two letter code of issuing state (state-issued driving licences only).

The type in the id_numbers array uses the spelling "driving_license". The type for the Document resource in the API uses the spelling "driving_licence".

Addresses object

The addresses array of objects is nested inside the applicant object.

Attribute	Description
flat_number	string The flat number.
building_number	string The building number.
building_name	string The building name.
street	string The street of the applicant's address. There is a 32-character limit on this field for UK addresses.
sub_street	string The sub-street.
town	string The town.
state	string The address state. US states must use the USPS abbreviation (see also ISO 3166-2:US), for example `AK`, `CA`, or `TX`.
postcode	string The postcode or ZIP of the applicant's address. For UK postcode, specify the value in the following format: `SW4 6EH`.
country	string The 3-character ISO country code of this address. For example, `GBR` is the country code for the United Kingdom.
start_date	date The date the applicant started living at this address in YYYY-MM-DD format.
end_date	date The date the applicant left this address in YYYY-MM-DD format. If current residence, leave `null`.
line1	string Line 1 of the address.
line2	string Line 2 of the address.
line3	string Line 3 of the address.

postcode and country are required fields if an address is provided for an applicant. For US addresses, state is also a required field.

Most addresses will contain information such as flat_number. Make sure they are supplied as separate fields, and do not try and fit them all into the street field. Doing so is likely to affect check performance.

Alternatively, if you're creating a check with an Identity KYC report on an applicant, you can provide addresses in the form line1, line2 and line3. If you provide address data in this form, Onfido uses a third-party subprocessor for address cleansing.

Forbidden characters

For addresses the following characters are forbidden:

!$%^*=<>

For names the following characters are forbidden:

^!#$%*=<>;{}"

Example applicant object

1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5  "id": "<APPLICANT_ID>",
6  "created_at": "2014-05-23T13:50:33Z",
7  "delete_at": "2018-10-31T04:39:52Z",
8  "href": "/v2/applicants/<APPLICANT_ID>",
9  "title": "Mr",
10  "first_name": "John",
11  "middle_name": null,
12  "last_name": "Smith",
13  "gender": "Male",
14  "dob": "2013-02-17",
15  "telephone": "02088909293",
16  "mobile": null,
17  "country": "GBR",
18  "mothers_maiden_name": "Johnson",
19  "previous_last_name": null,
20  "nationality": "USA",
21  "country_of_birth": "USA",
22  "town_of_birth": "New York City",
23  "id_numbers": [
24    {
25      "type": "ssn",
26      "value": "433-54-3937"
27    },
28    {
29      "type": "driving_license",
30      "value": "I1234562",
31      "state_code": "CA"
32    }
33  ],
34  "addresses": [
35    {
36      "flat_number": null,
37      "building_name": null,
38      "building_number": "100",
39      "street": "Main Street",
40      "sub_street": null,
41      "state": null,
42      "town": "London",
43      "postcode": "SW4 6EH",
44      "country": "GBR",
45      "start_date": "2013-01-01",
46      "end_date": null
47    },
48    {
49      "flat_number": "Apt 2A",
50      "building_name": null,
51      "building_number": "1017",
52      "street": "Oakland Ave",
53      "sub_street": null,
54      "town": "Piedmont",
55      "state": "CA",
56      "postcode": "94611",
57      "country": "USA",
58      "start_date": "2006-03-07",
59      "end_date": "2012-12-31"
60    }
61  ]
62}

Create applicant

POST

https://api.onfido.com/v2/applicants/

Using this endpoint in a live context will cause you to send personal data to Onfido. Always make sure you inform your users about this and obtain any necessary permissions. For more information on how Onfido uses personal data, view our Privacy Policy.

Creates a single applicant. Returns an applicant object.

When you create an applicant, some characters are forbidden.

The parameters required depend on whether you are planning to perform Standard or Express checks on this applicant. Standard checks require the applicant to provide their information using Onfido's applicant form, whereas Express checks are performed using data provided through the API.

The minimum required (and recommended) applicant data depends on the type of report requested. For example, for Document reports.

Request body parameters


title	optional The applicant's title. Valid values are `Mr`, `Mrs`, `Miss` and `Ms`.
first_name	required The applicant's forename.
last_name	required The applicant's surname.
middle_name	optional The applicant's middle name(s) or initials.
email	required if creating a Standard check The applicant's email address.
gender	optional The applicant's gender. Valid values are `male` and `female`.
dob	optional The applicant's date of birth in YYYY-MM-DD format.
telephone	optional The applicant's landline phone number.
mobile	optional The applicant's mobile phone number.
country	optional The country where this applicant will be checked. This must be a three-letter ISO code e.g. `GBR` or `USA`. If not provided the default is `GBR`.
mothers_maiden_name	optional The applicant's mother's maiden name.
previous_last_name	optional The applicant's previous surname.
nationality	optional The applicant's current nationality. This must be a three-letter ISO code e.g. `GBR` or `USA`.
country_of_birth	optional The applicant's country of birth. This must be a three-letter ISO code e.g. `GBR` or `USA`.
town_of_birth	optional The applicant's town of birth.
id_numbers	optional A collection of identification numbers belonging to this applicant.
addresses	optional The address history of the applicant.

Create an applicant

1POST /v2/applicants/ HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7  "first_name": "Jane",
8  "last_name": "Doe",
9  "dob": "1990-01-31",
10  "country": "GBR",
11  "addresses": [
12    {
13      "building_number": "100",
14      "street": "Main Street",
15      "town": "London",
16      "postcode": "SW4 6EH",
17      "country": "GBR",
18      "start_date": "2013-01-31"
19    }
20  ]
21}

Retrieve applicant

GET

https://api.onfido.com/v2/applicants/{applicant_id}

Retrieves a single applicant. Returns an applicant object.

Retrieve an applicant

1GET /v2/applicants/<APPLICANT_ID> HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Update applicant

PUT

https://api.onfido.com/v2/applicants/{applicant_id}

Updates an applicant's information. Returns the updated applicant object.

Partial updates are valid
Addresses and ID numbers present will replace existing ones
Takes the same request body parameters as creating an applicant
Applicant details can be updated between check creations

Update an applicant

1PUT /v2/applicants/<APPLICANT_ID> HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7  "first_name": "New",
8  "last_name": "Name"
9}

Delete applicant

DELETE

https://api.onfido.com/v2/applicants/{applicant_id}

Deletes a single applicant. If successful, returns a 204 No Content response.

Sending a deletion request adds the applicant object and all associated documents, photos, videos, checks, reports and analytics data to our deletion queue. The objects will be permanently deleted from Onfido's production object storage and relational database system after a deletion delay which can be configured by emailing our client support team. After deletion, applicant details cannot be recovered or queried, and Onfido will not be able to troubleshoot. Within the delay period, the applicant can be restored. For more information about Onfido's deletion service, see our Data Deletion FAQ.

Once deleted, Onfido will not be able to carry out any troubleshooting or investigate any queries raised by the client. It is for this reason we recommend a longer deletion period, for example, a minimum of thirty days.

Delete an applicant

1DELETE /v2/applicants/<APPLICANT_ID> HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Restore applicant

POST

https://api.onfido.com/v2/applicants/{applicant_id}/restore

Restores a single applicant scheduled for deletion. If successful, returns a 204 No Content response.

A restore request will also restore all associated documents, photos, videos, checks, reports and analytics data.

Applicants that have been permanently deleted cannot be restored.

Restore an applicant

1POST /v2/applicants/<APPLICANT_ID>/restore HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

List applicants

GET

https://api.onfido.com/v2/applicants/

Lists all applicants you've created, sorted by creation date in descending order. Returns data in the form: {"applicants": [<LIST_OF_APPLICANT_OBJECTS>]}.

Requests to this endpoint will be paginated to 20 items by default.

Query string parameters

include_deleted=true (optional): include applicants scheduled for deletion.

per_page (optional): set the number of results per page (500 at maximum). Defaults to 20.

page (optional): return specific pages. Defaults to 1.

Link header

The Link header contains pagination information. For example:

Link: [https://api.onfido.com/v2/applicants?page=3059](https://api.onfido.com/v2/applicants?page=3059); rel="last", [https://api.onfido.com/v2/applicants?page=2](https://api.onfido.com/v2/applicants?page=2); rel="next"

Possible rel values are:

Name	Link relation (description)
`next`	Next page of results.
`last`	Last page of results.
`first`	First page of results.
`prev`	Previous page of results.

The custom X-Total-Count header gives the total resource count.

Return all applicants youve created

1GET /v2/applicants?page=1&per_page=5 HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Documents

Some reports require uploaded identity documents in order to be processed successfully.

Depending on the type of the document, we may require both sides of the image to be uploaded. See the full list of documents we support.

Documents belong to a single applicant, so they must be uploaded after an applicant has been created.

The API uses the British English spelling driving_licence.

Document object

Attribute	Description
id	string The unique identifier of the document.
created_at	datetime The date and time at which the document was uploaded.
href	string The URI of this resource.
download_href	string The URI that can be used to download the document.
file_name	string The name of the uploaded file.
file_type	string The file type of the uploaded file.
file_size	integer The size of the file in bytes.
type	string The type of document.
side	string The side of the document, if applicable. The possible values are `front` and `back`.
issuing_country	string The issuing country of the document, in 3-letter ISO code, specified when uploading it.
applicant_id	string The id of the applicant to whom the document belongs.

Example document object

1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5  "id": "<DOCUMENT_ID>",
6  "created_at": "2019-02-11T13:49:20Z",
7  "file_name": "sample_driving_licence.png",
8  "file_type": "png",
9  "file_size": 490408,
10  "type": "driving_licence",
11  "side": "front",
12  "issuing_country": null,
13  "href": "/v2/applicants/<APPLICANT_ID>/documents/<DOCUMENT_ID>",
14  "download_href": "/v2/applicants/<APPLICANT_ID>/documents/<DOCUMENT_ID>/download"
15}

Document types

Identity documents

The following is a partial list of document types (i.e. type when uploading a document):

Type
`national_identity_card`
`driving_licence`
`passport`
`voter_id`
`work_permit`
`residence_permit`
`right_to_work_share_code_result`

This list is not exhaustive.

If you're unsure of the type of document you want to verify, you can submit documents with type unknown. In this case, we will attempt to classify and recognize the document type when processing a Document report.

Upload document

POST

https://api.onfido.com/v2/applicants/{applicant_id}/documents/

Uploads a single document as part of a multipart request. Returns a document object.

We provide a sample document to test this endpoint.

Valid file formats for documents are jpg, png and pdf. The file size must be between 32KB and 10MB. Maximum supported resolution is 64MPx.

Supply side when uploading documents for optimal results.

Request body parameters


file	required The file to be uploaded.
type	required The type of document. For example, `passport`.
side	optional (required for documents which have multiple sides) Either the `front` or `back` of the document.
issuing_country	optional (required for Proof of Address reports) The issuing country of the document in 3-letter ISO code.
validate_image_quality	optional A Boolean. Defaults to `false`. When `true` the submitted image will undergo an image quality validation which may take up to 5 seconds.

Image quality

You can request image quality validation when uploading a document. It is conducted synchronously and you'll receive the result as a response to your request.

When the image passes validation, returns a document object.

When the image fails validation, returns a 422 validation_error. There can be one or more failed image quality validations for a request. The list of reasons is provided in the fields property.

If the image fails validation, you should ask the end user to retake the photo of their document.

Field	Message
`detect_blur`	blur detected in image
`detect_cutoff`	cutoff document detected in image
`document_detection`	no document in image

Sample images to trigger various error responses can be provided.

Upload passport.png

1POST /v2/applicants/<APPLICANT_ID>/documents HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: multipart/form-data
5
6<YOUR FILE DATA (path/to/passport.png)>

Retrieve document

GET

https://api.onfido.com/v2/applicants/{applicant_id}/documents/{document_id}

Retrieves a single document. Returns a document object.

1GET /v2/applicants/<APPLICANT_ID>/documents/<DOCUMENT_ID> HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

List documents

GET

https://api.onfido.com/v2/applicants/{applicant_id}/documents/

Lists all documents belonging to an applicant, and includes any associated media (document photos and videos when these are retrieved by UUID).

Returns data in the form: {"documents": [<LIST_OF_DOCUMENT_OBJECTS>]}.

Query string parameters

applicant_id (required): the ID of the applicant ID whose documents you want to list.

List all documents for a specific applicant

1GET /v2/applicants/<APPLICANT_ID>/documents HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Download document

GET

https://api.onfido.com/v2/applicants/{applicant_id}/documents/{document_id}/download

Downloads specific documents belonging to an applicant. If successful, the response will be the binary data representing the image.

Path parameters

document_id (required): the unique identifier (UUID) of the document.

Download a document associated with an applicant

1GET /v2/applicant/<APPLICANT_ID>/documents/<DOCUMENT_ID>/download HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Live photos

Live photos are images of the applicant's face, typically taken at the same time as documents are provided. Some reports require uploaded live photos in order to be processed successfully.

Live photo object

Attribute	Description
id	string The unique identifier of the live photo.
created_at	datetime The date and time at which the live photo was uploaded.
href	string The URI of this resource.
download_href	string The URI that can be used to download the live photo.
file_name	string The name of the uploaded file.
file_type	string The file type of the uploaded file.
file_size	integer The size of the file in bytes.

Example live photo object

1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5  "id": "<LIVE_VIDEO_ID>",
6  "created_at": "2018-05-14T16:44:53Z",
7  "href": "/v2/live_videos/<LIVE_VIDEO_ID>",
8  "download_href": "/v2/live_videos/<LIVE_VIDEO_ID>/download",
9  "file_name": "video_name.mp4",
10  "file_type": "video/mp4",
11  "file_size": 1431121,
12  "challenge": [
13    {
14      "type": "recite",
15      "query": [
16        1,
17        2,
18        3
19      ]
20    },
21    {
22      "type": "movement",
23      "query": "turnRight"
24    }
25  ]
26}

Upload live photo

POST

https://api.onfido.com/v2/live_photos/

Uploads a live photo as part of a multipart request. Returns a live photo object.

We provide a sample photo to test this endpoint.

Valid file formats for live photos are jpg, jpeg and png. The file size must be between 32KB and 10MB. Live photos are validated at the point of upload to check that they contain exactly one face. This validation can be disabled by setting the advanced_validation argument to false.

Request body parameters


file	required The file to be uploaded.
applicant_id	required The `applicant_id` to associate the live photo with.
advanced_validation	optional A Boolean which defaults to true Validates that the live photo contains exactly one face.

Upload sample_photo.png

1POST /v2/live_photos/ HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: multipart/form-data
5
6<YOUR FILE DATA (path/to/sample_photo.png)>

Retrieve live photo

GET

{'https://api.onfido.com/v2/live_photos/{live_photo_id}'}

Retrieves a single live photo. Returns a live photo object.

Retrieve a single live photos object

1GET /v2/live_photos/<LIVE_PHOTO_ID> HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

List live photos

GET

https://api.onfido.com/v2/live_photos?applicant_id={applicant_id}

Lists the live photos that belong to an applicant. Returns data in the form: {"live_photos": [<LIST_OF_LIVE_PHOTO_OBJECTS>]}.

Query string parameters

applicant_id (required): the ID of the applicant whose live photos you want to list.

List all live photo (objects) for a specific applicant

1GET /v2/live_photos/live_photos?applicant_id=<APPLICANT_ID> HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Download live photo

GET

https://api.onfido.com/v2/live_photos/{live_photo_id}/download

Downloads a live photo. If successful, the response will be the binary data representing the image.

Download a live photo

1GET /v2/live_photos/<LIVE_PHOTO_ID>/download HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Live videos

Live videos are footage of the applicant's face, recorded and uploaded by the Onfido Smart Capture SDKs (iOS, Android or Web), at the same time as the document image is captured—also by the SDKs. These videos are used to perform the video variant of the Facial Similarity check on the applicant.

Live video object

During the video recording end users are asked to perform randomly generated actions, represented in challenge. Challenges always have 2 parts recite and movement, but the order in which these happen can vary. The order of the challenges is maintained in the live video object. recite asks the user to say 3 randomly generated digits, whereas movement asks the user to look over their right or left shoulder.

Attribute	Description
id	string The unique identifier of the live video.
created_at	datetime The date and time at which the live video was uploaded.
href	string The URI of this resource.
download_href	string The URI that can be used to download the live video.
file_name	string The name of the uploaded file.
file_type	string The file type of the uploaded file.
file_size	integer The size of the file in bytes.
challenge	array of objects Challenge the end user was asked to perform during the video recording.

Example live video object

1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5  "id": "<LIVE_VIDEO_ID>",
6  "created_at": "2018-05-14T16:44:53Z",
7  "href": "/v2/live_videos/<LIVE_VIDEO_ID>",
8  "download_href": "/v2/live_videos/<LIVE_VIDEO_ID>/download",
9  "file_name": "video_name.mp4",
10  "file_type": "video/mp4",
11  "file_size": 1431121,
12  "challenge": [
13    {
14      "type": "recite",
15      "query": [
16        1,
17        2,
18        3
19      ]
20    },
21    {
22      "type": "movement",
23      "query": "turnRight"
24    }
25  ]
26}

Upload live video

Live videos can only be uploaded via one of Onfido's Smart Capture SDKs, not via the API directly.

As a result, Onfido does not provide an upload live video endpoint.

To upload live videos for [Facial Similarity Video reports(#facial-similarity-video), integrate with one of our Smart Capture SDKs (iOS, Android or Web).

Retrieve live video

GET

https://api.onfido.com/v2/live_videos/{live_video_id}

Retrieves a single live video. Returns the corresponding live video object.

Retrieve a single live videos object

1GET /v2/live_videos/<LIVE_VIDEO_ID> HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

List live videos

GET

https://api.onfido.com/v2/live_videos?applicant_id={applicant_id}

Lists all the live videos that belong to an applicant.

Returns data in the form: {"live_videos": [<LIST_OF_LIVE_VIDEO_OBJECTS>]}.

Query string parameters

applicant_id (required): the ID of the applicant whose live videos you want to list.

List all live videos for a specific applicant

1GET /v2/live_videos?applicant_id=<APPLICANT_ID> HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Download live video

GET

https://api.onfido.com/v2/live_videos/{live_video_id}/download

Downloads a live video. Returns the binary data representing the video.

Download the data representing a live video

1GET /v2/live_videos/<LIVE_VIDEO_ID>/download HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Download live video frame

GET

https://api.onfido.com/v2/live_videos/{live_video_id}/frame

Instead of the whole video, a single frame can be downloaded using this endpoint. Returns the binary data representing the frame.

This will be the frame extracted from the video where the end user is facing the camera. If no face can be detected, it will fallback to the first frame of the video.

Download the data representing a live video frame

1GET /v2/live_videos/<LIVE_VIDEO_ID>/frame HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Unsuccessful frame extraction

Frame extraction failed

If a frame cannot be extracted from the live video, a frame_extraction_failed response will be returned.

Unsuccessful frame extraction response: failure

1HTTP/1.1 422 Unprocessable Entity
2Content-Type: application/json
3
4{
5  "error": {
6    "type": "frame_extraction_failed",
7    "message": "<Reason>"
8  }
9}

Frame extraction unavailable

If the extraction feature is temporarily unavailable, a frame_extraction_unavailable response will be returned instead.

Unsuccessful frame extraction response: temporarily unavailable

1HTTP/1.1 503 Service Unavailable
2Content-Type: application/json
3
4{
5  "error": {
6    "type": "frame_extraction_unavailable",
7    "message": "Frame extraction is temporarily unavailable"
8  }
9}

Report Types

Document report

For a general introduction to the Document report, please read our product documentation.

After you've familiarised yourself with the information here, you can also read our guide on suggested client actions for different result scenarios.

By default, the most recently uploaded document will be used.

The Document report is composed of data integrity, visual authenticity and police record checks. It checks the internal and external consistency of the document provided by the applicant to identify potential discrepancies.

In addition, any data extracted from the document through OCR is returned in the properties attribute.

The Document report combines software and an expert team to maximise fraud detection. The majority of documents will be processed instantly. However, when document analysis falls back to expert review, the report status will be delivered asynchronously via webhook notifications.

Expert review is required when we encounter images that use sophisticated counterfeiting techniques, or the image is of poor quality (blurred, low resolution, obscured, cropped, or held at an unreadable angle).

Supported Documents

In your Onfido Dashboard, you can configure which documents you want to accept in your verification workflow, filtering according to issuing country and document type.

When an applicant submits a restricted document (i.e. a document not included in your supported documents), the Supported document breakdown of the Document Report will flag as consider, producing a sub-result of reject.

Required applicant data

For Document reports, first_name and last_name must be provided but can be sample values if you don't know an applicant's name.

Document type and issuing country

If you’re creating a check containing a Document report, we do not validate that the properties type and issuing_country in the uploaded document match extracted values (which are returned in the Document report object).

Report	Name	Variants	Standard check	Express check
Document report	`document`	-	yes	yes

The Document report is composed of data integrity, visual authenticity and police record checks. It checks the internal and external consistency of the most recent identity document provided by the applicant to identify potential discrepancies.

In addition, any data extracted from the document through OCR is returned in the properties attribute.

Document report: Object

We host a separate page which contains a detailed description of the Document report object values from an API user's perspective.

Our newly expanded OpenAPI specification is also a resource for understanding the Document report response object structure.

Results

The result field indicates the overall report result. Possible values for Document reports are clear and consider:

Report result
clear	If all underlying verifications pass, the overall result will be `clear`
consider	If the report has returned information that needs to be evaluated, the overall result will be `consider`.

Sub-results

The sub_result field indicates a more detailed result. sub_result is only applicable to Document reports. Possible values are as follows:

Sub-result
clear	If all underlying verifications pass, the overall sub result will be `clear`. There are no indications the document is fraudulent.
caution	We can't successfully complete all verifications, but this doesn’t necessarily point to a suspected document (for example, expired document).
suspected	Document shows signs of suspect fraud.
rejected	We can't process the document image, or the document isn't supported by Onfido for processing. Another reason is if the age of the applicant is too low (the standard threshold is 16 years old but you can write to your Onfido contact to have this changed).

Document report: Breakdowns

Breakdowns can have the values clear and consider.

A breakdown will have the result consider when at least one sub-breakdown contains a consider or unidentified result. For example, a consider result for the mrz sub-breakdown will produce a consider result for the data_validation breakdown. This will then also set the report sub_result value to suspected.

Some breakdowns contain sub-breakdowns. For example, the image_integrity breakdown comprises the sub-breakdowns supported_document, image_quality, colour_picture and conclusive_document_quality.

The possible values for sub-breakdowns are clear, consider, failed, null and unidentified.

Breakdown order priority

Breakdown sub-results have the following order of priority:

rejected->suspected->caution->clear

For example, a caution sub-result will only ever be asserted when the following conditions are met:

no individual breakdown has caused a rejected or suspected sub-result
a breakdown which maps to a caution sub-result has been flagged

Breakdown descriptions and logic

police_record:

Asserts whether the document has been identified as lost, stolen or otherwise compromised. Applies to all documents that have been reported as stolen or fraudulent to the UK Metropolitan Police.

This breakdown is only returned if Police Record Checks are enabled for your account. Otherwise, the breakdown and its sub-breakdowns are returned as null and will not affect the final report result. To enable Police Record Checks, please contact Client Support.
compromised_document:

Asserts whether the image of the document has been found in our internal database of compromised documents.
data_consistency:

Asserts whether data represented in multiple places on the document is consistent. For example, between MRZ lines and OCR extracted text on passports. Uses the following sub-breakdowns:
- document_type
- gender
- date_of_expiry
- nationality
- issuing_country
- document_numbers
- date_of_birth
- last_name
- first_name
data_validation:

Asserts whether the format and length of the fields are correct for that document type. Uses the following sub-breakdowns:
- document_expiration ¹
- gender
- document_numbers
- expiry_date ²
- date_of_birth
- mrz

If this is flagged, the document has expired.
If this is flagged, the expiration date has the incorrect format or the date is in the past.

visual_authenticity:

Asserts whether visual (non-textual) elements are correct given the document type. Uses the following sub-breakdowns:
- original_document_present:
  
  The document was not present when the photo was taken. For example, a photo of a photo of a document or a photo of a computer screen. Configurable to map to caution instead of suspected.
- digital_tampering:
  
  Indication of digital tampering in the image (for example, name altered).
- picture_face_integrity:
  
  The pictures of the person identified on the document show signs of tampering or alteration. In most cases this will focus on the primary picture yet it may also apply to the secondary and tertiary pictures when documents contain them.
- security_features:
  
  Security features expected on the document are missing or wrong.
- template:
  
  The document doesn’t match the expected template for the document type and country it is from.
- fonts:
  
  Fonts in the document don’t match the expected ones.
- face_detection:
  
  No face was detected on the document.
- other:
  
  This sub-breakdown is returned for backward compatibility reasons. Its value will be consider when at least one of the other breakdowns is consider, and clear when all the other breakdowns are clear.
image_integrity:

Asserts whether the document was of sufficient quality to verify. Uses the following sub-breakdowns:
- colour_picture:
  
  Asserts whether the image was a colour one. A black and white picture will map to a caution Document report sub-result. Configurable to map to rejected.
- conclusive_document_quality:
  
  A result of clear for this sub-breakdown will assert if the document was of enough quality to be able to perform a fraud inspection. A result of consider will mean that even if sub breakdowns of visual_authenticity fail, we cannot positively say the document is fraudulent or not (in cases such as parts of the document are not visible).
- supported_document:
  
  Asserts whether the submitted document is supported. Takes value of clear or unidentified.
- image_quality:
  
  Asserts whether the quality of the image was sufficient for processing.
data_comparison:

Establishes whether the data provided by the applicant matches the data extracted from the document. This breakdown is only returned if Comparison Checks are enabled for your account. Otherwise, the breakdown and its sub-breakdowns are returned as null and will not affect the final report result. To enable Comparison Checks, please contact Client Support.

We compare the following fields:
- first_name
- last_name
- date_of_birth
- gender
first_name and last_name can be configured to use a fuzzy or exact mechanism for the comparison. We take into account all available names for comparison, including spouse, widow or alias names.

date_of_birth and gender will always be compared using an exact mechanism.

Fuzzy comparison allows for greater flexibility during comparison, catering for discrepancies which may occur, for example, when an applicant uses their middle or spouse name, or there's been an extraction error.

Note:
- When an applicant hasn’t provided data the sub-breakdown result is null for the missing field
- When an applicant has provided names but names have not been extracted from the document, the sub-breakdown result is consider
- When an applicant has provided date of birth and/or gender, but these fields have not been extracted from the document, the sub-breakdown result is null
Any other sub-breakdowns present under data_comparison in the document report object exist only for legacy reasons.
age_validation:

Asserts whether the age calculated from the document’s date of birth data point is greater than or equal the minimum accepted age set at account level. The standard threshold is 16 years old but you can write to your Onfido contact to have this changed.

Breakdown properties

We will return a reason whenever a report flags for one of the following breakdowns:

Image Integrity - Image Quality
Image Integrity - Conclusive Document Quality
Visual Authenticity - Original Document Present

This works by returning the contributing reason and corresponding fail result (a Consider result) in the breakdown properties.

There can be more than one reason per breakdown, as they aren’t mutually exclusive.

All other signals and potential reasons will be omitted.

Image Quality reasons:

dark_photo - When an image of the document is too dark to be able to see data points

glare_on_photo - When there is light reflecting on the document causing glare to obstruct data points

blurred_photo - When data points are blurred and no reference can be made elsewhere in the document or if the data points are too blurry and 'they could be something else' (e.g. "I" could be "1", "B" could be "8")

covered_photo - When data points have been covered either by the applicant or by another object such as a sticker

other_photo_issue - Any other reason not listed, such as when holograms are obscuring data points

damaged_document - When a document is damaged and we are unable to make out data points

incorrect_side - When the incorrect side of a document has been uploaded, and we have not received the front

cut_off_document - When data points are not included in the image due to the document being cut off (i.e. out of the frame of the image)

no_document_in_image - If no document has been uploaded or there is a blank image

two_documents_uploaded - When two different identity documents are submitted in the same check

Conclusive Document Quality reasons:

obscured_data_points - This refers to when data points are obscured to the point that we cannot confirm if the fonts match the expected ones

obscured_security_features - This refers to whenever a critical security feature is obscured. This can also refer to when the holder's wet signature, necessary for the document to be valid, is not present

abnormal_document_features - This refers to when something other than obscuration of data points and security features makes the document insufficient to be assessed (i.e. poor image resolution, poor lighting, distortions due to capturing devices, misalignment due to cracks, visual alterations due to cases/laminates, some stickers etc.)

watermarks_digital_text_overlay - Any digital text or electronic watermarks on the document

corner_removed - If the corner has been physically cut off. This can be found on some documents that are no longer valid

punctured_document - A punched hole is present. This can be found on DLs that are no longer valid, for example

missing_back - When the back of a document is needed for processing (e.g. for key data points to extract), but is not available (e.g. if the same front was uploaded twice)

digital_document - When a document has been published digitally, there aren’t enough security features to review so we cannot perform a full fraud assessment

Original Document Present reasons:

photo_of_screen - When we can see that the applicant's document is on a physical screen or device, e.g. when the device is visible, software applications are seen, a computer cursor is present, or the pixels on the image appearing to have a different texture than expected

screenshot - When the applicant has used their mobile phone, tablet, or computer to take a photo within the device, e.g. when software applications are seen, the time and mobile provider are visible, or any digitally added component that wouldn't be seen on a physical document, such as an upload icon

document_on_printed_paper - when the applicant has previously captured an image of the document, printed it out, and has now taken a photo of this print out to upload, e.g. when the edges of the paper are visible, when there are fold creases on the paper, or the document's edges blending into the background and appearing flat

scan - When the document has clearly been captured using a scanner and there are visible indicators of this, e.g. unusual shadows on the edges of the document, or written text around the document

Example check object with a Document report

1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5  "id": "<CHECK_ID>",
6  "created_at": "2019-07-29T15:14:29Z",
7  "status": "complete",
8  "redirect_uri": null,
9  "type": "express",
10  "result": "clear",
11  "sandbox": true,
12  "tags": [],
13  "results_uri": "<RESULTS_URI>",
14  "download_uri": "<DOWNLOAD_URI>",
15  "form_uri": null,
16  "reports": [
17    {
18      "created_at": "2019-07-29T15:14:30Z",
19      "documents": [
20        {
21          "id": "<DOCUMENT_ID>"
22        }
23      ],
24      "href": "/v2/checks/<CHECK_ID>/reports/<REPORT_ID>",
25      "id": "<REPORT_ID>",
26      "name": "document",
27      "properties": {
28        "nationality": "",
29        "last_name": "Smith",
30        "issuing_country": "GBR",
31        "gender": "",
32        "first_name": "John",
33        "document_type": "passport",
34        "document_numbers": [
35          {
36            "value": "999999999",
37            "type": "document_number"
38          }
39        ],
40        "date_of_expiry": "2030-01-01",
41        "date_of_birth": "1990-01-01"
42      },
43      "result": "clear",
44      "status": "complete",
45      "sub_result": "clear",
46      "variant": "standard",
47      "breakdown": {
48        "age_validation": {
49          "result": "clear",
50          "breakdown": {
51            "minimum_accepted_age": {
52              "result": "clear",
53              "properties": {}
54            }
55          }
56        },
57        "compromised_document": {
58          "result": "clear"
59        },
60        "data_comparison": {
61          "result": "clear",
62          "breakdown": {
63            "issuing_country": {
64              "result": "clear",
65              "properties": {}
66            },
67            "gender": {
68              "result": "clear",
69              "properties": {}
70            },
71            "date_of_expiry": {
72              "result": "clear",
73              "properties": {}
74            },
75            "last_name": {
76              "result": "clear",
77              "properties": {}
78            },
79            "document_type": {
80              "result": "clear",
81              "properties": {}
82            },
83            "document_numbers": {
84              "result": "clear",
85              "properties": {}
86            },
87            "first_name": {
88              "result": "clear",
89              "properties": {}
90            },
91            "date_of_birth": {
92              "result": "clear",
93              "properties": {}
94            }
95          }
96        },
97        "data_consistency": {
98          "result": "clear",
99          "breakdown": {
100            "date_of_expiry": {
101              "result": "clear",
102              "properties": {}
103            },
104            "document_numbers": {
105              "result": "clear",
106              "properties": {}
107            },
108            "issuing_country": {
109              "result": "clear",
110              "properties": {}
111            },
112            "document_type": {
113              "result": "clear",
114              "properties": {}
115            },
116            "date_of_birth": {
117              "result": "clear",
118              "properties": {}
119            },
120            "gender": {
121              "result": "clear",
122              "properties": {}
123            },
124            "first_name": {
125              "result": "clear",
126              "properties": {}
127            },
128            "last_name": {
129              "result": "clear",
130              "properties": {}
131            },
132            "nationality": {
133              "result": "clear",
134              "properties": {}
135            }
136          }
137        },
138        "data_validation": {
139          "result": "clear",
140          "breakdown": {
141            "gender": {
142              "result": "clear",
143              "properties": {}
144            },
145            "date_of_birth": {
146              "result": "clear",
147              "properties": {}
148            },
149            "document_numbers": {
150              "result": "clear",
151              "properties": {}
152            },
153            "document_expiration": {
154              "result": "clear",
155              "properties": {}
156            },
157            "expiry_date": {
158              "result": "clear",
159              "properties": {}
160            },
161            "mrz": {
162              "result": "clear",
163              "properties": {}
164            }
165          }
166        },
167        "visual_authenticity": {
168          "result": "clear",
169          "breakdown": {
170            "fonts": {
171              "result": "clear",
172              "properties": {}
173            },
174            "picture_face_integrity": {
175              "result": "clear",
176              "properties": {}
177            },
178            "template": {
179              "result": "clear",
180              "properties": {}
181            },
182            "security_features": {
183              "result": "clear",
184              "properties": {}
185            },
186            "original_document_present": {
187              "result": "clear",
188              "properties": {}
189            },
190            "digital_tampering": {
191              "result": "clear",
192              "properties": {}
193            },
194            "other": {
195              "result": "clear",
196              "properties": {}
197            },
198            "face_detection": {
199              "result": "clear",
200              "properties": {}
201            }
202          }
203        },
204        "image_integrity": {
205          "result": "clear",
206          "breakdown": {
207            "image_quality": {
208              "result": "clear",
209              "properties": {}
210            },
211            "conclusive_document_quality": {
212              "result": "clear",
213              "properties": {}
214            },
215            "supported_document": {
216              "result": "clear",
217              "properties": {}
218            },
219            "colour_picture": {
220              "result": "clear",
221              "properties": {}
222            }
223          }
224        },
225        "police_record": {
226          "result": "clear"
227        }
228      }
229    }
230  ],
231  "paused": false,
232  "report_type_groups": [
233    "<REPORT_TYPE_GROUP_ID>"
234  ],
235  "href": "/v2/applicants/<APPLICANT_ID>/checks/<CHECK_ID>",
236  "version": "2.0"
237}

Breakdowns which map to `caution`

image_integrity
- colour_picture (configurable to map to rejected)
- conclusive_document_quality
data_comparison:
- gender
- date_of_birth
- first_name
- last_name
data_validation:
- document_expiration
visual_authenticity:
- face_detection

Breakdowns which map to `suspected`

data_validation:
- date_of_birth
- expiry_date
- mrz
- gender
- document_numbers
visual_authenticity:
- original_document_present (configurable to map to caution)
- digital_tampering
- picture_face_integrity
- security_features
- template
- fonts
data_consistency:
- date_of_expiry ¹
- document_type
- gender
- date_of_birth
- nationality
- issuing_country
- document_numbers
- first_name
- last_name

If this is flagged, the expiration date that is in the body of the document does not match the one in the MRZ or barcode.

compromised_document: Document has been found in our database
police_record: Document has been recorded as lost, stolen or compromised

Breakdowns which map to `rejected`

image_integrity:
- image_quality
- supported_document
age_comparison:
- minimum_accepted_age

Note: When a breakdown mapped to rejected is flagged, all other breakdowns and the document properties will be omitted from the response object.

Example client actions

We've moved this content.

Facial Similarity report

Report	Name	Variants	Standard check	Express check
Facial Similarity report	`facial_similarity`	`standard` `video`	yes no	yes yes

Creating a check with a Facial Similarity report will cause you to process facial biometric personal data. Always make sure you inform your users about this and obtain any necessary permissions. For more information on how Onfido uses personal data, view our Privacy Policy.

All Facial Similarity reports will compare the most recent live photo or live video provided by the applicant to the face on the most recent document provided. Where the document has two sides, we will search both sides of the document for a face.

When side is not specified, it will take a default value of front. It is recommended that all documents contain the side attribute, as this minimises the cases where the back of the document is used for comparison and thus failed as no face is detected.

There are 2 different variants of Facial Similarity report:

Standard, which uses live photos and
Video, which uses live videos

Required applicant data

For all Facial Similarity report variants, first_name and last_name must be provided but can be sample values if you don't know an applicant's name.

Facial Similarity Standard

The Facial Similarity Standard report needs to be paired with a Document report in order to work as a Standard check.

The Facial Similarity Standard report uses live photos. The photo needs to be a live photo taken at the time of check submission, so that it can assess whether the holder of the identity document is the same person as the one on the document.

Facial Similarity Standard: Object

The following table describes the unique fields returned in this version of the Onfido API for a completed Facial Similarity Standard report:

Attribute	Format	Possible values
`result`	String	`"clear"`, `"consider"`
`image_integrity`	String or `null`	`"clear"`, `"consider"`, `null`
(sub-breakdown) `face_detected`	String or `null`	`"clear"`, `"consider"`, `null`
(sub-breakdown) `source_integrity`	String or `null`	`"clear"`, `"consider"`, `null`
`face_comparison`	String or `null`	`"clear"`, `"consider"`, `null`
`visual_authenticity`	String or `null`	`"clear"`, `"consider"`, `null`
`properties`
`score`	Floating point number between 0 and 1

A breakdown or sub-breakdown will have the result null when it has not been completed. This occurs when it is not available, or has failed to process the media due to a timeout or an internal error. In this case, the report will go to manual review.

Facial Similarity Standard: Breakdowns


image_integrity	object Asserts whether the quality and integrity of the uploaded files were sufficient to perform a face comparison
(sub-breakdown) face_detected	object Asserts a single face of good enough quality has been found on both the document image and the live photo
(sub-breakdown) source_integrity	object Asserts whether the live photo is trustworthy - i.e. not digitally tampered, from a fake webcam, or from other dubious sources
face_comparison	object Asserts whether the face in the document matches the face in the live photo
visual_authenticity	object Asserts whether the person in the live photo is real (not a spoof)

We will return a reason whenever a report flags for source_integrity. This works by returning the contributing reason and a consider result in the source_integrity breakdown properties. There can be more than one reason, because they aren’t mutually exclusive. All other signals and potential reasons will be omitted.

For Facial Similarity Standard, the source_integrity sub-breakdown is composed of the following properties:

digital_tampering - when evidence is found that the image was manipulated by Photoshop, or other software
fake_webcam - when evidence is found that a fake webcam was used
time_of_capture - when evidence is found that the live photo was taken more than 24 hours before live photo upload
emulator - when evidence is found that an Android emulator was used
sanctioned_document_country - when a document is issued by a country subject to comprehensive US sanctions (you can find the list of countries here). The report (either in conjunction with or separate from a document report) will return a consider result, accompanied by a reasons property clarifying that it is not supported due to sanctions
reasons - additional comma separated details such as the exact digital tampering software used, or the name of the fake webcam

Facial Similarity Standard: Properties

The score property is a number between 0 and 1 that expresses how similar the two faces are, where 1 is a perfect match. If the face matching algorithm fails to detect a face, the score property will not be present and the face matching task will be done manually.

The score only measures how similar the faces are, and does not make an assessment of the nature of the photo. If tampering is detected, the applicant will be rejected independently of the score. Examples of tampering are photos of printed photos, or photos of digital screens.

Example check object with a Facial Similarity Standard report

1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5  "id": "<CHECK_ID>",
6  "created_at": "2019-09-24T14:11:05Z",
7  "status": "complete",
8  "redirect_uri": null,
9  "result": "consider",
10  "sandbox": true,
11  "tags": [],
12  "results_uri": "<RESULTS_URI>",
13  "form_uri": null,
14  "reports": [
15    {
16      "created_at": "2019-09-24T14:11:05Z",
17      "href": "/v2/checks/<CHECK_ID>/reports/<REPORT_ID>",
18      "id": "<REPORT_ID>",
19      "name": "facial_similarity",
20      "properties": {
21        "score": 0.1512
22      },
23      "result": "consider",
24      "status": "complete",
25      "sub_result": null,
26      "variant": "standard",
27      "documents": [],
28      "breakdown": {
29        "face_comparison": {
30          "result": "consider"
31        },
32        "image_integrity": {
33          "result": "clear",
34            "breakdown": {
35              "face_detected": {
36                 "result": "clear",
37                 "properties": {}
38              },
39              "source_integrity": {
40                "result": "clear",
41                "properties": {}
42              }
43            }
44        },
45        "visual_authenticity": {
46          "result": "consider"
47        }
48      }
49    }
50  ],
51  "paused": false,
52  "type": "express",
53  "report_type_groups": [
54    "<REPORT_TYPE_GROUP_ID>"
55  ],
56  "download_uri": "<DOWNLOAD_URI>",
57  "href": "/v2/applicants/<APPLICANT_ID>/checks/<CHECK_ID>",
58  "version": "2.0"
59}

Facial Similarity Video

We recommend that you always create asynchronous checks with Facial Similarity Video to minimise the risk of timeouts.

In the Video variant of the Facial Similarity report, live videos are collected and uploaded by the Onfido iOS, Android or Web SDKs.

In addition to confirming the two faces match, Facial Similarity Video assesses liveness by asking users to repeat randomly generated numbers and perform a random head movement. This prevents impersonation - for example photos of photos, or photos of screens. This process is reflected in visual_authenticity, which is composed of the sub-breakdowns spoofing_detection and liveness_detected. See the sections Facial Similarity Video Object and Facial Similarity Video Breakdowns.

In order for a Facial Similarity Video report to complete automatically, the user needs to turn their head in the correct direction and correctly say the 3 randomly generated digits in one of our supported languages (see table below).

Language name	Language code
English	"en"
Spanish	"es"
Indonesian	"id"
Italian	"it"
German	"de"
French	"fr"
Portuguese	"pt"
Polish	"pl"
Japanese	"ja"
Dutch	"nl"
Romanian	"ro"
Basque	"eu"
Catalan	"ca"
Galician	"gl"
Chinese	"cn"
Turkish	"tr"
Malay	"ms"

If the user does not say the correct digits, or speak in another language, the live video will be reviewed by an analyst for evidence of spoofing.

SDK localization

We recommend that you localize the strings if you're using one of the Onfido SDKs, so the user is more likely to understand the liveness headturn and speaking instructions.

The Onfido voice processor will attempt to detect the language the user is speaking. This will be more successful if you pass the code for the expected language to the locale mechanism, in any of the Onfido SDKs:

iOS SDK - pass the onfido_locale parameter
Android SDK - pass the onfido_locale parameter
Web SDK - pass the locale parameter

Some string localisations are available out of the box, but this differs depending on the SDK.

You can also provide your own custom translations to your users.

Facial Similarity Video: Object

The following table describes the unique fields returned in this version of the Onfido API for a completed Facial Similarity Video report:

Attribute	Format	Possible values
`result`	String	`"clear"`, `"consider"`
`image_integrity`	String or `null`	`"clear"`, `"consider"`, `null`
(sub-breakdown) `face_detected`	String or `null`	`"clear"`, `"consider"`, `null`
(sub-breakdown) `source_integrity`	String or `null`	`"clear"`, `"consider"`, `null`
`face_comparison`	String or `null`	`"clear"`, `"consider"`, `null`
`visual_authenticity`	String or `null`	`"clear"`, `"consider"`, `null`
(sub-breakdown) `spoofing_detection`	String or `null`	`"clear"`, `"consider"`, `null`
(sub-breakdown) `liveness_detected`	String or `null`	`"clear"`, `"consider"`, `null`
`properties`
`score`	Floating point number between 0 and 1, or `null`

Facial Similarity Video: Breakdowns


face_comparison	object Asserts whether the face in the document matches the face in the live video
image_integrity	object Asserts whether the quality of the uploaded files and the content contained within them were sufficient to perform a face comparison
(sub-breakdown) face_detected	object Asserts a single face of good enough quality has been found on both the document image and in the live video
(sub-breakdown) source_integrity	object Asserts whether the live video is trustworthy - e.g. not from a fake webcam
visual_authenticity	object Asserts whether the person in the live video is real (not a spoof) and live
(sub-breakdown) spoofing_detection	object Asserts whether the live video is not a spoof (such as videos of digital screens)
(sub-breakdown) liveness_detected	object Asserts whether the numbers and head movements were correctly executed

For Facial Similarity Video, the source_integrity sub-breakdown is composed of the following properties:

fake_webcam - when evidence is found that a fake webcam was used
emulator - when evidence is found that an Android emulator was used
challenge_reuse - when evidence is found that the video was uploaded in an attempt to circumvent the randomness of the speaking and head turn challenges
sanctioned_document_country - when a document is issued by a country subject to comprehensive US sanctions (you can find the list of countries here). The report (either in conjunction with or separate from a document report) will return a consider result, accompanied by a reasons property clarifying that it is not supported due to sanctions
reasons - additional comma separated details, such as the name of the fake webcam

Facial Similarity Video: Properties

The score only measures how similar the faces are, and does not make an assessment of the nature of the video. If tampering is detected, the applicant will be rejected independently of the score. Examples of tampering are videos of digital screens, videos of masks, videos of print outs.

Example check object with a Facial Similarity Video report

1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5  "id": "<CHECK_ID>",
6  "created_at": "2019-09-25T11:41:22Z",
7  "status": "complete",
8  "redirect_uri": null,
9  "result": "consider",
10  "sandbox": false,
11  "tags": [
12      "Under 18"
13  ],
14  "results_uri": "<RESULTS_URI>",
15  "form_uri": null,
16  "reports": [
17      {
18          "created_at": "2019-09-25T11:41:22Z",
19          "href": "/v2/checks/<CHECK_ID>/reports/<REPORT_ID>",
20          "id": "<REPORT_ID>",
21          "name": "facial_similarity",
22          "properties": {
23              "score": 0.1252
24          },
25          "result": "consider",
26          "status": "complete",
27          "sub_result": null,
28          "variant": "video",
29          "documents": [],
30          "breakdown": {
31              "face_comparison": {
32                  "result": "consider"
33              },
34              "image_integrity": {
35                  "result": "consider",
36                  "breakdown": {
37                      "face_detected": {
38                          "result": "clear",
39                          "properties": {}
40                      },
41                      "source_integrity": {
42                          "result": "consider",
43                          "properties": {
44                              "fake_webcam": "consider",
45                              "reasons": "Used fake webcam Perfect Fake Webcam"
46                          }
47                      }
48                  }
49              },
50              "visual_authenticity": {
51                  "result": "consider",
52                  "breakdown": {
53                      "liveness_detected": {
54                          "result": "consider",
55                          "properties": {}
56                      },
57                      "spoofing_detection": {
58                          "result": null,
59                          "properties": {}
60                      }
61                  }
62              }
63          }
64      }
65  ],
66  "paused": false,
67  "type": "express",
68  "report_type_groups": [
69      "<REPORT_TYPE_GROUP_ID>"
70  ],
71  "download_uri": "<DOWNLOAD_URI>",
72  "href": "/v2/applicants/<APPLICANT_ID>/checks/<CHECK_ID>",
73  "version": "2.0"
74}

Known Faces report

This section contains API documentation for the Known Faces report. You can also read our product documentation.

The Known Faces report requires that we keep a database of facial biometric identifiers (personal data) so that individuals can be identified in future checks. Always make sure you inform your users about this and obtain any necessary permissions. For more information on how Onfido uses personal data, view our Privacy Policy.

Report	Name	Variants	Standard check	Express check
Known Faces report	`known_faces`	-	yes	yes

Each applicant you run a Known Faces report against must have an uploaded live photo, live video or motion capture.

If no live photo, live video or motion capture is found, the Known Faces report will be automatically withdrawn and return an error in the report properties:

json

1"properties":{
2    "reason": "Report withdrawn due to missing media (photo, video or motion capture) required for processing."
3}

It is highly recommended the Known Faces report always be run in conjunction with a Facial Similarity report. Only faces processed through Facial Similarity are kept on the database. Thus, although it can be requested on its own, a Known Faces report can only match against applicants who have previously gone through a Facial Similarity report.

No matches will be returned against any permanently deleted applicants.

Required applicant data

For Known Face reports, first_name and last_name must be provided but can be sample values if you don't know an applicant's name.

Known Faces: Object

The following table describes the unique fields returned in this version of the Onfido API for a completed Known Faces report:

Attribute	Format	Possible values
`result`	String	`"clear"`, `"consider"`
`previously_seen_faces`	String or `null`¹	`"clear"`, `"consider"` , `null`
`image_integrity`	String	`"clear"`, `"consider"`

null is returned when image_integrity is "consider". This is because, when no face is detected in the input media, there is nothing to match against previously seen faces.

Known Faces: Breakdowns


previously_seen_faces	object Asserts whether the applicant's most recent facial media (live photo or live video) matches any other live photos or live videos already in your Onfido account database
image_integrity	object Asserts whether the uploaded live photo or live video and the content contained within it were of sufficient quality to perform a face comparison

Known Faces: Score

The Known Faces response will return any matching applicant IDs as entries inside a matches array under a properties bag. Each applicant ID has a corresponding score and the media type (for example live_photos or live_videos), and the corresponding UUID for that media type. For example, the live photo ID or live video ID.

This score is a floating point number between 0 and 1 that expresses how similar the two faces are, where 1 is a perfect match.

For example:

json

1"matches": [
2  {
3    "applicant_id": "NTH_MATCHED_APPLICANT_ID",
4    "score": 0.9915,
5    "media_id": "LIVE_PHOTO_ID",
6    "media_type": "live_photos"
7  }
8]

If any matches are found, the response will also contain "result": "consider".

The score property is number from 0 to 1, where 1 is a perfect match. The higher the score the more similar the two applicants are. score is a floating point number up to 16 decimal places.

Example check object with a Known Faces report

1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5  "id": "<CHECK_ID>",
6  "created_at": "2020-06-19T09:44:14Z",
7  "status": "complete",
8  "redirect_uri": null,
9  "type": "express",
10  "result": "consider",
11  "sandbox": false,
12  "report_type_groups": [
13    "<REPORT_TYPE_GROUP_ID>"
14  ],
15  "tags": [],
16  "results_uri": "https://onfido.com/dashboard/information_requests/<REQUEST_ID>",
17  "download_uri": "https://onfido.com/dashboard/pdf/information_requests/<REQUEST_ID",
18  "form_uri": null,
19  "href": "/v2/applicants/<TESTED_APPLICANT_ID>/checks/<CHECK_ID>",
20  "reports": [
21    {
22      "created_at": "2019-05-10T10:49:08Z",
23      "href": "/v2/checks/<CHECK_ID>/reports/<REPORT_ID>",
24      "id": "<REPORT_ID>",
25      "name": "known_faces",
26      "properties": {
27        "matches": [
28          {
29            "applicant_id": "<1ST_MATCHED_APPLICANT_ID>",
30            "score": 0.9216,
31            "media_id": "<1ST_MEDIA_ID>",
32            "media_type": "live_photos"
33          },
34          {
35            "applicant_id": "<2ND_MATCHED_APPLICANT_ID>",
36            "score": 0.9373,
37            "media_id": "<2ND_MEDIA_ID>",
38            "media_type": "live_videos"
39          },
40          {
41            "applicant_id": "<3RD_MATCHED_APPLICANT_ID>",
42            "score": 0.9832,
43            "media_id": "<3RD_MEDIA_ID>",
44            "media_type": "motion"
45          }
46        ]
47      },
48      "result": "consider",
49      "status": "complete",
50      "sub_result": null,
51      "variant": "standard",
52      "breakdown": {
53        "previously_seen_faces": {
54          "result": "consider"
55        },
56        "image_integrity": {
57          "result": "clear"
58        }
59      }
60    }
61  ],
62  "paused": false,
63  "version": "2.0"
64}

Identity report

Report	Name	Variants	Standard check	Express check
Identity report	`identity`	`kyc` `standard`	yes yes	yes yes

An Identity report validates an applicant's address, date of birth, name, and mortality (where applicable) by cross-referencing their details against a range of verified databases. For applicants in the United States, the Identity report can also optionally match the Social Security Number, either the full 9 digits or the last 4.

For checks containing Identity reports, applicants with 1-character last name are allowed for all countries except for GBR. Applicants with country GBR must have last names of at least two non-whitespace characters.

The Identity report will be run in the jurisdiction specified as country in the applicant object, not the applicant's address country field. The country field in the applicant object will default to GBR if not provided. Please make sure that the applicant object's country field matches the applicant's address country field when creating an applicant, and that the country is supported for Identity reports.

Example check object with an Identity report

Report results vary depending on the jurisdiction they were run in.

Identity report conducted in the United Kingdom

The example in the code box shows an identity report conducted in the United Kingdom using the https://api.onfido.com/ base URL.

Sources (credit_agencies, voting_register, telephone_database) are displayed as breakdowns with their own result value.

UK Identity report

1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{  
5  "breakdown": {
6      "address": {
7          "breakdown": {
8              "credit_agencies": {
9                  "properties": {
10                      "number_of_credit_agencies": "1"
11                  },
12                  "result": "clear"
13              },
14              "telephone_database": {
15                  "properties": {},
16                  "result": "clear"
17              },
18              "voting_register": {
19                  "properties": {},
20                  "result": "unidentified"
21              }
22          },
23          "result": "clear"
24      },
25      "date_of_birth": {
26          "breakdown": {
27              "credit_agencies": {
28                  "properties": {},
29                  "result": "clear"
30              },
31              "voting_register": {
32                  "properties": {},
33                  "result": "clear"
34              }
35          },
36          "result": "clear"
37      },
38      "mortality": {
39          "result": null
40      }
41    },
42    "created_at": "2021-10-26T16:02:21Z",
43    "documents": [],
44    "href": "/v2/checks/<CHECK_ID>/reports/<REPORT_ID>",
45    "id": "<REPORT_ID>",
46    "name": "identity",
47    "properties": {
48        "matched_address": 61755766,
49        "matched_addresses": [
50            {
51                "id": 61755766,
52                "match_types": [
53                    "credit_agencies"
54                ]
55            }
56        ]
57    },
58    "result": "clear",
59    "status": "complete",
60    "sub_result": null,
61    "variant": "standard"
62}

Identity report conducted in the United States

The example in the code box shows the results for an Identity report conducted in the United States using the https://api.us.onfido.com/ base URL.

Any elements that are positively matched will be returned as clear in the report object breakdowns, including the source or sources of the database match in the properties field. When a match cannot be found (i.e. result is not clear) the corresponding properties bucket will be empty as such "properties":{}.

The report includes Social Security Number for a US applicant as an additional match under the ssn breakdown.

If an Identity report includes a Social Security Number breakdown, this will be returned in the ssn1 object for a report that was run using the https://api.onfido.com/ base URL, and ssn for a report that was run using the using the https://api.us.onfido.com/ base URL.

US Identity report (with Social Security Number provided)

1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5  "id": "<REPORT_ID>",
6  "name": "identity",
7  "created_at": "2014-05-23T13:50:33Z",
8  "status": "complete",
9  "result": "clear",
10  "href": "/v2/checks/<CHECK_ID>/reports/<REPORT_ID>",
11  "breakdown": {
12    "date_of_birth": {
13      "result": "clear",
14      "breakdown": {
15        "date_of_birth_matched": {
16          "result": "clear",
17          "properties": {
18            "sources": "Credit Agencies"
19          }
20        }
21      }
22    },
23    "address": {
24      "result": "clear",
25      "breakdown": {
26        "address_matched": {
27          "result": "clear",
28          "properties": {
29            "sources": "Credit Agencies, Telephone Database"
30          }
31        }
32      }
33    },
34    "ssn": {
35      "result": "clear",
36      "breakdown": {
37        "last_4_digits_match": {
38          "result": "clear",
39          "properties": {}
40        },
41        "full_match": {
42          "result": "clear",
43          "properties": {}
44        }
45      }
46    }
47  },
48  "properties": {},
49  "documents": []
50}

Identity report conducted outside of the UK/US

The example in the code box shows the results for an Identity report conducted in a jurisdiction other than the United Kingdom or United States using the https://api.onfido.com/ base URL, where sources are shown as comma separated under properties.

Non UK/US Identity report

1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5  "id": "<REPORT_ID>",
6  "name": "identity",
7  "created_at": "2014-05-23T13:50:33Z",
8  "status": "complete",
9  "result": "clear",
10  "href": "/v2/checks/<CHECK_ID>/reports/<REPORT_ID>",
11  "breakdown": {
12    "date_of_birth": {
13      "result": "clear",
14      "breakdown": {
15        "date_of_birth_matched": {
16          "result": "clear",
17          "properties": {
18            "sources": "Credit Agencies"
19          }
20        }
21      }
22    },
23    "address": {
24      "result": "clear",
25      "breakdown": {
26        "address_matched": {
27          "result": "clear",
28          "properties": {
29            "sources": "Credit Agencies, Telephone Database"
30          }
31        }
32      }
33    } 
34  },
35  "properties": {},
36  "documents": []
37}

Supported countries for Identity reports

This is not a list of documents that Onfido supports. You can review that list separately

You can also review the full list of supported countries for Identity reports. The column Onfido Identity Report on that page lists supported and unsupported countries.

Required applicant data

For all Identity report variants, the following applicant data must be provided:

first_name

last_name

dob

country (the country of jurisdiction, where the check will be performed. Must be a three-letter ISO code e.g. "GBR")

address[]state (US only)

address[]postcode (ZIP code in US)

address[]country (must be a three-letter ISO code e.g. "GBR")

The country of jurisdiction must be the same as the value in address[]country

Recommended applicant data

address[]street

The address object is nested inside the applicant object. If you create an applicant object with an address, you must always provide postcode and country, and state for US addresses.

Source names and definitions


Source name	Definition
Credit Agencies	Data comprised of consumer credit applications
Voting Register	Data comprised of voter registration within a country
Telephone Database	Data provided by both landline and mobile providers. In the UK, this is landline only
Government	Any standard publicly accessible data collected by government entities. These include driving licence data, motor vehicle registration, court filings, property ownership registers, permanent place of residence registration and other similar data sets
Business Registration	Data comprised of business registrations, corporate directors filings and business hierarchy data
Consumer Database	Opt-in consumer data leveraging database marketing and other similar opt-in data sources
Utility Registration	Data comprised of utility registrations such as electricity, gas, water accounts
Postal Authorities	Data provided by postal authorities
Commercial Database	These are corporate/private databases where users have opted-in and allowed for their information to be used for the purpose of verification of their identities
Proprietary	This is when a data provider chooses not to divulge the source of the data to us for varied reasons, and also includes social media based data
Register of Deaths	Negative source for known deaths (UK only)

There are two different variants of the Identity report: kyc and standard. To specify which one you want, pass variant with the create check request. If not provided the default is standard.

Identity KYC

This check should be used for "Know Your Customer" (KYC) purposes, for instance, if you are providing a financial service.

Overall result logic:

If the applicant address is in the UK:

"result": "clear" the applicant is not found in mortality lists AND
- at least one match on the applicant's name and current address, and a match on the applicant's name and date of birth (either in the same or different source) OR
- two matches on the applicant's name and current address from two different sources
"result": "consider" either:
- the applicant is found in mortality lists, or;
- only one match on the applicant's name and current address or name and date of birth
"result": "unidentified" no matches are found

This follows the definition of 2+2 as per the JMLSG Guidelines 2014 Section 5.3.69.

If the applicant address is outside of the UK:

"result": "clear" at least one source matches the applicant's name and current address
"result": "consider" the name and date of birth is matched, but no name and address matches are found
"result": "unidentified" no matches are found

When the SSN or the last four digits of the SSN are provided:

"result": "clear" at least one source matches the applicant's name and address, and the last four digits of the SSN are matched
"result": "unidentified" no matches are found
"result": "consider" otherwise

Number of addresses: As per JMLSG definitions, this check will only attempt to find a match using the applicant's current address. Mortality: Only checked in the UK.

Identity Standard

This check should be used for employment or recruitment purposes, or where identity verification is performed in an unregulated industry.

Overall result logic:

"result": "clear" at least one source matches the applicant's name and address
"result": "consider" the name and date of birth is matched, but no name and address matches are found
"result": "unidentified" no matches are found

When the SSN or the last four digits of the SSN are provided:

"result": "clear" at least one source matches the applicant's name and address, and the last four digits of the SSN are matched
"result": "unidentified" no matches are found
"result": "consider" otherwise

Number of addresses: This check will attempt to find an address match for the current applicant address. If no match is found it will attempt to match the previous address (if provided), up to a total of 3 applicant addresses. Mortality: Not checked.

Example check object with an Identity report (Standard variant)

1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5    "id": "<CHECK_ID>",
6    "created_at": "2019-10-08T14:27:08Z",
7    "status": "complete",
8    "redirect_uri": null,
9    "result": "clear",
10    "sandbox": true,
11    "tags": [],
12    "results_uri": "<RESULTS_URI>",
13    "form_uri": null,
14    "reports": [
15        {
16            "created_at": "2019-10-08T14:27:08Z",
17            "href": "/v2/checks/<CHECK_ID>/reports/<REPORT_ID>",
18            "id": "<REPORT_ID>",
19            "name": "identity",
20            "properties": {
21                "matched_address": <MATCHED_ADDRESS_ID>,
22                "matched_addresses": [
23                    {
24                        "id": <MATCHED_ADDRESS_ID>,
25                        "match_types": [
26                            "credit_agencies",
27                            "voting_register"
28                        ]
29                    }
30                ]
31            },
32            "result": "clear",
33            "status": "complete",
34            "sub_result": null,
35            "variant": "standard",
36            "documents": [],
37            "breakdown": {
38                 "sources": {
39                  "result": "clear",
40                  "breakdown": {
41                    "total_sources": {
42                      "result": "clear",
43                      "properties": {
44                        "total_number_of_sources": "3"
45                      }
46                    },
47                  }
48                },
49                "address": {
50                    "result": "clear",
51                    "breakdown": {
52                        "credit_agencies": {
53                            "result": "clear",
54                            "properties": {
55                                "number_of_credit_agencies": "1"
56                            }
57                        },
58                        "telephone_database": {
59                            "result": "clear",
60                            "properties": {}
61                        },
62                        "voting_register": {
63                            "result": "clear",
64                            "properties": {}
65                        }
66                    }
67                },
68                "date_of_birth": {
69                    "result": "clear",
70                    "breakdown": {
71                        "credit_agencies": {
72                            "result": "clear",
73                            "properties": {}
74                        },
75                        "voting_register": {
76                            "result": "clear",
77                            "properties": {}
78                        }
79                    }
80                },
81                "mortality": {
82                    "result": null
83                }
84            }
85        }
86    ],
87    "paused": false,
88    "type": "express",
89    "report_type_groups": [
90        "<REPORT_TYPE_GROUP_ID>"
91    ],
92    "download_uri": "<DOWNLOAD_URI>",
93    "href": "/v2/applicants/<APPLICANT_ID>/checks/<CHECK_ID>",
94    "version": "2.0"
95}

Identity report custom logic

You can (optionally) build your own logic around report results.

For example, you may require matches to be found on 2 or more sources and at least 1 match on the applicant's name and current address.

In this example, you would add criteria of:

>=2 against total_number of sources under the total_sources sub-breakdown that is under the sources parent breakdown.
clear against the result value under the address parent breakdown.

Partial Identity report result for custom logic example

1HTTP/1.1 201 Created
2Content-Type: application/json
3
4...
5
6  "breakdown": {
7    "sources": {
8      "result": "clear",
9      "breakdown": {
10          "total_sources": {
11              "result": "clear",
12              "properties": {
13                "total_number_of_sources": "3" ## --< ADD ">=2" CRITERIA HERE>
14              }
15            },
16          }
17        },
18    "address": {
19      "result": "clear", ## --< ADD "clear" CRITERIA HERE>
20      "breakdown": {
21        "credit_agencies": {
22          "result": "clear",
23          "properties": {
24            "number_of_credit_agencies": "1"
25          }
26        },
27        "telephone_database": {
28          "result": "clear",
29          "properties": {}
30        },
31        "voting_register": {
32          "result": "clear",
33          "properties": {}
34        }
35      }
36    },
37    "date_of_birth": {
38      "result": "clear",
39      "breakdown": {
40        "credit_agencies": {
41          "result": "clear",
42          "properties": {}
43        },
44
45...

Watchlist KYC report

Report	Name	Variants	Standard check	Express check
Watchlist report	`watchlist`	`kyc`	yes	yes

A Watchlist KYC report provides a granular breakdown of any records found when screening global watchlists. These include the following breakdowns:

sanction: Government and International Organisations Sanctions Lists.
politically_exposed_person: Proprietary database of Politically Exposed Persons sourced from government lists, websites and other media sources.
monitored_lists: Law-Enforcement and Regulatory bodies Monitored Lists (including Terrorism, Money Laundering and Most Wanted lists).
adverse_media: Negative events reported by publicly and generally available media sources.

If no match is found against the subject, the records field will read [] and the overall result will be clear.

If one or more matches are found, each match will be returned under records and includes, but is not limited to: name and date of birth of match, aliases and associates, and relevant events and sources. Each event will correspond to a relevant category of list, which drives one of the breakdowns, and the overall result will be consider.

When available, URLs to data sources are provided, as well as pictures of the individual found in the match. This, along with other detail in the response, allows you to quickly assess the relevancy of the match and eliminate false positives.

Required applicant data

For Watchlist (KYC) reports, the following applicant data must be provided:

first_name

last_name

Recommended applicant data

dob

address[]postcode (ZIP code in US)

address[]country

address[]state (required for US addresses)

Date of birth

Submitting a date_of_birth with the name is optional but recommended, to narrow the search of the relevant individual.

More than one date of birth might be found per match due to the nature of the data sources, such as newspaper articles, which might include someone's age but not their full date of birth.

Address

Submitting an address with the country is optional but recommended.

The applicant address object is nested inside the applicant object.

Results are filtered by country of operation or office, under these circumstances:

There are PEP matches only
There are PEP matches with Adverse Media

The country filter is not applied, or in other words, results will still appear regardless of the address country, under these circumstances:

There are adverse media matches only
Address does not have a country
Sanctions, Money Laundering or Terrorist related events will always appear even if the country filter is applied

If a match is found but the date_of_birth or address fields are null, this means there is no date_of_birth or address data on file associated with that match.

Example check object with a Watchlist KYC report

1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5    "id": "<CHECK_ID>",
6    "created_at": "2019-10-08T14:31:20Z",
7    "status": "complete",
8    "redirect_uri": null,
9    "result": "clear",
10    "sandbox": true,
11    "tags": [],
12    "results_uri": "<RESULTS_URI>",
13    "form_uri": null,
14    "reports": [
15        {
16            "created_at": "2019-10-08T14:31:20Z",
17            "href": "/v2/checks/<CHECK_ID>/reports/<REPORT_ID>",
18            "id": "<REPORT_ID>",
19            "name": "watchlist",
20            "properties": {
21                "records": []
22            },
23            "result": "clear",
24            "status": "complete",
25            "sub_result": null,
26            "variant": "kyc",
27            "documents": [],
28            "breakdown": {
29                "politically_exposed_person": {
30                    "result": "clear"
31                },
32                "sanction": {
33                    "result": "clear"
34                },
35                "adverse_media": {
36                    "result": "clear"
37                },
38                 "monitored_lists": {
39                  "result": "clear"
40                }
41            }
42        }
43    ],
44    "paused": false,
45    "type": "express",
46    "report_type_groups": [
47        "<REPORT_TYPE_GROUP_ID>"
48    ],
49    "download_uri": "<DOWNLOAD_URI>",
50    "href": "/v2/applicants/<APPLICANT_ID>/checks/<CHECK_ID>",
51    "version": "2.0"
52}

Watchlist AML report

Report	Name	Variants	Standard check	Express check
Watchlist report	`watchlist`	`aml`	yes	yes

A Watchlist AML check provides a granular breakdown of any records found when screening global watchlists and media sources. These include:

sanction: Government and International Organisations Sanctions Lists.
politically_exposed_person: Proprietary database of Politically Exposed Persons sourced from government lists, websites and other media sources.
legal_and_regulatory_warnings: Law-Enforcement and Regulatory bodies Monitored Lists (including Terrorism, Money Laundering and Most Wanted lists).
adverse_media: Negative events reported by publicly and generally available media sources

Records

If no match is found against the subject, the records field will read [] and the overall result will be clear.

If one or more matches are found, each match will be returned under records and the overall result will be consider. Fields include, but are not limited to: name of match, associates, date of birth, related keywords, type of list, name of list, and when the entry was last updated. When available, URLs to data sources are provided, as well as pictures of the individual found in the match.

Required applicant data

For Watchlist Full checks, the following applicant data must be provided:

first_name

last_name

Recommended applicant data

dob

address[]postcode (ZIP code in US)

address[]country

address[]state (required for US addresses)

The applicant address object is nested inside the applicant object. If you create an applicant object with an address, you must provide postcode and country, and state for US addresses.

Example check object with a Watchlist AML report

1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5    "id": "<CHECK_ID>",
6    "created_at": "2019-10-08T14:32:40Z",
7    "status": "complete",
8    "redirect_uri": null,
9    "result": "clear",
10    "sandbox": true,
11    "tags": [],
12    "results_uri": "<RESULTS_URI>",
13    "form_uri": null,
14    "reports": [
15        {
16            "created_at": "2019-10-08T14:32:40Z",
17            "href": "/v2/checks/<CHECK_ID>/reports/<REPORT_ID>",
18            "id": "<REPORT_ID>",
19            "name": "watchlist",
20            "properties": {
21                "records": []
22            },
23            "result": "clear",
24            "status": "complete",
25            "sub_result": null,
26            "variant": "aml",
27            "documents": [],
28            "breakdown": {
29                "sanction": {
30                    "result": "clear"
31                },
32                "politically_exposed_person": {
33                    "result": "clear"
34                },
35                "legal_and_regulatory_warnings": {
36                    "result": "clear"
37                },
38                "adverse_media": {
39                    "result": "clear"
40                }
41            }
42        }
43    ],
44    "paused": false,
45    "type": "express",
46    "report_type_groups": [
47        "<REPORT_TYPE_GROUP_ID>"
48    ],
49    "download_uri": "<DOWNLOAD_URI>",
50    "href": "/v2/applicants/<APPLICANT_ID>/checks/<CHECK_ID>",
51    "version": "2.0"
52}

Watchlist Full report

Report	Name	Variants	Standard check	Express check
Watchlist report	`watchlist`	`full`	yes	yes

A Watchlist Full check provides a granular breakdown of any records found when screening global watchlists. These include:

sanction: Government and International Organisations Sanctions Lists.
politically_exposed_person: Proprietary database of Politically Exposed Persons sourced from government lists, websites and other media sources.
legal_and_regulatory_warnings: Law-Enforcement and Regulatory bodies Monitored Lists (including Terrorism, Money Laundering and Most Wanted lists).

Required applicant data

For Watchlist Full checks, the following applicant data must be provided:

first_name

last_name

Recommended applicant data

dob

Extra report options

For Watchlist Full reports, you can use the options array when creating a check. You can populate this with the following:

peps - returns politically_exposed_person breakdown matches only
sanctions - returns sanction breakdown matches only

If no options are specified, all types will be searched: PEPs, Sanctions and Warnings.

Each match will be returned under records and includes, but is not limited to: name of match, associates, date of birth, related keywords, type of list, name of list, and when the entry was last updated. When available, URLs to data sources are provided, as well as pictures of the individual found in the match. This allows you to quickly assess the relevancy of the match and eliminate false positives.

More than one date of birth might be found per match, due to the nature of the data sources, such as news papers articles, which might include someone's age but not their full date of birth.

Example check object with a Watchlist Full report

1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5    "id": "<CHECK_ID>",
6    "created_at": "2019-10-08T14:32:40Z",
7    "status": "complete",
8    "redirect_uri": null,
9    "result": "clear",
10    "sandbox": true,
11    "tags": [],
12    "results_uri": "<RESULTS_URI>",
13    "form_uri": null,
14    "reports": [
15        {
16            "created_at": "2019-10-08T14:32:40Z",
17            "href": "/v2/checks/<CHECK_ID>/reports/<REPORT_ID>",
18            "id": "<REPORT_ID>",
19            "name": "watchlist",
20            "properties": {
21                "records": []
22            },
23            "result": "clear",
24            "status": "complete",
25            "sub_result": null,
26            "variant": "full",
27            "documents": [],
28            "breakdown": {
29                "sanction": {
30                    "result": "clear"
31                },
32                "politically_exposed_person": {
33                    "result": "clear"
34                },
35                "legal_and_regulatory_warnings": {
36                    "result": "clear"
37                }
38            }
39        }
40    ],
41    "paused": false,
42    "type": "express",
43    "report_type_groups": [
44        "<REPORT_TYPE_GROUP_ID>"
45    ],
46    "download_uri": "<DOWNLOAD_URI>",
47    "href": "/v2/applicants/<APPLICANT_ID>/checks/<CHECK_ID>",
48    "version": "2.0"
49}

Street Level report

Report	Name	Variants	Standard check	Express check
Street Level report	`street_level`	-	yes	yes

Creating a check with a Street Level report will cause you to process personal data. Always make sure you inform your users about this and obtain any necessary permissions. For more information on how Onfido uses personal data, view our Privacy Policy.

A Street Level report confirms a person's address by sending a letter to their home with a unique verification code. The applicant enters this code online to confirm their address, which yeilds a "result": "clear". If after 15 days no response is received, the report will return a "result": "consider".

Required applicant data

For Street Level reports, the following applicant data must be provided:

first_name

last_name

address[]street

address[]postcode (ZIP code in US)

address[]country

The applicant address object is nested inside the applicant object. If you create an applicant object with an address, you must provide postcode and country, and state for US addresses.

Delivery times

The time at which the 15 day counter starts depends on the check type. For Express checks, it starts from the report creation date. For Standard checks, time starts counting from the moment the applicant has submitted their details in the applicant form.

Letters to UK addresses are sent out by Royal Mail second class postal service. Letters to countries other than the UK are sent out by Royal Mail first class postal service.

All mail is collected Monday-Friday at 3:00pm UK time, excluding UK bank holidays. This means that letters for any reports created after 3pm on a Friday will only be collected on the following Monday at 3pm.

Delivery times from time of mail collection:

UK: 2 to 3 working days, including Saturdays.
Europe: 3 to 5 working days.
Rest of the World: 5 to 7 working days.

Remote areas may take longer.

Royal Mail claim to have a 99% deliverability rate in the UK and 93% for Rest of the World. Providing good quality address data, with all fields correctly filled in the applicant object, greatly increases the deliverability of the letter. Do note that deliverability of the letter is not enough to clear the report. The applicant must enter the code online within the 15 days in order for the report to return as clear.

Customisation

The default letter is Onfido branded and directs the applicant to enter their code in an Onfido-managed interface.

Alternatively the letter can be customised with your branding of choice. To discuss this further, please contact your account manager or email client-support@onfido.com.

You can also build your own front end for the applicant to input their code using the submit code endpoint.

Street Level: Breakdowns


address	object Contains the result and details of an address match

Example check object with a Street Level report

1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5    "id": "<CHECK_ID>",
6    "created_at": "2019-10-08T14:35:55Z",
7    "status": "complete",
8    "redirect_uri": null,
9    "result": "clear",
10    "sandbox": true,
11    "tags": [],
12    "results_uri": "<RESULTS_URI>",
13    "form_uri": null,
14    "reports": [
15        {
16            "created_at": "2019-10-08T14:35:55Z",
17            "href": "/v2/checks/<CHECK_ID>/reports/<REPORT_ID>",
18            "id": "<REPORT_ID>",
19            "name": "street_level",
20            "properties": {},
21            "result": "clear",
22            "status": "complete",
23            "sub_result": null,
24            "variant": "standard",
25            "documents": [],
26            "breakdown": {
27                "slv_address": {
28                    "result": "clear"
29                }
30            }
31        }
32    ],
33    "paused": false,
34    "type": "express",
35    "report_type_groups": [
36        "<REPORT_TYPE_GROUP_ID>"
37    ],
38    "download_uri": "<DOWNLOAD_URI>",
39    "href": "/v2/applicants/<APPLICANT_ID>/checks/<CHECK_ID>",
40    "version": "2.0"
41}

Proof of Address report

The Onfido Proof of Address (PoA) solution allows users to upload PoA documents from anywhere in the world. Currently, the Onfido platform can only process UK PoA documents.

The document’s issuing country must be specified when uploading the document via the document upload endpoint by setting the issuing_country field. If the issuing_country field is not specified or is from an unsupported country (i.e. it is different from "GBR"), the document will be uploaded on the system however it will not be processed and the report will complete with the status set to cancelled and the result set to null.

Report	Name	Variants	Standard check	Express check
Proof of Address report	`proof_of_address`	-	no	yes

Required applicant data

For Proof of Address reports, the following applicant data must be provided:

first_name

last_name

address[]street

address[]town

address[]postcode

address[]country (must be a three-letter ISO code e.g. "GBR")

The applicant address object is nested inside the applicant object. If you create an applicant object with an address, you must provide postcode and country, and state for US addresses.

Supported document types


Bank Statement/Building Society Statements	`bank_building_society_statement`
Utility Bill (electricity, water, gas, broadband )	`utility_bill`
Council Tax	`council_tax`
Benefits Letter (i.e. Job seeker allowance, House benefits, Tax credits)	`benefit_letters`

Capture-only document types

For PoA documents from unsupported countries (i.e. non-UK PoA documents), the following document types can be uploaded to the system:


Bank Statement/Building Society Statements	`bank_building_society_statement`
Utility Bill (electricity, water, gas, broadband )	`utility_bill`
Government Letters	`government_letter`

Proof of Address: Breakdowns

A PoA report upon completion is composed of 3 breakdowns.

Breakdown	Description
`image_integrity`	object Asserts whether the quality of the uploaded document was sufficient to verify the address
`document_classification`	object Asserts whether the document is of a valid type as PoA
`data_comparison`	object Asserts whether the first name, last name and address provided by the applicant match those on the PoA document

Proof of Address: Properties

Data points extracted from PoA documents are returned in the properties attribute:


`document_type`	This property provides the document type according to the set of supported documents
`issue_date`	This property provides the issue date of the document
`expiry_date`	This property provides the expiry date of the document
`summary_period_start`	This property provides the summary period start date
`summary_period_end`	This property provides the summary period end date
`issuer`	This property provides the document issuer (e.g. HSBC, British Gas)
`first_names`	This property provides the first names on the document, including any initials and middle names
`last_names`	This property provided the last names on the document
`address`	This property provides the address on the document

The summary period and the issue date are mutually exclusive, in the sense that only one of them is returned in the report properties attribute (either the summary period start and end dates or the issue date). Issue date may not be returned if document has only expiry date.

Overall result logic

The PoA report can return a result of clear or consider or null.

The overall report result will be clear if all of the following are true:

the quality of the provided PoA document is sufficient to process it
the provided PoA document is a supported UK PoA document
the data provided by the applicant matches the data that is on their PoA document
the source integrity of the provided PoA document is sufficient to process it

The overall report result will be null if any of the following is true:

the issuing_country field set when uploading the document is from an unsupported country (i.e. it is different from "GBR")
the issuing_country field is not provided when uploading the document

Please note that if the report result is null, the report status will be cancelled.

The overall report result will be consider if any of the following is true:

the document was not of enough quality to be processed (e.g. image blurred, data points not visible on the document). In this scenario, the value of the image_quality breakdown (which is part of the image_integrity breakdown) will be unidentified and no data will be extracted from the document, hence the report properties attribute will be empty and all the other breakdowns will be null
the document is not a valid UK PoA document (i.e. it does not feature in the list of supported document types). In this scenario the value of the supported_document breakdown (which is part of the document_classification breakdown) will be unidentified, no data will be extracted from the document, hence the report properties attribute will be empty and the data comparison breakdowns will be set to null
the data provided by the applicant does not match the data extracted from the PoA document. In this scenario the breakdowns first_name, last_name and address (which are part of the data_comparison breakdown) will have a value of unidentified. Data is extracted from the document and returned as part of the report properties attribute.
the document was digitally tampered and therefore the source integrity is insufficient for it to be processed. In this scenario, the value of the digitally_tampered breakdown (which is part of the source_integrity breakdown) will be consider

Example check object with a Proof of Address report

1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5    "id": "<CHECK_ID>",
6    "created_at": "2021-06-03T11:00:36Z",
7    "status": "complete",
8    "redirect_uri": null,
9    "result": "clear",
10    "sandbox": true,
11    "tags": [],
12    "results_uri": "<RESULTS_URI>",
13    "form_uri": null,
14    "paused": false,
15    "type": "express",
16    "report_type_groups": [
17        "<REPORT_TYPE_GROUP_ID>"
18    ],
19    "download_uri": "<DOWNLOAD_URI>",
20    "href": "/v2/applicants/<APPLICANT_ID>/checks/<CHECK_ID>",
21    "reports": [
22        {
23            "created_at": "2021-06-03T11:00:36Z",
24            "documents": [],
25            "href": "/v2/checks/<CHECK_ID>/reports/<REPORT_ID>",
26            "id": "<REPORT_ID>",
27            "name": "proof_of_address",
28            "properties": {
29                "document_type": "bank_building_society_statement",
30                "issuer": "a bank",
31                "issue_date": "2000-01-01",
32                "first_names": "first name",
33                "last_names": "last name",
34                "address": "1 high street london wc2n 123"
35            },
36            "result": "clear",
37            "status": "complete",
38            "sub_result": null,
39            "variant": "standard",
40            "breakdown": {
41                "data_comparison": {
42                    "result": "clear",
43                    "breakdown": {
44                        "address": {
45                            "result": "clear",
46                            "properties": {}
47                        },
48                        "last_name": {
49                            "result": "clear",
50                            "properties": {}
51                        },
52                        "first_name": {
53                            "result": "clear",
54                            "properties": {}
55                        }
56                    }
57                },
58                "document_classification": {
59                    "result": "clear",
60                    "breakdown": {
61                        "supported_document": {
62                            "result": "clear",
63                            "properties": {}
64                        }
65                    }
66                },
67                "image_integrity": {
68                    "result": "clear",
69                    "breakdown": {
70                        "image_quality": {
71                            "result": "clear",
72                            "properties": {}
73                        }
74                    }
75                }
76            }
77        }
78    ],
79    "version": "2.0"
80}

Other Endpoints

Ping

GET

https://api.onfido.com/ping

Runs a health check on the Onfido API.

If api.onfido.com is operational, the ping endpoint will return OK in Text format.

You can also subscribe to webhook notifications from https://status.onfido.com.

Ping (check api.onfido.com can receive requests)

1GET /ping HTTP/1.1
2Host: api.onfido.com

Webhooks

About webhooks

Onfido provides webhooks to alert you of changes in the status of your resources (i.e. checks and reports). These are POST requests to your server that are sent as soon as an event occurs. The body of the request contains details of the event.

You can create and configure up to 20 webhooks to receive status changes from live, sandbox or both environments.

Retry logic

Upon receiving a webhook notification, you should acknowledge success by responding with an HTTP 20x response within 10 seconds. Otherwise, we will attempt to resend the notification 5 times according to the following schedule:

30 seconds after the first attempt
2 minutes after the first attempt
15 minutes after the first attempt
2 hours after the first attempt
10 hours after the first attempt

We also use circuit breaking for webhooks: if any 5 requests to the same webhook fail in a row, then that webhook will be disabled for one minute.

Testing

You can quickly inspect webhook requests with temporary endpoint URLs. You can create these using free hosted services such as https://webhook.site.

Security

The webhook URL must use HTTPS and both TLSv1.2 and TLSv1.3 versions are supported.

Duplicate events

We guarantee at-least-once delivery of webhooks, which means that in rare occasions you may receive duplicate events. You should treat events as idempotent to avoid unwanted effects in your application.

Ordering

Onfido doesn't guarantee order when delivering events. As a result, you may receive an event before another event that was created earlier. You should expect to receive them out of order and handle them accordingly.

Webhook object

Attribute	Description
id	string The unique identifier for the webhook.
url	string The url to listen to notifications (must be HTTPS).
enabled	Boolean Determines if the webhook should be active. If omitted, will be set to true by default.
events	array The events that should be published to the webhook. If omitted, all events will be subscribed by default. You can read about the supported events.
token	string The webhook token (read more about verifying webhook signatures.
href	string The URI of this resource.
environments	array Lists the environments that the webhook will receive events from.

Example webhook object (check started)

1HTTP/1.1 200 OK
2Content-Type: application/json
3
4{
5  "webhooks": [
6    {
7      "id": "<WEBHOOK_ID>",
8      "url": "https://demo.com",
9      "enabled": false,
10      "href": "/v2/webhooks/<WEBHOOK_ID>",
11      "token": "<WEBHOOK_TOKEN>",
12      "environments": [
13        "sandbox"
14      ],
15      "events": [
16        "check.started"
17      ]
18    }
19  ]
20}

Webhook IP addresses

All webhook requests will come from the following IPs:

Europe:

52.51.171.25
52.51.228.228
52.51.234.203

United States:

34.232.2.222
52.55.124.58
34.224.182.19

Canada:

15.223.105.11
15.222.176.53
15.222.71.172

Please make sure that you allow these IPs in order to receive webhook notifications.

Events

By default, webhooks are subscribed to all events, but can be subscribed to a subset using the events array.

You can configure the following events to trigger a message to registered webhooks:

Resource	Events	Description
check	check.started	A check has been started. For Standard checks, this indicates the applicant has submitted all required information.
check	check.reopened	A check has been reopened. This indicates the applicant needs to re-submit required information.
check	check.withdrawn	A check has been withdrawn.
check	check.completed	A check has been completed.
check	check.form_completed	An applicant has submitted their information using the check form.
report	report.withdrawn	A report has been withdrawn.
report	report.resumed	A paused report has been resumed.
report	report.cancelled	A paused report has been cancelled.
report	report.awaiting_approval	A report has transitioned to the "Awaiting Approval" status.
report	report.completed	A report has been completed and results are available.

Event object

Attributes

Attribute	Description
payload	object The top level element.
resource_type	string Indicates the resource affected by this event.
action	string The event that triggered this webhook, e.g. `report.completed`.
object	object The object affected by this event. This will contain an `id` and an `href` to retrieve that resource.

Webhook event versioning

Refer to our API versioning guide for details on webhook event versioning.

Example event object (report completed)

1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5  "payload": {
6    "resource_type": "report",
7    "action": "report.completed",
8    "object": {
9      "id": "<REPORT_ID>",
10      "status": "complete",
11      "completed_at_iso8601":"2019-11-25T10:11:36Z",
12      "href": "https://api.onfido.com/v2/checks/<CHECK_ID>/reports/<REPORT_ID>",
13      "completed_at": "2019-11-25 10:11:36 UTC"
14    }
15  }
16}

Verifying webhook signatures

If you're already verifying webhooks in production using SHA-1, this will continue to work and we'll support this for the lifetime of API version 2.

You should verify request signatures on your server to prevent attackers from imitating valid webhook events.

Each webhook you register will return a single secret token in the token field of the API response body, which is used to generate an HMAC using SHA-256. You only need to register a webhook once. The token for each webhook is also displayed on the Onfido Dashboard ‘Webhook Management’ page.

We provide a detailed guide for manually verifying webhook signatures.

1X-SHA2-Signature: <HMAC_VALUE>

Register webhook

POST

https://api.onfido.com/v2/webhooks/

Registers a webhook. Returns a webhook object.

You can read more about how to verify request signatures on your server.

You cannot use sandbox tokens to create or manage webhooks for live environments.

Request body parameters


url	required The url that will listen to notifications (must be HTTPS).
enabled	optional Determine if the webhook should be active. If omitted, will be set to true by default.
environments	optional The environments from which the webhook will receive events. Allowed values are "sandbox" or "live" but sandbox tokens cannot be used for the "live" environment. If omitted (with a live token), the webhook will receive events from both environments.
events	optional The events that should be published to the webhook. If omitted, all events will be subscribed by default. You can read about the supported events.

Register a webhook using the Dashboard

You can also register webhooks through the Onfido Dashboard.

Webhook logs

To help you diagnose webhook issues, you can review logs on the Onfido Dashboard.

1GET /v2/webhooks/<WEBHOOK_ID> HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

List webhooks

GET

https://api.onfido.com/v2/webhooks/

Lists all webhooks you've created.

List all webhooks youve created

1GET /v2/webhooks/ HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Retrieve webhook

GET

https://api.onfido.com/v2/webhooks/{webhook_id}

Retrieves a single webhook.

Retrieve a single webhook

1GET /v2/webhooks/<WEBHOOK_ID> HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Edit webhook

PUT

https://api.onfido.com/v2/webhooks/{webhook_id}

Edits a webhook.

Edit a webhook (change the URL)

1PUT /v2/webhooks/<WEBHOOK_ID> HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7    "url": "https://yourdomain.com"
8}

Delete webhook

DELETE

https://api.onfido.com/v2/webhooks/{webhook_id}

Deletes a webhook.

Delete a webhook

1DELETE /v2/webhooks/<WEBHOOK_ID> HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json

Address Picker

GET

https://api.onfido.com/v2/addresses/pick?postcode={postcode}

Performs a search for addresses by postcode (UK only).

Returns data in the form: {"addresses": [<LIST_OF_ADDRESS_OBJECTS>]}.

The Onfido Address Picker will always use a third-party subprocessor for address cleansing. In this way, it can be used to make sure addresses passed to the create applicant endpoint are valid.

Query string parameters

postcode (required): the applicant's postcode.

Search for an address using a postcode

1GET /v2/addresses/pick?postcode=SW46EH HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Generate SDK token

POST

https://api.onfido.com/v2/sdk_token

Generating an SDK token will enable applicants to send personal data to Onfido via one of our SDKs. For more information on how Onfido uses personal data, view our Privacy Policy.

Generates an SDK token. Returns a token object containing the SDK token.

SDK tokens are JWTs. These are restricted to an individual applicant and expire after 90 minutes, so you can safely use them in the frontend of your application.

You’ll need to generate and include a new token each time you initialize the Onfido SDKs.

Request body parameters


`applicant_id`	required Specifies the applicant for the SDK instance.
`application_id`	optional, should not be used if `referrer` provided The application ID (or "application bundle ID") - used with the iOS and Android SDKs.
`referrer`	optional, should not be used if `application_id` provided The referrer URL pattern - used with the Web SDK.
`cross_device_url`	optional The URL to be used by the Web SDK for the cross-device flow. (Max 24 characters). This replaces the default id.onfido.com and requires additional setup to map back to the Onfido hosted cross-device address.

Each authenticated instance of the SDK will correspond to a single Onfido applicant as specified by the applicant_id.

The application_id

The application_id is the "Application ID" or "Bundle ID" on iOS and Android that was set up during development. For iOS, this is usually in the form com.your-company.app-name. For Android, this is usually in the form com.example.yourapp. Make sure to use a valid application_id or you'll receive a 401 error.

If you want to disable the application ID check, you can pass the wildcard *. Alternatively, don't pass either of the application_id and referrer parameters.

The referrer argument

The referrer argument specifies the URL of the web page where the Web SDK will be used. The referrer sent by the browser must match the referrer URL pattern in the SDK token for the SDK to successfully authenticate. The referrer is based on the Google Chrome match pattern URLs. URLs can contain wild card characters.

The referrer pattern guarantees that other malicious websites cannot reuse the token in case it is lost. You can read more about referrer policy in Mozilla's documentation.

If you want to disable the referer header check, you can pass the wildcard *. Alternatively, don't pass either of the application_id and referrer parameters.

You must use a site referrer policy that lets the Referer header be sent. If your policy does not allow this (e.g. Referrer-Policy: no-referrer), then you'll receive a 401 bad_referrer error when trying to use the Web SDK.

Permitted referrer patterns are as follows:

Section	Format	Example
Referrer	`scheme://host/path`	`https://.<DOMAIN>/<PATH>/`
Scheme	`*` or `http` or `https`	`https`
Host	`` or `.` then any char except `/` and `*`	`*.<DOMAIN>`
Path	Any char or none	`<PATH>/*`

An example of a valid referrer is https://*.example.com/example_page/*.

The cross_device_url argument

The cross-device flow of the Web SDK allows users to continue the identity verification process from their phone where they can take pictures of their document and themselves rather than uploading images from their desktop. This feature is available to all customers and uses the URL id.onfido.com as the default. The cross_device_url argument is used to white-label the default Onfido cross-device URL to one of your choosing with a maximum character length of 24 including https://. While the cross-device flow is available to all customers, white-labeling the URL using this argument is a premium enterprise feature that must be activated for your account before it may be used. Please talk to your account executive for more information about purchasing this feature.

Example SMS before and after using this feature:

Before:

Continue your identity verification by tapping https://id.onfido.com/<UNIQUE-PATH>

After:

Continue your identity verification by tapping <YOUR-CROSS-DEVICE-URL>/<UNIQUE-PATH>

Generate a new SDK token with a referrer

1POST /v2/sdk_token HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7  "applicant_id": "<APPLICANT_ID>",
8  "referrer:": "https://*.example.com/example_page/*",
9  "cross_device_url": "https://example.com"
10}

Repeat attempts

The repeat attempts endpoint allows you to request a list of repeat attempt matches for Document reports to show instances of repeat fraud where users submit multiple requests using the same document.

A repeat attempt is any previous Document report that was submitted using a document that matches other previously onboarded documents in your Onfido database. For each repeat attempt match, Onfido returns whether the name and date of birth (and document number starting from API version 3.6) on the document matches the personal document data used for each previous attempt. If the personal document data doesn't match, this indicates that one, or potentially multiple, of the documents might be fraudulent. A large number of repeat attempts can also signal fraudulent behaviour.

The repeat attempts endpoint is for use with Document reports only.

Retrieve repeat attempts

GET

/v2/repeat_attempts/{report_uuid}

Returns all repeat attempts for a given Document report.

The Document report must have completed before you can request repeat attempts via this endpoint.

Repeat attempts

1curl -X GET https://api.eu.onfido.com/v2/repeat_attempts/<REPORT_UUID> \
2  -H 'Authorization: Token token=<YOUR_API_TOKEN>'

Example response for verify Authentication token

1HTTP/1.1 200 OK
2Content-Type: application/json
3
4{
5  "report_id": "<REPORT_UUID>",
6  "repeat_attempts": [
7    {
8      "report_id": "<REPORT_ID>",
9      "applicant_id": "<APPLICANT_ID>",
10      "date_of_birth": "mismatch",
11      "names": "match",
12      "result": "clear",
13      "created_at": "2021-12-10T00:00:00",
14      "completed_at": "2021-12-12T00:10:00"
15    },
16    {
17      "report_id": "<REPORT_ID>",
18      "applicant_id": "<APPLICANT_ID>",
19      "date_of_birth": "match",
20      "names": "match",
21      "result": "clear",
22      "created_at": "2021-12-12T00:00:00",
23      "completed_at": "2021-12-12T00:10:00"
24    }
25  ],
26  "attempts_count": 3, 
27  "attempts_clear_rate": 0.67,
28  "unique_mismatches_count": 1,
29}

Response

Returns a repeat attempts object containing an array of repeat attempts.

Attribute	Description
`report_id`	string The uuid of the completed Document report.
`repeat_attempts`	array of objects An array of repeat attempt objects. If no repeat attempts were found, the array will be empty. The number of objects returned can increase over time if more matches are received.
`attempts_count`	int The total number of attempts using the same document, including the current report under assessment.
`attempts_clear_rate`	float A number between 0 and 1 which indicates the proportion of attempts that have been cleared, including the current report under assessment.
`unique_mismatches_count`	int The number of unique entries in the `repeat_attempts` field for which at least one of the fields is a mismatch.

Repeat attempts object

The repeat_attempts array of objects is nested inside the repeat attempts response object.

Attribute	Description	Possible values
`report_id`	string The uuid of the matching Document report.	-
`applicant_id`	string The uuid of the applicant for the matching Document report.	-
`date_of_birth`	string Whether the dates of birth are exactly the same or are different.	`match`, `mismatch`
`names`	string Whether the names are exactly the same or are different.	`match`, `mismatch`
`result`	string The report result of this attempt.	`clear`, `consider`
`created_at`	datetime When the matching report was created.	-
`completed_at`	datetime When the matching report was completed.	-

Document reports flagged as suspected for data_consistency will not be returned by this endpoint. This is to ensure that data was correctly extracted, and the matches are relevant.

Autofill

POST

https://api.onfido.com/v2/ocr

Autofill takes an uploaded document and returns information extracted from the document. This is a synchronous request, which means the extracted information will be presented immediately in the API response.

Request body parameters


document_id	required The unique identifier of the uploaded document to run extraction on

Return information extracted from a document

1POST /v2/ocr HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7  "document_id": "<DOCUMENT_ID>"
8}

Extraction result

If data has been successfully extracted, the API response will contain the properties document_classification and extracted_data.

document_classification has the following properties:


issuing_country	Document country in 3-letter ISO code
document_type	Type of document. See Document types. Only certain document types are supported by Autofill. Please contact client-support@onfido.com to find out more.
issuing_state	The state that issued the document. Only returned for a subset of documents.
subtype	The document subtype. Only extracted from USA and UK Driving Licences. For USA DLs, it returns `full` or `u21`. For UK DLs, it returns `full` or `provisional`.
version	The document issuing version. Only returned for a subset of documents.

extracted_data has the following properties:

As extraction is done on a best-effort basis, and also information varies across different documents, none of these properties are guaranteed to be present in the response.

Extraction data will not be populated if the document is issued by a country subject to comprehensive US sanctions.


document_number	The official document number.
first_name	First name.
last_name	Last name.
middle_name	Middle name.
full_name	Full name.
spouse_name	Spouse name (French documents only).
widow_name	Widow name (French documents only).
gender	Gender. Valid values are `Male` and `Female`.
date_of_birth	Date of birth in YYYY-MM-DD format.
date_of_expiry	Date of expiry in YYYY-MM-DD format.
expiry_date	Date of expiry in YYYY-MM-DD format.
nationality	Nationality in 3-letter ISO code.
mrz_line1	Line 1 of the MRZ code.
mrz_line_1	Line 1 of the MRZ code.
mrz_line2	Line 2 of the MRZ code.
mrz_line_2	Line 2 of the MRZ code.
mrz_line3	Line 3 of the MRZ code.
mrz_line_3	Line 3 of the MRZ code.
address_line_1	Line 1 of the address.
address_line_2	Line 2 of the address.
address_line_3	Line 3 of the address.
address_line_4	Line 4 of the address.
address_line_5	Line 5 of the address.
issuing_authority	Issuing authority.
issuing_country	Document country in 3-letter ISO code.
document_type	Type of document. See Document types. Only certain document types are supported by Autofill. Please contact client-support@onfido.com to find out more.
place_of_birth	Place of birth.
issuing_state	The state that issued the document.
issuing_date	Issuing date in YYYY-MM-DD format.
personal_number	The owner's unique identification number.

Example response (return information extracted from a document)

1HTTP/1.1 200
2Content-Type: application/json
3
4{
5  "document_id": "<DOCUMENT_ID>",
6  "document_classification": {
7    "document_type": "driving_licence",
8    "issuing_country": "USA",
9    "issuing_state": "CA",
10    "subtype": "full",
11    "version": "2018"
12  },
13  "extracted_data": {
14    "first_name": "JANE",
15    "last_name": "DOE",
16    "full_name": "JANE DOE",
17    "date_of_birth": "1977-08-31",
18    "document_number": "I1234568",
19    "gender": "Female",
20    "issuing_date": "2009-08-31",
21    "date_of_expiry": "2014-08-31",
22    "expiry_date": "2014-08-31",
23    "address_line_1": "2570 24TH STREET",
24    "address_line_2": "ANYTOWN, CA 95818",
25    "document_type": "driving_licence",
26    "issuing_country": "USA",
27    "issuing_state": "CA",
28}

Unsuccessful extraction

Classification failure

If the document cannot be recognised, a classification_failure will be returned.

Unsuccessful extraction response: classification failure

1HTTP/1.1 422 Unprocessable Entity
2Content-Type: application/json
3
4{
5  "document_id": "<DOCUMENT_ID>",
6  "error": {
7    "type": "classification_failure",
8    "message": "We couldn’t recognise the type of this document."
9  }
10}

Extraction failure

If no data can be extracted, an extraction_failure will be returned.

Unsuccessful extraction response: extraction failure

1HTTP/1.1 422 Unprocessable Entity
2Content-Type: application/json
3
4{
5  "document_id": "<DOCUMENT_ID>",
6  "error": {
7    "type": "extraction_failure",
8    "message": "We couldn’t extract data from this document."
9  }
10}

Report type groups

Report type groups provide a convenient way to group and organize different types of reports, so that you can easily request different sets of reports for different buckets of applicants. For example, you may want to only run an identity report and a right_to_work report on a junior-level role, but you may want additional reports on a more senior-level role.

To set up or update your report type groups, please contact client-support@onfido.com.

Report type group object

The report type group object defines the set of reports to be requested in a check.

Note that more than one report type group can be requested in a single check.

Attribute	Description
id	string The unique identifier for the group.
name	string The group's name, as specified under your account.
group_only	boolean If false, individual reports in that group can be requested; if true, all reports must be requested together.
report_types	array of report type group objects A list of objects containing information regarding the different report types included in this group.

Example report type group object (Identity)

1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5  "id": "<REPORT_TYPE_GROUP_ID>",
6  "name": "Junior level",
7  "group_only": false,
8  "report_types": [
9    {
10      "id": "<REPORT_ID>",
11      "name": "identity"
12    }
13  ]
14}

Retrieve report type group

GET

https://api.onfido.com/v2/report_type_groups/{report_type_group_id}

A single report type group can be retrieved by calling this endpoint with the group's unique identifier.

List report type groups

GET

https://api.onfido.com/v2/report_type_groups/

All report type groups belonging to your account can be listed from this endpoint.

Checks

Checks are performed on an applicant and consist of one or more reports.

Please note: When integrating with Onfido Studio workflows, checks are created automatically based on your specific workflow implementation. Checks are only applicable for implementations that rely on the explicit SDK configuration of verification steps.

Check object

Attribute	Description
id	string The unique identifier for the check.
created_at	datetime The date and time at which the check was initiated.
href	string The API endpoint to retrieve the check.
type	string The type of check (`standard` or `express`).
status	string The current state of the check in the checking process.
tags	array of strings A list of tags associated with this check.
result	string The overall result of the check, based on the results of the reports used in the check.
download_uri	string A link to a PDF output of the check results. Append `.pdf` to get the PDF file.
form_uri	string A link to the applicant form, if the check is of type `standard`.
redirect_uri	string For Standard checks, redirect to this URI when the applicant has submitted their data.
results_uri	string A link to the corresponding results page on the Onfido Dashboard.
reports (via check creation, expanded check retrieval, or expanded check listing)	array of objects An array of report objects associated with the check(s).
reports (via default check retrieval or default check listing)	array of strings, expandable to array of objects Array of strings of report IDs associated with the check.
sandbox	Boolean Indicates whether the object was created in the sandbox or not.

Check status

Status	Description
in_progress	We are currently processing the check.
awaiting_applicant	The applicant has not yet submitted the applicant form, either because they have not started filling the form out or because they have started but have not finished.
complete	All reports for the applicant have been completed or withdrawn.
withdrawn	The check has been withdrawn.
paused	The check is paused until you (the client) switch it on manually. Special case used by clients who wants to collect data and run the checks when they want and not immediately.
reopened	Insufficient or inconsistent information was provided by the applicant, and the report has been bounced back for further information.

Example check object (express check)

1HTTP/1.1 201 Created
2Content-Type: application/json
3
4{
5  "id": "<CHECK_ID>",
6  "created_at": "2014-05-23T13:50:33Z",
7  "href": "/v2/applicants/<APPLICANT_ID>/checks/<CHECK_ID>",
8  "type": "express",
9  "status": "complete",
10  "result": "clear",
11  "redirect_uri": "https://somewhere.else",
12  "results_uri": "<RESULTS_URI>",
13  "download_uri": "<DOWNLOAD_URI>",
14  "reports": [
15    {EXPANDED_REPORT_OBJECT_1},
16    {EXPANDED_REPORT_OBJECT_2}
17  ],
18  "tags": [
19    "My tag",
20    "Another tag"
21  ]
22}

Standard checks

If you require Onfido to collect information from an applicant, you can use Standard checks.

Standard checks require applicants to enter their information in a form, which is sent to applicants via email.

A Standard check will only start processing when the applicant has submitted the form.

Check results

The value of the check is derived from the results of the individual reports that it contains:

Check result
clear	If all the reports contained in the check have `clear` as their results.
consider	If some of the reports contained in the check have either `consider` or `unidentified` as their results.

Create check

POST

https://api.onfido.com/v2/applicants/{applicant_id}/checks/

Using this endpoint in a live context will cause you to create a check using an applicant's personal data. Always make sure you inform your users about this and obtain any necessary permissions. For more information on how Onfido uses personal data, view our Privacy Policy.

Initiates a check for an applicant, which can contain one or more reports. Returns a check object, which contains an expanded list of report objects.

Having created the first check, you are allowed to create further checks for the same applicant, as long as the previous check is not still ongoing (i.e. check has been completed, withdrawn or cancelled). You will receive an error message if you try to create a check for an applicant with an ongoing check.

Request body parameters

Either reports or report_type_groups must be specified when creating a check.


type	required `standard` or `express`. See “Checks”.
reports	required if `report_type_groups` not provided Array of reports being requested for this check.
report_type_groups	required if `reports` not provided Array containing ids of the report type groups being requested for.
privacy_notices_read_consent_given	optional Boolean to indicate that the privacy notices and terms of service have been read and, where specific laws require, that consent has been given for Onfido.
redirect_uri	optional For Standard checks, redirect to this URI when the applicant has submitted their data.
tags	optional Array of tags being assigned to this check.
suppress_form_emails	optional For Standard checks, applicant form will not be automatically sent if this is set to `true`. You can manually send the form at any time after the check has been created, using the link found in the form_uri attribute of the check object. Defaults to `false` (i.e., form will be sent automatically by default).
async asynchronous (alias)	optional It’s strongly recommended that you set this as `true`, and configure webhooks to notify you when a check or report is complete. Defaults to `false`* Note: async and asynchronous cannot be provided together.
consider	optional Array of names of the reports to return `consider` as their results. This is a sandbox testing specific argument for testing multiple-report scenarios.

* If asynchronous is set to false:

the request to create a check will only return a response when all the reports in the check complete the automatic part of the review, or the request times out after 29 seconds
if all reports are completed automatically, the check response is returned with a status of complete
if one of the reports goes to manual review (the status of the report is awaiting_approval) the check response is returned with a status of in_progress
a check created in sandbox will always complete automatically and never time out, so may not give an accurate representation of the behaviour

Request body parameters (report)


name	required The name of the report type. You can read about the different report types.
variant	optional The name of the report type variant, if required.
options	optional Array of report options objects.
documents	optional Array of report documents objects. This argument allows you to specify which document to use as part of the Document report. If unspecified, the most recently uploaded document (or documents for a two-sided ID document) will be used.

Request body parameters (report options)


name	required The option to be applied (used by Watchlist Full reports).

Request body parameters (report documents)


id	required ID of uploaded document to use.

Create a check (Document report, Facial Similarity report)

1POST /v2/applicants/<APPLICANT_ID>/checks HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>
4Content-Type: application/json
5
6{
7  "type": "express",
8  "reports": [
9    {
10      "name": "document"
11    },
12    {
13      "name": "facial_similarity",
14      "variant": "standard"
15    }
16  ],
17  "async": "true"
18}

Retrieve check

GET

https://api.onfido.com/v2/applicants/{applicant_id}/checks/{check_id}

Retrieves a single check.

By default, individual check objects returned will contain an array of strings (reports), referencing the IDs of individual reports in the check.

You can expand the reports value to return an array of the report objects in the response, instead of the default array of strings of report IDs.

Query string parameters

expand=reports (Optional)

Retrieve a single check

1GET /v2/applicants/<APPLICANT_ID>/checks/<CHECK_ID> HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

List checks

GET

https://api.onfido.com/v2/applicants/{applicant_id}/checks/

Returns all checks for an applicant in the form: {"checks": [<LIST_OF_CHECK_OBJECTS>]}.

By default, individual check objects returned will contain an array of strings (reports), referencing the IDs of individual reports in the check.

You can expand the reports value to return an array of the report objects in the response, instead of the default array of strings of report IDs.

Query string parameters

expand=reports (Optional)

List all checks associated with an applicant

1GET /v2/applicants/<APPLICANT_ID>/checks/ HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Resume check

POST

https://api.onfido.com/v2/checks/{check_id}/resume

Resumes a paused check. If successful, returns a 204 No Content response.

A check is paused if all the reports that it contains are in the paused state.

When a Standard check gets resumed, all its reports will start processing immediately if the applicant has already submitted the form. The check status will automatically change to in_progress. Otherwise, the check will remain as awaiting_applicant and the reports will only start processing after the applicant submits the form.

Resume a paused check

1GET /v2/checks/<CHECK_ID>/resume HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Reports

In the Onfido API, checks are composed of one or more reports.

Please note: When integrating with Onfido Studio workflows, the results of reports are managed by workflow run output and can be retrieved by making a call to the Retrieve Workflow Run endpoint, with results returned in the output attribute. Report endpoints are only applicable for implementations where reports are part of checks created with the explicit SDK configuration of verification steps.

Report object

The report object will differ depending on which report it concerns (see "About reports" above).

Attribute	Description
id	string The unique identifier for the report.
created_at	datetime The date and time at which the report was first initiated.
name	string Report type string identifier.
href	string The API endpoint to retrieve the report.
status	string The current state of the report in the checking process.
result	string The result of the report.
sub_result	string The sub_result of the report. It gives a more detailed result for Document reports only, and will be `null` otherwise.
variant	string Report variant string identifier. Some reports have sub-types, which are identified by this field.
options	array Report options usable with Watchlist Full reports.
breakdown	object The details of the report. This is specific to each type of report.
properties	object The properties associated with the report, if any.
documents	array The document ids that were processed. Populated for Document reports, otherwise an empty array.

The breakdown object differs for each report type. For example, for Document reports.

Report status

Status	Description
awaiting_data	Onfido has made a request to one of its data providers and we are waiting on their reply.
awaiting_approval	Report is undergoing manual review.
cancelled	Report has been cancelled using the cancel report endpoint.
complete	Report is done.
withdrawn	Report has been automatically withdrawn by the system. For example, due to missing data.
paused	Report is paused until you, i.e. the client, switch it on manually. Special case used by clients who want to collect data and run the reports when they want and not immediately.

Report results

The result field indicates the overall result of a report. The possible values of this field are:

Report result
clear	If all underlying verifications pass, the overall result will be `clear`.
consider	If the report has returned information that needs to be evaluated, the overall result will be `consider`.
unidentified	Identity report (`standard` variant only) - this is returned if the applicant fails an identity check. This indicates there is no identity match for this applicant on any of the databases searched.

Sub results (Document reports)

The sub_result field indicates a more detailed result and is unique to Document reports.

Report sub_result
clear	If all underlying verifications pass, the overall sub result will be `clear`.
rejected	If the report has returned information where the check cannot be processed further (poor quality image or an unsupported document).
suspected	If the document that is analysed is suspected to be fraudulent.
caution	If any other underlying verifications fail but they don't necessarily point to a fraudulent document (such as the name provided by the applicant doesn't match the one on the document).

Retrieve report

GET

https://api.onfido.com/v2/checks/{check_id}/reports/{report_id}

Retrieves a single report. Returns a report object.

Retrieve a single report

1GET /v2/checks/<CHECK_ID>/reports/<REPORT_ID> HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

List reports

GET

https://api.onfido.com/v2/checks/{check_id}/reports/

Lists all reports belonging to a particular check. Returns data in the form: {"reports": [<LIST_OF_REPORT_OBJECTS>]}.

List all reports associated with a check

1GET /v2/checks/<CHECK_ID>/reports/ HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Resume report

POST

https://api.onfido.com/v2/checks/{check_id}/reports/{report_id}/resume

Resumes a single paused report. If successful, returns a 204 No Content response.

When an individual report gets resumed in a Standard check, it will start processing immediately if the applicant has already submitted the form. The report status will automatically change from paused to awaiting_data. Otherwise, the status change will happen but the report processing will only start after the applicant submits the form.

Note that you can resume all reports within a check by resuming the check itself.

Resume a single paused report

1POST /v2/checks/<CHECK_ID>/reports/<REPORT_ID>/resume HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Cancel report

POST

https://api.onfido.com/v2/checks/{check_id}/reports/{report_id}/cancel

Cancels single paused reports. If successful, returns a 204 No Content response.

When a report gets cancelled in a Standard check, its status will change from paused to cancelled and the report will never get processed.

Cancel a single paused report

1POST /v2/checks/<CHECK_ID>/reports/<REPORT_ID>/cancel HTTP/1.1
2Host: api.onfido.com
3Authorization: Token token=<YOUR_API_TOKEN>

Responsible Disclosure

Responsible Disclosure Policy

Security is a top priority for Onfido and we value the work done by researchers in improving the security of our products and services. We encourage responsible vulnerability research and disclosure and if you discover a vulnerability in any of our systems, please let us know about it so we can address it as quickly as possible. We are committed to working with the community to verify, reproduce, and respond to all the submissions in a timely manner.

Our full policy can be found at the following URLs:

Reporting a Vulnerability

If you believe you’ve discovered a security vulnerability, please let us know by submitting a report at https://vdp.onfido.com/p/Send-a-report

Onfido highly appreciates the efforts made by the reporting party in identifying the vulnerability or error. Reporting of such vulnerabilities and errors will contribute to improving the security and reliability of our product and services.

Bug Bounty

Onfido currently operates a private bug bounty on the YesWeHack platform. If you want to actively participate in the program, please let us know and contact us at bugbounty@onfido.com. You can find more information here.

Contact

Please submit any vulnerability reports at https://vdp.onfido.com/p/Send-a-report. If you aren’t sure whether a system or an issue is in scope or not, contact us at bugbounty@onfido.com.

Developers

Overview

Get started (API v2)

Request, response format

Token authentication

API tokens

API token rotation

SDK tokens

Sandbox testing

Sandbox and live differences

Sample document, photo

Pre-determined responses

Pre-determined 'consider' results

Pre-determined 'consider' and 'clear' results

Pre-determined responses for Document reports

Breakdowns and sub-breakdowns

Pre determined document types

Sub-results

Pre-determined responses for Facial Similarity reports

Breakdowns and sub-breakdowns

Pre-determined responses for Repeat Attempts

Go live

API client libraries

OpenAPI specification

Rate limits

Regions

Versioning policy

Changelog

Upcoming maintenance

Errors

Example error object

Error codes and what to do

Core Resources

Applicants

Applicants with Sanctioned Documents

Applicant object

ID number object

Addresses object

Forbidden characters

Create applicant

Request body parameters

Retrieve applicant

Update applicant

Delete applicant

Restore applicant

List applicants

Query string parameters

Link header

Documents

Document object

Document types

Identity documents

Upload document

Request body parameters

Image quality

Retrieve document

List documents

Query string parameters

Download document

Path parameters

Live photos

Live photo object

Upload live photo

Request body parameters

Retrieve live photo

List live photos

Query string parameters

Download live photo

Live videos

Live video object

Upload live video

Retrieve live video

List live videos

Query string parameters

Download live video

Download live video frame

Unsuccessful frame extraction

Frame extraction failed

Frame extraction unavailable

Report Types

Breakdowns which map to `caution`

Breakdowns which map to `suspected`

Breakdowns which map to `rejected`