Skip to main content
API docs by Redocly

Signicat MobileID API reference (1.0)

Download OpenAPI specification:Download

API Support: support@signicat.com URL: https://developer.signicat.com/support/

Introduction

Signicat's MobileID API offers a simple way to implement strong customer authentication on mobile devices.

The MobileID API is a RESTful API that uses the OAuth 2.0 protocol for authorisation. All request and response bodies are formatted in JSON.

Getting started

To use our MobileID API, you need to complete the following steps:

Before you start

  1. If you do not have an account already, then you need to sign up to Signicat.

  2. In the Signicat Dashboard, you must create an organisation and create an account.

Note: It is also possible to add a domain, but this is not required for MobileID.

  1. To authenticate against our APIs, you need to set up an API client. From this step, you will obtain a Client ID and a Client Secret.

  2. To use MobileID, you need to set the required permissions. Ensure that you select both MobileID API and MobileID Admin API as permissions.

Onboard to MobileID

You need to complete the onboarding of your account for MobileID. To do this, you can either:

Use the Signicat Dashboard

  1. Log in to the Signicat Dashboard.

  2. In the top navigation bar, use the dropdown menu next to your organisation name to select the account that you want to use MobileID on.

  3. In the left-side menu, select MobileID.

  4. Click the Create account button.

Use our MobileID Admin REST API

Make a request to the Add MobileID account endpoint in our MobileID Admin API.

Result of the onboarding

As a result of the onboarding, an account is added to the MobileID service. For each MobileID account, we will create an application configuration and an E2E key.

  • The application configuration is identified by an applicationId, and contains specific settings for you app. You can see all of the configurable properties in our application configuration feature documentation.

  • The E2E key is used to end-to-end encryption of all communication between our MobileID SDK and our service.

Configure the app

To configure the Authenticator App and the mobile SDK, you need the following:

Note: Our server URL is the same for both sandbox and production accounts.

To get your Application ID (applicationId) and Public E2E key (publicKey), you can either:

Use the Signicat Dashboard

  1. Log in to the Signicat Dashboard.

  2. In the top navigation bar, use the dropdown menu next to your organisation name to select the account that you have onboarded to MobileID.

  3. In the left-side menu, select MobileID.

  4. Use the tabs for Account and E2E keys to see your Application ID and Public key.

Use our MobileID Admin REST API

  • Make a request to the Get MobileID account endpoint in our MobileID Admin API to fetch your applicationId.

  • Make a request to the Get E2E keys endpoint in our MobileID Admin API to fetch your publicKey.

Get started with MobileID

  1. For the MobileID account, you will be able to create users.

  2. Each user can register one or more devices.

  3. The devices can then be used to perform authentication and authorisation operations.

Using this API

Authorisation

This API uses OAuth 2.0 for authorisation. OAuth 2.0 is an open protocol to allow secure authorisation in a simple and standardised manner.

For more information on how to access the MobileID API, see the Accessing Signicat API products guide in our developer documentation.

Callback

Callback enables you to receive the result of a completed operation automatically from Signicat, at a specified notification URI.

  • To receive callback for MobileID events, you must subscribe to them using the Events service in the Signicat Dashboard.

  • You will automatically receive the operation results for the events that your account has subscribed to.

  • The operation result that you receive through callback is the same as the result obtained by polling, but wrapped in a callback event object. It is passed in the eventData field.

For more information about events and how to use the events service, see our Events and webhooks documentation.

When to use callback

We strongly advise that you always set up callback for production. This offers the best usability and responsiveness through reduced latency, and means that you do not need to conduct additional polling calls.

Regardless of whether callback is set up or not, you can fetch the result of a completed operation from Signicat by polling. You can do this by running get<resource> API calls, but it should only be reserved for testing and development use.

What events can I subscribe to?

You can see the full list of supported MobileID event types when you create a new subscription in the Signicat Dashboard.

To find out how to see this, see our documentation on Event types.

Set up callback

To set up callback for MobileID events, you need to:

  1. Get started with the Events service.

  2. Add a subscription for the MobileID events that you would like to receive callback for.

Now, when an operation is complete, Signicat's callback framework will send the callback event object to your configured notification URI if you are subscribed to that event.

Errors

MobileID returns an error object to you as a response when an error occurs. You can cross-reference the details provided in the error object with the table of error IDs below. From this, you can determine how to diagnose and resolve the error.

Note: Some of the errors illustrated are 'Generic errors', and can describe a number of possible issues. If you require support, you can contact us at support@signicat.com.

Error object

For MobileID, the error object can be made up from the following 7 fields:

Field name Description Type/format requirement
type URI to the documentation that describes the error. String
title A summary of the error type (this does not change between occurrences of the error). String
code A machine-readable string, indicating the error code. This is a constant. String
status The HTTP status code generated by the origin server (specific to this occurrence of the error). HTTP status code
traceId The unique identifier of the request in the tracing system. This makes it possible for us to trace the history of the request in detail. String
detail An explanation of the error (specific to this occurrence of the error). String
invalidParams List of request parameters that have failed the validation. Contains the parameter name and the reason for validation failure. String


Example 1: Response with error object

An example response with error object from MobileID: 

{
    "type": "https://api.signicat.com/mobileid/core/openapi.json",
    "title": "User entity does not exist",
    "code": "user_entity_does_not_exist",
    "status": 404,
    "traceId": "4bf239c088089f2bca77d3a413909f1d",
    "detail": "Failed fetching user with user ID : 90e1b3e5-93a7-458e-b42b-d1b57e65e26a and account ID : a-sdge-Abcdefghijk123456789."
}

In this example, we can determine that the user entity (referred to by the userId in the request) does not exist.

The detail describes which user ID and account ID this refers to, so that you can take action accordingly.


Example 2: Response with error object

An example response with error object from MobileID, containing multiple invalid request parameters: 

{
    "type": "https://api.signicat.com/mobileid/core/openapi.json",
    "title": "Invalid request parameter",
    "code": "invalid_request_parameter",
    "status": 400,
    "traceId": "4bf239c088089f2bca77d3a413909f1d",
    "detail": "Your request body parameters have failed validation."
    "invalidParams": [
        {
            "name": "userId"
            "reason": "userId cannot be null or empty"
        },
        {
            "name": "deviceId"
            "reason": "deviceId cannot be null or empty"
        }
    ]
}

In this example, we can determine that multiple request parameters have failed the validation.

The invalidParams describes which request parameters have failed the validation, so that you can modify them to pass the validation.

Error IDs

Error code Status (HTTP) Error description
access_token_missing 401 The access token is missing from the request.
internal_error 500 Internal error that requires no action from you. In the rare case that this error persists, please contact our support at support@signicat.com.
internal_subsystem_error 4xx/50x Internal error that requires no action from you. In the rare case that this error persists, please contact our support at support@signicat.com.
invalid_request 400/404/405/406/415 Generic error to indicate that the request being made is invalid.

There are a number of possible causes for this error, such as:
  • If a required query parameter is missing.
  • If the wrong HTTP operation type is sent.
request_parsing_error 400 Error when parsing the request, due to invalid JSON formatting.
unknown_property 400 The property being passed in the request is either incorrect or misspelled.

You will also receive this error if the property being passed is correct, but its placement in the request is incorrect.
missing_identifier 400 When the device ID (deviceId) or user ID (userId) are missing in the resource path.
missing_request_parameter 400 When device object, device ID (deviceId), or user ID (userId) are missing in the request payload.
invalid_request_parameter 400/404 Generic error to indicate that the request being made contains an invalid parameter, or that no parameter has been supplied.

There are a number of possible causes for this error, such as:
  • If no parameter is supplied when you are resolving the external reference with an API call (externalRef = null).
  • If the enumerated values being passed are not valid (if they are incorrect, or do not belong to the allowed set of values).
invalid_identifier 400/404 The supplied identifier uses an invalid character.

For globally unique identifiers (GUIDs):
  • User ID (userId)
  • Device ID (deviceId)
The allowed character set is:
REGEX = "^[a-z0-9][a-z0-9\-]*$";

For other identifiers:
  • External reference (externalRef)
  • Attribute name (attrName)
The allowed character set is:
REGEX = "^[a-z_0-9][a-z_0-9~\.\-:@]*$";
identifier_too_long 400 The supplied identifier exceeds the maximum character length.

Maximum character lengths for the identifiers are as follows:
  • External reference (externalRef): 128 characters
  • Attribute name (attrName): 128 characters
  • Attribute value (attrValue): 256 characters
  • Any globally unique identifier (GUID): 36 characters
user_entity_does_not_exist 404 The user entity referred to by the user ID (userId) does not exist.
user_entity_is_locked 409 The user entity referred to by the user ID (userId) does exist, but is in a LOCKED state, and is therefore invalid for the requested operation.
user_entity_already_exists 409 A new user entity cannot be added, as the user entity with that external reference (externalRef) already exists for this account.
device_does_not_exist 404 The device referred to by the device ID (deviceID) does not exist.
device_is_locked 400 The device referred to by the device ID (deviceID) does exist, but is in a LOCKED state, and is therefore invalid for the requested operation.
transaction_id_does_not_exist 404 The transaction (with the transaction ID specified for this get<Resource> API call) cannot be found.
invalid_operation 400/403/404/ The operation cannot be cancelled, as the session for this operation does not exist.
exceeding_user_attribute_limit 400 The maximum limit for the number of user attributes (100) has been exceeded.
exceeding_user_device_limit 400 The maximum limit for the number of user devices (30) has been exceeded.
exceeding_sandbox_device_limit 405 The maximum limit for the number of sandbox devices (100) has been exceeded.
passportscan_not_enabled 424 Passport scan is not enabled.
passportscan_cannot_be_cancelled 422 The passport scan cannot not be cancelled.
multiple_pending_proofings 500 Multiple pending proofings.
user_proofing_does_not_exist 404 The user proofing does not exist.

Response headers

All MobileID responses set the following headers:

Header name DescriptionType
X-TRACE-ID The unique identifier of the request in the tracing system. This makes it possible for us to trace the history of the request in detail.String

Common concepts

Authentication levels

Possible values to use for the authentication level.

Authentication level Description
ONE_FACTOR One factor authentication.
TWO_FACTOR Two factor authentication.

App Attest statuses

App Attest statuses Description
VERIFIED Attestation verification was successful.
FAILED_CLIENT_APPLE_SERVER_UNAVAILABLE Attestation failed because the Apple App Attest server was unavailable.
FAILED_CLIENT_NOT_SUPPORTED Attestation failed because Apple App Attest is not supported on the device.
FAILED_CLIENT_UNEXPECTED_ERROR Attestation failed because of an unexpected error; you can find further details in the error message.
FAILED_CLIENT_TIMEOUT Attestation failed because the request took longer than the configured timeout.
FAILED_VALIDATION_EXCEPTION Validation of the attestation object failed because the integrity check failed.

Authentication methods

Possible values to use for the authentication method.

Authentication method Description
DEVICE Device.
DEVICE_PIN PIN code.
DEVICE_IOS_FACE_ID Face ID for iOS.
DEVICE_STRONG_TOUCH_ID Touch ID for iOS, where the registered fingerprints at activation time cannot be updated.
DEVICE_ANDROID_BIOMETRIC_PROMPT Biometric ID for Android.
DEVICE_ANDROID_FINGERPRINT Deprecated: Fingerprint for Android.

Note: Android deprecated fingerprint in Android 9, which was released in 2018. We have now also deprecated this method (DEVICE_ANDROID_FINGERPRINT), and it will be removed in an upcoming release.

Please use DEVICE_ANDROID_BIOMETRIC_PROMPT for biometric authentications on Android.

Geofencing client statuses

Possible values for the geofencing clientStatus field.

Status Description
OK The country code was obtained.
LOCATION_NOT_ENABLED Either:
  • The location was not requested by the SDK.
  • The end-user declined access to location services for the SDK on their device.
LOCATION_TIMEOUT The device did not obtain a location within the configured accuracy before timeout.
LOCATION_MOCKED Android devices only

The location of the device was mocked.

This is based on the location methods isFromMockProvider() and isMock(), which indicate whether this location is marked as a mock location.

Note: To test faking the GPS location of the device, you can download and install a mock location app, then enable it in the Developer options on the device.
GEOCODER_NOT_SUPPORTED Android devices only

Geocoder is not supported on the device.
GEOCODER_NETWORK_ERROR Either:
  • The geocoder network or service is not available.
  • Too many requests have been made to the geocoder service (offered by Apple or Google), as it is rate-limited for each app.
GEOCODER_UNEXPECTED_ERROR An unexpected geocoder error occurred.
GEOCODER_TIMEOUT The geocoder call did not finish within time the limit.
GEOCODER_NO_RESULT_FOUND The reverse geocode request yielded an empty result for the current location.

Geofencing server boundary validation statuses

Possible values for the geofencing serverBoundaryValidation field.

Status Description
SUCCESS The evaluation of the country against the allowed region succeeded.
FAILURE The evaluation of the country against the allowed region failed.

Hardware-protected key client statuses

Possible values for the hwKeyClientStatus attribute.

Status Description Operation
OK_KEY_PROVIDED Activation of hardware-protected keys was successful on the client. Registration
OK_SIGNED_SUCCESS The authentication challenge was successfully signed with the hardware-protected key on the client. Authentication, Signature
INFO_NO_HARDWARE_SUPPORT The client device does not have Secure Enclave, or it is running in a simulator.

Note: This is only applicable for iOS.		 Registration
INFO_NO_OPERATING_SYSTEM_SUPPORT The client operating system does not support hardware-protected keys.
It is supported on:
  • Android 6 (most devices)
  • Android 7 or later (all devices)
  • iOS 10 or later (devices with Secure Enclave)
 Registration
INFO_NOT_ACTIVATED_WITH_HW_KEY The registration was not activated with hardware-protected keys support, because the device hardware does not support hardware crypto-protected keys. Authentication, Signature
ERR_KEY_GENERATION_FAILED There was an unexpected error during the generation of a keypair on the client. Registration
ERR_RETRIEVE_PUBLIC_KEY_FAILED There was an unexpected error retrieving the public key.

Note: This is only applicable for iOS.		 Registration
ERR_RETRIEVE_PRIVATE_KEY_REF_FAILED There was an unexpected error when retrieving the reference to the private key. Registration, Authentication, Signature
ERR_SIGN_OPERATION_FAILED There was an unexpected error when generating the signature. Registration, Authentication, Signature

Hardware-protected key server results

Possible values for the hwKeyServerResult attribute.

Status Description Validation strategy
SIGNATURE_VERIFICATION_SUCCESS Verification of the hardware-protected key signature was successful. The operation will be successful in both validation strategies (SUPPORTED, RISK_PARAMS).
SIGNATURE_VERIFICATION_FAILED Verification of the hardware-protected key signature failed. The operation will fail if using the SUPPORTED validation strategy.
NOT_ACTIVATED_WITH_HW_KEY The signature could not be verified because the registration was not activated with hardware-protected keys.

Note: This is only applicable for authentication.		 The operation will not fail, regardless of which validation strategy is used (SUPPORTED, RISK_PARAMS).
NOT_PROVIDED_BY_CLIENT The client is on an Encap version that does not support the hardware-protected keys feature.

Note: This is only applicable for registration.		 The operation will not fail, regardless of which validation strategy is used (SUPPORTED, RISK_PARAMS).

The device will be activated without hardware-protected keys. The device will be able to perform all operations, but will not be able to use the hardware-protected keys feature.

To enable this feature, the client must use Encap version 3.8 or newer.

Lock reason

Lock reason Description
OPEN The device is unlocked.
DEVICE_OR_PIN_VERIFICATION_FAILED The device is locked due to a failed authentication, caused by use of the wrong device and/or a second-factor error (incorrect PIN code or biometrics).
LOCKED_BY_ADMIN The device is locked by administrative operation.
DEVICE_VERIFICATION_FAILED The device is locked due to a failed authentication with the wrong device.
PIN_VERIFICATION_FAILED The device is locked due to a failed authentication, caused by a second-factor error (incorrect PIN code or biometrics).
INCORRECT_SALT_KEY_ID The device is locked because it provided an incorrect Salt-key ID.
HW_KEY_VERIFICATION_FAILED The device is locked because it failed the verification of the hardware-protected key (the key provided was incorrect).
APPATTEST_VERIFICATION_FAILED The device is locked because it failed the verification of the App Attest attestation.
PLAYINTEGRITY_VERIFICATION_FAILED The device is locked because it failed the verification of the Play Integrity attestation.

Operation context maximum character length

The maximum character length that the operation context content (content) can be for the different MobileID operations.

Property name Registration Authentication Signature
Pre-operation context content (content) Not applicable. 5000 characters. 20000 characters.
Post-operation context content (content) 5000 characters. 5000 characters. 5000 characters.

Operation error codes

Operation error code Description
CANCELLED_BY_DEVICE The operation failed because the session was cancelled by the device.
CANCELLED_BY_SP The operation failed because the session was cancelled by the service provider.
CANCELLED_AUTH_METHOD_DEACTIVATED The operation failed because the session was cancelled by the device. The device started a deactivation of authentication method(s).
CANCELLED_NEW_ACTIVATION The operation failed because the session was cancelled when a new activation was started.
EXPIRED The operation failed because the session has expired.
LOCKED The operation failed because the device is locked.
LOCKED_BY_ADMIN The operation failed because the device is locked by admin.
LOCKED_DEVICE_VERIFICATION_FAILED The operation failed because the device is locked by device verification.
LOCKED_PIN_VERIFICATION_FAILED The operation failed because the device is locked by PIN verification.
LOCKED_INCORRECT_SALT_KEY_ID The operation failed because the device is locked by incorrect Salt-key ID.
CALLBACK_FAILED The operation failed because the session callback failed. Legacy value from synchronous callback model.
LOCKED_HW_KEY_VERIFICATION_FAILED The operation failed because the device provided incorrect signed challenge.
LOCKED_INTERMEDIATE_PUSH_VERIFICATION_FAILED The operation failed because the intermediate push attestation validation failed.
CANCELLED_INTERMEDIATE_PUSH_REQUIRED The operation failed because of missing intermediate push attestation details.
AUTHORIZATION_TOKEN_VERIFICATION_FAILED The operation failed because authorisation token validation failed.
CANCELLED_PERFORM_RECOVERY_STARTED The operation failed because the session was cancelled when recovery was started.
FAILED_RECOVERY_DOES_NOT_EXIST The operation failed because the recovery does not exist.
LOCKED_PERFORM_RECOVERY_FAILED The operation failed because the recovery is locked.
GEOFENCING_FAILED The operation failed because the geofencing validation failed.
LOCKED_APPATTEST_VERIFICATION_FAILED The operation failed because the App Attest validation failed.
CANCELLED_APPATTEST_REQUIRED The operation failed because of missing App Attest attestation details.
LOCKED_PLAYINTEGRITY_VERIFICATION_FAILED The operation failed because the Play Integrity attestation validation failed.

Operation states

The state of the operation. The state and the values that are returned in the response depend on the API call you are executing.

Operation status Description
PENDING The operation has been successfully initiated, and is waiting for the device to complete the operation.
COMPLETED The operation has been completed.
FAILED The operation has failed. The response contains an errorCode, and the cause of the error is given in the errorDescription. See operation error codes for possible values.

Operation types

Operation type Description
REGISTRATION The operation type is registration.
RE_REGISTRATION The operation type is re-registration.
AUTHENTICATION The operation type is authentication.
SIGNING The operation type is signing.
PASSPORT_SCAN The operation type is passport scan.
RECOVERY An existing recovery has been used to perform a recovery for a new device.
AUTH_AND_ACTIVATE An additional authentication method is activated for an existing device.
AUTH_AND_DEACTIVATE An authentication method is deactivated for an existing device.
ADD_OR_UPDATE_RECOVERY A recovery is set up for an existing device.

Passport scan states

The status of the passport scan.

Passport scan status Description
ACCEPTED The passport verification was successful.
REJECTED The passport verification has failed.
INCONCLUSIVE It was not possible to finish the passport scan operation. There are multiple reasons why a verification may fail, therefore the end-user should retry 1-2 more times.
FAILED The operation has failed.

Play Integrity statuses

Play Integrity attestation status for the device.

Play Integrity status Description
VERIFIED Attestation verification was successful.
FAILED_INTEGRITY_CHECK Attestation failed because the integrity check failed.
FAILED_UNRECOGNIZED_PLAY_APP Attestation failed because the Google Play app is unrecognized.
FAILED_UNLICENSED_PLAY_APP Attestation failed because the Google Play app is unlicensed.
FAILED_INCORRECT_PACKAGE_NAME Attestation failed because of incorrect package name.
FAILED_INVALID_JWS Attestation failed because of invalid JWS format.
FAILED_CLIENT_API_FAILURE Attestation failed because Google Play Integrity returned an API exception.
FAILED_CLIENT_TIMEOUT Attestation failed due to request taking longer than the configured timeout.
FAILED_INCORRECT_NONCE Attestation failed because of incorrect nonce.
FAILED_MISSING_JWS Attestation failed because of missing JWS.
FAILED_MISSING_STATUS Attestation failed because of missing status returned from the client.
FAILED_INVALID_TIMESTAMP Attestation failed because the timestamp is not within the lifetime of the Encap server session.
FAILED_CLIENT_PLAY_SERVICES_OUT_OF_DATE Attestation failed due to client doesn't have Google Play or the version is too old.

Recovery statuses

Recovery status Description
ACTIVATED Recovery has been set up for the device and is ready to be used.
DEACTIVATED Recovery has been deactivated.
RECOVERED Recovery has been used to recover the device.
LOCKED Recovery has been locked.

Risk attributes

The risk attributes that can be collected for the device.

You can configure which attributes are collected in the application configuration.

  • Risk attributes marked with Yes in the Always configured column are always collected, for debugging purposes.

  • Risk attributes marked with No in the Always configured column are only collected if configured in the application configuration.

    Risk attribute    Type Description Always collected
    operationSystemFingerprint String A fingerprint of the operating system. You can use this to detect whether the device is running a custom ROM or operating system. Yes
    operatingSystemVersion String The operating system version.

    Examples: 4.1.2, 6.0.1     		Yes
    inputMethod String The input method that was used to enter text in the application. You can use this to detect when a custom keyboard is being used on the device.

    You can find more information about input methods in the Android developer documentation.     		No
    isDebuggable Boolean Indicates whether the application running can be debugged using a source-level debugger, either by manifest entry or in emulator. No
    isDebugEnabled Boolean Indicates whether debug is enabled on the device, either by user setting (USB-debugging enabled) or when running in emulator (debugging enabled by default). No
    isDebuggerConnected Boolean Indicates whether a debugger is connected to the application. No
    isEmulator Boolean Indicates whether the application is running in an emulator. No
    isRootAvailable Boolean Indicates whether the device has been rooted/jail-broken.
    For iOS, this value has to be passed to Encap using the setRiskParameter API.
    If the application is using Shield, the callback value can be passed to Encap.     		No
    isSecureScreenLockEnabled Boolean Indicates whether the device has secure screen enabled or not. No
    isUnknownSourcesEnabled Boolean Indicates whether the device allows installation of applications outside of the application store. No
    serverClientIp String The host address that the request originated from.
    It will contain the value of X-Forwarded-For (XFF) header from the request, and can contain multiple IP addresses depending on proxy and load balancers.

    If XFF is not present, we will use the remote address of the request. It can be either the IP of the client or the last proxy that sent the request. It is specified by the value of the Common Gateway Interface (CGI) variable REMOTE_ADDR.     		No
    signerHashes Base64 A SHA-256 hash of the public key, of the certificate, of the application signer. If there are more signers, each hash is comma separated. This can be used for detecting whether the application has been re-signed. No
    userAgent String HTTP User agent from smart device application. No
    deviceHash Base64 SHA256 hash of the unique hardware device ID, of the client device. Yes
    deviceManufacturer String The manufacturer of the device.

    Examples: "Apple", "Samsung"     		Yes
    deviceModel String The device's model.

    Examples: "iPad2,2", "Nexus S"     		Yes
    operatingSystemType String Indicates the operating system type of the device; either Android or iOS. Yes
    applicationHash Base64 SHA256 hash of the application name. The server can use this for detecting re-packaging. No
    clientSideIp JSON An array containing the client network interfaces.

    This includes the type of the network and the IP address. The list can contain multiple interfaces if the user's device is connected to more than one at the time of the transaction.

    Examples: [{"Type":"Cellular","IPAddress":"123.123.123.123"},
    {"Type":"Wifi","IPAddress":"124.124.124.124"}]     		No
    hwKeyClientStatus String The status of the hardware protected key signature preformed by the Encap client SDK.

    See Hardware-protected key client statuses for possible values.     		No
    hwKeyServerResult String The result of the hardware protected key signature verification on the Encap server.

    See Hardware-protected key server results for possible values.     		No
    batteryLevel Integer Indicates the battery level of the device. No
    isPowerConnected Boolean Indicates whether the device is being charged/connected to a charger. No

User

The MobileID user API provides you with operations related to creating and managing users (sometimes referred to as identities) for MobileID.

Note: The request and response samples are for illustrative purposes only, and discrepancies can occur between the sample values in request and response objects.

Useful information

Most operations in the MobileID service require a MobileID user, which is identified by a valid user ID (userId).

A user may optionally contain attributes such as an address or phone number, in the form of key-value pairs.

A MobileID user can have two different states:

User stateDescription
ACTIVEAn active state represents a normal MobileID user which is successfully registered.
LOCKEDA locked state represents a MobileID user which has been locked.

You cannot perform any device operations on a MobileID user in a locked state.

Create user

The Create user operation creates a valid MobileID user with an active (ACTIVE) user state (state).

Once the user is successfully created, a unique user ID (userId) is generated. This userId is then used to identify the user in all subsequent MobileID operations.

Request Body schema: application/json
required
externalRef
string

An identifier generated by you (the customer), that points to the user ID (userId) generated by MobileID when a new user is created.

The identifier must

  • be unique in the scope of the account
  • have a max length of 128 characters.
segment
string

An optional parameter, used for segmentation of end-users and their corresponding transactions.

It can have any value, but it cannot exceed the maximum possible length of 128 characters.

object

The user attributes, given as key-value pairs.

The keys must:

  • Start with a letter (a-z), digit or an underscore (_).
  • Contain only digits, lowercase letters (a-z), or certain special characters (-._~:@).
  • Have a max length of 128 characters.
The values must have a max length of 256 characters.

Responses

Request samples

Content type
application/json
{
  • "externalRef": "Empl10300469",
  • "segment": "SE",
  • "attributes": {
    }
}

Response samples

Content type
application/json
{
  • "externalRef": "Empl10300469",
  • "segment": "SE",
  • "id": "0e99b25c-abde-4553-973b-8d94d49cd87e",
  • "created": "2022-08-23T12:28:57.123Z",
  • "state": "ACTIVE",
  • "attributes": {
    }
}

Resolve external reference

The Resolve external reference operation resolves a specified external reference for an end-user and returns the associated user ID (userId) to use for subsequent MobileID operations.

Request Body schema: application/json
required
externalRef
string

An identifier generated by you (the customer), that points to the user ID (userId) generated by MobileID when a new user is created.

The identifier must

  • be unique in the scope of the account
  • have a max length of 128 characters.

Responses

Request samples

Content type
application/json
{
  • "externalRef": "Empl10300469"
}

Response samples

Content type
application/json
{
  • "externalRef": "Empl10300469",
  • "userId": "0e99b25c-abde-4553-973b-8d94d49cd87e"
}

Get user

The Get user operation retrieves detailed information for a MobileID user, specified by the user ID (userId).

path Parameters
userId
required
string
Example: 0e99b25c-abde-4553-973b-8d94d49cd87e

The ID of the user (userId) as generated upon user creation, in a valid UUID format.

Responses

Response samples

Content type
application/json
{
  • "externalRef": "Empl10300469",
  • "segment": "SE",
  • "id": "0e99b25c-abde-4553-973b-8d94d49cd87e",
  • "created": "2022-08-23T12:28:57.123Z",
  • "state": "ACTIVE",
  • "attributes": {
    }
}

Delete user

The Delete user operation deletes a MobileID user, specified by the user ID (userId).

Only user entities in a locked (LOCKED) user state (state) can be deleted.

path Parameters
userId
required
string
Example: 0e99b25c-abde-4553-973b-8d94d49cd87e

The ID of the user (userId) as generated upon user creation, in a valid UUID format.

Responses

Response samples

Content type
application/json
{}

Update user

The Update user operation updates the attributes of a MobileID user, specified by the user ID (userId).

To do this, you must specify the key-value pairs that you want to add, update or remove. If an attribute is not mentioned, it will stay the same.

In summary, this means that:

  • If the attribute in the list does not exist, then the new attribute will be added.
  • If the attribute in the list already exists, then the existing attribute will be updated (patched).
  • If the attribute in the list already exists and null is specified, then the existing attribute will be removed.
  • If the attribute in the list does not exist and null is specified, then no action will occur.

Example

If the following attributes were given in the Create user operation:

{
    "externalRef":"test1",
    "attributes": {
        "abc": "123",
        "def": "456",
        "ghi": "789"
    }
}

And the following attributes were given in the Update user operation:

{
    "abc": "example1",
    "xxx": "example2",
    "ghi": null
}

Then the result would be the following attributes:

{
    "abc": "example1",
    "def": "456",
    "xxx": "example2"
}
path Parameters
userId
required
string
Example: 0e99b25c-abde-4553-973b-8d94d49cd87e

The ID of the user (userId) as generated upon user creation, in a valid UUID format.

Request Body schema: application/json
required
externalRef
string

An identifier generated by you (the customer), that points to the user ID (userId) generated by MobileID when a new user is created.

The identifier must

  • be unique in the scope of the account
  • have a max length of 128 characters.
segment
string

An optional parameter, used for segmentation of end-users and their corresponding transactions.

It can have any value, but it cannot exceed the maximum possible length of 128 characters.

state
string
Enum: "ACTIVE" "LOCKED"

The state of the user.

This is returned as an enum, and can be either ACTIVE or LOCKED.

object

The user attributes, given as key-value pairs.

The keys must:

  • Start with a letter (a-z), digit or an underscore (_).
  • Contain only digits, lowercase letters (a-z), or certain special characters (-._~:@).
  • Have a max length of 128 characters.
The values must have a max length of 256 characters.

Responses

Request samples

Content type
application/json
{
  • "segment": "NO",
  • "attributes": {
    }
}

Response samples

Content type
application/json
{
  • "externalRef": "Empl10300469",
  • "segment": "NO",
  • "id": "0e99b25c-abde-4553-973b-8d94d49cd87e",
  • "created": "2021-01-21T22:47:27.123Z",
  • "lastUsed": "2021-01-21T22:47:27.123Z",
  • "state": "ACTIVE",
  • "attributes": {
    }
}

Get transactions for user

The Get transactions for user operation returns a list of device transactions for an end-user's devices.

Note: The list contains device transactions from all of their available devices.

path Parameters
userId
required
string
Example: 20874199-f4d1-4e9d-86ee-dd4a46030acb

The ID of the user (userId) that will carry out the operation, in a valid UUID format.

query Parameters
deviceId
string
Example: deviceId=20874199-f4d1-4e9d-86ee-dd4a46030acb

An optional parameter that you should only pass if you get an error due to a broadcast operation.

limit
string
Example: limit=10

An optional parameter that determines the number of objects (device transactions) that are shown on each page.

It must be a whole number ranging from 1 to 100.

If not provided, the the default value of 100 will be used.

offset
string
Example: offset=0e99b25c-abde-4553-973b-8d94d49cd87e

An optional parameter that determines the ID of the first transaction to include in the operation response, specified by the transaction ID (transactionId).

If not provided, then the result will start with the first transaction in the device history.

Responses

Response samples

Content type
application/json
{
  • "previous": "/users/d910994d-80b2-4125-a6b1-062b5b2f43ba/transactions?limit=1&offset=39277b72-53c2-4780-ad56-a8c8d8a33542",
  • "next": "/users/d910994d-80b2-4125-a6b1-062b5b2f43ba/transactions?limit=1&offset=a1c66944-e5e3-46e3-ba36-750622205ef3",
  • "limit": 1,
  • "transactions": [
    ]
}

Get proofings for user

The Get proofings for user operation returns a list of proofings for an end-user, from the stored proofing data.

The list of proofings contains:

  • The proofing operation.
  • The proofing state.
  • The expiry time.
path Parameters
userId
required
string
Example: 0e99b25c-abde-4553-973b-8d94d49cd87e

The ID of the user (userId) as generated upon user creation, in a valid UUID format.

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    },
  • {
    }
]

Registration

The MobileID registration API provides you with operations related to registering devices for MobileID.

Note: The request and response samples are for illustrative purposes only, and discrepancies can occur between the sample values in request and response objects.

Useful information

All registration operations return a registration response containing an operation state.

Registration modes

There are two registration modes (registrationMode) for creating and updating a registration:

Registration mode Description
REGISTRATION Registration (REGISTRATION) is the default registration mode, and will be set automatically if no registration mode is specified in the request for the Start registration operation.

You can also set this manually by specifying REGISTRATION as the registration mode.
RE_REGISTRATION In re-registration (RE_REGISTRATION) mode, users can be re-registered and create new login credentials on the same device ID (deviceId), given that they are using the same device that they were originally enrolled on. This allows you to reuse the same device ID, instead of creating a new one.

To trigger a re-registration, you must set RE_REGISTRATION as the registration mode in the Start registration operation.

Operation context

When you perform a registration, you can use our post-operation context (postOperationContext).

To learn more, see our operation context feature documentation.

Start registration

The Start registration operation initiates a registration for the end-user's device.

The operation response is returned with an operation state (state) set to PENDING, as the end-user now has to complete the operation on their device.

The operation response contains:

  • A transaction ID (transactionId) that will be used for subsequent operations, such as checking the status of the operation.
  • An activation code (activationCode) which is to be used for registration of the device in the app.
Request Body schema: application/json
required
userId
required
string

The ID of the user (userId) that will carry out the operation, in a valid UUID format.

object (DeviceRequest)

An object that contains the properties of the device to be used for this operation.

For registration:

  • When a REGISTRATION is executed, this object is optional. If specified, you can only supply the device name, since the device id is generated by this operation.
  • When a RE_REGISTRATION of the existing device is executed, then this object is mandatory and the id field must be specified.

For authentication or signing

  • The device object is mandatory except if broadcast is enabled.
  • If broadcast is enabled, then then the device object does not need to be supplied.
  • See the broadcast (broadcast) operation property for details.
tags
Array of strings

Used to tag callback event to enable filtering.

object (RegistrationOperationPropertiesRequest)

An object that describes the properties used to carry out the operation.

Responses

Request samples

Content type
application/json
{
  • "userId": "0e99b25c-abde-4553-973b-8d94d49cd87e",
  • "device": {
    },
  • "operationProperties": {
    }
}

Response samples

Content type
application/json
{
  • "transactionId": "7daa489e-6b35-46ca-83a4-1bba2ea35f68",
  • "accountId": "a-sdge-Abcdefghijk123456789",
  • "state": "PENDING",
  • "operationProperties": {
    },
  • "created": "2021-01-21T22:47:27.123Z",
  • "device": {
    },
  • "user": {
    }
}

Get state of ongoing registration

The Get state of ongoing registration operation returns the registration response with an operation state for a specified transaction ID (transactionId).

path Parameters
transactionId
required
string
Example: 7daa489e-6b35-46ca-83a4-1bba2ea35f68

The ID of the transaction.

Responses

Response samples

Content type
application/json
Example

Response sample of when a registration is in progress.

{
  • "transactionId": "7daa489e-6b35-46ca-83a4-1bba2ea35f68",
  • "accountId": "a-sdge-Abcdefghijk123456789",
  • "state": "PENDING",
  • "operationProperties": {
    },
  • "created": "2021-01-21T22:47:27.123Z",
  • "device": {
    },
  • "user": {
    }
}

Cancel ongoing registration

The Cancel ongoing registration operation allows you to cancel the ongoing registration for a specified transaction ID (transactionId).

path Parameters
transactionId
required
string
Example: 7daa489e-6b35-46ca-83a4-1bba2ea35f68

The ID of the transaction.

Responses

Response samples

Content type
application/json
{
  • "code": "missing_permission",
  • "detail": "The subject with ID 'dev-ghastly-thread-446' does not have the required permission 'mobileid:user:read' on the target resource 'a-sdge-c2z0wgHkZjpBnS7uB621'",
  • "status": 403,
  • "traceId": "4bf239c088089f2bca77d3a413909f1c",
  • "title": "You do not have the required permission to perform this operation on the target resource",
  • "type": "https://developer.signicat.com/errors?code=missing_permission"
}

Authentication

The MobileID authentication API provides you with operations related to authentication and authorisation for MobileID.

Note: The request and response samples are for illustrative purposes only, and discrepancies can occur between the sample values in request and response objects.

Useful information

All authentication operations return an authentication response containing an operation state.

Operation context

When you perform an authentication, you can use our pre-operation context (preOperationContext) and post-operation context (postOperationContext).

To learn more, see our operation context feature documentation.

Start authentication

The Start authentication operation initiates an authentication on the end-user's device.

The operation response is returned with an operation state (state) set to PENDING, as the end-user now has to complete the operation on their device.

The operation response contains a transaction ID (transactionId) that will be used for subsequent operations, such as checking the status of the operation.

Request Body schema: application/json
required
userId
required
string

The ID of the user (userId) that will carry out the operation, in a valid UUID format.

object (DeviceRequest)

An object that contains the properties of the device to be used for this operation.

For registration:

  • When a REGISTRATION is executed, this object is optional. If specified, you can only supply the device name, since the device id is generated by this operation.
  • When a RE_REGISTRATION of the existing device is executed, then this object is mandatory and the id field must be specified.

For authentication or signing

  • The device object is mandatory except if broadcast is enabled.
  • If broadcast is enabled, then then the device object does not need to be supplied.
  • See the broadcast (broadcast) operation property for details.
tags
Array of strings

Used to tag callback event to enable filtering.

object (AuthenticationOperationPropertiesRequest)

An object that describes the properties used to carry out the operation.

Responses

Request samples

Content type
application/json
Example

The device is specified.

{
  • "userId": "0e99b25c-abde-4553-973b-8d94d49cd87e",
  • "device": {
    },
  • "operationProperties": {
    },
  • "tags": [
    ]
}

Response samples

Content type
application/json
Example

The device is specified.

{
  • "transactionId": "7daa489e-6b35-46ca-83a4-1bba2ea35f68",
  • "accountId": "a-sdge-Abcdefghijk123456789",
  • "state": "PENDING",
  • "operationProperties": {
    },
  • "created": "2022-08-19T06:01:37.123Z",
  • "device": {
    },
  • "user": {
    },
  • "tags": [
    ]
}

Get state of ongoing authentication

The Get state of ongoing authentication operation returns the authentication response with an operation state for a specified transaction ID (transactionId).

path Parameters
transactionId
required
string
Example: 7daa489e-6b35-46ca-83a4-1bba2ea35f68

The ID of the transaction.

Responses

Response samples

Content type
application/json
Example

Response sample of when an authentication is in progress.

{
  • "transactionId": "7daa489e-6b35-46ca-83a4-1bba2ea35f68",
  • "accountId": "a-sdge-Abcdefghijk123456789",
  • "state": "PENDING",
  • "operationProperties": {
    },
  • "created": "2022-08-19T06:01:37.123Z",
  • "device": {
    },
  • "user": {
    },
  • "tags": [
    ]
}

Cancel ongoing authentication

The Cancel ongoing authentication operation allows you to cancel the ongoing authentication for a specified transaction ID (transactionId).

path Parameters
transactionId
required
string
Example: 7daa489e-6b35-46ca-83a4-1bba2ea35f68

The ID of the transaction.

Responses

Response samples

Content type
application/json
{
  • "code": "missing_permission",
  • "detail": "The subject with ID 'dev-ghastly-thread-446' does not have the required permission 'mobileid:user:read' on the target resource 'a-sdge-c2z0wgHkZjpBnS7uB621'",
  • "status": 403,
  • "traceId": "4bf239c088089f2bca77d3a413909f1c",
  • "title": "You do not have the required permission to perform this operation on the target resource",
  • "type": "https://developer.signicat.com/errors?code=missing_permission"
}

Signature

The MobileID signature API provides you with operations related to signing for MobileID.

Note: The request and response samples are for illustrative purposes only, and discrepancies can occur between the sample values in request and response objects.

Useful information

All signature operations return a signature response containing an operation state.

Operation context

When you perform a signing, you can use our pre-operation context (preOperationContext) and post-operation context (postOperationContext).

To learn more, see our operation context feature documentation.

About the signed JWT

The signing operation is similar to the authentication operation, however, we also return a signed JSON Web Token (JWT) of the transaction to you. This signed JWT can be stored; giving you a record of the user's transaction, which you can then validate using the Signicat signing certificate.

Note: The scope of this documentation is to describe the parameters and structure of a JWT in the context of MobileID.

The process for correctly validating a signed JWT is beyond the scope of this API reference documentation, but is well documented in external resources such as the respective RFC publications.

Signed JWT certificate options

You can determine how much of the signing certificate chain is embedded in the JWT by setting the required enumerated value from the table below. MobileID embeds the public key into the signature if you have specified the SINGLE or CHAIN signing certificate options.

Certificate option Description
NONE No certificate is embedded into the JWT.

There is no x5c (X.509 certificate chain) parameter in the JWT header.

Note: If you wish to verify the signature in this option, you will need to obtain the certificate externally and store it somewhere safe.

You can contact us at support@signicat.com to obtain the certificate.
SINGLE Only the signing certificate is embedded into the JWT.

The x5c parameter in the JWT header contains the X.509 public key certificate.
CHAIN The entire certificate chain will be embedded into the JWT:
  • The certificate from the certificate authority.
  • All intermediate certificates.
  • The signing certificate.
The x5c parameter in the JWT header contains the x.509 certificate chain corresponding to the key used to digitally sign the JSON Web Signature (JWS).

Note: You can conduct a full certificate verification (verify that the certificate embedded was the one used to sign the certificate that encrypted the JWT), as this is a self-contained package.

However, this produces a large amount of documentation, and therefore requires greater storage capacity.
JWT header

The MobileID JWT header is comprised of either 2 or 3 parts, depending on which signing certificate option is specified.

Parameter Description
x5t#S256 X.509 certificate SHA-256 thumbprint.

This is a Base64-URL-encoded SHA-256 thumbprint of the DER encoding of an X.509 certificate.

Note: 'Certificate thumbprints' are sometimes referred to as 'certificate fingerprints', and are used to identify specific certificates.
x5c X.509 certificate chain.

Contains a chain of one or more PKIX certificates. The certificate chain is represented as a JSON array of certificate value strings. Each string in the array is a Base64-encoded.

MobileID supplies the public key in this parameter when certificate options SINGLE or CHAIN have been specified.
alg The algorithm intended for use with the key.

MobileID uses RS256 (RSA Signature with SHA-256). With this signing algorithm, you must use a public key to validate the JWT signature.

Example 1: JWT header

JWT header when the certificate option is NONE.

{
    "x5t#S256": "0456779b6966effdfc2d6d769edd3de25a7c295d27bdcc100efc8cf50f2a5372",
    "alg": "RS256",
}

Example 2: JWT header

JWT header when the certificate option is SINGLE.

{
    "x5t#S256": "0456779b6966effdfc2d6d769edd3de25a7c295d27bdcc100efc8cf50f2a5372",
    "x5c": [
        "MIIFwTCCA6mgAwIBAgIKcDEIzY8CWLQVtzANBgkqhkiG9w0BAQ0FADBqMQswCQYDVQQGEwJOTzEYMBYGA1UEYQwPTlRSTk8tOTgzMTYzMzI3MRMwEQYDVQQKDApCdXlwYXNzIEFTMSwwKgYDVQQDDCNCdXlwYXNzIENsYXNzIDMgVGVzdDQgUm9vdCBDQSBHMiBTVDAeFw0yMDExMDUxNzMwMThaFw00NTExMDUxNzMwMThaMGoxCzAJBgNVBAYTAk5PMRgwFgYDVQRhDA9OVFJOTy05ODMxNjMzMjcxEzARBgNVBAoMCkJ1eXBhc3MgQVMxLDAqBgNVBAMMI0J1eXBhc3MgQ2xhc3MgMyBUZXN0NCBSb290IENBIEcyIFNUMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAp5iPrsAqUNhggKgFKR9zummTTLthRtAwQ4FhqGJFavswFQJKHR27duFq3ctwdyr3JTUORpusJz8laX0PLH9m6yKpP4KUSEjPe9Ws2Qg/iEyt75TiaEu+xplZW3F7Fp09H9/WZOxhGm2z5gt/YDtot4mBbHbjh/MMj/z1mplRwyBIhOFgttwg9jUIlcmkJ0Udg+M+vaBfBY4xL7Q1m6VOZ5/BdUB6doeqWa3yBCEQekbWvaG6zeEXk2JQ/2OTQ7gKXNObgsuSO1jYphHG+i4+2H/RgNINTQMGf4RrvbO5A0VurWoibFL8H0IoC+DzRHgTddswz8iV3aO9BK57HjjHMgbzqR1m+Z1JhUn6gUo6uE4heHW00wlgnbVxGNl7VrNdPGFED/gxtzYDKHcyeJxc7EPpPasN+aWEGcooq6CE+GP/KGD3Wwrh316ydh6dfbtp50pZabZ+2EXc303MyVlyErrSUvHn5Hxv2Ekq1QRPY4aD/mZx3yl222oYXUCxHX5F1nQTdabDz70EtdQGUjRzv9aqZUZpKM0RU+kb2E2MTVb2Q7lBRbefDLl0pJA8R6IN2LOE/ICDZpD0tihB71rBTEABFoBPDokGioolqJ+F8l2w8B7HNg4sVxu872PDyGmwa2oR+1b9tIBCkjx681euWYdzxM3gZ2JCK5WovlEagm8CAwEAAaNpMGcwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUULP5PaDHJmWb2qiHb+kiPaJeaz8wDgYDVR0PAQH/BAQDAgEGMCUGCCsGAQUFBwEDBBkwFzAVBggrBgEFBQcLAjAJBgcEAIvsSQECMA0GCSqGSIb3DQEBDQUAA4ICAQAggOvmP9+CKPK1ghJfGShHXnx52vy9X8h81ODnvpvOJfbb7iB1+R//hUvtfcAB0DnRSSUEvXE0bkym2a85VsR2SizFrcHOSMBc5ZZHKB61V+s3F7cFLtk1qetcVsEY9jo7pa7elHB56jILHh4ivfVpXlrNifwtwVMGNH7fNkrVz1xLfeaYhgv63pdUL+XsZjbB4+EkYU5C3ZERsD5nnf0+g/14W17ktUMbuddwl4pMAcPuVd+aPD+LFfRC5mLB+/E/rZSutYPwGo31cDJAeLpm1D5t8WWZxMfGP77dHoGzEWDVB5od3e1S5cIhbLOUIZ2az00SzJ3i4HNj6GWDD4p8HzvBFZ3DA6oyC+ZyCpwMAQb+5JZbv5cOxlr4JqxtAPrs1oGO9H7qc0isvvWcTiP6F/WqvYoyQZWl28O7oqSv/GAmK2g/oXDQ+mjzQS6MIQGNdfb9ZN+i7E/XMCZ4N28Wk0V7jNpZz7R2O1FGJUfGn1z1ZByJQC+Og6dKQvwpj2E41qE1pYEYy4hpVxudLpuCUGSxkC0CcEV+7xL+BW04GpZn5TxAqN44/FpPCCW73Apk3cYd8LvfzKme5Z26jDNwp2ZDqru1zsQ5Mky/3F9ALB8CCu+5LZbmLHzsCDJoMnYDsfs0SweN2BqsZYi8eJcAErw76aunuR0F4g51KKlJtQ=="
    ],
    "alg": "RS256",
}
JWT payload

The JWT we produce contains the following claims:

Claims Description
iss The 'issuer' claim, which is Signicat AS.
transactionData A custom claim named 'transaction data', which is a Base64-encoded version of the whole response.
sub The 'subject' claim, for which we use the userId.
iat The 'issued at' claim, which is the time when the JWT was issued.
jti The 'JWT ID' claim, which is a unique identifier for the JWT.

Example: JWT payload

An example of a signed JWT, which is returned Base64-encoded in the operation response.

{
    "iss": "Signicat AS",
    "transactionData": "eyJ0cmFuc2FjdGlvbklkIjoiZWUxMmEyYTktYzIzYS00NjczLWEyZjgtNDU1MzI1OTczZGNiIiwiYWNjb3VudElkIjoiYS1zZGdlLU4yN0dqUFN6WE84SkxjZjhHMUFOIiwic3RhdGUiOiJDT01QTEVURUQiLCJvcGVyYXRpb25Qcm9wZXJ0aWVzIjp7ImF1dGhMZXZlbCI6IlRXT19GQUNUT1IiLCJjb3JyZWxhdGlvbklkIjoiM2VhZTU4MzAtM2VlMi00ZTJjLWEzNGYtMTczYmRhOTg1ZDU5IiwiYXV0aE1ldGhvZCI6IkRFVklDRV9BTkRST0lEX0JJT01FVFJJQ19QUk9NUFQiLCJzZW5kUHVzaCI6ZmFsc2UsInByZU9wZXJhdGlvbkNvbnRleHQiOnsidGl0bGUiOiJDb25zZW50IFNpZ24iLCJjb250ZW50IjoibG9rbyIsIm1pbWVUeXBlIjoidGV4dC9wbGFpbiJ9LCJwdXNoU2VudCI6ZmFsc2UsInNlc3Npb25FeHBpcnlUaW1lIjoiMjAyMi0xMS0xMFQxMzozNDo0MC4wNDBaIiwic2lnbmVkSnd0Q2VydGlmaWNhdGVPcHRpb24iOiJOT05FIn0sInJpc2tBdHRyaWJ1dGVzIjp7fSwiY3JlYXRlZCI6IjIwMjItMTEtMTBUMTM6MzM6MDkuOTExWiIsImNvbXBsZXRlZCI6IjIwMjItMTEtMTBUMTM6MzM6MTYuMDM1WiIsImRldmljZSI6eyJpZCI6ImM3NDNiNTg4LWY1N2UtNGZhYy04OWMyLTZmYWMyMDU4OTc2OCIsIm5hbWUiOiJzYW1wbGVEZXZpY2UiLCJzdGF0ZSI6IkFDVElWRSIsImxhc3RPcGVyYXRpb25UeXBlIjoiU0lHTklORyIsImxhc3RVc2VkIjoiMjAyMi0xMS0xMFQxMzozMzoxNi4wMDhaIiwiY3JlYXRlZCI6IjIwMjItMTEtMTBUMTI6MDk6MDQuMDkyWiJ9LCJ1c2VyIjp7ImV4dGVybmFsUmVmIjoiZGV2NSIsImlkIjoiZTY5N2ExMzEtMGZlMy00MDgyLTljNWItOTk0MTE3MDMyOWQyIiwiY3JlYXRlZCI6IjIwMjItMTEtMTBUMTI6MDg6NTQuMjQ4WiIsImxhc3RVc2VkIjoiMjAyMi0xMS0xMFQxMzozMzoxNS45ODZaIiwic3RhdGUiOiJBQ1RJVkUifX0=",
    "sub": "e697a131-0fe3-4082-9c5b-9941170329d2",
    "iat": "1668087196",
    "jti": "ab993e6b-6788-47cb-803e-38fc5413b8ae",
}

Start signing

The Start signing operation initiates a signing on the end-user's device.

The operation response is returned with an operation state (state) set to PENDING, as the end-user now has to complete the operation on their device.

The operation response contains a transaction ID (transactionId) that will be used for subsequent operations, such as checking the status of the operation.

Request Body schema: application/json
required
userId
required
string

The ID of the user (userId) that will carry out the operation, in a valid UUID format.

object (DeviceRequest)

An object that contains the properties of the device to be used for this operation.

For registration:

  • When a REGISTRATION is executed, this object is optional. If specified, you can only supply the device name, since the device id is generated by this operation.
  • When a RE_REGISTRATION of the existing device is executed, then this object is mandatory and the id field must be specified.

For authentication or signing

  • The device object is mandatory except if broadcast is enabled.
  • If broadcast is enabled, then then the device object does not need to be supplied.
  • See the broadcast (broadcast) operation property for details.
tags
Array of strings

Used to tag callback event to enable filtering.

object (SignatureOperationPropertiesRequest)

An object that describes the properties used to carry out the operation.

Responses

Request samples

Content type
application/json
{
  • "userId": "0e99b25c-abde-4553-973b-8d94d49cd87e",
  • "device": {
    },
  • "operationProperties": {
    }
}

Response samples

Content type
application/json
{
  • "transactionId": "7daa489e-6b35-46ca-83a4-1bba2ea35f68",
  • "accountId": "a-sdge-Abcdefghijk123456789",
  • "state": "PENDING",
  • "operationProperties": {
    },
  • "created": "2022-08-19T06:03:23.123Z",
  • "device": {
    },
  • "user": {
    }
}

Get state of ongoing signing

The Get state of ongoing signing operation returns the signing response with an operation state for a specified transaction ID (transactionId).

path Parameters
transactionId
required
string
Example: 7daa489e-6b35-46ca-83a4-1bba2ea35f68

The ID of the transaction.

Responses

Response samples

Content type
application/json
Example

Response sample of when a signing is in progress.

{
  • "transactionId": "7daa489e-6b35-46ca-83a4-1bba2ea35f68",
  • "accountId": "a-sdge-Abcdefghijk123456789",
  • "state": "PENDING",
  • "operationProperties": {
    },
  • "created": "2022-08-19T06:03:23.123Z",
  • "device": {
    },
  • "user": {
    }
}

Cancel ongoing signing

The Cancel ongoing signing operation allows you to cancel the ongoing signing for a specified transaction ID (transactionId).

path Parameters
transactionId
required
string
Example: 7daa489e-6b35-46ca-83a4-1bba2ea35f68

The ID of the transaction.

Responses

Response samples

Content type
application/json
{}

Device management

The MobileID device management API provides you with operations related to device management for MobileID.

Note: The request and response samples are for illustrative purposes only, and discrepancies can occur between the sample values in request and response objects.

Useful information

All device management operations require:

  • A MobileID user, identified by a user ID (userID).
  • A registered device, identified by a device ID (deviceID).

Get recovery lock

You can use the Get recovery lock operation to check whether the MobileID account recovery feature is locked or not for a given end-user's device, specified by the device ID (deviceID).

If the account recovery feature is enabled in the application configuration, then all devices can use account recovery by default, and the recovery lock (recoveryLock) parameter will have value false.

path Parameters
deviceId
required
string
Example: 20874199-f4d1-4e9d-86ee-dd4a46030acb

The ID of the user's device (deviceId), as returned upon registration.

query Parameters
userId
required
string
Example: userId=0e99b25c-abde-4553-973b-8d94d49cd87e

The ID of the user (userId) that will carry out the operation, in a valid UUID format.

Responses

Response samples

Content type
application/json
{
  • "recoveryLock": false
}

Update recovery lock

You can use the Update recovery lock operation to disable the MobileID account recovery feature for a given end-user's device, specified by the device ID (deviceID).

This is done by updating the recovery lock (recoveryLock) parameter to true. This means that recovery operations cannot be performed.

path Parameters
deviceId
required
string
Example: 20874199-f4d1-4e9d-86ee-dd4a46030acb

The ID of the user's device (deviceId), as returned upon registration.

query Parameters
userId
required
string
Example: userId=0e99b25c-abde-4553-973b-8d94d49cd87e

The ID of the user (userId) that will carry out the operation, in a valid UUID format.

Request Body schema: application/json
required
recoveryLock
boolean

A setting for a user's device which indicates whether the account recovery feature is enabled or not.

  • When false, the account recovery feature is enabled and recovery operations can be performed.
  • When true, the account recovery feature is disabled and recovery operations can not be performed.

Responses

Request samples

Content type
application/json
{
  • "recoveryLock": true
}

Response samples

Content type
application/json
{
  • "recoveryLock": true
}

Get geofencing settings

Retrieve geofencing configuration for the given device.

path Parameters
deviceId
required
string
Example: 20874199-f4d1-4e9d-86ee-dd4a46030acb

The ID of the user's device (deviceId), as returned upon registration.

query Parameters
userId
required
string
Example: userId=0e99b25c-abde-4553-973b-8d94d49cd87e

The ID of the user (userId) that will carry out the operation, in a valid UUID format.

Responses

Response samples

Content type
application/json
{
  • "mode": "OPTIONAL",
  • "allowedContinents": "EU",
  • "allowedCountries": "CT",
  • "deniedCountries": "RU"
}

Update geofencing settings

Update geofencing configuration for the given device

path Parameters
deviceId
required
string
Example: 20874199-f4d1-4e9d-86ee-dd4a46030acb

The ID of the user's device (deviceId), as returned upon registration.

query Parameters
userId
required
string
Example: userId=0e99b25c-abde-4553-973b-8d94d49cd87e

The ID of the user (userId) that will carry out the operation, in a valid UUID format.

Request Body schema: application/json
required
mode
string

The geofencing mode.

This can be either OFF, OPTIONAL, or REQUIRED.

allowedContinents
string

Comma-separated list of continents where authentication is allowed for a specific device, in a two-letter continent code format.

This can be either AF, NA, OC, AN, AS, EU, or SA.

allowedCountries
string

Comma-separated list of countries where authentication is allowed for a specific device, in an ISO 3166-1 alpha-2 two-letter country code format.

These countries are in addition to those covered by the allowed continents parameter.

You can find a list of countries and corresponding codes at GeoNames.

deniedCountries
string

Comma-separated list of countries where authentication is not allowed for a specific device, in an ISO 3166-1 alpha-2 two-letter country code format.

These countries will be excluded from those covered by the allowed continents parameter.

You can find a list of countries and corresponding codes at GeoNames.

Responses

Request samples

Content type
application/json
{
  • "mode": "OPTIONAL",
  • "allowedContinents": "EU",
  • "allowedCountries": "CT",
  • "deniedCountries": "RU"
}

Response samples

Content type
application/json
{
  • "mode": "OPTIONAL",
  • "allowedContinents": "EU",
  • "allowedCountries": "CT",
  • "deniedCountries": "RU"
}

Delete geofencing settings

Delete geofencing configuration for the given device

path Parameters
deviceId
required
string
Example: 20874199-f4d1-4e9d-86ee-dd4a46030acb

The ID of the user's device (deviceId), as returned upon registration.

query Parameters
userId
required
string
Example: userId=0e99b25c-abde-4553-973b-8d94d49cd87e

The ID of the user (userId) that will carry out the operation, in a valid UUID format.

Responses

Response samples

Content type
application/json
{}

Get device

The Get device operation retrieves detailed information for an end-user's device, specified by the device ID (deviceId).

You can use the detailed (detailed) query parameter to return a more extensive set of device information in the operation response.

path Parameters
deviceId
required
string
Example: 20874199-f4d1-4e9d-86ee-dd4a46030acb

The ID of the user's device (deviceId), as returned upon registration.

query Parameters
userId
required
string
Example: userId=0e99b25c-abde-4553-973b-8d94d49cd87e

The ID of the user (userId) that will carry out the operation, in a valid UUID format.

detailed
string
Example: detailed=true

Control whether the device details object (deviceDetails) is returned in the response.

To return this object, you must set this parameter to true.

Responses

Response samples

Content type
application/json
Example

The default response, when detailed is not set to 'true'.

{
  • "id": "20874199-f4d1-4e9d-86ee-dd4a46030acb",
  • "name": "sampleDevice",
  • "state": "ACTIVE",
  • "lastOperationType": "AUTHENTICATION",
  • "lastUsed": "2021-01-21T22:47:27.123Z",
  • "created": "2021-01-21T22:47:27.123Z"
}

Delete device

The Delete device operation deletes an end-user's device, specified by the device ID (deviceId).

path Parameters
deviceId
required
string
Example: 20874199-f4d1-4e9d-86ee-dd4a46030acb

The ID of the user's device (deviceId), as returned upon registration.

query Parameters
userId
required
string
Example: userId=0e99b25c-abde-4553-973b-8d94d49cd87e

The ID of the user (userId) that will carry out the operation, in a valid UUID format.

Responses

Response samples

Content type
application/json
{}

Update device

The Update device operation updates the properties of an end-user's device, specified by the device ID (deviceId).

Update properties such as:

  • The device name.
  • The device state (whether the device is locked or not).
  • The device lock reason (pass information about why the device is locked).
path Parameters
deviceId
required
string
Example: 20874199-f4d1-4e9d-86ee-dd4a46030acb

The ID of the user's device (deviceId), as returned upon registration.

query Parameters
userId
required
string
Example: userId=0e99b25c-abde-4553-973b-8d94d49cd87e

The ID of the user (userId) that will carry out the operation, in a valid UUID format.

Request Body schema: application/json
required
name
string

The new name for the end-user's device.

The device name must:

  • Start with a letter (a-zA-Z), digit or an underscore (_).
  • Only contain digits, letters (a-zA-Z), spaces or certain special characters (-._~:@).
  • Have a max length of 128 characters.
state
string

The new state of the end-user's device.

This is returned as an enum, and can be either ACTIVE or LOCKED.

lockReason
string

Information about why the device is locked.

This can be added if the device is in a locked (LOCKED) state.

Responses

Request samples

Content type
application/json
{
  • "name": "My New iPhone",
  • "state": "LOCKED",
  • "lockReason": "Admin operation"
}

Response samples

Content type
application/json
{
  • "id": "20874199-f4d1-4e9d-86ee-dd4a46030acb",
  • "name": "My New iPhone",
  • "state": "LOCKED",
  • "lockReason": "Admin operation",
  • "lastOperationType": "AUTHENTICATION",
  • "lastUsed": "2021-01-21T22:47:27.123Z",
  • "created": "2021-01-21T22:47:27.123Z"
}

Get devices

The Get devices operation retrieves the list of devices for a MobileID user, specified by the user ID (userId).

query Parameters
states
string
Example: states=ACTIVE,LOCKED

A comma-separated list of the device states to fetch.

If not provided, then devices in both ACTIVE and LOCKED states are listed.

userId
required
string
Example: userId=0e99b25c-abde-4553-973b-8d94d49cd87e

The ID of the user (userId) that will carry out the operation, in a valid UUID format.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Get device transactions

The Get device transactions operation returns a list of device transactions for an end-user's device, specified by the device ID (deviceId).

path Parameters
deviceId
required
string
Example: 20874199-f4d1-4e9d-86ee-dd4a46030acb

The ID of the user's device (deviceId), as returned upon registration.

query Parameters
userId
required
string
Example: userId=0e99b25c-abde-4553-973b-8d94d49cd87e

The ID of the user (userId) that will carry out the operation, in a valid UUID format.

limit
string
Example: limit=10

An optional parameter that determines the number of objects (device transactions) that are shown on each page.

It must be a whole number ranging from 1 to 100.

If not provided, the the default value of 100 will be used.

offset
string
Example: offset=0e99b25c-abde-4553-973b-8d94d49cd87e

An optional parameter that determines the ID of the first transaction to include in the operation response, specified by the transaction ID (transactionId).

If not provided, then the result will start with the first transaction in the device history.

Responses

Response samples

Content type
application/json
{
  • "previous": "/devices/d910994d-80b2-4125-a6b1-062b5b2f43ba/transactions?limit=1&offset=39277b72-53c2-4780-ad56-a8c8d8a33542&userId=6f29e1d4-6b36-4b80-9187-52dfc61c4a51",
  • "next": "/devices/d910994d-80b2-4125-a6b1-062b5b2f43ba/transactions?limit=1&offset=a1c66944-e5e3-46e3-ba36-750622205ef3&userId=6f29e1d4-6b36-4b80-9187-52dfc61c4a51",
  • "limit": 1,
  • "transactions": [
    ]
}

Passport scan

The MobileID passport scan API provides you with operations for our MobileID passport scan feature.

Note: The request and response samples are for illustrative purposes only, and discrepancies can occur between the sample values in request and response objects.

Useful information

All passport scan operations return a passport scan response containing an operation state.

Get started with passport scan

To use our passport scan feature, we need to set up and configure all necessary properties for you. You can request this by contacting us at support@signicat.com.

You can find more information about passport scan in our feature documentation.

Start passport scan

The Start passport scan operation initiates a passport scan for the end-user's device.

The operation response is returned with an operation state (state) set to PENDING, as the end-user now has to complete the operation on their device.

The operation response contains a transaction ID (transactionId) that will be used for subsequent operations, such as checking the status of the operation.

Request Body schema: application/json
required
userId
required
string

The ID of the user (userId) that will carry out the operation, in a valid UUID format.

object (DeviceRequest)

An object that contains the properties of the device to be used for this operation.

For registration:

  • When a REGISTRATION is executed, this object is optional. If specified, you can only supply the device name, since the device id is generated by this operation.
  • When a RE_REGISTRATION of the existing device is executed, then this object is mandatory and the id field must be specified.

For authentication or signing

  • The device object is mandatory except if broadcast is enabled.
  • If broadcast is enabled, then then the device object does not need to be supplied.
  • See the broadcast (broadcast) operation property for details.
tags
Array of strings

Used to tag callback event to enable filtering.

redirectMessage
string

The message that is displayed in the app, once the passport scan is complete.

Responses

Request samples

Content type
application/json
{
  • "userId": "0e99b25c-abde-4553-973b-8d94d49cd87e",
  • "device": {
    },
  • "redirectMessage": "Please proceed connecting to <URL>"
}

Response samples

Content type
application/json
{
  • "transactionId": "7daa489e-6b35-46ca-83a4-1bba2ea35f68",
  • "accountId": "a-sdge-Abcdefghijk123456789",
  • "state": "PENDING",
  • "created": "2021-01-21T22:47:27.123Z",
  • "proofingId": "xyz4c1f2c-da1e-4a23-9372-1yfgc0dd0f72",
  • "sessionExpiryTime": "2021-01-21T22:52:27.654Z",
  • "redirectMessage": "Please proceed connecting to <URL>",
  • "device": {
    },
  • "user": {
    }
}

Get state of ongoing passport scan

The Get state of ongoing passport scan operation returns the passport scan response with an operation state for a specified transaction ID (transactionId

path Parameters
transactionId
required
string
Example: 7daa489e-6b35-46ca-83a4-1bba2ea35f68

The ID of the transaction.

Responses

Response samples

Content type
application/json
Example

Response sample of when a passport scan is in progress.

{
  • "transactionId": "7daa489e-6b35-46ca-83a4-1bba2ea35f68",
  • "accountId": "a-sdge-Abcdefghijk123456789",
  • "state": "PENDING",
  • "created": "2021-01-21T22:47:27.123Z",
  • "proofingId": "xyz4c1f2c-da1e-4a23-9372-1yfgc0dd0f72",
  • "sessionExpiryTime": "2021-01-21T22:52:27.654Z",
  • "redirectMessage": "Please proceed connecting to <URL>",
  • "device": {
    },
  • "user": {
    }
}

Cancel ongoing passport scan

The Cancel ongoing passport scan operation allows you to cancel the ongoing passport scan for a specified transaction ID (transactionId).

path Parameters
transactionId
required
string
Example: 7daa489e-6b35-46ca-83a4-1bba2ea35f68

The ID of the transaction.

Responses

Response samples

Content type
application/json
{
  • "code": "missing_permission",
  • "detail": "The subject with ID 'dev-ghastly-thread-446' does not have the required permission 'mobileid:user:read' on the target resource 'a-sdge-c2z0wgHkZjpBnS7uB621'",
  • "status": 403,
  • "traceId": "4bf239c088089f2bca77d3a413909f1c",
  • "title": "You do not have the required permission to perform this operation on the target resource",
  • "type": "https://developer.signicat.com/errors?code=missing_permission"
}

Get final result of the passport scan

The Get final result of the passport scan operation returns the final result of an executed passport scan for a specified proofing ID (proofingID).

The proofingId is returned in the operation response of the Start passport scan and Get state of ongoing passport scan operations.

This operation is only available when the verification has been completed, and when the passport scan state (passportScanState) is ACCEPTED.

The final result is returned as a JSON body.

Unlike the full final result, images of the passport are not included in the final result.

The JSON body contains information about the passport contents that can be retrieved from Electronic Machine Readable Travel Documents (eMRTD), in addition to information about the verification process.

path Parameters
proofingId
required
string
Example: a54aa489e-6b35-46ca-83a4-001ba2ea35f68

The ID of the passport scan.

Responses

Response samples

Content type
application/json

Response sample of when a passport scan is in progress.

{
  • "id": "b87486f4-3894-4bb1-8c5c-769e2fe625c1",
  • "provider": "readid",
  • "status": "ACCEPTED",
  • "processType": "sdk",
  • "createdAt": "2023-01-11T14:42:27Z",
  • "updatedAt": "2023-01-11T14:54:11Z",
  • "providerSpecific": {
    },
  • "finalResult": {
    },
  • "depictions": [
    ]
}

Get full final result of the passport scan

The Get full final result of the passport scan operation returns the full final result of an executed passport scan for a specified proofing ID (proofingID).

The proofingId is returned in the operation response of the Start passport scan and Get state of ongoing passport scan operations.

This operation is only available when the verification has been successfully completed, and when the passport scan state (passportScanState) is ACCEPTED.

The full final result is returned as a ZIP file, which typically consists of:

  • The portrait picture in the passport.
  • The picture that was taken of the data page during the scan.
  • A JSON file containing information about the passport contents that can be retrieved from Electronic Machine Readable Travel Documents (eMRTD), in addition to information about the verification process.
path Parameters
proofingId
required
string
Example: a54aa489e-6b35-46ca-83a4-001ba2ea35f68

The ID of the passport scan.

Responses

Response samples

Content type
application/json
{
  • "code": "missing_permission",
  • "detail": "The subject with ID 'dev-ghastly-thread-446' does not have the required permission 'mobileid:user:read' on the target resource 'a-sdge-c2z0wgHkZjpBnS7uB621'",
  • "status": 403,
  • "traceId": "4bf239c088089f2bca77d3a413909f1c",
  • "title": "You do not have the required permission to perform this operation on the target resource",
  • "type": "https://developer.signicat.com/errors?code=missing_permission"
}

Account recovery

The MobileID account recovery API provides you with operations for our MobileID account recovery feature.

Note: The request and response samples are for illustrative purposes only, and discrepancies can occur between the sample values in request and response objects.

Useful information

The operations in this API require the session ID (session_id) of the recovery.

This is returned as the transaction ID (transactionId) in the device transactions.

To find the session_id, you need to:

  1. Use the Get device transactions endpoint to see all device transactions for a specified device.
  2. Look for transactions with operation type (operationType) as RECOVERY.
  3. Locate the transactionId in this response. This is what you should use as the session_id for operations in this API.

Get details of account recovery

The Get details of account recovery operation returns the details of the recovery that is carried out for a specific device.

These recovery details give you:

  • The state of the recovery.
  • Access to risk data and all other attributes created as part of the recovery process, if the operation is finished.

To use this endpoint, you need the session ID (session_id) of the recovery. You can find out how to obtain this in the Useful information section for this API.

path Parameters
sessionId
required
string
Example: 1daa489e-6b35-46ca-83a4-1bba2ea35f69

The ID of the transaction.

Responses

Response samples

Content type
application/json

Sample response when account recovery has been completed successfully.

{
  • "transactionId": "a75064fe-c528-478d-81d3-0a7b404b84b9",
  • "accountId": "a-ppge-abcd1234ABCDxxxxxxx",
  • "state": "COMPLETED",
  • "device": {
    },
  • "user": {
    },
  • "created": "2024-06-25T06:18:23.000UTC",
  • "operationProperties": {
    },
  • "riskAttributes": [
    ]
}