Account-Based Verification

For projects which manage their own user databases

In the account-based verification flow, users are identified by server-generated unique identification strings. You should also manage your own user database, and keep it updated by fetching the latest user information using the Authento API upon receiving webhook notifications.

Account-based verification

Steps

  1. Send us the list of IPs which should be granted dashboard/API access.

  2. Configure the following on the Authento Dashboard under the Settings tab:

    • API key/secret

    • Webhook target URL/secret

    • JWT secret

  3. [Backend] Set up handlers for verification token requests.

  4. [Backend] Set up handlers for verification webhooks.

Verification Tokens

Verification tokens are JSON Web Tokens (JWTs) that contain the information needed to initialize the account-based verification flow. They should be signed with the JWT secret configured on the Authento dashboard, and contain the following fields:

| Key | Name | Description |
| --- | --- | --- |
| iss | Issuer | Domain name, obtained from Authento Dashboard. |
| sub | Subject | User Identifier; server-generated string unique to each user. This is used to associate users with their verification results. |
| aud | Audience | This should always be "Authento". |
| iat | Issued at | Unix timestamp in seconds when token is issued. |
| vt | Verification type | Either "BASIC" or "POA" |
| ut | User type | (Optional) Either "INDIVIDUAL" or "CORPORATE" |
| lang | Language | (Optional) ISO 639-1 language code, defaults to "en" |

The user type value, if provided, affects the following:

  • Default user type - For new Authento users, their user type will be automatically set to the value specified in the token.

  • Required user type - For existing Authento users, verification will only proceed if the user type is equal to the value specified in the token.

Verification tokens can be easily generated using standard JWT libraries. Here are some examples:

import jwt from "jsonwebtoken";

// CLIENT_NAME, USER_IDENTIFIER and AUTHENTO_JWT_SECRET are placeholders for your own values.
const token = jwt.sign(
  {
    iss: CLIENT_NAME, // Obtained from Authento dashboard
    sub: USER_IDENTIFIER, // userIdentifier: identification string unique to each user
    aud: "Authento", // This should always be "Authento"
    ut: "INDIVIDUAL", // (Optional) userType: "INDIVIDUAL" | "CORPORATE"
    vt: "BASIC", // verificationType: "BASIC" | "POA"
    lang: "en", // (Optional) ISO 639-1 language code
    // iat is added automatically by jsonwebtoken
  },
  AUTHENTO_JWT_SECRET // Obtained from Authento dashboard
);

A list of libraries for signing/verifying JWTs can be found here.

Backend examples for verification token generation can be found here.
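
One way to implement the token-request handler logic from step 3, added here as an example and not taken from Authento's code or examples: it takes sub from the server-side session instead of the request body, allowlists vt, ut and lang, and signs with Node's built-in crypto. HS256 is an assumption (it is jsonwebtoken's default for a shared secret); the session shape, function names and option names are hypothetical.

```javascript
// Added example (not Authento's code): issue a verification token for the
// authenticated caller only, using Node's built-in crypto module.
const crypto = require("node:crypto");

const VERIFICATION_TYPES = new Set(["BASIC", "POA"]);
const USER_TYPES = new Set(["INDIVIDUAL", "CORPORATE"]);

const b64url = (input) => Buffer.from(input).toString("base64url");

// HMAC-SHA256 over "<header>.<payload>" (HS256 is assumed, see lead-in).
function hs256(signingInput, secret) {
  return crypto.createHmac("sha256", secret).update(signingInput).digest("base64url");
}

// session: server-side session of the authenticated caller (hypothetical shape).
// requested: untrusted JSON body sent by the browser.
function issueVerificationToken(session, requested, { issuer, secret, now = Date.now() }) {
  if (!session || typeof session.userIdentifier !== "string" || !session.userIdentifier) {
    throw new Error("not authenticated");
  }
  const { vt, ut, lang = "en" } = requested;
  if (!VERIFICATION_TYPES.has(vt)) throw new Error("invalid vt");
  if (ut !== undefined && !USER_TYPES.has(ut)) throw new Error("invalid ut");
  if (!/^[a-z]{2}$/.test(lang)) throw new Error("invalid lang");

  const claims = {
    iss: issuer,
    sub: session.userIdentifier, // never taken from the request body
    aud: "Authento",
    iat: Math.floor(now / 1000), // Unix timestamp in seconds
    vt,
    ...(ut !== undefined && { ut }), // optional field, omitted when not requested
    lang,
  };
  const signingInput =
    b64url(JSON.stringify({ alg: "HS256", typ: "JWT" })) + "." + b64url(JSON.stringify(claims));
  return signingInput + "." + hs256(signingInput, secret);
}

// Helper for checking the result: constant-time signature check, then decode.
function decodeVerified(token, secret) {
  const [header, payload, signature] = token.split(".");
  const expected = Buffer.from(hs256(header + "." + payload, secret));
  const actual = Buffer.from(signature || "");
  if (actual.length !== expected.length || !crypto.timingSafeEqual(actual, expected)) {
    throw new Error("bad signature");
  }
  return JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
}
```

Because sub comes from the session, a request body that carries its own sub value cannot start a verification under another user's identifier.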

To initialize a verification on the frontend using the generated token, you can either:

  • (Recommended) Make use of the useTokenVerifyPopup hook from the Authento-react library as shown in this example

  • Open a popup and redirect the user to app.authento.io/verify/token?jwt={generatedToken}

Webhooks Handling

In account-based verification, webhooks are sent to a preconfigured target URL upon occurrence of events such as initialization or completion of verifications. You can then fetch the latest user information from the appropriate endpoint and update your user records.

For more information, please refer to the webhooks section.
