search
UIDAI

App Intiated Credential Exchange Journey

This page covers App initiated credential exchange journey.

Credential intent flow enables verifier apps to perform verifcation of the ANH (proof of presence) and request VC from the aadhaar app.

hashtag
1.1. Implementation Details

  1. Create a JWT payload with the required parameters

  2. Sign the JWT using the RSA private key with the RS256 algorithm

  3. Encode the JWT in Base64url format

  4. Invoke the wallet to transmit the JWT

hashtag
1.2. Sample Request(JWT)

hashtag
JWT Header Structure

{
  "alg": "RS256",
  "typ": "credential-req+jwt",  
  "kid": "did:myaadhaarstage.uidai.gov.in:123#1"
}

hashtag
JWT Decoded Payload

{
    "txn": "94f63917-708a-4e58-9001-fce56d839948",
    "i": "credential",
    "lang": "<langauge code>",
    "sc": "1110001110001110000001110001110001110001111",
    "pop" : 1,
    "m" : 1,
    "aid": "com.example.myaadhaarstage"
    "ac": "1a2f",
    "sa": "00b1",
    "asig" : "JKSAGDJKASGASCASC",
    "cb": "https://myaadhaarstage.uidai.gov.in/v1/submit-credential",
    "aud": "https://myaadhaarstage.uidai.gov.in",
    "iss": "https://myaadhaarstage.uidai.gov.in/v1/esignet",
    "exp": exp,
    "iat": 1516239022,
    "ht": "Name of the person",
    "jti": "8a9d7c2b-b932-4131-9e36-43f22a019be5"
}

hashtag
1.3 Request Params

Element

M/O

Type

Description

txn

M

String

A unique transaction ID that serves as a nonce to prevent replay attacks. It ensures that each request is unique, and the same request cannot be processed multiple times.

i

M

String

Indicates the action to be performed by the aadhaar app. For the CREDENTIAL request, the value would be CREDENTIAL

lang

O

String

This filed provides hint to the aadhaar app to change app language as per input (en:English, hi:Hindi, bn:Bengali, mr:marathi, kn:Kannada, ml:Malayalam, or:Oriya, ta:Tamil, te:Telugu)

sc

O

String

Scope enables verifier app to only request claim that it needs. It is 48bit bitmap, where in each bit indicates a potential claim.

m

O

Integer

0 : For Offline 1 : For Online Face Authentication

pop

O

Integer

1 : Not Required 1 : Required

ac

M

String

– A unique code for the AUA which is assigned by UIDAI. This is an alpha-numeric string having maximum length 10

sa

O

String

– A unique code for the subAUA which is assigned by UIDAI. This is an alpha-numeric string having maximum length 10

asig

O

String

Application Signature encoded as base64 string

cb

M

String

The callback URL where the pid response will be sent after the transaction is processed.

aud

M

String

The audience claim indicates the intended recipient of the pid request or the Authorization Server.

iss

M

String

The issuer claim identifies the Authorization Server or the entity issuing the request. In this case, it specifies the e-signature service endpoint of UIDAI.

exp

M

String

The expiration time of the request, specified as a Unix timestamp (in seconds). This ensures that the request is valid only for a certain period of time. After the expiration time, the request is no longer valid.

iat

M

String

The issued at claim indicates the time at which the request was created, also in Unix timestamp format.

ht

O

String

Hint to trigger the selction of the profile from the aadhaar app. This has to be name of the person.

jti

M

String

The JWT ID (jti) is a unique identifier for the token. It helps to uniquely identify the request and prevent replay attacks (i.e., the same request being submitted multiple times).

hashtag
1.4 Intent Response

Alternatively,

hashtag
1.5 Response Params

Attribute

M/O

Type

Description

txn

M

String

txn id from the request.

response

M

String

SD-JWT encoded as base64 string

dateTime

M

String

Date and time of the local match in YYYYMMDD’T’hhmmss format.

errCode

M

Integer

For more details see below Error Codes.

errInfo

M

String

For more details see below Error Codes.

hashtag
1.6 Supported Credential Claims

The following table shows the mapping between bit positions in the "sc" field and the corresponding credential claims:

Sr No
Bit Position
Claim
Selectable
Remarks

1

1

"credentialIssuingDate"

N

2

2

"enrolmentDate"

N

3

3

"enrolmentNumber"

N

4

4

"isNRI"

N

5

5

"residentImage"

Y

6

6

"residentName"

Y

7

7

"localResidentName"

N

Included along with Resident name

8

8

"ageAbove18"

Y

9

9

"ageAbove50"

Y

10

10

"ageAbove60"

Y

11

11

"ageAbove75"

Y

12

12

"dob"

Y

13

13

"gender"

Y

14

14

"careOf"

N

15

15

"localCareOf"

N

16

16

"building"

N

17

17

"localBuilding"

N

18

18

"locality"

N

19

19

"localLocality"

N

20

20

"street"

N

21

21

"localStreet"

N

22

22

"landmark"

N

23

23

"localLandmark"

N

24

24

"vtc"

N

25

25

"localVtc"

N

26

26

"subDistrict"

N

27

27

"localSubDistrict"

N

28

28

"district"

N

29

29

"localDistrict"

N

30

30

"state"

N

31

31

"localState"

N

32

32

"poName"

N

33

33

"LocalpoName"

N

34

34

"pincode"

N

35

35

"address"

Y

Y

36

36

"localAddress"

N

Included along with Address

37

37

"mobile"

N

38

38

"maskedMobile"

N

39

39

"email"

N

40

40

"maskedEmail"

N

41-63

Padding

N

hashtag
1.7 Language Support

The API supports 23 languages specified in the lang field (English, Hindi, Tamil, etc.)

hashtag
1.7.1 Supported Languages

The API supports multiple languages as specified in the "lang" field of the payload. Language must be passed as a numeric code.

hashtag
1.7.2 Language Mapping

Language Code
Language Name
ISO Standard
ISO Code

1

Assamese

Asm

as_in

2

Bengali

Ben

bn_in

3

Bodo

--

brx_in

4

Dogri

Doi

doi_in

5

Gujarati

Guj

gu_in

6

Hindi

Hin

hi_in

7

Kannada

Kan

kn_in

8

Kashmiri

Kas

ks_in

9

Konkani

Kok

kok_in

10

Maithili

Mai

mai_in

11

Malayalam

Mal

ml_in

12

Manipuri

Mni

mni_in

13

Marathi

Mar

mr_in

14

Nepali

Nep

ne_in

15

Oriya

Ori

or_in

16

Punjabi

Pan

pa_in

17

Sanskrit

San

sa_in

18

Santhali

--

sat_in

19

Sindhi

Snd

sd_in

20

Tamil

Tnd

ta_in

21

Telegu

Tel

te_in

22

Urdu

Urd

ur_in

23

Other language (English)

Eng

en_in

hashtag
1.8 API Contract

hashtag
1.9 Invocation

Notes:

  1. Activities of aadhaar app should be started using startActivityForResult() expecting result in onActivityResult for given request-code.

  2. Please refer to the sample reference project for any help in integrating with the headless apps.

hashtag
1.10. Response Processing

hashtag
1.10.1 SD-JWT Verification and Decoding

On receipt of the SD-JWT through the callback by the aadhaar app, the verifier app must perform following steps to consume the SD-JWT.

  • Verifier portal or the backend validates the SD-JWT signature using the UIDAI public key. The UIDAI public key is available at www.uidai.gov.in. Optionally, verifiers may verify the device signature.

  • Verifier app or backend validates the disclosure hashes against the `_sd` field in the JWT.

  • Optionally, the verifier app or backend may verify the shared data by matching hashes present at the end of SD-JWT.

  • The verified shared data is displayed and stored securely by the Verifier App.

hashtag
1.10.2 Sample SD-JWT document of the UIDAI is as shown below:-

eyJhbGciOiJSUzI1NiIsInR5cCI6InNkLUpXVCJ9.eyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvbnMvY3JlZGVudGlhbHMvdjEiXSwiaXNzdWVyIjoiVUlEQUkiLCJpZCI6ImQzNmIyMWMwLThhYzgtNDZhMy05YzkyLTFjZmU3NjdjNjE4NiIsIl9zZF9hbGciOiJTSEEyNTYiLCJfc2QiOlsiaDV5S01oZkstSHg5RUtnVTBvRWVUeG1SY3A4RHJ6NF9iYnVQSGtxZDFxVSIsInlvOThiUjdsM1ZZMmxZU093aU1wOUI3eUVMU25STnJZbEhzOXBZcmdXZHciLCIzRmV4bXpVUTdJT3dhM1JWTmxfdTBYdzRfRVZsaVhKYVA3alFndFQxdnNrIiwiUjZoMEVoeHE5bC1BbFFnLWpYUkhJcDc3R0hZLWFFaXFIOGZ0WnJhbVFaMCIsIlVQY01URDcwYTBITUdPRnZKLTJfdEpOY0tNZEtsQU9hT2t4RmxSdjk3eVEiLCJJc2lvYUY4bjdZOEllenBuOWREek52YVRtZnVORzl2TWtpYW9lQ0tyOW5BIiwiMnJCU19yS1d5SkVEMVo4TDNpM0FhYmtNYVhsX0tKMk9ydWM1anhfclFYayIsInZKTEZpM2RzT09CeUN5Ty1pWTlHWldDdlhJUFFBeDZBRjNoTFdWLU1KejQiLCJBTXd3LWpuNTBBLVpOWTI1OVAzTXVJYXN0eTFiZldhX0RNOFpMSG1TZ3lVIiwiVk1FUENmNXpnX0p5cEhmakg2Y1ZUNVNkWHZpOURmWl84eTVNYVRZRGFURSIsImU5NERrbm1SUkdKbzlZRlZMcGIxdk1fLWxaTVc1aUNnNGJtLXF5SGUwbkUiLCJIcjRaUHI5X3Qzak9LTzVLM09yejZnR003Vy1VbUxIY2lWcF80YTlRWUJ3Iiwic253YXIzOGdTUmY5ZWN2b0sxcHF6TkFUaGdsTUVLaGtGWnZyY2FnWGptSSIsIll1UFE2SnBNc01BMWhtbjBWbE5INWJzblRuMkY2UFJGN1Z6U1pvbm4yQU0iLCI5czNQMnNfblY5dV9SaXRFZExnVEFnOVdkVVBHUFRySlFtT2hrUnBSTWNvIiwiWWpNV3ZLa2lsOWJ6T3BTUS1zZmJNVGRKb1hRYTBXNVFNZkRYWlFtMGp0USIsInBDZFZhdmw1VWRYNnJwamFWN240M0FNUzFLTWY2RWZZUTF0d2s5QlJXMGsiLCJpbHRoaHR3U1JSVTc0VVAtMXVwaVZLdWlNLXVxaVZvaXh5SVY5UmY4a1FRIiwiQXB4OEw4SC1aWGdFVm1YU2tQVFUxQ3FTQ09nUy0xU3JUSXFvWmJtSUt2YyIsIm1OZGZJRFlsdEtSM05CMXdhY092ZXU5MGNfOXpiQ3hra192ZEpNRjZOOXMiLCJzMTc3WXVrLXUxYkI1QWVMTVBfeVdoTjZpeTNRblpuTVlTcm1VZ0N6dFRVIiwia1FfbUU1dGR2YlFtaVhqSFlzV3FsYWZwZFM1QmdadDhiZkwtRVY5cGE1USIsIklQODZua3Viak05dGtlaGx2Z01ERE9UQjE0UzRBYzJEbENEMDJVTXlWZlkiLCJrUTM1bmFwU2VZWTROeF9fRWo2YTB0bFRiWk9PR0s1djBTdWdQaU1qbGJ3IiwiVmY3NDY0N05rT0MxWVFJS0tGc1kyMFdKdG45U1pWQ2lZTlo3MGYwYm1HZyIsInA4VkV6bDA2YmMza0ZlN1pkMzA1UG9xLVR2N1NxZkZtOUgzd19DNUFRbEUiLCJkTTcxZWhOdndfUnNJa1YtTzFOd0x3RHVHTWY4YlRoXzVlZHBlRDd5ZlJnIiwiWXBLSG9HWmJobzIwRDlaOGZmMFZoeS16c2dtTVNRN2JuVThldERNM0xXYyIsIjRUd2lJRW9sVzdJSVJIa05sTG10MUZNeXMzd0QxYmFLeXhCX1l2X1FhZ3ciLCJYT1hCeUU4TU9mTFVQVF9WUkZEUU16VmlYTVJEc0dfcXJralF2am1OTzBnIiwiOWlkNFRXVHpLbVktSXJWM2lKMkFWSkdaazlPT3hDMWh1elA0VzN4a2RtZyIsIkZvSXV3dzNzMFZOWEhTZ1VuYWRDSzVQMXVFZTlYWTJQNmZwQmlnMGREWFkiLCJVY0JxTTdIM3JjVXA0ZWpVdnh2UVpZV1lEUEdYMTR5dkNOWVE1eVV5VW1vIiwiQmRaZTlNemJwaWwtakRtd2hQZWpXaWgwRzdnd242U1Y2RktzX1ZTem5RUSIsIlNJRUQyQ2UzLV9aVWtQSnhWNDNQMkVpVGpPb25KNW9FaGFqbm01OGdIVDgiLCJ1dnk2WFRJVzFmM19LbS1BcFNjakNoZTlDcFhLZU1xZURCNUs4RE1BTVM0IiwiaGZuVlNvQXNKbDFvUTVYNTBGaWlVWWtCYTNQSk5DanZMdC0tenlPLWVVayIsIlFpTFl5YjFtWHVjeUlTc3VPckhZVUYwYmFrTWNkMklXUl9PS3JNUktiU3ciLCJyWk8yUEJOdlV5R0VYMEpCcEJqM3RrVFNWbThnTzZrcmhtc2w1NzA1MXljIiwiVlVnRUlYa2hNY0lDaXRhTXFKZ2NpMm03dnotZjMwSTNkMmZpX1M0SHpkVSIsImppZ2hIX1NSM3RiM2xObnhYbU5jZjdYUDZtQjNOQkJqejlETm5QbmIzc2ciXX0.HU2zr5nrSJ68bxrl7SPte3wQb4ZyrlWQLvcNFTNPLzYJjKbh4le0N6zxgRKi-MmptX4SjudiPu5ggScgy6NAfnYKCRPNg0clWRl_6nn7SNcLQGZMeSWR_Uk60kFBHqCbs24caJ-1w_0FhPy6UFCuVjJ1MqwpHeBvWb6OiwIG-nufD7YBCIQwXS7ys8XYuUf4yc6m3SZNZda_BEWROXGdXzsFEooeJj1ktaqoXHwUUMT3tI7Ly3Pf6VxtsuK6dvkS-wCXaalyAVva7ceH84TuYg5iGDgUcuSJfdDAGqV1tH_d60T1xcJt__VlqTlDvqenrwrHpRDGraGUqZSe0FyY9g~WyI4YmJiM2YzNS01ODY3LTQxNGUtOTM3MC1lNGNjMDIwMjgzZjciLCJDcmVkZW50aWFsSXNzdWluZ0RhdGUiLCIyMDI1LTAzLTE5VDE5OjAzOjMxIl0

hashtag
1.11. Security Considerations

hashtag
1.11.1 Best Practices

The following are some of the security best practices recommended for implementation by the Verifier.

  • Protection of the Personally Identifiable Information (PII) data to be handled as per the provisions of the Aadhaar Act.

  • The private key used by the Verifier for signing the JWT must be securely stored. Recommended to use any CloudHSM/Local HSM or USB Device to store the Private Key.

  • Only a valid Private Key is to be used to sign the JWT request.

  • Private keys are to be rotated as per the provisions of the CCA.

  • The JWT token must be set with a reasonable expiry time (exp). Typically, a duration of 5 minutes is recommended.

  • Verifier must validate JTI claim to prevent replay attacks.

  • For cross-device flow, verifiers must always validate the audience claim (aud) and Issuer (iss) claim.

PreviousCross Device Facial Image Capture JourneyNextPortal Initiated Credential Exchange Journey

Last updated