API Reference

The MobbScan API Gateway aims to simplify integration with MobbScan by abstracting the onboarding process from the integrator. This REST API allows you to:

  • Create a new onboarding process
  • Retrieve information about an onboarding process
  • Check the status of an onboarding process
  • Accept or reject an onboarding process
  • Obtain various evidence related to an onboarding process

Refer to the integration guide for more details on how to integrate MobbScan into your system.

Requests format

Unless stated otherwise, request bodies should be sent in JSON format, with the following header:

  Content-Type: application/json

Authentication

The API Gateway uses token-based authentication (JWT Authentication).

To authenticate with the system, the integrator needs to provide the generated API_KEY and API_SECRET.

The access token obtained should be sent in the Authorization header of the requests made to the API Gateway, in the format Bearer <YOUR_ACCESS_TOKEN>.

If the access token is not included in the requests, an error code 401 Not authorized will be returned.

The configured expiration time for the access token is 15 minutes. The expiration time is configurable depending on the integrator's requirements.

Curl

curl --location 'https://{GATEWAY-HOST}/auth/token' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--data '{
"api_key": "API_KEY",
"api_secret": "API_SECRET"
}'

C#

using System;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;

class Program
{
static async Task Main()
{
var client = new HttpClient();
var request = new HttpRequestMessage(HttpMethod.Post, "https://{GATEWAY-HOST}/auth/token");
request.Headers.Add("Accept", "application/json");
var json = "{\"api_key\":\"API_KEY\",\"api_secret\":\"API_SECRET\"}";
request.Content = new StringContent(json, Encoding.UTF8, "application/json");

var response = await client.SendAsync(request);
var responseBody = await response.Content.ReadAsStringAsync();
Console.WriteLine(responseBody);
}
}

Java

import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.net.URI;

public class Main {
public static void main(String[] args) throws Exception {
HttpClient client = HttpClient.newHttpClient();
String json = "{\"api_key\":\"API_KEY\",\"api_secret\":\"API_SECRET\"}";
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create("https://{GATEWAY-HOST}/auth/token"))
.header("Accept", "application/json")
.header("Content-Type", "application/json")
.POST(HttpRequest.BodyPublishers.ofString(json))
.build();

HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
System.out.println(response.body());
}
}

Python

import requests

url = "https://{GATEWAY-HOST}/auth/token"
headers = {
"Accept": "application/json",
"Content-Type": "application/json"
}
data = {
"api_key": "API_KEY",
"api_secret": "API_SECRET"
}

response = requests.post(url, json=data, headers=headers)
print(response.json())

Node

const axios = require('axios');

const url = 'https://{GATEWAY-HOST}/auth/token';
const headers = {
'Accept': 'application/json',
'Content-Type': 'application/json'
};
const data = {
api_key: 'API_KEY',
api_secret: 'API_SECRET'
};

axios.post(url, data, { headers })
.then(response => console.log(response.data))
.catch(error => console.error(error));

PHP

<?php
$url = "https://{GATEWAY-HOST}/auth/token";
$data = json_encode(["api_key" => "API_KEY", "api_secret" => "API_SECRET"]);

$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
"Accept: application/json",
"Content-Type: application/json"
]);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);

$response = curl_exec($ch);
curl_close($ch);
echo $response;
?>

The authentication endpoint can return the following responses:

Code | Description | Comment
400 | Bad Request. Usually means one or more required parameters are missing or incorrect in the request. | Check that all required parameters are included and formatted correctly in the request.
401 | Unauthorized. The credentials used to obtain the authentication token are incorrect. | Ensure you are using the correct credentials (API Key and Secret), and that the JWT token is valid and has not expired.
403 | Forbidden. The user does not have sufficient permissions to obtain the authentication token. | Verify that the user or client has the necessary permissions. If the issue persists, contact support to review the permissions.
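
One way to handle the 15-minute token lifetime on the integrator's side, as an added example that is not Mobbeel's code: cache the access token, read its `exp` claim to renew it shortly before expiry, and drop it after a 401. The `fetch_token` callable, the class and function names and the 60-second margin are assumptions, and the sample token is constructed.

```python
import base64
import json
import time


def jwt_expiry(token):
    """Return the `exp` claim (Unix seconds) of a JWT, or None if unreadable.

    The payload is decoded only to schedule a refresh. The signature is NOT
    verified here; the gateway stays the authority on whether a token is valid.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return int(exp) if isinstance(exp, (int, float)) else None


class TokenCache:
    """Caches the access token and renews it shortly before it expires."""

    def __init__(self, fetch_token, margin=60, fallback_ttl=15 * 60, clock=time.time):
        # fetch_token is a hypothetical callable that POSTs to /auth/token
        # and returns the access token string.
        self.fetch_token = fetch_token
        self.margin = margin              # assumed safety margin, in seconds
        self.fallback_ttl = fallback_ttl  # 15 minutes, the lifetime stated above
        self.clock = clock
        self.token = None
        self.refresh_at = 0.0

    def get(self):
        now = self.clock()
        if self.token is None or now >= self.refresh_at:
            token = self.fetch_token()
            exp = jwt_expiry(token)
            if exp is None:  # unreadable token: fall back to the documented lifetime
                exp = now + self.fallback_ttl
            self.token, self.refresh_at = token, exp - self.margin
        return self.token

    def invalidate(self):
        """Call after a 401 so that the next get() fetches a fresh token."""
        self.token = None

    def auth_header(self):
        return {"Authorization": f"Bearer {self.get()}"}

    def __repr__(self):  # keep the token itself out of logs and tracebacks
        return f"TokenCache(cached={self.token is not None})"


def make_sample_jwt(exp):
    """Constructed token for the demo; not a real gateway token."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f'{b64({"alg": "HS256", "typ": "JWT"})}.{b64({"sub": "demo", "exp": exp})}.sig'


if __name__ == "__main__":
    fake_now = [1_700_000_000]
    cache = TokenCache(lambda: make_sample_jwt(fake_now[0] + 900),
                       clock=lambda: fake_now[0])
    first = cache.get()
    fake_now[0] += 850  # inside the 60-second margin, so the token is renewed
    print(cache.get() != first, cache)
```

Keep API_KEY and API_SECRET inside the `fetch_token` implementation (loaded from a secret store or the environment) so that they never reach logs or client-side code.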

Generate onboarding process

Processes in the API Gateway are called Onboarding. Each onboarding process will be generated with a unique identifier called scanId, and a unique URL will be generated to redirect the user via iFrame or direct redirection to the onboarding process.

Headers

Header | Description
Authorization | Authentication token in the format Bearer <YOUR_ACCESS_TOKEN>
Content-Type | application/json

Request Body

This endpoint allows configuring different parameters to customize the onboarding process. Below is an example of the request structure:

{
    "countryId": "string",
    "docSpecificType": "string",
    "docType": "string",
    "redirectUrl": "string",
    "scanId": "string",
    "userId": "string",
    "groupId": "string",
    "verificationExtraData": {
        "additionalProp1": "string",
        "additionalProp2": "string",
        "additionalProp3": "string"
    }
}

The following are the fields of the request:

Field | Type | Description | Required | Format
countryId | string | Country identifier in ISO 3166-1 alpha-3 format (ESP, FRA, PRT, etc.). | No | ISO 3166-1 alpha-3
docType | string | Document type. Possible values: IDCard, Passport, DrivingLicense | No | Text
docSpecificType | string | Specific document type in MobbScan. This parameter is used to send the specific document type (with MobbScan's nomenclature) directly without the need to send the country and type. | No | Text
redirectUrl | string | URL to redirect the user to after completing the process. | No | URL
scanId | string | Unique identifier for the onboarding process. This parameter allows the integrator to define the process identifier in the system. If not provided, the system will generate a new one. The format should be UUID. | No | UUID
userId | string | A unique user identifier (for the enrollment in MobbID). | No | Text
groupId | string | The identifier of the group to which the user will be added upon enrollment (in MobbID). | No | Text

⚠️ Important: If the use case has a full server-to-server integration, the docType and countryId parameters are mandatory and no docSpecificType should be sent.
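
A pre-flight check for the request body described above, as an added example that is not part of the MobbScan API or SDK: it applies the formats from the field table and the full server-to-server rule before anything is sent to the gateway. The function names and the allow-list of redirect hosts are assumptions (the allow-list is the integrator's own policy, not a gateway requirement), and the sample body is constructed.

```python
import re
import uuid
from urllib.parse import urlsplit

# Field names and docType values as listed in the request table above.
KNOWN_FIELDS = {"countryId", "docSpecificType", "docType", "redirectUrl",
                "scanId", "userId", "groupId", "verificationExtraData"}
STRING_FIELDS = KNOWN_FIELDS - {"verificationExtraData"}
DOC_TYPES = {"IDCard", "Passport", "DrivingLicense"}
ALPHA3_SHAPE = re.compile(r"[A-Z]{3}")  # shape only, not an ISO registry lookup


def is_canonical_uuid(value):
    """True only for the hyphenated 36-character form.

    uuid.UUID() on its own also accepts braces, a urn: prefix and missing hyphens.
    """
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def redirect_problem(url, allowed_hosts):
    """Return what is wrong with redirectUrl, or None if it is acceptable."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "redirectUrl is not a parseable URL"
    if parts.scheme != "https":
        return "redirectUrl must use https"
    if parts.username is not None or parts.password is not None:
        return "redirectUrl must not carry credentials"
    if parts.hostname not in allowed_hosts:
        return f"redirectUrl host {parts.hostname!r} is not on the allow-list"
    return None


def validate_onboarding_request(body, allowed_redirect_hosts, full_s2s=False):
    """Return a list of problems; an empty list means the body can be sent."""
    errors = [f"unknown field {name!r}" for name in sorted(set(body) - KNOWN_FIELDS)]
    for name in sorted(STRING_FIELDS & set(body)):
        if not isinstance(body[name], str):
            errors.append(f"{name} must be a string")

    country, doc_type = body.get("countryId"), body.get("docType")
    scan_id, redirect = body.get("scanId"), body.get("redirectUrl")
    if isinstance(country, str) and not ALPHA3_SHAPE.fullmatch(country):
        errors.append("countryId must be three upper-case letters (ISO 3166-1 alpha-3)")
    if isinstance(doc_type, str) and doc_type not in DOC_TYPES:
        errors.append(f"docType must be one of {sorted(DOC_TYPES)}")
    if isinstance(scan_id, str) and not is_canonical_uuid(scan_id):
        errors.append("scanId must be a UUID")
    if isinstance(redirect, str):
        problem = redirect_problem(redirect, allowed_redirect_hosts)
        if problem:
            errors.append(problem)

    if full_s2s:  # rule from the "Important" note above
        for name in ("docType", "countryId"):
            if name not in body:
                errors.append(f"{name} is mandatory in a full server-to-server integration")
        if "docSpecificType" in body:
            errors.append("docSpecificType must not be sent in a full server-to-server integration")
    return errors


if __name__ == "__main__":
    # Constructed body with a misspelled field and a redirect that hides its real host.
    sample = {
        "countryId": "ESP",
        "docType": "IDCard",
        "redirectUrl": "https://example.com@other.example/redirect",
        "scanId": "0e76e708-1dff-47d8-80fe-12b40043f86d",
        "grouId": "mobbid-example-group",
    }
    for problem in validate_onboarding_request(sample, {"example.com"}, full_s2s=True):
        print(problem)
```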

Curl

curl --location --request POST 'https://{GATEWAY-HOST}/onboarding/token' \
--header 'Authorization: Bearer <YOUR_ACCESS_TOKEN>' \
--header 'Content-Type: application/json' \
--data-raw '{
"countryId": "ESP",
"docType": "IDCard",
"redirectUrl": "https://example.com/redirect",
"scanId": "0e76e708-1dff-47d8-80fe-12b40043f86d",
"userId": "mobbid-example-id",
"groupId": "mobbid-example-group",
"verificationExtraData": {
"additionalProp1": "string",
"additionalProp2": "string",
"additionalProp3": "string"
}
}'

C#

using System;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;

class Program
{
private static readonly HttpClient client = new HttpClient();

static async Task Main()
{
string url = "https://{GATEWAY-HOST}/onboarding/token";
string accessToken = "<YOUR_ACCESS_TOKEN>";

// In a verbatim string (@"..."), a double quote is escaped by doubling it.
var jsonData = @"{
""countryId"": ""ESP"",
""docType"": ""IDCard"",
""redirectUrl"": ""https://example.com/redirect"",
""scanId"": ""0e76e708-1dff-47d8-80fe-12b40043f86d"",
""userId"": ""mobbid-example-id"",
""groupId"": ""mobbid-example-group"",
""verificationExtraData"": {
""additionalProp1"": ""string"",
""additionalProp2"": ""string"",
""additionalProp3"": ""string""
}
}";

client.DefaultRequestHeaders.Add("Authorization", $"Bearer {accessToken}");
var content = new StringContent(jsonData, Encoding.UTF8, "application/json");

HttpResponseMessage response = await client.PostAsync(url, content);
string result = await response.Content.ReadAsStringAsync();

Console.WriteLine(result);
}
}

Java

import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

public class Main {
public static void main(String[] args) throws Exception {
String url = "https://{GATEWAY-HOST}/onboarding/token";
String accessToken = "<YOUR_ACCESS_TOKEN>";
String jsonData = "{"
+ "\"countryId\": \"ESP\","
+ "\"docType\": \"IDCard\","
+ "\"redirectUrl\": \"https://example.com/redirect\","
+ "\"scanId\": \"0e76e708-1dff-47d8-80fe-12b40043f86d\","
+ "\"userId\": \"mobbid-example-id\","
+ "\"groupId\": \"mobbid-example-group\","
+ "\"verificationExtraData\": {"
+ "\"additionalProp1\": \"string\","
+ "\"additionalProp2\": \"string\","
+ "\"additionalProp3\": \"string\""
+ "}"
+ "}";

HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create(url))
.header("Authorization", "Bearer " + accessToken)
.header("Content-Type", "application/json")
.POST(HttpRequest.BodyPublishers.ofString(jsonData))
.build();

HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
System.out.println(response.body());
}
}

Python

import requests

url = "https://{GATEWAY-HOST}/onboarding/token"
access_token = "<YOUR_ACCESS_TOKEN>"

headers = {
"Authorization": f"Bearer {access_token}",
"Content-Type": "application/json"
}

json_data = {
"countryId": "ESP",
"docType": "IDCard",
"redirectUrl": "https://example.com/redirect",
"scanId": "0e76e708-1dff-47d8-80fe-12b40043f86d",
"userId": "mobbid-example-id",
"groupId": "mobbid-example-group",
"verificationExtraData": {
"additionalProp1": "string",
"additionalProp2": "string",
"additionalProp3": "string"
}
}

response = requests.post(url, json=json_data, headers=headers)
print(response.json())

Node

const axios = require('axios');

const url = 'https://{GATEWAY-HOST}/onboarding/token';
const accessToken = '<YOUR_ACCESS_TOKEN>';

const headers = {
'Authorization': `Bearer ${accessToken}`,
'Content-Type': 'application/json'
};

const jsonData = {
countryId: 'ESP',
docType: 'IDCard',
redirectUrl: 'https://example.com/redirect',
scanId: '0e76e708-1dff-47d8-80fe-12b40043f86d',
userId: "mobbid-example-id",
groupId: "mobbid-example-group",
verificationExtraData: {
additionalProp1: 'string',
additionalProp2: 'string',
additionalProp3: 'string'
}
};

axios.post(url, jsonData, { headers })
.then(response => console.log(response.data))
.catch(error => console.error(error));

PHP

<?php
$url = "https://{GATEWAY-HOST}/onboarding/token";
$accessToken = "<YOUR_ACCESS_TOKEN>";

$data = [
"countryId" => "ESP",
"docType" => "IDCard",
"redirectUrl" => "https://example.com/redirect",
"scanId" => "0e76e708-1dff-47d8-80fe-12b40043f86d",
"userId" => "mobbid-example-id",
"groupId" => "mobbid-example-group",
"verificationExtraData" => [
"additionalProp1" => "string",
"additionalProp2" => "string",
"additionalProp3" => "string"
]
];

$headers = [
"Authorization: Bearer $accessToken",
"Content-Type: application/json"
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

$response = curl_exec($ch);
curl_close($ch);

echo $response;
?>

Response

The response to the request for generating an onboarding process will be a JSON object with the following structure:

{
    "token": "xxxx-xxxx-xxxx-xxxx",
    "scanId": "xxxx-xxxx-xxxx-xxxx",
    "onboardingUrl": "https://{GATEWAY-HOST}/ui/start?onboardingToken=xxxx-xxxx-xxxx-xxxx"
}

The following are the fields of the response:

Field | Type | Description | Format
token | string | Authentication token for the onboarding process. | UUID
scanId | string | Unique identifier for the onboarding process. | UUID
onboardingUrl | string | Unique URL to redirect the user to the onboarding process. | URL

The onboarding process generation endpoint can return the following responses:

Code | Description | Comment
200 | OK. The request has been successfully completed. | The response will contain the onboarding process identifier, the authentication token, and the unique URL to redirect the user to the process.
400 | Bad Request. Usually means one or more required parameters are missing or incorrect in the request. | Check that all required parameters are included and formatted correctly in the request.
401 | Unauthorized. The credentials used to obtain the authentication token are incorrect or the user does not have access to the requested resource. | Ensure you are using the correct credentials (API Key and Secret), that the JWT token is valid and has not expired, and that the process is valid.

Get onboarding process information

This endpoint allows you to retrieve detailed information about a specific onboarding process. This data includes:

  • Process status
  • Creation date
  • Agent who reviewed the process
  • Reason for rejection (if applicable)
  • Information extracted from the document
  • Validations performed
  • URLs of the generated evidence
  • Additional process information

Headers

Header | Description
Authorization | Authentication token in the format Bearer <YOUR_ACCESS_TOKEN>
Content-Type | application/json

Request

The endpoint for retrieving onboarding process information requires the onboarding process identifier to be sent in the URL. Below is an example of the request structure:

GET /mobbscan-agent/getVerificationProcessData/{verificationId} HTTP/1.1
Host: {GATEWAY-HOST}
Authorization: Bearer <YOUR_ACCESS_TOKEN>
Content-Type: application/json

The fields of the request are detailed below:

Field | Type | Description | Required | Format
verificationId | string | Unique identifier of the onboarding process. | Yes | UUID

Curl

curl --location --request GET 'https://{GATEWAY-HOST}/mobbscan-agent/getVerificationProcessData/{verificationId}' \
--header 'Authorization: Bearer Token' \
--header 'Accept: application/json'

C#

using System;
using System.Net.Http;
using System.Threading.Tasks;

class Program
{
private static readonly HttpClient client = new HttpClient();

static async Task Main()
{
string url = "https://{GATEWAY-HOST}/mobbscan-agent/getVerificationProcessData/{verificationId}";
string accessToken = "Token";

client.DefaultRequestHeaders.Add("Authorization", $"Bearer {accessToken}");
client.DefaultRequestHeaders.Add("Accept", "application/json");

HttpResponseMessage response = await client.GetAsync(url);
string result = await response.Content.ReadAsStringAsync();

Console.WriteLine(result);
}
}

Java

import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

public class Main {
public static void main(String[] args) throws Exception {
String url = "https://{GATEWAY-HOST}/mobbscan-agent/getVerificationProcessData/{verificationId}";
String accessToken = "Token";

HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create(url))
.header("Authorization", "Bearer " + accessToken)
.header("Accept", "application/json")
.GET()
.build();

HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
System.out.println(response.body());
}
}

Python

import requests

url = "https://{GATEWAY-HOST}/mobbscan-agent/getVerificationProcessData/{verificationId}"
access_token = "Token"

headers = {
"Authorization": f"Bearer {access_token}",
"Accept": "application/json"
}

response = requests.get(url, headers=headers)
print(response.json())

Node

const axios = require('axios');

const url = 'https://{GATEWAY-HOST}/mobbscan-agent/getVerificationProcessData/{verificationId}';
const accessToken = 'Token';

const headers = {
'Authorization': `Bearer ${accessToken}`,
'Accept': 'application/json'
};

axios.get(url, { headers })
.then(response => console.log(response.data))
.catch(error => console.error(error));

PHP

<?php
$url = "https://{GATEWAY-HOST}/mobbscan-agent/getVerificationProcessData/{verificationId}";
$accessToken = "Token";

$headers = [
"Authorization: Bearer $accessToken",
"Accept: application/json"
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

$response = curl_exec($ch);
curl_close($ch);

echo $response;
?>

Response

The response to the request for obtaining information about an onboarding process will be a JSON object with the following structure:

Field | Type | Description | Format
scanId | string | Unique identifier for the onboarding process. | UUID
verificationResult | string | Result of the verification process. | Text
licenseId | string | License identifier. | Text
agent | string | Agent who reviewed the process. | Text
document | object | Information extracted from the document. | Object
images | array | URLs of the generated images. | Array
recordings | array | URLs of the generated recordings. | Array
extraParameters | array | Additional process information. | Array
extraImages | array | URLs of additional generated images. | Array
validations | object | Validations performed. | Object
pdfUrl | string | URL of the generated PDF. | URL
pdfChecksum | string | Checksum of the generated PDF. | Text
rejectionReason | string | Reason for rejection. | Text
comment | string | Comment. | Text
creationTime | string | Creation date of the process. | Date
verificationTime | string | Verification date of the process. | Date
clientInfo | string | Client information. | Text
certificatedZipUrl | string | URL of the certified zip file. | URL
attachments | array | List of attachments related to the onboarding process. | Array

The document contains the following information:

Field | Type | Description | Format
documentType | string | Document type. | Text
personalNumber | string | Personal number. | Text
documentNumber | string | Document number. | Text
name | string | Name. | Text
surname | string | Surname. | Text
firstSurname | string | First surname. | Text
secondSurname | string | Second surname. | Text
gender | string | Gender. | Text
nationality | string | Nationality. | Text
issuingState | string | Issuing state. | Text
dateOfIssuing | string | Date of issuance. | Date
dateOfBirth | string | Date of birth. | Date
dateOfExpiry | string | Expiry date. | Date
address | string | Address. | Text
city | string | City. | Text
region | string | Region. | Text
cityOfBirth | string | City of birth. | Text
regionOfBirth | string | Region of birth. | Text
stateOfBirthName | string | Name of the state of birth. | Text
stateOfBirthIsoCode | string | ISO code of the state of birth. | Text
facialMatchingScore | string | Facial matching score. | Text
facialLivenessScore | string | Facial liveness score. | Text
mrz | string | Machine-readable zone information. | Text

The endpoint for obtaining information about an onboarding process can return the following responses:

Code | Description | Comment
200 | OK. The request has been successfully completed. | The response will contain the detailed information of the onboarding process.
400 | Bad Request. Usually means one or more required parameters are missing or incorrect in the request. | Check that all required parameters are included and formatted correctly in the request.
401 | Unauthorized. The credentials used to obtain the authentication token are incorrect or the user does not have access to the requested resource. | Ensure you are using the correct credentials (API Key and Secret), that the JWT token is valid and has not expired, and that the process is valid.

Check onboarding process result

This endpoint allows you to check the status of an onboarding process, that is, to verify whether the process has been completed, is pending, or has been rejected.

Possible values for the verificationResult field are:

  • PENDING: The onboarding process is pending.
  • VERIFIED: The onboarding process has been accepted.
  • NOT_VERIFIED: The onboarding process has been rejected.
  • CANCELLED: The onboarding process has been canceled.
  • PENDING_VALIDATION: The onboarding process is pending validation.

Headers

Header | Description
Authorization | Authentication token in the format Bearer <YOUR_ACCESS_TOKEN>
Content-Type | application/json

Request

The endpoint for retrieving onboarding process status requires the onboarding process identifier to be sent in the URL. Below is an example of the request structure:

GET /mobbscan-agent/checkVerificationProcessResult/{verificationId} HTTP/1.1
Host: {GATEWAY-HOST}
Authorization: Bearer <YOUR_ACCESS_TOKEN>
Content-Type: application/json

The fields of the request are detailed below:

Field | Type | Description | Required | Format
verificationId | string | Unique identifier of the onboarding process. | Yes | UUID

Curl

curl --location --request GET 'https://{GATEWAY-HOST}/mobbscan-agent/checkVerificationProcessResult/{verificationId}' \
--header 'Authorization: Bearer Token' \
--header 'Accept: application/json'

C#

using System;
using System.Net.Http;
using System.Threading.Tasks;

class Program
{
private static readonly HttpClient client = new HttpClient();

static async Task Main()
{
string url = "https://{GATEWAY-HOST}/mobbscan-agent/checkVerificationProcessResult/{verificationId}";
string accessToken = "Token";

client.DefaultRequestHeaders.Add("Authorization", $"Bearer {accessToken}");
client.DefaultRequestHeaders.Add("Accept", "application/json");

HttpResponseMessage response = await client.GetAsync(url);
string result = await response.Content.ReadAsStringAsync();

Console.WriteLine(result);
}
}

Java

import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

public class Main {
public static void main(String[] args) throws Exception {
String url = "https://{GATEWAY-HOST}/mobbscan-agent/checkVerificationProcessResult/{verificationId}";
String accessToken = "Token";

HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create(url))
.header("Authorization", "Bearer " + accessToken)
.header("Accept", "application/json")
.GET()
.build();

HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
System.out.println(response.body());
}
}

Python

import requests

url = "https://{GATEWAY-HOST}/mobbscan-agent/checkVerificationProcessResult/{verificationId}"
access_token = "Token"

headers = {
"Authorization": f"Bearer {access_token}",
"Accept": "application/json"
}

response = requests.get(url, headers=headers)
print(response.json())

Node

const axios = require('axios');

const url = 'https://{GATEWAY-HOST}/mobbscan-agent/checkVerificationProcessResult/{verificationId}';
const accessToken = 'Token';

const headers = {
'Authorization': `Bearer ${accessToken}`,
'Accept': 'application/json'
};

axios.get(url, { headers })
.then(response => console.log(response.data))
.catch(error => console.error(error));

PHP

<?php
$url = "https://{GATEWAY-HOST}/mobbscan-agent/checkVerificationProcessResult/{verificationId}";
$accessToken = "Token";

$headers = [
"Authorization: Bearer $accessToken",
"Accept: application/json"
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

$response = curl_exec($ch);
curl_close($ch);

echo $response;
?>

Response

The response to the request for checking the status of an onboarding process will be a JSON object with the following structure:

{
    "code": "OK",
    "description": "CHECK_VERIFICATION_PROCESS_RESULT_SUCCESS",
    "verificationResult": "VERIFIED|NOT_VERIFIED|PENDING|CANCELLED|PENDING_VALIDATION",
    "comment": "Agent X verified the process.", // Optional
    "rejectionReason": "DOCUMENT EXPIRED" // Optional
}

The following are the fields of the response:

Field | Type | Description | Format
code | string | Response code. | Text
description | string | Response description. | Text
verificationResult | string | Result of the verification process. | Text
comment | string | Information about the verification. May be present only if the process is VERIFIED. | Text
rejectionReason | string | Information about why the process is not verified. May be present if the process is NOT_VERIFIED. | Text
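
A fail-closed way to act on this response, as an added example that is not Mobbeel's code: only an exact VERIFIED with code OK grants access, the two pending values keep a bounded poll going, and anything malformed or unrecognised is treated as a denial. The function names, the `fetch` callable, the poll limits and the treatment of a non-OK code as a denial are assumptions; the sample responses are constructed.

```python
import json
import time

IN_PROGRESS = {"PENDING", "PENDING_VALIDATION"}
REJECTED = {"NOT_VERIFIED", "CANCELLED"}


def classify(response_text):
    """Map a checkVerificationProcessResult body to (decision, detail).

    decision is "grant", "wait" or "deny". Comparison is exact and
    case-sensitive, so "verified" or a missing field never grants access.
    """
    try:
        data = json.loads(response_text)
    except (TypeError, ValueError):
        return ("deny", "response is not valid JSON")
    if not isinstance(data, dict) or data.get("code") != "OK":
        return ("deny", "response code is not OK")
    result = data.get("verificationResult")
    if result == "VERIFIED":
        return ("grant", data.get("comment") or "")
    if result in IN_PROGRESS:
        return ("wait", result)
    if result in REJECTED:
        return ("deny", data.get("rejectionReason") or result)
    return ("deny", f"unrecognised verificationResult {result!r}")


def poll_until_final(fetch, max_attempts=20, delay=5.0, sleep=time.sleep):
    """Call fetch() until the process leaves the pending states.

    fetch is a hypothetical callable that performs the authenticated GET and
    returns the response body as text. Returns ("timeout", ...) when the
    process is still pending after max_attempts; callers grant only on "grant".
    """
    for attempt in range(max_attempts):
        decision, detail = classify(fetch())
        if decision != "wait":
            return (decision, detail)
        if attempt + 1 < max_attempts:
            sleep(delay)
    return ("timeout", f"still pending after {max_attempts} attempts")


if __name__ == "__main__":
    # Constructed responses, in the order a process might report them.
    responses = iter([
        '{"code": "OK", "verificationResult": "PENDING"}',
        '{"code": "OK", "verificationResult": "PENDING_VALIDATION"}',
        '{"code": "OK", "verificationResult": "NOT_VERIFIED",'
        ' "rejectionReason": "DOCUMENT EXPIRED"}',
    ])
    print(poll_until_final(lambda: next(responses), delay=0))
```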

Get images of onboarding process

This endpoint allows you to obtain the images generated during the onboarding process. The URLs of the available evidence are located in the images field of the response from the onboarding process information endpoint. This service allows you to retrieve the generated images in various formats:

  • Plain text image in base64 format.
  • JSON with the image information.
  • Image in binary format.

Headers

Since the response from this endpoint can have different formats, you need to specify the desired format in the Accept header. Below are the available formats:

Format | Description
application/json | JSON with the image information.
image/jpeg | Image in binary format.
text/plain | Image in plain text in base64 format.

Additionally, the authentication token must be sent in the Authorization header in the format Bearer <YOUR_ACCESS_TOKEN>

Header | Description
Authorization | Authentication token in the format Bearer <YOUR_ACCESS_TOKEN>
Accept | Response format. You should select one of the three formats specified above.

Request

The endpoint for retrieving images of an onboarding process requires the onboarding process identifier to be sent in the URL. Below is an example of the request structure:

Curl

curl --location --request GET 'https://{GATEWAY-HOST}/mobbscan-agent/{verificationId}/image/{imageType}' \
--header 'Authorization: Bearer Token' \
--header 'Accept: application/json'

C#

using System;
using System.Net.Http;
using System.Threading.Tasks;

class Program
{
private static readonly HttpClient client = new HttpClient();

static async Task Main()
{
string url = "https://{GATEWAY-HOST}/mobbscan-agent/{verificationId}/image/{imageType}";
string accessToken = "Token";

client.DefaultRequestHeaders.Add("Authorization", $"Bearer {accessToken}");
client.DefaultRequestHeaders.Add("Accept", "application/json");

HttpResponseMessage response = await client.GetAsync(url);
string result = await response.Content.ReadAsStringAsync();

Console.WriteLine(result);
}
}

Java

import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

public class Main {
public static void main(String[] args) throws Exception {
String url = "https://{GATEWAY-HOST}/mobbscan-agent/{verificationId}/image/{imageType}";
String accessToken = "Token";

HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create(url))
.header("Authorization", "Bearer " + accessToken)
.header("Accept", "application/json")
.GET()
.build();

HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
System.out.println(response.body());
}
}

Python

import requests

url = "https://{GATEWAY-HOST}/mobbscan-agent/{verificationId}/image/{imageType}"
access_token = "Token"

headers = {
"Authorization": f"Bearer {access_token}",
"Accept": "application/json"
}

response = requests.get(url, headers=headers)
print(response.json())

Node

const axios = require('axios');

const url = 'https://{GATEWAY-HOST}/mobbscan-agent/{verificationId}/image/{imageType}';
const accessToken = 'Token';

const headers = {
'Authorization': `Bearer ${accessToken}`,
'Accept': 'application/json'
};

axios.get(url, { headers })
.then(response => console.log(response.data))
.catch(error => console.error(error));

PHP

<?php
$url = "https://{GATEWAY-HOST}/mobbscan-agent/{verificationId}/image/{imageType}";
$accessToken = "Token";

$headers = [
"Authorization: Bearer $accessToken",
"Accept: application/json"
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

$response = curl_exec($ch);
curl_close($ch);

echo $response;
?>

Response

The response to the request for obtaining images of an onboarding process will depend on the format selected in the Accept header.

application/json

{
    "timestamp": "2021-09-01T12:00:00Z",
    "imageType": "",
    "scanId": "xxxx-xxxx-xxxx-xxxx",
    "image": "/9j/4AAQSkZJRgABAQEAYABgAAD/4QA6RXhpZgAATU0AKgAAAAgAA1EQAAEAAAABAQAAAFERAAQAAAABAAABAgABAA..."
}

text/plain

/9j/4AAQSkZJRgABAQEAYABgAAD/4QA6RXhpZgAATU0AKgAAAAgAA1EQAAEAAAABAQAAAFERAAQAAAABAAABAgABAA...

image/jpeg

binary data here

Get recording of onboarding process

This endpoint allows you to obtain the recordings generated during the onboarding process. The URLs of the available evidence can be found in the recordings field of the response from the get onboarding process information endpoint.
This service allows you to obtain the generated recordings in different formats:

  • Image in plain text in base64 format.
  • JSON with the image information.
  • Image in binary format.

Headers

Since the response from this endpoint can have different formats, it is necessary to specify the desired format in the Accept header. The available formats are shown below:

Format | Description
application/json | JSON with the image information.
image/jpeg | Image in binary format.
text/plain | Image in plain text in base64 format.

Additionally, the authentication token must be sent in the Authorization header in the format Bearer <YOUR_ACCESS_TOKEN>.

Header | Description
Authorization | Authentication token in the format Bearer <YOUR_ACCESS_TOKEN>
Accept | Response format. You must select one of the three formats specified above.

Request

The endpoint for obtaining recordings from an onboarding process requires the onboarding process identifier to be included in the URL. Below is an example of the request structure:

Curl

curl --location --request GET 'https://{GATEWAY-HOST}/mobbscan-agent/{verificationId}/recording/{recordingType}' \
--header 'Authorization: Bearer Token' \
--header 'Accept: application/json'

C#

using System;
using System.Net.Http;
using System.Threading.Tasks;

class Program
{
private static readonly HttpClient client = new HttpClient();

static async Task Main()
{
string url = "https://{GATEWAY-HOST}/mobbscan-agent/{verificationId}/recording/{recordingType}";
string accessToken = "Token";

client.DefaultRequestHeaders.Add("Authorization", $"Bearer {accessToken}");
client.DefaultRequestHeaders.Add("Accept", "application/json");

HttpResponseMessage response = await client.GetAsync(url);
string result = await response.Content.ReadAsStringAsync();

Console.WriteLine(result);
}
}

Java

import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

public class Main {
public static void main(String[] args) throws Exception {
String url = "https://{GATEWAY-HOST}/mobbscan-agent/{verificationId}/recording/{recordingType}";
String accessToken = "Token";

HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create(url))
.header("Authorization", "Bearer " + accessToken)
.header("Accept", "application/json")
.GET()
.build();

HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
System.out.println(response.body());
}
}

Python

import requests

url = "https://{GATEWAY-HOST}/mobbscan-agent/{verificationId}/recording/{recordingType}"
access_token = "Token"

headers = {
"Authorization": f"Bearer {access_token}",
"Accept": "application/json"
}

response = requests.get(url, headers=headers)
print(response.json())

Node

const axios = require('axios');

const url = 'https://{GATEWAY-HOST}/mobbscan-agent/{verificationId}/recording/{recordingType}';
const accessToken = 'Token';

const headers = {
'Authorization': `Bearer ${accessToken}`,
'Accept': 'application/json'
};

axios.get(url, { headers })
.then(response => console.log(response.data))
.catch(error => console.error(error));

PHP

<?php
$url = "https://{GATEWAY-HOST}/mobbscan-agent/{verificationId}/recording/{recordingType}";
$accessToken = "Token";

$headers = [
"Authorization: Bearer $accessToken",
"Accept: application/json"
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

$response = curl_exec($ch);
curl_close($ch);

echo $response;
?>

Response

The response to the request for obtaining images of an onboarding process will depend on the format selected in the Accept header.

application/json

{
    "timestamp": "2021-09-01T12:00:00Z",
    "imageType": "",
    "scanId": "xxxx-xxxx-xxxx-xxxx",
    "image": "/9j/4AAQSkZJRgABAQEAYABgAAD/4QA6RXhpZgAATU0AKgAAAAgAA1EQAAEAAAABAQAAAFERAAQAAAABAAABAgABAA..."
}

text/plain

/9j/4AAQSkZJRgABAQEAYABgAAD/4QA6RXhpZgAATU0AKgAAAAgAA1EQAAEAAAABAQAAAFERAAQAAAABAAABAgABAA...

image/jpeg

binary data here
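
As an added example (not part of the Mobbeel documentation), the Python code below normalises the three response formats to raw bytes and rejects any body that does not decode to a JPEG, such as an error body stored by mistake as evidence. It assumes the response Content-Type mirrors the requested Accept value; the function names and the sample bytes are constructed for illustration.

```python
import base64
import binascii
import json

# Every JPEG starts with FF D8 FF; in base64 that is the "/9j/" prefix
# visible in the sample responses above.
JPEG_SOI = b"\xff\xd8\xff"


class EvidenceFormatError(ValueError):
    """The body does not match the format announced by Content-Type."""


def _b64_strict(data):
    # validate=True rejects characters outside the base64 alphabet instead of
    # silently skipping them, so JSON or HTML error bodies are not accepted.
    try:
        return base64.b64decode(data.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise EvidenceFormatError("body is not valid base64") from exc


def decode_image_response(content_type, body, json_field="image"):
    """Return raw JPEG bytes for any of the three documented formats."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/json":
        try:
            doc = json.loads(body)
        except ValueError as exc:
            raise EvidenceFormatError("body is not JSON") from exc
        value = doc.get(json_field) if isinstance(doc, dict) else None
        if not isinstance(value, str) or not value:
            raise EvidenceFormatError(f"missing '{json_field}' field")
        raw = _b64_strict(value)
    elif media_type == "text/plain":
        raw = _b64_strict(body)
    elif media_type == "image/jpeg":
        raw = body
    else:
        raise EvidenceFormatError(f"unexpected Content-Type: {media_type!r}")
    if not raw.startswith(JPEG_SOI):
        raise EvidenceFormatError("decoded data is not a JPEG")
    return raw


def constructed_samples():
    """Constructed bodies, one per format, all carrying the same fake JPEG."""
    jpeg = JPEG_SOI + b"\xe0" + b"constructed-sample-not-a-real-image"
    b64 = base64.b64encode(jpeg)
    as_json = json.dumps({
        "timestamp": "2021-09-01T12:00:00Z",
        "imageType": "",
        "scanId": "xxxx-xxxx-xxxx-xxxx",
        "image": b64.decode("ascii"),
    }).encode("utf-8")
    return jpeg, {"application/json": as_json, "text/plain": b64, "image/jpeg": jpeg}


if __name__ == "__main__":
    expected, bodies = constructed_samples()
    for ctype, payload in bodies.items():
        print(ctype, decode_image_response(ctype, payload) == expected)
```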

Get certificated zip of onboarding process

This endpoint allows you to obtain the certificated zip file generated during the onboarding process. The certificated zip consists of the information extracted from the document, the images, and the recordings generated during the process, all of which are signed to ensure their integrity.

The URL for the certificated zip file can be found in the certificatedZipUrl field of the response from the get onboarding process information endpoint. This zip file will only be available if the onboarding process has been successfully completed. To generate the certificated zip file, the integrator will need to request Mobbeel’s support team to enable this functionality.

Headers

| Header | Description |
| --- | --- |
| Authorization | Authentication token in the format Bearer <YOUR_ACCESS_TOKEN> |
| content-type | application/zip |

Request

The endpoint for obtaining the certificated zip file of an onboarding process requires the onboarding process identifier to be included in the URL. Below is an example of the request structure:

Curl
C#
Java
Python
Node
PHP
curl --location --request GET 'https://{GATEWAY-HOST}/api/zip/{verificationId}' \
--header 'Authorization: Bearer Token' \
--header 'Accept: application/json'
using System;
using System.Net.Http;
using System.Threading.Tasks;

class Program
{
private static readonly HttpClient client = new HttpClient();

static async Task Main()
{
string url = "https://{GATEWAY-HOST}/api/zip/{verificationId}";
string accessToken = "Token";

client.DefaultRequestHeaders.Add("Authorization", $"Bearer {accessToken}");
client.DefaultRequestHeaders.Add("Accept", "application/json");

HttpResponseMessage response = await client.GetAsync(url);
string result = await response.Content.ReadAsStringAsync();

Console.WriteLine(result);
}
}
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

public class Main {
public static void main(String[] args) throws Exception {
String url = "https://{GATEWAY-HOST}/api/zip/{verificationId}";
String accessToken = "Token";

HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create(url))
.header("Authorization", "Bearer " + accessToken)
.header("Accept", "application/json")
.GET()
.build();

HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
System.out.println(response.body());
}
}
import requests

url = "https://{GATEWAY-HOST}/api/zip/{verificationId}"
access_token = "Token"

headers = {
"Authorization": f"Bearer {access_token}",
"Accept": "application/json"
}

response = requests.get(url, headers=headers)
print(response.json())
const axios = require('axios');

const url = 'https://{GATEWAY-HOST}/api/zip/{verificationId}';
const accessToken = 'Token';

const headers = {
'Authorization': `Bearer ${accessToken}`,
'Accept': 'application/json'
};

axios.get(url, { headers })
.then(response => console.log(response.data))
.catch(error => console.error(error));
<?php
$url = "https://{GATEWAY-HOST}/api/zip/{verificationId}";
$accessToken = "Token";

$headers = [
"Authorization: Bearer $accessToken",
"Accept: application/json"
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

$response = curl_exec($ch);
curl_close($ch);

echo $response;
?>

Response

The response to the request will be a certificated zip file containing the information of the onboarding process.
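
As an added example (not Mobbeel's code), the Python check below inspects a downloaded certificated zip before it is unpacked: it rejects bodies that are not zip archives, member paths that would escape the target directory, oversized archives and corrupt members. The size limits, function names and member names are assumptions; verifying the signature is not shown because this page does not describe the signature format.

```python
import io
import zipfile
from pathlib import PurePosixPath

MAX_ENTRIES = 200                      # assumed limits, tune to your evidence sizes
MAX_TOTAL_BYTES = 500 * 1024 * 1024


class UnsafeArchiveError(ValueError):
    """The downloaded body must not be unpacked."""


def inspect_certified_zip(data):
    """Return the member names of the archive, or raise if it is unsafe."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        # Typical cause: a JSON error body (expired token, unknown id)
        # written to disk as if it were the zip.
        raise UnsafeArchiveError("response body is not a zip archive")
    with zipfile.ZipFile(buf) as archive:
        members = archive.infolist()
        if len(members) > MAX_ENTRIES:
            raise UnsafeArchiveError("too many entries")
        total = 0
        names = []
        for info in members:
            path = PurePosixPath(info.filename.replace("\\", "/"))
            if path.is_absolute() or ".." in path.parts:
                raise UnsafeArchiveError(
                    f"path escapes target directory: {info.filename!r}")
            total += info.file_size
            if total > MAX_TOTAL_BYTES:
                raise UnsafeArchiveError("declared uncompressed size exceeds limit")
            names.append(info.filename)
        corrupt = archive.testzip()    # CRC check of every member
        if corrupt is not None:
            raise UnsafeArchiveError(f"corrupt member: {corrupt}")
    return names


def make_zip(entries):
    """Build a constructed in-memory archive for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_zip({"data.json": b"{}", "images/front.jpg": b"\xff\xd8\xff"})
    print(inspect_certified_zip(sample))
```

Store the archive with the same access controls as the rest of the onboarding evidence, since it carries the document data, images and recordings.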


Get PDF of onboarding process

This endpoint allows you to obtain the PDF file generated during the onboarding process. The URL for the PDF file can be found in the pdfUrl field of the response from the get onboarding process information endpoint.

Headers

Since the response from this endpoint can have different formats, it is necessary to specify the desired format in the Accept header. The available formats are shown below:

| Format | Description |
| --- | --- |
| application/json | JSON with the image information. |
| image/jpeg | Image in binary format. |
| text/plain | Image in plain text in base64 format. |

Additionally, the authentication token must be sent in the Authorization header in the format Bearer <YOUR_ACCESS_TOKEN>.

| Header | Description |
| --- | --- |
| Authorization | Authentication token in the format Bearer <YOUR_ACCESS_TOKEN> |
| Accept | Response format. You must select one of the three formats specified above. |

Request

The endpoint for obtaining the PDF of an onboarding process requires the onboarding process identifier to be included in the URL. Below is an example of the request structure:

Curl
C#
Java
Python
Node
PHP
curl --location --request GET 'https://{GATEWAY-HOST}/mobbscan-agent/api/pdf/{verificationId}' \
--header 'Authorization: Bearer Token' \
--header 'Accept: application/json'
using System;
using System.Net.Http;
using System.Threading.Tasks;

class Program
{
private static readonly HttpClient client = new HttpClient();

static async Task Main()
{
string url = "https://{GATEWAY-HOST}/mobbscan-agent/api/pdf/{verificationId}";
string accessToken = "Token";

client.DefaultRequestHeaders.Add("Authorization", $"Bearer {accessToken}");
client.DefaultRequestHeaders.Add("Accept", "application/json");

HttpResponseMessage response = await client.GetAsync(url);
string result = await response.Content.ReadAsStringAsync();

Console.WriteLine(result);
}
}
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

public class Main {
public static void main(String[] args) throws Exception {
String url = "https://{GATEWAY-HOST}/mobbscan-agent/api/pdf/{verificationId}";
String accessToken = "Token";

HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create(url))
.header("Authorization", "Bearer " + accessToken)
.header("Accept", "application/json")
.GET()
.build();

HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
System.out.println(response.body());
}
}
import requests

url = "https://{GATEWAY-HOST}/mobbscan-agent/api/pdf/{verificationId}"
access_token = "Token"

headers = {
"Authorization": f"Bearer {access_token}",
"Accept": "application/json"
}

response = requests.get(url, headers=headers)
print(response.json())
const axios = require('axios');

const url = 'https://{GATEWAY-HOST}/mobbscan-agent/api/pdf/{verificationId}';
const accessToken = 'Token';

const headers = {
'Authorization': `Bearer ${accessToken}`,
'Accept': 'application/json'
};

axios.get(url, { headers })
.then(response => console.log(response.data))
.catch(error => console.error(error));
<?php
$url = "https://{GATEWAY-HOST}/mobbscan-agent/api/pdf/{verificationId}";
$accessToken = "Token";

$headers = [
"Authorization: Bearer $accessToken",
"Accept: application/json"
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

$response = curl_exec($ch);
curl_close($ch);

echo $response;
?>

Response

The response to the request for obtaining the PDF of an onboarding process will depend on the format selected in the Accept header.

application/json

{
    "timestamp": "2021-09-01T12:00:00Z",
    "scanId": "xxxx-xxxx-xxxx-xxxx",
    "pdfDocument": "/9j/4AAQSkZJRgABAQEAYABgAAD/4QA6RXhpZgAATU0AKgAAAAgAA1EQAAEAAAABAQAAAFERAAQAAAABAAABAgABAA..."
}

text/plain

/9j/4AAQSkZJRgABAQEAYABgAAD/4QA6RXhpZgAATU0AKgAAAAgAA1EQAAEAAAABAQAAAFERAAQAAAABAAABAgABAA...

image/jpeg

binary data here

Accept onboarding process

This endpoint allows you to accept an onboarding process. Once an onboarding process is accepted, it will transition to the VERIFIED state and cannot be modified afterward. Additionally, the endpoint allows you to modify the user's information to send the updated details to the system. If the integrator only wants to modify a few fields, they can send only the fields they want to update.

Headers

| Header | Description |
| --- | --- |
| Authorization | Authentication token in the format Bearer <YOUR_ACCESS_TOKEN> |
| Content-Type | application/json |

Request Body

Below are the fields of the request:

| Field | Type | Description | Mandatory | Format |
| --- | --- | --- | --- | --- |
| personalData | object | User's personal information. | Yes | Object |
| type | string | Type of verification. | Yes | Text |
| verificationId | string | Unique identifier of the onboarding process. | Yes | UUID |

The personalData object contains the following information:

| Field | Type | Description | Mandatory | Format |
| --- | --- | --- | --- | --- |
| address | string | Address. | Yes | Text |
| city | string | City. | Yes | Text |
| cityOfBirth | string | City of birth. | Yes | Text |
| country | string | Country. | Yes | Text |
| countryDocumentType | string | Document type of the country. | Yes | Text |
| curp | string | CURP (Unique Population Registry Code). | Yes | Text |
| dateOfBirth | string | Date of birth. | Yes | Date |
| dateOfExpiry | string | Expiry date. | Yes | Date |
| documentNumber | string | Document number. | Yes | Text |
| gender | string | Gender. | Yes | Text |
| mrz | string | Information from the machine-readable zone. | Yes | Text |
| name | string | First name. | Yes | Text |
| personalNumber | string | Personal number. | Yes | Text |
| postCode | string | Postal code. | Yes | Text |
| region | string | Region. | Yes | Text |
| regionOfBirth | string | Region of birth. | Yes | Text |
| firstSurname | string | First surname. | Yes | Text |
| secondSurname | string | Second surname. | Yes | Text |
| stateOfBirth | string | State of birth. | Yes | Text |
| surname | string | Last name. | Yes | Text |

Curl
C#
Java
Python
Node
PHP
curl --location --request POST 'https://{GATEWAY-HOST}/mobbscan-agent/accept' \
--header 'Authorization: Bearer Token' \
--header 'Content-Type: application/json' \
--data-raw '{
"personalData": {
"address": "123 Fake Street",
"city": "Sampletown",
"cityOfBirth": "Sampletown",
"country": "USA",
"countryDocumentType": "Passport",
"curp": "ABC123XYZ",
"dateOfBirth": "1985-06-15",
"dateOfExpiry": "2030-12-31",
"documentNumber": "A1234567",
"gender": "M",
"mrz": "MRZDATAHERE",
"name": "John",
"personalNumber": "987654321",
"postCode": "56789",
"region": "Sample Region",
"regionOfBirth": "Sample Region",
"firstSurname": "Doe",
"secondSurname": "Smith",
"stateOfBirth": "Sample State",
"surname": "Doe"
},
"type": "AUTO",
"verificationId": "xxxx-xxxx-xxxx-xxxx"
}'
using System;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;

class Program
{
private static readonly HttpClient client = new HttpClient();

static async Task Main()
{
string url = "https://{GATEWAY-HOST}/mobbscan-agent/accept";
string accessToken = "Token";
string jsonData = "{"
+ "\"personalData\": {"
+ "\"address\": \"123 Fake Street\","
+ "\"city\": \"Sampletown\","
+ "\"cityOfBirth\": \"Sampletown\","
+ "\"country\": \"USA\","
+ "\"countryDocumentType\": \"Passport\","
+ "\"curp\": \"ABC123XYZ\","
+ "\"dateOfBirth\": \"1985-06-15\","
+ "\"dateOfExpiry\": \"2030-12-31\","
+ "\"documentNumber\": \"A1234567\","
+ "\"gender\": \"M\","
+ "\"mrz\": \"MRZDATAHERE\","
+ "\"name\": \"John\","
+ "\"personalNumber\": \"987654321\","
+ "\"postCode\": \"56789\","
+ "\"region\": \"Sample Region\","
+ "\"regionOfBirth\": \"Sample Region\","
+ "\"firstSurname\": \"Doe\","
+ "\"secondSurname\": \"Smith\","
+ "\"stateOfBirth\": \"Sample State\","
+ "\"surname\": \"Doe\""
+ "},"
+ "\"type\": \"AUTO\","
+ "\"verificationId\": \"xxxx-xxxx-xxxx-xxxx\""
+ "}";


client.DefaultRequestHeaders.Add("Authorization", $"Bearer {accessToken}");
HttpContent content = new StringContent(jsonData, Encoding.UTF8, "application/json");

HttpResponseMessage response = await client.PostAsync(url, content);
string result = await response.Content.ReadAsStringAsync();

Console.WriteLine(result);
}
}
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;

public class Main {
public static void main(String[] args) throws Exception {
String url = "https://{GATEWAY-HOST}/mobbscan-agent/accept";
String accessToken = "Token";
String jsonData = "{"
+ "\"personalData\": {"
+ "\"address\": \"123 Fake Street\","
+ "\"city\": \"Sampletown\","
+ "\"cityOfBirth\": \"Sampletown\","
+ "\"country\": \"USA\","
+ "\"countryDocumentType\": \"Passport\","
+ "\"curp\": \"ABC123XYZ\","
+ "\"dateOfBirth\": \"1985-06-15\","
+ "\"dateOfExpiry\": \"2030-12-31\","
+ "\"documentNumber\": \"A1234567\","
+ "\"gender\": \"M\","
+ "\"mrz\": \"MRZDATAHERE\","
+ "\"name\": \"John\","
+ "\"personalNumber\": \"987654321\","
+ "\"postCode\": \"56789\","
+ "\"region\": \"Sample Region\","
+ "\"regionOfBirth\": \"Sample Region\","
+ "\"firstSurname\": \"Doe\","
+ "\"secondSurname\": \"Smith\","
+ "\"stateOfBirth\": \"Sample State\","
+ "\"surname\": \"Doe\""
+ "},"
+ "\"type\": \"AUTO\","
+ "\"verificationId\": \"xxxx-xxxx-xxxx-xxxx\""
+ "}";

HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create(url))
.header("Authorization", "Bearer " + accessToken)
.header("Content-Type", "application/json")
.POST(HttpRequest.BodyPublishers.ofString(jsonData, StandardCharsets.UTF_8))
.build();

HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
System.out.println(response.body());
}
}
import requests

url = "https://{GATEWAY-HOST}/mobbscan-agent/accept"
access_token = "Token"
json_data = {
"personalData": {
"address": "123 Fake Street",
"city": "Sampletown",
"cityOfBirth": "Sampletown",
"country": "USA",
"countryDocumentType": "Passport",
"curp": "ABC123XYZ",
"dateOfBirth": "1985-06-15",
"dateOfExpiry": "2030-12-31",
"documentNumber": "A1234567",
"gender": "M",
"mrz": "MRZDATAHERE",
"name": "John",
"personalNumber": "987654321",
"postCode": "56789",
"region": "Sample Region",
"regionOfBirth": "Sample Region",
"firstSurname": "Doe",
"secondSurname": "Smith",
"stateOfBirth": "Sample State",
"surname": "Doe"
},
"type": "AUTO",
"verificationId": "xxxx-xxxx-xxxx-xxxx"
}

headers = {
"Authorization": f"Bearer {access_token}",
"Content-Type": "application/json"
}

response = requests.post(url, json=json_data, headers=headers)
print(response.json())
const axios = require('axios');

const url = 'https://{GATEWAY-HOST}/mobbscan-agent/accept';
const accessToken = 'Token';
const jsonData = {
personalData: {
address: "123 Fake Street",
city: "Sampletown",
cityOfBirth: "Sampletown",
country: "USA",
countryDocumentType: "Passport",
curp: "ABC123XYZ",
dateOfBirth: "1985-06-15",
dateOfExpiry: "2030-12-31",
documentNumber: "A1234567",
gender: "M",
mrz: "MRZDATAHERE",
name: "John",
personalNumber: "987654321",
postCode: "56789",
region: "Sample Region",
regionOfBirth: "Sample Region",
firstSurname: "Doe",
secondSurname: "Smith",
stateOfBirth: "Sample State",
surname: "Doe"
},
type: "AUTO",
verificationId: "{verificationId}"
};


axios.post(url, jsonData, {
headers: {
'Authorization': `Bearer ${accessToken}`,
'Content-Type': 'application/json'
}
})
.then(response => console.log(response.data))
.catch(error => console.error(error));
<?php
$url = "https://{GATEWAY-HOST}/mobbscan-agent/accept";
$accessToken = "Token";
$jsonData = json_encode([
"personalData" => [
"address" => "123 Fake Street",
"city" => "Sampletown",
"cityOfBirth" => "Sampletown",
"country" => "USA",
"countryDocumentType" => "Passport",
"curp" => "ABC123XYZ",
"dateOfBirth" => "1985-06-15",
"dateOfExpiry" => "2030-12-31",
"documentNumber" => "A1234567",
"gender" => "M",
"mrz" => "MRZDATAHERE",
"name" => "John",
"personalNumber" => "987654321",
"postCode" => "56789",
"region" => "Sample Region",
"regionOfBirth" => "Sample Region",
"firstSurname" => "Doe",
"secondSurname" => "Smith",
"stateOfBirth" => "Sample State",
"surname" => "Doe"
],
"type" => "AUTO",
"verificationId" => "xxxx-xxxx-xxxx-xxxx"
], JSON_PRETTY_PRINT);
$headers = [ "Authorization: Bearer $accessToken", "Content-Type: application/json" ];
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $jsonData);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$response = curl_exec($ch);
curl_close($ch);
echo $response;
?>

Response

The response to the request to accept an onboarding process will be a JSON object with the following structure:

{
    "status": "VERIFICATION_ACCEPTED",
    "description": "Verification with id={verificationId} accepted successfully"
}

Below are the fields of the response:

| Field | Type | Description | Format |
| --- | --- | --- | --- |
| status | string | Outcome of the acceptance process. | Text |
| description | string | Description of the outcome of the acceptance process. | Text |

The possible responses to the onboarding process acceptance request are as follows:

| Code | Description | Comment |
| --- | --- | --- |
| 200 | OK. The request has been completed successfully. | The response will contain the result of the acceptance process. |
| 400 | Bad Request. This generally means that one or more required parameters are missing or incorrect. | Verify that all required parameters are included and have the correct format in the request. |
| 401 | Unauthorized. The credentials used to obtain the authentication token are incorrect, or the user does not have access to the requested resource. | Make sure to use the correct credentials (API Key and Secret), that the JWT token is valid and hasn't expired, and that the process is valid. |
| 403 | Forbidden. The user does not have permission to perform the action. | Make sure the user has the necessary permissions to perform the action. |
| 409 | Conflict. The onboarding process is not in a valid state to be accepted. | Ensure that the onboarding process has not been previously accepted or rejected. |

Reject onboarding process

This endpoint allows you to reject an onboarding process. When rejecting an onboarding process, it will move to the NOT_VERIFIED state and cannot be modified afterwards.

Headers

| Header | Description |
| --- | --- |
| Authorization | Authentication token in the format Bearer <YOUR_ACCESS_TOKEN> |
| Content-Type | application/json |

Request Body

The following are the fields of the request:

| Field | Type | Description | Required | Format |
| --- | --- | --- | --- | --- |
| rejectionComment | string | Reason for the rejection | Yes | Text |
| type | string | Type of verification. | Yes | Text |
| verificationId | string | Unique identifier of the onboarding process. | Yes | UUID |

Curl
C#
Java
Python
Node
PHP
curl --location --request POST 'https://{GATEWAY-HOST}/mobbscan-agent/reject' \
--header 'Authorization: Bearer Token' \
--header 'Content-Type: application/json' \
--data-raw '{
"rejectionComment": "string",
"type": "AUTO",
"verificationId": "xxxx-xxxx-xxxx-xxxx"
}'
using System;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;

class Program
{
private static readonly HttpClient client = new HttpClient();

static async Task Main()
{
string url = "https://{GATEWAY-HOST}/mobbscan-agent/reject";
string accessToken = "Token";
string jsonData = "{"
+ "\"rejectionComment\": \"string\","
+ "\"type\": \"AUTO\","
+ "\"verificationId\": \"xxxx-xxxx-xxxx-xxxx\""
+ "}";

client.DefaultRequestHeaders.Add("Authorization", $"Bearer {accessToken}");
HttpContent content = new StringContent(jsonData, Encoding.UTF8, "application/json");

HttpResponseMessage response = await client.PostAsync(url, content);
string result = await response.Content.ReadAsStringAsync();

Console.WriteLine(result);
}
}
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;

public class Main {
public static void main(String[] args) throws Exception {
String url = "https://{GATEWAY-HOST}/mobbscan-agent/reject";
String accessToken = "Token";
String jsonData = "{"
+ "\"rejectionComment\": \"string\","
+ "\"type\": \"AUTO\","
+ "\"verificationId\": \"xxxx-xxxx-xxxx-xxxx\""
+ "}";

HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create(url))
.header("Authorization", "Bearer " + accessToken)
.header("Content-Type", "application/json")
.POST(HttpRequest.BodyPublishers.ofString(jsonData, StandardCharsets.UTF_8))
.build();

HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
System.out.println(response.body());
}
}
import requests

url = "https://{GATEWAY-HOST}/mobbscan-agent/reject"
access_token = "Token"
data = {
"rejectionComment": "string",
"type": "AUTO",
"verificationId": "xxxx-xxxx-xxxx-xxxx"
}

headers = {
"Authorization": f"Bearer {access_token}",
"Content-Type": "application/json"
}

response = requests.post(url, json=data, headers=headers)
print(response.json())
const axios = require('axios');

const url = 'https://{GATEWAY-HOST}/mobbscan-agent/reject';
const accessToken = 'Token';
const data = {
rejectionComment: "string",
type: "AUTO",
verificationId: "xxxx-xxxx-xxxx-xxxx"
};

axios.post(url, data, {
headers: {
'Authorization': `Bearer ${accessToken}`,
'Content-Type': 'application/json'
}
})
.then(response => console.log(response.data))
.catch(error => console.error(error));
<?php
$url = "https://{GATEWAY-HOST}/mobbscan-agent/reject";
$accessToken = "Token";
$data = json_encode([ "rejectionComment" => "string", "type" => "AUTO", "verificationId" => "xxxx-xxxx-xxxx-xxxx" ]);
$headers = [ "Authorization: Bearer $accessToken", "Content-Type: application/json" ];
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$response = curl_exec($ch);
curl_close($ch);
echo $response;
?>

Response

The following are the fields of the response:

| Field | Type | Description | Format |
| --- | --- | --- | --- |
| status | string | Result of the rejection process. | Text |
| description | string | Description of the result of the rejection process. | Text |

The possible responses to the rejection request of an onboarding process are the following:

| Code | Description | Comment |
| --- | --- | --- |
| 200 | OK. The request has been successfully completed. | The response will contain the result of the rejection process. |
| 400 | Bad Request. Generally means that one or more required parameters are missing or incorrect in the request. | Verify that all required parameters are included and have the correct format in the request. |
| 401 | Unauthorized. The credentials used to obtain the authentication token are incorrect or the user does not have access to the required resource. | Make sure to use the correct credentials (API Key and Secret) and that the JWT token is valid and has not expired, and that the process is valid. |
| 403 | Forbidden. The user does not have permission to perform the action. | Ensure that the user has the necessary permissions to perform the action. |
| 409 | Conflict. The onboarding process is not in a valid state to be rejected. | Ensure that the onboarding process has not been accepted or rejected previously. |
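
Because accepting and rejecting are both irreversible, the following added example (not Mobbeel's code) validates an accept body locally and then handles the documented status codes for the accept and reject endpoints: one retry with a fresh token on 401, and no retry on 409. The transport and token callables, the error bodies and the YYYY-MM-DD date format are assumptions; the sample gateway is constructed so the code runs offline.

```python
import json
import uuid
from datetime import date

# Field names taken from the personalData table of the accept endpoint.
PERSONAL_DATA_FIELDS = frozenset({
    "address", "city", "cityOfBirth", "country", "countryDocumentType", "curp",
    "dateOfBirth", "dateOfExpiry", "documentNumber", "gender", "mrz", "name",
    "personalNumber", "postCode", "region", "regionOfBirth", "firstSurname",
    "secondSurname", "stateOfBirth", "surname",
})
DATE_FIELDS = {"dateOfBirth", "dateOfExpiry"}


class DecisionError(Exception):
    def __init__(self, kind, detail):
        super().__init__(f"{kind}: {detail}")
        self.kind = kind


def build_accept_body(verification_id, personal_data, verification_type="AUTO"):
    """Validate locally so a typo cannot end up in an unmodifiable VERIFIED record."""
    uuid.UUID(verification_id)                    # ValueError if not a UUID
    unknown = set(personal_data) - PERSONAL_DATA_FIELDS
    if unknown:
        raise ValueError(f"unknown personalData fields: {sorted(unknown)}")
    for field in DATE_FIELDS & set(personal_data):
        date.fromisoformat(personal_data[field])  # assumed format, as in the samples
    return {"personalData": dict(personal_data), "type": verification_type,
            "verificationId": verification_id}


def submit_decision(action, body, get_token, send):
    """POST to /mobbscan-agent/{accept|reject}; return the parsed 200 response."""
    if action not in ("accept", "reject"):
        raise ValueError("action must be 'accept' or 'reject'")
    for attempt in range(2):
        token = get_token(force=attempt > 0)
        status, text = send(f"/mobbscan-agent/{action}", token, body)
        if status == 200:
            return json.loads(text)
        if status == 401 and attempt == 0:
            continue      # access token may have expired: refresh and retry once
        if status == 409:
            # Already accepted or rejected: surface it, never retry blindly.
            raise DecisionError("conflict", text)
        kind = {400: "bad_request", 401: "unauthorized", 403: "forbidden"}
        raise DecisionError(kind.get(status, "unexpected"), text)


def constructed_gateway():
    """Constructed stand-in: stale token gives 401, a second decision gives 409."""
    decided = set()

    def send(path, token, body):
        if token != "fresh":
            return 401, '{"error": "constructed: token expired"}'
        if body["verificationId"] in decided:
            return 409, '{"error": "constructed: already decided"}'
        decided.add(body["verificationId"])
        status = "VERIFICATION_ACCEPTED" if path.endswith("/accept") else "CONSTRUCTED_PLACEHOLDER"
        return 200, json.dumps({"status": status, "description": "constructed response"})

    def get_token(force=False):
        return "fresh" if force else "stale"

    return send, get_token


if __name__ == "__main__":
    send, get_token = constructed_gateway()
    body = build_accept_body("d80a9694-3250-4a4c-9169-385fd95e06fb", {"name": "John"})
    print(submit_decision("accept", body, get_token, send))
```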

Send onboarding process to review

The API allows setting up a process for automatic validation by the integrator. Based on these validations, the integrator will be able to accept, reject, or request manual review of the process. To do this, the integrator must notify the platform support team in advance to configure the automatic validations. In this case, the process will be in the PENDING_VALIDATION state until the integrator makes a decision. To send it for manual review, the integrator must call this endpoint.

Headers

| Header | Description |
| --- | --- |
| Authorization | Authentication token in the format Bearer <YOUR_ACCESS_TOKEN> |
| Content-Type | application/json |

Request Body

The following are the fields of the request:

| Field | Type | Description | Required | Format |
| --- | --- | --- | --- | --- |
| verificationId | string | Unique identifier of the onboarding process. | Yes | UUID |

Curl
C#
Java
Python
Node
PHP
curl --location --request POST 'https://{GATEWAY-HOST}/mobbscan-agent/pending' \
--header 'Authorization: Bearer Token' \
--header 'Content-Type: application/json' \
--data-raw '{
"personalData": {
"address": "123 Fake Street",
"city": "Sampletown",
"cityOfBirth": "Sampletown",
"country": "USA",
"countryDocumentType": "Passport",
"curp": "ABC123XYZ",
"dateOfBirth": "1985-06-15",
"dateOfExpiry": "2030-12-31",
"documentNumber": "A1234567",
"gender": "M",
"mrz": "MRZDATAHERE",
"name": "John",
"personalNumber": "987654321",
"postCode": "56789",
"region": "Sample Region",
"regionOfBirth": "Sample Region",
"firstSurname": "Doe",
"secondSurname": "Smith",
"stateOfBirth": "Sample State",
"surname": "Doe"
},
"verificationId": "xxxx-xxxx-xxxx-xxxx"
}'
using System;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;

class Program
{
private static readonly HttpClient client = new HttpClient();

static async Task Main()
{
string url = "https://{GATEWAY-HOST}/mobbscan-agent/pending";
string accessToken = "Token";
string jsonData = "{"
+ "\"personalData\": {"
+ "\"address\": \"123 Fake Street\","
+ "\"city\": \"Sampletown\","
+ "\"cityOfBirth\": \"Sampletown\","
+ "\"country\": \"USA\","
+ "\"countryDocumentType\": \"Passport\","
+ "\"curp\": \"ABC123XYZ\","
+ "\"dateOfBirth\": \"1985-06-15\","
+ "\"dateOfExpiry\": \"2030-12-31\","
+ "\"documentNumber\": \"A1234567\","
+ "\"gender\": \"M\","
+ "\"mrz\": \"MRZDATAHERE\","
+ "\"name\": \"John\","
+ "\"personalNumber\": \"987654321\","
+ "\"postCode\": \"56789\","
+ "\"region\": \"Sample Region\","
+ "\"regionOfBirth\": \"Sample Region\","
+ "\"firstSurname\": \"Doe\","
+ "\"secondSurname\": \"Smith\","
+ "\"stateOfBirth\": \"Sample State\","
+ "\"surname\": \"Doe\""
+ "},"
+ "\"verificationId\": \"xxxx-xxxx-xxxx-xxxx\""
+ "}";

client.DefaultRequestHeaders.Add("Authorization", $"Bearer {accessToken}");
HttpContent content = new StringContent(jsonData, Encoding.UTF8, "application/json");

HttpResponseMessage response = await client.PostAsync(url, content);
string result = await response.Content.ReadAsStringAsync();

Console.WriteLine(result);
}
}
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;

public class Main {
public static void main(String[] args) throws Exception {
String url = "https://{GATEWAY-HOST}/mobbscan-agent/pending";
String accessToken = "Token";
String jsonData = "{"
+ "\"personalData\": {"
+ "\"address\": \"123 Fake Street\","
+ "\"city\": \"Sampletown\","
+ "\"cityOfBirth\": \"Sampletown\","
+ "\"country\": \"USA\","
+ "\"countryDocumentType\": \"Passport\","
+ "\"curp\": \"ABC123XYZ\","
+ "\"dateOfBirth\": \"1985-06-15\","
+ "\"dateOfExpiry\": \"2030-12-31\","
+ "\"documentNumber\": \"A1234567\","
+ "\"gender\": \"M\","
+ "\"mrz\": \"MRZDATAHERE\","
+ "\"name\": \"John\","
+ "\"personalNumber\": \"987654321\","
+ "\"postCode\": \"56789\","
+ "\"region\": \"Sample Region\","
+ "\"regionOfBirth\": \"Sample Region\","
+ "\"firstSurname\": \"Doe\","
+ "\"secondSurname\": \"Smith\","
+ "\"stateOfBirth\": \"Sample State\","
+ "\"surname\": \"Doe\""
+ "},"
+ "\"verificationId\": \"xxxx-xxxx-xxxx-xxxx\""
+ "}";


HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create(url))
.header("Authorization", "Bearer " + accessToken)
.header("Content-Type", "application/json")
.POST(HttpRequest.BodyPublishers.ofString(jsonData, StandardCharsets.UTF_8))
.build();

HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
System.out.println(response.body());
}
}
import requests

url = "https://{GATEWAY-HOST}/mobbscan-agent/pending"
access_token = "Token"
json_data = {
"personalData": {
"address": "123 Fake Street",
"city": "Sampletown",
"cityOfBirth": "Sampletown",
"country": "USA",
"countryDocumentType": "Passport",
"curp": "ABC123XYZ",
"dateOfBirth": "1985-06-15",
"dateOfExpiry": "2030-12-31",
"documentNumber": "A1234567",
"gender": "M",
"mrz": "MRZDATAHERE",
"name": "John",
"personalNumber": "987654321",
"postCode": "56789",
"region": "Sample Region",
"regionOfBirth": "Sample Region",
"firstSurname": "Doe",
"secondSurname": "Smith",
"stateOfBirth": "Sample State",
"surname": "Doe"
},
"verificationId": "xxxx-xxxx-xxxx-xxxx"
}

headers = {
"Authorization": f"Bearer {access_token}",
"Content-Type": "application/json"
}

response = requests.post(url, json=json_data, headers=headers)
print(response.json())
const axios = require('axios');

const url = 'https://{GATEWAY-HOST}/mobbscan-agent/pending';
const accessToken = 'Token';
const jsonData = {
personalData: {
address: "123 Fake Street",
city: "Sampletown",
cityOfBirth: "Sampletown",
country: "USA",
countryDocumentType: "Passport",
curp: "ABC123XYZ",
dateOfBirth: "1985-06-15",
dateOfExpiry: "2030-12-31",
documentNumber: "A1234567",
gender: "M",
mrz: "MRZDATAHERE",
name: "John",
personalNumber: "987654321",
postCode: "56789",
region: "Sample Region",
regionOfBirth: "Sample Region",
firstSurname: "Doe",
secondSurname: "Smith",
stateOfBirth: "Sample State",
surname: "Doe"
},
verificationId: "{verificationId}"
};

axios.post(url, jsonData, {
headers: {
'Authorization': `Bearer ${accessToken}`,
'Content-Type': 'application/json'
}
})
.then(response => console.log(response.data))
.catch(error => console.error(error));
<?php
$url = "https://{GATEWAY-HOST}/mobbscan-agent/pending";
$accessToken = "Token";
$jsonData = json_encode([
"personalData" => [
"address" => "123 Fake Street",
"city" => "Sampletown",
"cityOfBirth" => "Sampletown",
"country" => "USA",
"countryDocumentType" => "Passport",
"curp" => "ABC123XYZ",
"dateOfBirth" => "1985-06-15",
"dateOfExpiry" => "2030-12-31",
"documentNumber" => "A1234567",
"gender" => "M",
"mrz" => "MRZDATAHERE",
"name" => "John",
"personalNumber" => "987654321",
"postCode" => "56789",
"region" => "Sample Region",
"regionOfBirth" => "Sample Region",
"firstSurname" => "Doe",
"secondSurname" => "Smith",
"stateOfBirth" => "Sample State",
"surname" => "Doe"
],
"verificationId" => "xxxx-xxxx-xxxx-xxxx"
], JSON_PRETTY_PRINT);

$headers = [ "Authorization: Bearer $accessToken", "Content-Type: application/json" ];
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $jsonData);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$response = curl_exec($ch);
curl_close($ch);
echo $response;
?>

Response

The response to the request will be a JSON object with the following structure:

{
    "status": "UPDATED_VERIFICATION",
    "description": "Verification with id={verificationId} accepted successfully"
}

Below are the fields of the response:

| Field | Type | Description | Format |
| --- | --- | --- | --- |
| status | string | Result of the rejection process. | Text |
| description | string | Description of the result of the rejection process. | Text |

The possible responses to the request are as follows:

| Code | Description | Comment |
| --- | --- | --- |
| 200 | OK. The request has been completed successfully. | The response will contain the result of the rejection process. |
| 400 | Bad Request. Generally means that one or more required parameters are missing or incorrect in the request. | Check that all required parameters are included and correctly formatted in the request. |
| 401 | Unauthorized. The credentials used to obtain the authentication token are incorrect or the user does not have access to the required resource. | Make sure to use the correct credentials (API Key and Secret), that the JWT token is valid and has not expired, and that the process is valid. |
| 403 | Forbidden. The user does not have permission to perform the action. | Ensure that the user has the necessary permissions to perform the action. |
| 409 | Conflict. The onboarding process is not in a valid state to be rejected. | Ensure that the onboarding process has not been accepted or rejected previously. |

Delete onboarding process

This endpoint allows you to delete an onboarding process. Once the onboarding process is deleted, it cannot be recovered.

Headers

Header | Description
Authorization | Authentication token in the format Bearer <YOUR_ACCESS_TOKEN>
Content-Type | application/json

Request

The endpoint for deleting an onboarding process requires the onboarding process identifier to be sent in the URL. The fields of the request are detailed below:

Field | Type | Description | Required | Format
verificationId | string | Unique identifier of the onboarding process. | Yes | UUID

Below is an example of the request structure:

Curl
curl --location --request DELETE 'https://{GATEWAY-HOST}/mobbscan-agent/api/verification/d80a9694-3250-4a4c-9169-385fd95e06fb' \
--header 'Authorization: Bearer Token' \
--header 'Accept: application/json'

C#
using System;
using System.Net.Http;
using System.Threading.Tasks;

class Program
{
    private static readonly HttpClient client = new HttpClient();

    static async Task Main()
    {
        string url = "https://{GATEWAY-HOST}/mobbscan-agent/api/verification/d80a9694-3250-4a4c-9169-385fd95e06fb";
        string accessToken = "Token";

        client.DefaultRequestHeaders.Add("Authorization", $"Bearer {accessToken}");
        client.DefaultRequestHeaders.Add("Accept", "application/json");

        HttpResponseMessage response = await client.DeleteAsync(url);
        string result = await response.Content.ReadAsStringAsync();

        Console.WriteLine(result);
    }
}

Java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

public class Main {
    public static void main(String[] args) throws Exception {
        String url = "https://{GATEWAY-HOST}/mobbscan-agent/api/verification/d80a9694-3250-4a4c-9169-385fd95e06fb";
        String accessToken = "Token";

        HttpClient client = HttpClient.newHttpClient();
        HttpRequest request = HttpRequest.newBuilder()
                .uri(URI.create(url))
                .header("Authorization", "Bearer " + accessToken)
                .header("Accept", "application/json")
                // The endpoint is called with the DELETE method, as in the curl example
                .DELETE()
                .build();

        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
        System.out.println(response.body());
    }
}

Python
import requests

url = "https://{GATEWAY-HOST}/mobbscan-agent/api/verification/d80a9694-3250-4a4c-9169-385fd95e06fb"
access_token = "Token"

headers = {
    "Authorization": f"Bearer {access_token}",
    "Accept": "application/json"
}

response = requests.delete(url, headers=headers)
print(response.json())

JavaScript
const axios = require('axios');

const url = 'https://{GATEWAY-HOST}/mobbscan-agent/api/verification/d80a9694-3250-4a4c-9169-385fd95e06fb';
const accessToken = 'Token';

const headers = {
    'Authorization': `Bearer ${accessToken}`,
    'Accept': 'application/json'
};

axios.delete(url, { headers })
    .then(response => console.log(response.data))
    .catch(error => console.error(error));

PHP
<?php
$url = "https://{GATEWAY-HOST}/mobbscan-agent/api/verification/d80a9694-3250-4a4c-9169-385fd95e06fb";
$accessToken = "Token";

$headers = [
    "Authorization: Bearer $accessToken",
    "Accept: application/json"
];

$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'DELETE');
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

$response = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($httpCode >= 200 && $httpCode < 300) {
    echo "Success: " . $response;
} else {
    echo "Error: " . $response;
}
?>

Response

The following are the fields of the response:

Field | Type | Description | Format
status | string | Result of the rejection process. | Text
description | string | Description of the result of the rejection process. | Text

The possible responses to the rejection request of an onboarding process are the following:

Code | Description | Comment
200 | OK. The request has been successfully completed. | The response will contain the result of the rejection process.
400 | Bad Request. Generally means that one or more required parameters are missing or incorrect in the request. | Verify that all required parameters are included and have the correct format in the request.
401 | Unauthorized. The credentials used to obtain the authentication token are incorrect or the user does not have access to the required resource. | Make sure to use the correct credentials (API Key and Secret) and that the JWT token is valid and has not expired, and that the process is valid.
403 | Forbidden. The user does not have permission to perform the action. | Ensure that the user has the necessary permissions to perform the action.
409 | Conflict. The onboarding process is not in a valid state to be rejected. | Ensure that the onboarding process has not been accepted or rejected previously.

Add attachment to onboarding process

This endpoint allows you to add an attachment to an onboarding process. The attachment can be any file that the integrator deems necessary for the verification process. The attachment must have a valid MIME type and must not exceed the size limit set by the platform. Below are the limits for the attachment:

Field | Value
Max File Size | 5 MB
Allowed file types | pdf, jpg, jpeg, png, docx, doc, txt
Max Files per process | 3
File name restrictions | Only alphanumeric characters, underscores, and hyphens are allowed. Spaces are not allowed.

For customized limits, please contact the platform support team.

NOTE: The attachments are located by their name in the onboarding process. If an attachment with the same name already exists, it will be replaced by the new one independently of the file type.
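The limits above can be checked on the integrator's side before the upload is sent, which also surfaces the silent replacement described in the NOTE. The following is an added example, not part of the MobbScan documentation or SDK: check_attachment and its error codes are hypothetical, "5 MB" is assumed to mean 5 × 1024 × 1024 bytes, "alphanumeric" is assumed to mean ASCII, the name restriction is assumed to apply to the attachment name (the name field, or the file name without its extension when name is omitted), and the leading-bytes check is an extra precaution that goes beyond the documented limits.

```python
import re
from pathlib import PurePath

MAX_BYTES = 5 * 1024 * 1024          # "5 MB"; binary megabytes is an assumption
MAX_FILES = 3                        # max files per onboarding process
ALLOWED_EXT = {"pdf", "jpg", "jpeg", "png", "docx", "doc", "txt"}
NAME_RE = re.compile(r"[A-Za-z0-9_-]+")   # ASCII-only is an assumption

# Well-known leading bytes of each binary format; txt has no signature.
MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "docx": b"PK\x03\x04",                          # docx is a ZIP container
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",     # OLE2 compound file
}


def check_attachment(file_name, content, existing_names, name=None):
    """Return (errors, replaces_existing) for one planned upload.

    file_name      -- local file name, used for the extension
    content        -- file bytes
    existing_names -- attachment names already stored for this process
    name           -- value of the optional 'name' form field
    """
    errors = []
    path = PurePath(file_name)
    ext = path.suffix.lstrip(".").lower()
    label = name if name is not None else path.stem

    if not NAME_RE.fullmatch(label):
        errors.append("name")        # spaces, dots, path separators, empty
    if ext not in ALLOWED_EXT:
        errors.append("type")
    elif ext in MAGIC and not content.startswith(MAGIC[ext]):
        errors.append("content")     # extension does not match the bytes
    if len(content) > MAX_BYTES:
        errors.append("size")

    # Attachments are located by name: an upload with an existing name
    # overwrites that attachment, whatever its file type, and therefore
    # does not count against the per-process limit.
    replaces_existing = label in existing_names
    if not replaces_existing and len(existing_names) >= MAX_FILES:
        errors.append("count")
    return errors, replaces_existing


if __name__ == "__main__":
    # Constructed sample: a PDF renamed to .png, with a space in its name.
    print(check_attachment("my file.png", b"%PDF-1.7\n", ["contract"]))
    # Constructed sample: a text file that would overwrite 'contract'.
    print(check_attachment("contract.txt", b"updated terms", ["contract"]))
```

A True in the second element means the upload would overwrite a stored attachment, so the caller can ask for confirmation or pick another name first.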

Headers

Header | Description
Authorization | Authentication token in the format Bearer <YOUR_ACCESS_TOKEN>
Content-Type | multipart/form-data

Request

The endpoint for adding an attachment to an onboarding process requires the onboarding process identifier to be sent in the URL. The fields of the request are detailed below:

Field | Type | Description | Required | Format
verificationId | string | Unique identifier of the onboarding process. | Yes | UUID
attachment | file | File to be attached to the onboarding process. | Yes | File
name | string | Name of the attachment. | No | Text

Below is an example of the request structure:

Curl
curl --location --request POST 'https://{GATEWAY-HOST}/api/attchachments/d80a9694-3250-4a4c-9169-385fd95e06fb' \
--header 'Authorization: Bearer Token' \
--form 'attachment=@/path/to/your/file.pdf' \
--form 'name=attachment_name'

Response

The response to the request to add an attachment to an onboarding process will be a JSON object with the following structure:

{
    "code": "OK",
    "description": "ATTACHMENT_UPLOADED_SUCCESSFULLY",
    "scanId": "xxxx-xxxx-xxxx-xxxx",
    "fileName": "attachment_name"
}

The response to the request to add an attachment to an onboarding process will be a JSON object with the following fields:

Field | Type | Description | Format
code | string | Result of the attachment upload process. | Text
description | string | Description of the result of the attachment upload process. | Text
scanId | string | Unique identifier of the attachment scan. | UUID
fileName | string | Name of the uploaded attachment. | Text

The possible responses to the request to add an attachment to an onboarding process are the following:

Code | Description | Comment
200 | OK. The request has been successfully completed. | The response will contain the result of the attachment upload process.
400 | Bad Request. Generally means that one or more required parameters are missing or incorrect in the request. It also means that the request is exceeding the limits set by the platform. | Verify that all required parameters are included and have the correct format in the request, and that the attachment does not exceed the limits set by the platform.
401 | Unauthorized. The credentials used to obtain the authentication token are incorrect or the user does not have access to the required resource. | Make sure to use the correct credentials (API Key and Secret) and that the JWT token is valid and has not expired, and that the process is valid.
403 | Forbidden. The user does not have permission to perform the action. | Ensure that the user has the necessary permissions to perform the action.
404 | Not Found. The onboarding process with the specified identifier does not exist. | Ensure that the onboarding process identifier is correct and that the onboarding process exists.

Get attachments of onboarding process

This endpoint allows you to retrieve the attachments info of an onboarding process. The response will contain a list of attachments with their details.

Headers

Header | Description
Authorization | Authentication token in the format Bearer <YOUR_ACCESS_TOKEN>
Accept | application/json

Request

The endpoint for retrieving the attachments of an onboarding process requires the onboarding process identifier to be sent in the URL. The fields of the request are detailed below:

Field | Type | Description | Required | Format
verificationId | string | Unique identifier of the onboarding process. | Yes | UUID

Below is an example of the request structure:

Curl
curl --location --request GET 'https://{GATEWAY-HOST}/api/attchachments/d80a9694-3250-4a4c-9169-385fd95e06fb' \
--header 'Authorization: Bearer Token' \
--header 'Accept: application/json'

Response

The response to the request to retrieve the attachments of an onboarding process will be a JSON object with the following structure:

{
    "attachments": [
        {
            "fileName": "file1",
            "url": "/api/attachments/xxxx-xxxx-xxxx-xxxx/file1",
            "date": "2025-07-15 15:17:07"
        },
        ...
    ]
}

The response to the request to retrieve the attachments of an onboarding process will be a JSON object with the following fields:

Field | Type | Description | Format
attachments | array | List of attachments of the onboarding process. Each attachment contains the following fields: | Array of objects
fileName | string | Name of the attachment. | Text
url | string | URL to download the attachment. | Text
date | string | Date when the attachment was uploaded. | DateTime

The possible responses to the request to retrieve the attachments of an onboarding process are the following:

Code | Description | Comment
200 | OK. The request has been successfully completed. | The response will contain the list of attachments of the onboarding process.
400 | Bad Request. Generally means that one or more required parameters are missing or incorrect in the request. | Verify that all required parameters are included and have the correct format in the request.
401 | Unauthorized. The credentials used to obtain the authentication token are incorrect or the user does not have access to the required resource. | Make sure to use the correct credentials (API Key and Secret) and that the JWT token is valid and has not expired, and that the process is valid.
403 | Forbidden. The user does not have permission to perform the action. | Ensure that the user has the necessary permissions to perform the action.
404 | Not Found. The onboarding process with the specified identifier does not exist. | Ensure that the onboarding process identifier is correct and that the onboarding process exists.

Download attachment of onboarding process

This endpoint allows you to download an attachment of an onboarding process. The response will contain the file content of the requested attachment.

Headers

Header | Description
Authorization | Authentication token in the format Bearer <YOUR_ACCESS_TOKEN>
Accept | */*

Request

The endpoint for downloading an attachment of an onboarding process requires the onboarding process identifier and the attachment name to be sent in the URL. The fields of the request are detailed below:

Field | Type | Description | Required | Format
verificationId | string | Unique identifier of the onboarding process. | Yes | UUID
name | string | Name of the attachment to be downloaded. | Yes | Text

Below is an example of the request structure:

Curl
curl --location --request GET 'https://{GATEWAY-HOST}/api/attchachments/d80a9694-3250-4a4c-9169-385fd95e06fb/file1' \
--header 'Authorization: Bearer Token' \
--header 'Accept: */*'

Response

The response to the request to download an attachment of an onboarding process will be the file content of the requested attachment.

binary data here

Add extra data to onboarding process

This endpoint allows you to add extra data to an onboarding process. The extra data can be any additional information that the integrator deems necessary for the verification process.

Headers

Header | Description
Authorization | Authentication token in the format Bearer <YOUR_ACCESS_TOKEN>
Content-Type | application/json

Request body

The body of the request to add extra data to an onboarding process will be a JSON object with the following structure:

{
    "verificationId": "xxxx-xxxx-xxxx-xxxx",
    "extraData": {
        "key1": "value1",
        "key2": "value2"
    }
}

The following are the fields of the request:

Field | Type | Description | Required | Format
verificationId | string | Unique identifier of the onboarding process. | Yes | UUID
extraData | object | Object containing the extra data to be added to the onboarding process. | Yes | JSON object

Below is an example of the request structure:

Curl
curl --location --request POST 'https://{GATEWAY-HOST}/mobbscan-agent/addExtraVerificationProcessData' \
--header 'Authorization: Bearer Token' \
--header 'Content-Type: application/json' \
--data-raw '{
"verificationId": "xxxx-xxxx-xxxx-xxxx",
"extraData": {
"key1": "value1",
"key2": "value2"
}
}'

Response

The response to the request to add extra data to an onboarding process will be a JSON object with the following structure:

{
    "status": "OK",
    "description": "EXTRA DATA ADDED SUCCESSFULLY"
}

The response to the request to add extra data to an onboarding process will be a JSON object with the following fields:

Field | Type | Description | Format
status | string | Result of the extra data addition process. | Text
description | string | Description of the result of the extra data addition process. | Text

The possible responses to the request to add extra data to an onboarding process are the following:

Code | Description | Comment
200 | OK. The request has been successfully completed. | The response will contain the result of the extra data addition process.
400 | Bad Request. Generally means that one or more required parameters are missing or incorrect in the request. | Verify that all required parameters are included and have the correct format in the request.
401 | Unauthorized. The credentials used to obtain the authentication token are incorrect or the user does not have access to the required resource. | Make sure to use the correct credentials (API Key and Secret) and that the JWT token is valid and has not expired, and that the process is valid.
403 | Forbidden. The user does not have permission to perform the action. | Ensure that the user has the necessary permissions to perform the action.
404 | Not Found. The onboarding process with the specified identifier does not exist. | Ensure that the onboarding process identifier is correct and that the onboarding process exists.

Get extra data of onboarding process

This endpoint allows you to retrieve the extra data of an onboarding process. The response will contain the extra data added to the onboarding process.

Headers

Header | Description
Authorization | Authentication token in the format Bearer <YOUR_ACCESS_TOKEN>
Accept | application/json

Request

The endpoint for retrieving the extra data of an onboarding process requires the onboarding process identifier to be sent in the URL. The fields of the request are detailed below:

Field | Type | Description | Required | Format
verificationId | string | Unique identifier of the onboarding process. | Yes | UUID

Below is an example of the request structure:

Curl
curl --location --request GET 'https://{GATEWAY-HOST}/mobbscan-agent/getExtraVerificationProcessData/d80a9694-3250-4a4c-9169-385fd95e06fb' \
--header 'Authorization: Bearer Token' \
--header 'Accept: application/json'

Response

The response to the request to retrieve the extra data of an onboarding process will be a JSON array with the following structure:

[
   {
        "key": "key_name",
        "value": "value",
        "verificationId": "xxxx-xxxx-xxxx-xxxx"
    }
    ...
]

Each element of the array returned when retrieving the extra data of an onboarding process is a JSON object with the following fields:

Field | Type | Description | Format
key | string | Key of the extra data added to the onboarding process. | Text
value | string | Value of the extra data added to the onboarding process. | Text
verificationId | string | Unique identifier of the onboarding process. | UUID

The possible responses to the request to retrieve the extra data of an onboarding process are the following:

Code | Description | Comment
200 | OK. The request has been successfully completed. | The response will contain the extra data of the onboarding process.
400 | Bad Request. Generally means that one or more required parameters are missing or incorrect in the request. | Verify that all required parameters are included and have the correct format in the request.
401 | Unauthorized. The credentials used to obtain the authentication token are incorrect or the user does not have access to the required resource. | Make sure to use the correct credentials (API Key and Secret) and that the JWT token is valid and has not expired, and that the process is valid.
403 | Forbidden. The user does not have permission to perform the action. | Ensure that the user has the necessary permissions to perform the action.
404 | Not Found. The onboarding process with the specified identifier does not exist. | Ensure that the onboarding process identifier is correct and that the onboarding process exists.

Delete attachment of onboarding process

This endpoint allows you to delete an attachment of an onboarding process. Once the attachment is deleted, it cannot be recovered.

Headers

Header | Description
Authorization | Authentication token in the format Bearer <YOUR_ACCESS_TOKEN>
Accept | application/json

Request

The endpoint for deleting an attachment of an onboarding process requires the onboarding process identifier and the attachment name to be sent in the URL. The fields of the request are detailed below:

Field | Type | Description | Required | Format
verificationId | string | Unique identifier of the onboarding process. | Yes | UUID
name | string | Name of the attachment to be deleted. | Yes | Text

Below is an example of the request structure:

Curl
curl --location --request DELETE 'https://{GATEWAY-HOST}/api/attchachments/d80a9694-3250-4a4c-9169-385fd95e06fb/file1' \
--header 'Authorization: Bearer Token' \
--header 'Accept: application/json'

Response

The response to the request to delete an attachment of an onboarding process will be a 204 No Content response, indicating that the attachment has been successfully deleted.

HTTP/1.1 204 No Content

The response to the request to delete an attachment of an onboarding process will not contain any content.

The possible responses to the request to delete an attachment of an onboarding process are the following:

Code | Description | Comment
204 | No Content. The request has been successfully completed and the attachment has been deleted. | The response will not contain any content.
400 | Bad Request. Generally means that one or more required parameters are missing or incorrect in the request. | Verify that all required parameters are included and have the correct format in the request.
401 | Unauthorized. The credentials used to obtain the authentication token are incorrect or the user does not have access to the required resource. | Make sure to use the correct credentials (API Key and Secret) and that the JWT token is valid and has not expired, and that the process is valid.
403 | Forbidden. The user does not have permission to perform the action. | Ensure that the user has the necessary permissions to perform the action.
404 | Not Found. The onboarding process with the specified identifier or the attachment with the specified name does not exist. | Ensure that the onboarding process identifier and the attachment name are correct and that the onboarding process and the attachment exist.

Search onboarding processes

This endpoint allows you to search for onboarding processes based on various criteria such as status, document number, date range and even extra data. The response will contain a list of onboarding processes that match the search criteria.

Headers

Header | Description
Authorization | Authentication token in the format Bearer <YOUR_ACCESS_TOKEN>
Accept | application/json

Request

The endpoint for searching onboarding processes receives the filters as request parameters in the URL. The integrator can filter by any of the most relevant fields of the onboarding process. To make the search as flexible as possible, the integrator can also use any of the extra data added to the onboarding process. All applied filters are combined with an AND operator, so the more filters applied, the more specific the search will be.

Parameter requirements

⚠️ Important: all parameters must be URL-encoded.

This request accepts multiple types of parameters and they can be categorized into three types:

  • Filter parameters
  • Sorting criteria parameters
  • Pagination parameters

Filter parameters

Filter parameters define the criteria that the returned onboarding processes must meet. Each filter follows the structure <attributeId>[operator]=<value>, where:

  • attributeId is the name of the attribute to filter by (e.g., verificationId, creationTime).
  • [operator] specifies the type of filter and can be [eq] (equality), [in] (inclusion in a set), or [between] (range). If you omit this field, the equality ([eq]) operator will be used.
  • <value> is the value to match, which can be a number, text, or an ISO 8601 datetime string.

Examples:

  • Filter by a specific verificationStatus value: verificationStatus=ACTIVATED_MANUAL, or verificationStatus[eq]=ACTIVATED_MANUAL if you want to explicitly use the equality filter.
  • Filter by multiple allowed verificationStatus statuses: verificationStatus[in]=ACTIVATED_AUTO&verificationStatus[in]=ACTIVATED_MANUAL.
  • Filter by a range of dates for the verificationTime attribute: verificationTime[between]=2024-01-01T13:30:45&verificationTime[between]=2025-01-01T13:30:45

There are two filters, creationTimeMax and creationTimeMin, that serve as an alias for creationTime[between]=<provided_datetime>&creationTime[between]=<provided_datetime>. You can use either of them.

Sorting parameters

Sorting parameters specify the ordering criteria that the server uses to return results. The format is sortingField=<attributeId>[ASC|DESC], where <attributeId> refers to the attribute used for sorting (e.g., verificationTime). [ASC] and [DESC] specify the direction: ascending or descending, respectively. If no direction is provided, descending order is assumed.

To resolve ties, you can specify additional sorting criteria. Regardless of the sorting fields you choose, you must include sorting by verificationId as the last sorting field to guarantee unique ordering and correct pagination.

⚠️ Important: The order in which you specify the sortingField parameters directly determines the order of the results.

Examples:

  • Sorting by ascending verificationId: sortingField=verificationId or sortingField=verificationId[ASC]
  • Sorting by ascending creationTime (older first) and verificationId: sortingField=creationTime&sortingField=verificationId
  • Sorting by verificationStatus, descending creationTime and verificationId: sortingField=verificationStatus&sortingField=creationTime[DESC]&sortingField=verificationId

Pagination parameters

Finally, pagination parameters specify how to retrieve subsequent onboarding processes. Use the pageSize=<value> parameter to set the number of results per page, where <value> must be between 10 and 100. By default, a page size of 100 is used. Pagination is managed using cursor=<value> parameters, which work together with sortingField parameters.

For example, if you sort results by creationTime and verificationId using sortingField=creationTime&sortingField=verificationId, to get the next page you must include a cursor parameter after each sortingField: sortingField=creationTime&cursor=yyyy-MM-ddTHH:mm:ss&sortingField=verificationId&cursor=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx. This will return only the onboarding processes created after the specified cursor values. In practice, set each cursor parameter to the value of the corresponding field from the last item in the previous response.

Summary

Field | Type | Description | Required | Format
creationTimeMax | string | Maximum creation date of the onboarding process. The date must be in ISO 8601 format (yyyy-MM-ddTHH:mm:ss). | No | DateTime (yyyy-MM-ddTHH:mm:ss)
creationTimeMin | string | Minimum creation date of the onboarding process. The date must be in ISO 8601 format (yyyy-MM-ddTHH:mm:ss). | No | DateTime (yyyy-MM-ddTHH:mm:ss)
sortingField | string | Specify the field to use to order the results. Multiple parameters of this kind are accepted. | No | Text
cursor | string | A cursor parameter accompanies each sortingField parameter to enable pagination. For the first page you do not need to specify it. | No | Text
filterParam | string | The value of a specific field to filter by. | No | Text, boolean, number, ISO 8601 DateTime

The following table shows some of the most relevant fields you can use to set filters.

Field identifier | Type | Example
verificationId | string (UUID) | d80a9694-3250-4a4c-9169-385fd95e06fb
creationTime | string (DateTime) | 2025-02-07T09:54:28
verificationTime | string (DateTime) | 2025-02-07T09:54:28
verificationStatus | string (DateTime) | ACTIVATED_MANUAL
personalNumber | string | 99999999R
documentNumber | string | BAA000589
name | string | CARMEN
surname | string | JOHN DOE
firstSurname | string | JOHN
secondSurname | string | DOE
country | string (ISO 3166-1 alpha-3) | ESP
licenseId | string (UUID) | a7366484-303f-4218-85bb-fec743f72011

For more specific queries regarding any other field, please consult the support team.

The attributes defined within the verificationExtraData part of the request of section Generate onboarding process can also be used as filters. Ensure you use the exact attribute names, respecting case sensitivity.

Basic examples

Request to obtain onboarding processes created between 2025-03-29T08:00:00 and 2026-03-29T08:00:00 that satisfy the requirement of having two verificationExtraData attributes, customerId and email, set to 123456789 and test@test.test, respectively.

Curl
curl --location --request GET 'https://{GATEWAY-HOST}/mobbscan-agent/api/verifications?creationTimeMin=2025-03-29T08:00:00&creationTimeMax=2026-03-29T08:00:00&customerId=123456789&email=test@test.test' \
--header 'Authorization: Bearer Token' \
--header 'Accept: application/json'

Request to obtain onboarding processes created between the datetimes 2025-03-29T08:00:00 and 2026-03-29T08:00:00 whose verificationStatus is either REJECTED_MANUAL or REJECTED_AUTO.

Curl
curl --location --request GET 'https://{GATEWAY-HOST}/mobbscan-agent/api/verifications?creationTimeMin=2025-03-29T08:00:00&creationTimeMax=2026-03-29T08:00:00&verificationStatus%5Bin%5D=REJECTED_MANUAL&verificationStatus%5Bin%5D=REJECTED_AUTO' \
--header 'Authorization: Bearer Token' \
--header 'Accept: application/json'

Example with custom sorting criteria and pagination

To retrieve onboarding processes sorted by both creationTime and verificationId, specify each field as a sortingField parameter. The last sortingField should always be verificationId because it guarantees uniqueness and, therefore, correct pagination:

Curl
curl --location --request GET 'https://{GATEWAY-HOST}/mobbscan-agent/api/verifications?sortingField=creationTime&sortingField=verificationId' \
--header 'Authorization: Bearer Token' \
--header 'Accept: application/json'

Use cursor parameters in your next request to retrieve subsequent onboarding processes. The first cursor value is the URL-encoded creationTime of the last verification from the previous response, and the second is its verificationId:

Curl
curl --location --request GET 'https://{GATEWAY-HOST}/mobbscan-agent/api/verifications?sortingField=creationTime&cursor=yyyy-MM-ddTHH%3Amm%3Ass&sortingField=verificationId&cursor=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx' \
--header 'Authorization: Bearer Token' \
--header 'Accept: application/json'
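The filter, sorting and pagination rules above can be combined in one query builder that URL-encodes every parameter, repeats [in] and [between] keys, keeps verificationId as the last sorting field and pairs each sortingField with its cursor. This is an added example, not code from the MobbScan documentation: build_search_query is a hypothetical helper, the last item is a constructed sample, and cursor values are passed through exactly as they appear in the previous response, as the text above instructs.

```python
from urllib.parse import urlencode

OPERATORS = ("eq", "in", "between")


def build_search_query(filters=(), sort=(), last_item=None, page_size=None):
    """Return the URL-encoded query string for one search request.

    filters   -- iterable of (attribute, operator, values); values is a list
    sort      -- iterable of (attribute, direction); direction is "ASC",
                 "DESC" or None to leave the direction to the server
    last_item -- last verification of the previous page (dict), None for page 1
    page_size -- optional pageSize, 10 to 100
    """
    params = []
    for attribute, operator, values in filters:
        values = [str(v) for v in values]
        if operator not in OPERATORS:
            raise ValueError(f"unsupported operator {operator!r}")
        if operator == "eq" and len(values) != 1:
            raise ValueError("eq takes exactly one value")
        if operator == "between" and len(values) != 2:
            raise ValueError("between takes a lower and an upper bound")
        if not values:
            raise ValueError("in needs at least one value")
        # Equality is the default operator, so the bare attribute name is
        # sent; [in] and [between] repeat the same key once per value.
        key = attribute if operator == "eq" else f"{attribute}[{operator}]"
        params += [(key, v) for v in values]

    sort = list(sort)
    names = [attribute for attribute, _ in sort]
    if "verificationId" in names[:-1]:
        raise ValueError("verificationId must be the last sortingField")
    # verificationId as the final sorting field makes the ordering unique,
    # which the cursor needs in order to neither skip nor repeat items.
    if (sort or last_item is not None) and "verificationId" not in names:
        sort.append(("verificationId", None))

    for attribute, direction in sort:
        if direction not in (None, "ASC", "DESC"):
            raise ValueError(f"unsupported direction {direction!r}")
        field = attribute if direction is None else f"{attribute}[{direction}]"
        params.append(("sortingField", field))
        if last_item is not None:
            value = last_item.get(attribute)
            if value is None:
                # e.g. verificationTime is null for unverified processes
                raise ValueError(f"last item has no {attribute}; cannot build a cursor")
            params.append(("cursor", str(value)))

    if page_size is not None:
        if not 10 <= page_size <= 100:
            raise ValueError("pageSize must be between 10 and 100")
        params.append(("pageSize", str(page_size)))
    return urlencode(params)


if __name__ == "__main__":
    # Constructed sample: last item of a previous page.
    last = {"verificationId": "d80a9694-3250-4a4c-9169-385fd95e06fb",
            "creationTime": "2025-08-05T12:04:27.000Z"}
    print(build_search_query(
        filters=[("verificationStatus", "in", ["REJECTED_MANUAL", "REJECTED_AUTO"])],
        sort=[("creationTime", "ASC")], last_item=last, page_size=50))
```

Append the returned string after `?` on the /mobbscan-agent/api/verifications URL shown in the curl examples.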

Response

The response to the request to search onboarding processes will be a JSON array with the following structure:

[
    {
        "verificationId":"xxxx-xxxx-xxxx-xxxx",
        "creationTime":"2025-08-05T12:04:27.000Z",
        "verificationTime":null,
        "verificationStatus":"PENDING_VERIFICATION"
    
    }
    ...
]

Each element of the array returned by the search is a JSON object with the following fields:

Field | Type | Description | Format
verificationId | string | Unique identifier of the onboarding process. | UUID
creationTime | string | Date and time when the onboarding process was created. | DateTime (yyyy-MM-ddTHH:mm:ss.sssZ)
verificationTime | string | Date and time when the onboarding process was verified. | DateTime (yyyy-MM-ddTHH:mm:ss.sssZ)
verificationStatus | string | Status of the onboarding process. Possible values are: CREATED, PENDING, PENDING_VALIDATION, ACTIVATED_AUTO, ACTIVATED_MANUAL, REJECTED_AUTO, REJECTED_MANUAL. | Text

The possible responses to the request to search onboarding processes are the following:

Code | Description | Comment
200 | OK. The request has been successfully completed. | The response will contain the list of onboarding processes that match the search criteria.
400 | Bad Request. Generally means that one or more required parameters are missing or incorrect in the request. | Verify that all required parameters are included and have the correct format in the request.
401 | Unauthorized. The credentials used to obtain the authentication token are incorrect or the user does not have access to the required resource. | Make sure to use the correct credentials (API Key and Secret) and that the JWT token is valid and has not expired, and that the process is valid.
403 | Forbidden. The user does not have permission to perform the action. | Ensure that the user has the necessary permissions to perform the action.

Notification Status Change

The integrator can receive notifications of the status change of an onboarding process through a webhook. To do so, they need to configure the URL of their server where the notifications will be sent.

Request Body

The body of the status change notification request will be a JSON object with the following structure:

{
    "verificationId": "xxxx-xxxx-xxxx-xxxx",
    "status": "xxxx"
}

Below are the fields for the request:

Field | Type | Description | Required | Format
verificationId | string | Unique identifier of the onboarding process. | Yes | UUID
status | string | New status of the onboarding process. | Yes | Text

This webhook can include any headers that the integrator desires, such as Authorization, Content-Type, etc.

Below is an example of integrating a webhook on the integrator's server:

Flask
from flask import Flask, request

app = Flask(__name__)


@app.route('/webhook', methods=['POST'])
def webhook():
    # Parse the JSON body of the notification
    data = request.json
    verificationId = data['verificationId']
    status = data['status']
    print(f"Verification Id: {verificationId}")
    print(f"Status: {status}")
    # Acknowledge with 204 No Content
    return '', 204


if __name__ == '__main__':
    app.run(port=5000)

Spring Boot
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// WebhookRequest is a plain class with verificationId and status properties
// (getters and setters), matching the notification body.
@RestController
public class WebhookController {

    @PostMapping("/webhook")
    public ResponseEntity<Void> webhook(@RequestBody WebhookRequest request) {
        String verificationId = request.getVerificationId();
        String status = request.getStatus();
        System.out.println("Verification Id: " + verificationId);
        System.out.println("Status: " + status);
        // Acknowledge with 204 No Content
        return ResponseEntity.noContent().build();
    }
}

Node
const express = require('express');
const app = express();
app.use(express.json());

app.post('/webhook', (req, res) => {
    const { verificationId, status } = req.body;
    console.log(`Verification Id: ${verificationId}`);
    console.log(`Status: ${status}`);
    // send 204 No Content status
    res.status(204).end();
});

app.listen(5000, () => {
    console.log('Server running on port 5000');
});

C#
using Microsoft.AspNetCore.Mvc;

[Route("api/[controller]")]
[ApiController]
public class WebhookController : ControllerBase
{
    [HttpPost("webhook")]
    public IActionResult Webhook([FromBody] WebhookRequest request)
    {
        string verificationId = request.VerificationId;
        string status = request.Status;
        Console.WriteLine("Verification Id: " + verificationId);
        Console.WriteLine("Status: " + status);
        return NoContent();
    }
}

public class WebhookRequest
{
    public string VerificationId { get; set; }
    public string Status { get; set; }
}

<?php

namespace App\Http\Controllers;

use Illuminate\Http\Request;

class WebhookController extends Controller
{
public function webhook(Request $request)
{
$verificationId = $request->input('verificationId');
$status = $request->input('status');
\Log::info("Verification Id: " . $verificationId);
\Log::info("Status: " . $status);
return response()->noContent();
}
}

The possible states to which the integrator can subscribe are the following:

| State | Description |
| --- | --- |
| PENDING_VERIFICATION | The onboarding process is pending verification. |
| PENDING_VALIDATION | The onboarding process is pending validation by the integrator. This allows the integrator to decide whether to accept or reject the process automatically based on their defined criteria, before sending it for manual review if applicable. |
| VERIFIED | The onboarding process has been successfully verified. |
| NOT_VERIFIED | The onboarding process has been rejected. |
| VIDEO_AVAILABLE | The onboarding process video is available. |
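
The handlers above accept any POST. The following receiver-side check is an added example, not part of the MobbScan documentation: it authenticates the delivery and validates both fields against the formats and states listed above before anything acts on them. The function name, the body size cap and the use of a shared secret in the Authorization header are assumptions; the sample values in the comments are constructed.

```python
import hmac
import json
import uuid

# States listed in the subscription table above.
KNOWN_STATES = frozenset({
    "PENDING_VERIFICATION", "PENDING_VALIDATION", "VERIFIED",
    "NOT_VERIFIED", "VIDEO_AVAILABLE",
})
MAX_BODY_BYTES = 4096  # assumption: two short fields never need more


def validate_notification(headers, raw_body, expected_secret):
    """Return (http_status, payload_or_None) for one webhook delivery.

    headers: mapping of request headers; raw_body: bytes exactly as received;
    expected_secret: the Authorization value configured for this webhook
    (assumption: a static shared secret, e.g. "Bearer <random token>").
    """
    # Header names are case-insensitive on the wire.
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get("authorization", "")
    # Constant-time comparison on bytes, so timing does not leak the secret
    # and non-ASCII input cannot raise.
    if not expected_secret or not hmac.compare_digest(
            presented.encode("utf-8"), expected_secret.encode("utf-8")):
        return 401, None
    if not lowered.get("content-type", "").lower().startswith("application/json"):
        return 415, None
    if len(raw_body) > MAX_BODY_BYTES:
        return 413, None
    try:
        data = json.loads(raw_body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, None
    if not isinstance(data, dict):
        return 400, None
    vid, status = data.get("verificationId"), data.get("status")
    if not isinstance(vid, str) or not isinstance(status, str):
        return 400, None
    try:
        # Canonicalise so later lookups and log lines use one spelling.
        vid = str(uuid.UUID(vid))
    except ValueError:
        return 400, None
    if status not in KNOWN_STATES:
        return 400, None
    return 204, {"verificationId": vid, "status": status}
```

In the Flask handler this would be called as validate_notification(request.headers, request.get_data(), secret). Because the body carries only an identifier and a status, confirm the state through the check onboarding process result endpoint before acting on it.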

S2S Integration

This section describes the endpoints specific to S2S (Server-to-Server) integration with the MobbScan API. S2S integration allows integrators to fully control the user experience, from the UI to the data capture process, without relying on MobbScan's frontend.

Authentication

To authenticate the scan, detect and identity verification requests to the MobbScan API, use the onboarding-token obtained from the create onboarding process endpoint. This token authenticates each step of the scan process and must be included in the headers of every request.

Start Scan Process

This endpoint allows you to start a new scan process for an onboarding process. With this endpoint, the integrator will send the necessary parameters for configuring the scan process.

Headers

| Header | Description |
| --- | --- |
| onboarding-token | Authentication token obtained from the create onboarding process endpoint in the format xxxx-xxxx-xxxx-xxxx |
| Accept | application/json |

Request

The endpoint for starting a scan process will receive the following fields in the request:

| Field | Type | Description | Required | Format |
| --- | --- | --- | --- | --- |
| scanId | string | Unique identifier of the scan process. The scanId is generated when creating the onboarding process. | Yes | UUID |
| clientVersion | string | Version of the client that is making the request. This is used for logging and debugging purposes. The client version should contain the SDK version, platform, browser, and operating system information, to make it easier to detect issues or gather statistics. | No | Text |

Below is an example of the request structure:

Curl
curl --location --request POST 'https://{GATEWAY-HOST}/mobbscan-agent/scan/start' \
--header 'onboarding-token: xxxx-xxxx-xxxx-xxxx' \
--header 'Accept: application/json' \
--form 'scanId="xxxx-xxxx-xxxx-xxxx"' \
--form 'clientVersion="sdk3.0.0_Web_PC_Chrome_111_Mac_10.15.7_Macintosh"'

Response

The response to the request to start a new scan process will be a JSON object with the following structure:

{
    "code": "OK",
    "description": "START_SCAN_SUCCESS",
    "scanId": "xxxx-xxxx-xxxx-xxxx"
}

The response to the request to start a new scan process will be a JSON object with the following fields:

| Field | Type | Description | Format |
| --- | --- | --- | --- |
| code | string | Result of the scan process start. Possible values are: OK, ERROR. | Text |
| description | string | Description of the result of the scan process start. Possible values are: START_SCAN_SUCCESS, ERROR_START_SCAN_FAILED. | Text |
| scanId | string | Unique identifier of the scan process. The scanId is generated when creating the onboarding process. | UUID |

The possible responses to the request to start a new scan process are the following:

| Code | Description | Comment |
| --- | --- | --- |
| 200 | OK. The request has been successfully completed. | The response will contain the result of the scan process start. |
| 400 | Bad Request. Generally means that one or more required parameters are missing or incorrect in the request. | Verify that all required parameters are included and have the correct format in the request. |
| 401 | Unauthorized. The token used to authenticate the request is incorrect or has expired. | Make sure to use the correct token and that it has not expired. |
| 500 | Internal Server Error. An error occurred on the server while processing the request. | This is a generic error and can be caused by various issues on the server side. |

Scan document

This endpoint allows you to scan a document for an onboarding process. The integrator should send both sides of the document (front and back) in the request (or just the back side in the case of passports). The document will be scanned and the result will be returned in the response.

Headers

| Header | Description |
| --- | --- |
| onboarding-token | Authentication token obtained from the create onboarding process endpoint in the format xxxx-xxxx-xxxx-xxxx |
| Accept | application/json |

Request

The endpoint for scanning a document will receive the following fields in the request:

| Field | Type | Description | Required | Format |
| --- | --- | --- | --- | --- |
| scanId | string | Unique identifier of the scan process. The scanId is generated when creating the onboarding process. | Yes | UUID |
| front | file | Front side of the document to be scanned. The file must be in PNG or JPEG format. | Yes | Image file (PNG or JPEG) |
| back | file | Back side of the document to be scanned. The file must be in PNG or JPEG format. | Yes | Image file (PNG or JPEG) |
| isDocumentCropped | boolean | Indicates whether the document is cropped or not. If the document is cropped, the integrator should set this field to true. It is recommended to set this field to false and let the MobbScan server crop the document automatically. | Yes | Boolean (true or false) |

Below is an example of the request structure:

Curl
curl --location --request POST 'https://{GATEWAY-HOST}/mobbscan-agent/scan' \
--header 'onboarding-token: xxxx-xxxx-xxxx-xxxx' \
--form 'scanId="xxxx-xxxx-xxxx-xxxx"' \
--form 'front=@"/path/to/front/image.png"' \
--form 'back=@"/path/to/back/image.png"' \
--form 'isDocumentCropped="true"'

Response

The response to the request to scan a document will be a JSON object with the following structure:

{
    "code": "OK",
    "description": "SCAN_DOCUMENT_SUCCESS",
    "scanId": "41191176-cc2b-433f-9950-685bad58fbbc",
    "document": {
        "personalNumber": "99999999R",
        "documentNumber": "BAA000431",
        "documentType": "ESPIDCardV3",
        "name": "CARMEN",
        "surname": "ESPAÑOLA ESPAÑOLA",
        "firstSurname": "ESPAÑOLA",
        "secondSurname": "ESPAÑOLA",
        "gender": "F",
        "dateOfExpiry": "01/01/2025",
        "dateOfBirth": "01/01/1980",
        "nationality": "ESP",
        "issuingState": "ESP",
        "mrz": "IDESPBAA000431599999999R<<<<<<8001010F2501018ESP<<<<<<<<<<<6ESPANOLA<ESPANOLA<<CARMEN<<<<<",
        "dateOfIssuing": null,
        "validationFrontAppearance": "NOT_VALID",
        "validationBackAppearance": "VALID",
        "validationBothSidesMatch": "VALID",
        "validationBothSidesMatchScore": "100",
        "validationMRZ": "NOT_VALID",
        "validationMRZCheckDocumentNumber": "VALID",
        "validationMRZCheckPersonalNumber": "VALID",
        "validationMRZCheckDateOfBirth": "NOT_VALID",
        "validationMRZCheckDateOfExpiry": "NOT_VALID",
        "validationMRZCheckComposite": "VALID",
        "validationDocumentNumber": "VALID",
        "validationPersonalNumber": "VALID",
        "validationMRZNameSurnameSeparator": "VALID",
        "validationMRZSurnameSeparator": "VALID",
        "validationSex": "VALID",
        "validationGender": "VALID",
        "validationNationality": "VALID",
        "validationFrontAppearanceScore": 0.0,
        "validationBackAppearanceScore": 100.0,
        "validationFacialMatchingScore": -1.0,
        "validationDateOfBirth": "VALID",
        "validationDateOfExpiry": "VALID",
        "validationDocumentNotExpired": "NOT_VALID",
        "validationLegalAge": "VALID",
        "validationAllowedIssuingState": "NOT_CHECKED",
        "validationIssuingState": "VALID",
        "validationFrontNotPhotocopy": "VALID",
        "validationBackNotPhotocopy": "VALID",
        "validationFrontPhotocopyScore": 0.0,
        "validationBackPhotocopyScore": 0.0,
        "validationDocument": "NOT_VALID",
        "validationDocumentContent": "NOT_VALID",
        "validationDocumentForensics": "NOT_CHECKED",
        "validationNotSpecimen": "NOT_VALID",
        "validationDateOfIssuing": "NOT_CHECKED",
        "validationDatesRelationship": "VALID",
        "mrzData": {
            "dateOfExpiry": "01/01/2025",
            "gender": "F",
            "nationality": "ESP",
            "surname": "ESPANOLA ESPANOLA",
            "documentNumber": "BAA000431",
            "name": "CARMEN",
            "dateOfBirth": "01/01/1980",
            "personalNumber": "99999999R"
        },
        "vizData": {
            "dateOfExpiry": "01/01/2025",
            "gender": "F",
            "nationality": "ESP",
            "surname": "ESPAÑOLA ESPAÑOLA",
            "documentNumber": "BAA000431",
            "name": "CARMEN",
            "dateOfBirth": "01/01/1980",
            "personalNumber": "99999999R"
        },
        "validationFaceLaserMarkScore": -1.0,
        "parents": "JUAN / CARMEN",
        "region": "MADRID",
        "regionOfBirth": "MADRID",
        "countryOfBirth": "ESPAÑA",
        "address": "DOMICIO",
        "city": "AVDA DE MADRID S-N",
        "cityOfBirth": "MADRID",
        "laserMark": null,
        "validationNameBothSidesMatch": "VALID",
        "validationSurnameBothSidesMatch": "VALID",
        "validationPersonalNumberBothSidesMatch": "VALID",
        "validationDocumentNumberBothSidesMatch": "VALID",
        "validationDateOfBirthBothSidesMatch": "VALID",
        "validationDateOfExpiryBothSidesMatch": "VALID",
        "validationSexBothSidesMatch": "VALID",
        "validationGenderBothSidesMatch": "VALID",
        "validationNationalityBothSidesMatch": "VALID",
        "validationPersonalNumberFormat": "VALID",
        "validationDocumentNumberFormat": "VALID",
        "validationNameNotEmpty": "VALID",
        "validationSurnameNotEmpty": "VALID",
        "validationLaserMark": "NOT_CHECKED",
        "validationNameBothSidesMatchScore": "100",
        "validationSurnameBothSidesMatchScore": "100"
    },
    "clientVersion": "sdk3.0.0_Web_PC_Chrome_111_Mac_10.15.7_Macintosh",
    "scanProcessValidationResult": {
        "enabledProcess": true,
        "scanProcessValidationResult": "NOT_VALID",
        "scanProcessFailedValidations": [
            "validationDocumentNotSpecimen",
            "validationMRZ",
            "validationDocumentNotExpired"
        ]
    }
}

The response to the request to scan a document will be a JSON object with the following fields:

| Field | Type | Description | Format |
| --- | --- | --- | --- |
| code | string | Result of the scan process. Possible values are: OK, ERROR. | Text |
| description | string | Description of the result of the scan process. Possible values are: SCAN_DOCUMENT_SUCCESS, ERROR_SCAN_DOCUMENT_FAILED. | Text |
| scanId | string | Unique identifier of the scan process. The scanId is generated when creating the onboarding process. | UUID |
| document | object | Object containing the scanned document data. The fields of the document object are detailed below. | Object |
| clientVersion | string | Version of the client that is making the request. This is used for logging and debugging purposes. The client version should contain the SDK version, platform, browser, and operating system information, to make it easier to detect issues or gather statistics. | Text |
| scanProcessValidationResult | object | Object containing the scan process validation result. The fields of the scan process validation result object are detailed below. | Object |

The fields of the document object are detailed below:

| Field | Type | Description | Format |
| --- | --- | --- | --- |
| personalNumber | string | Personal number of the document holder. | Text |
| documentNumber | string | Document number of the document holder. | Text |
| documentType | string | Specific type of the document. | Text |
| name | string | Name of the document holder. | Text |
| surname | string | Full surname of the document holder. | Text |
| firstSurname | string | First surname of the document holder. | Text |
| secondSurname | string | Second surname of the document holder. | Text |
| gender | string | Gender of the document holder. Possible values are: M, F. | Text |
| dateOfExpiry | string | Date of expiry of the document. | DateTime (dd/MM/yyyy) |
| dateOfBirth | string | Date of birth of the document holder. | DateTime (dd/MM/yyyy) |
| nationality | string | Nationality of the document holder. | Text |
| issuingState | string | Issuing state of the document. | Text |
| mrz | string | Machine Readable Zone (MRZ) of the document. | Text |
| dateOfIssuing | string | Date of issuing of the document. | DateTime (dd/MM/yyyy) |
| validationFrontAppearance | string | Validation result of the front appearance of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationBackAppearance | string | Validation result of the back appearance of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationBothSidesMatch | string | Validation result of the both sides match of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationBothSidesMatchScore | string | Score of the validation of the both sides match of the document. | Text |
| validationMRZ | string | Validation result of the MRZ of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationMRZCheckDocumentNumber | string | Validation result of the MRZ document number check of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationMRZCheckPersonalNumber | string | Validation result of the MRZ personal number check of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationMRZCheckDateOfBirth | string | Validation result of the MRZ date of birth check of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationMRZCheckDateOfExpiry | string | Validation result of the MRZ date of expiry check of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationMRZCheckComposite | string | Validation result of the MRZ composite check of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationDocumentNumber | string | Validation result of the document number of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationPersonalNumber | string | Validation result of the personal number of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationMRZNameSurnameSeparator | string | Validation result of the MRZ name surname separator of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationMRZSurnameSeparator | string | Validation result of the MRZ surname separator of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationSex | string | Validation result of sex of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationGender | string | Validation result of gender of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationNationality | string | Validation result of nationality of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationFrontAppearanceScore | number | Score of the validation of the front appearance of the document. | Number |
| validationBackAppearanceScore | number | Score of the validation of the back appearance of the document. | Number |
| validationFacialMatchingScore | number | Score of the facial matching of the document. If the facial matching is not performed, the value will be -1. | Number |
| validationDateOfBirth | string | Validation result of the date of birth of the document holder. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationDateOfExpiry | string | Validation result of the date of expiry of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationDocumentNotExpired | string | Validation result of the document not expired. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationLegalAge | string | Validation result of the legal age of the document holder. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationAllowedIssuingState | string | Validation result of the allowed issuing state of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationIssuingState | string | Validation result of the issuing state of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationFrontNotPhotocopy | string | Validation result of the front not photocopy of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationBackNotPhotocopy | string | Validation result of the back not photocopy of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationFrontPhotocopyScore | number | Score of the validation of the front photocopy of the document. If the document is not a photocopy, the value will be 0. | Number |
| validationBackPhotocopyScore | number | Score of the validation of the back photocopy of the document. If the document is not a photocopy, the value will be 0. | Number |
| validationDocument | string | Validation result of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationDocumentContent | string | Validation result of the document content. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationDocumentForensics | string | Validation result of the document forensics. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationNotSpecimen | string | Validation result of the document not being a specimen. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationDateOfIssuing | string | Validation result of the date of issuing of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationDatesRelationship | string | Validation result of the dates relationship of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| mrzData | object | Object containing the MRZ data of the document. The fields of the mrzData object are detailed below. | Object |
| vizData | object | Object containing the VIZ (visual) data of the document. The fields of the vizData object are detailed below. | Object |
| validationFaceLaserMarkScore | number | Score of the validation of the face laser mark of the document. If the face laser mark is not present, the value will be -1. | Number |
| parents | string | Parents of the document holder. | Text |
| region | string | Region of the document holder. | Text |
| regionOfBirth | string | Region of birth of the document holder. | Text |
| countryOfBirth | string | Country of birth of the document holder. | Text |
| address | string | Address of the document holder. | Text |
| city | string | City of the document holder. | Text |
| cityOfBirth | string | City of birth of the document holder. | Text |
| laserMark | string | Laser mark of the document. If the laser mark is not present, the value will be null. | Text |
| validationNameBothSidesMatch | string | Validation result of the name both sides match of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationSurnameBothSidesMatch | string | Validation result of the surname both sides match of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationPersonalNumberBothSidesMatch | string | Validation result of the personal number both sides match of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationDocumentNumberBothSidesMatch | string | Validation result of the document number both sides match of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationDateOfBirthBothSidesMatch | string | Validation result of the date of birth both sides match of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationDateOfExpiryBothSidesMatch | string | Validation result of the date of expiry both sides match of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationSexBothSidesMatch | string | Validation result of the sex both sides match of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationGenderBothSidesMatch | string | Validation result of the gender both sides match of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationNationalityBothSidesMatch | string | Validation result of the nationality both sides match of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationPersonalNumberFormat | string | Validation result of the personal number format of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationDocumentNumberFormat | string | Validation result of the document number format of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationNameNotEmpty | string | Validation result of the name not being empty of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationSurnameNotEmpty | string | Validation result of the surname not being empty of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationLaserMark | string | Validation result of the laser mark of the document. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| validationNameBothSidesMatchScore | string | Score of the validation of the name both sides match of the document. | Text |
| validationSurnameBothSidesMatchScore | string | Score of the validation of the surname both sides match of the document. From 0 to 100. | Text |

The fields of the mrzData object are detailed below:

| Field | Type | Description | Format |
| --- | --- | --- | --- |
| dateOfExpiry | string | Date of expiry of the document extracted from the MRZ. | DateTime (dd/MM/yyyy) |
| gender | string | Gender of the document holder extracted from the MRZ. Possible values are: M, F. | Text |
| nationality | string | Nationality of the document holder extracted from the MRZ. | Text |
| surname | string | Full surname of the document holder extracted from the MRZ. | Text |
| documentNumber | string | Document number of the document holder extracted from the MRZ. | Text |
| name | string | Name of the document holder extracted from the MRZ. | Text |
| dateOfBirth | string | Date of birth of the document holder extracted from the MRZ. | DateTime (dd/MM/yyyy) |
| personalNumber | string | Personal number of the document holder extracted from the MRZ. | Text |

The fields of the vizData object are detailed below:

| Field | Type | Description | Format |
| --- | --- | --- | --- |
| dateOfExpiry | string | Date of expiry of the document extracted from the visual data. | DateTime (dd/MM/yyyy) |
| gender | string | Gender of the document holder extracted from the visual data. Possible values are: M, F. | Text |
| nationality | string | Nationality of the document holder extracted from the visual data. | Text |
| surname | string | Full surname of the document holder extracted from the visual data. | Text |
| documentNumber | string | Document number of the document holder extracted from the visual data. | Text |
| name | string | Name of the document holder extracted from the visual data. | Text |
| dateOfBirth | string | Date of birth of the document holder extracted from the visual data. | DateTime (dd/MM/yyyy) |
| personalNumber | string | Personal number of the document holder extracted from the visual data. | Text |

Depending on the use case, the integrator can use a personalized validation process to determine whether the process is valid. To configure the validation matrix, contact the MobbScan support team, who will analyze the use case and configure the matrix with the validations best suited to it.

If the validation matrix is configured, the integrator should check the scanProcessValidationResult field to get the result of the scan process validation. The scanProcessValidationResult field will contain the result of the scan process validation and the scanProcessFailedValidations field will contain the names of the validations that have failed in the scan process validation. With this information, the integrator can determine what to do next in the onboarding process.

The fields of the scanProcessValidationResult object are detailed below:

| Field | Type | Description | Format |
| --- | --- | --- | --- |
| enabledProcess | boolean | Indicates whether the scan process matrix validation is enabled or not. If the scan process matrix validation is enabled, the integrator should check the scanProcessValidationResult field to get the result of the scan process validation. | Boolean |
| scanProcessValidationResult | string | Result of the scan process validation. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| scanProcessFailedValidations | array | Array of strings containing the names of the validations that have failed in the scan process validation. If the scan process validation is NOT_VALID, this array will contain the names of the validations that have failed. If the scan process validation is VALID, this array will be empty. | Array of strings |

Possible Responses

| Code | Description | Comment |
| --- | --- | --- |
| 200 | OK. The request has been successfully completed. | The response will contain the result of the document scan. |
| 400 | Bad Request. Generally means that one or more required parameters are missing or incorrect in the request. | Verify that all required parameters are included and have the correct format in the request. |
| 401 | Unauthorized. The token used to authenticate the request is incorrect or has expired. | Make sure to use the correct token and that it has not expired. |
| 500 | Internal Server Error. An error occurred on the server while processing the request. | This is a generic error and can be caused by various issues on the server side. |

Identity verification

This endpoint allows you to verify the identity of a user against the scanned document and perform the liveness check. The integrator should send the scanId obtained from the scan document endpoint and a video of the user performing the liveness check. The video will be processed and the result will be returned in the response.

Headers

| Header | Description |
| --- | --- |
| onboarding-token | Authentication token obtained from the create onboarding process endpoint in the format xxxx-xxxx-xxxx-xxxx |
| Accept | application/json |

Request

The endpoint for verifying the identity will receive the following fields in the request:

| Field | Type | Description | Required | Format |
| --- | --- | --- | --- | --- |
| scanId | string | Unique identifier of the scan process. The scanId is generated when creating the onboarding process. | Yes | UUID |
| livenessMethod | integer | Method to perform the liveness check. Possible values are: 0 -> Head Movement (deprecated), 1 -> No Movement. | Yes | Integer |
| returnFaceImages | boolean | Indicates whether to return the face images or not. If the integrator wants to receive the face images, this field should be set to true. | No | Boolean |
| video | file | Video of the user performing the liveness check. The file must be in MP4 format. | Yes | Video file (MP4) |

Below is an example of the request structure:

Curl
curl --location --request POST 'https://{GATEWAY-HOST}/mobbscan-agent/identityVerification?scanId=xxxx-xxxx-xxxx-xxxx&livenessMethod=1&returnFaceImages=true' \
--header 'onboarding-token: xxxx-xxxx-xxxx-xxxx' \
--form 'video=@"/path/to/video.mp4"'

Response

The response to the request to verify the identity will be a JSON object with the following structure:

{
    "code": 0,
    "description": "Identity verification transaction finished successfully",
    "timestamp": "2025-09-16 16:13:15.063",
    "scanId": "22fc6001-ed8f-471f-a013-3ad1254852f0",
    "scores": {
        "liveness": 1.0,
        "faceMatching": 0.77,
        "identityVerification": 0.89
    },
    "validations": {
        "liveness": "VALID",
        "faceMatching": "VALID",
        "identityVerification": "VALID"
    },
    "faceDocument": "/9j/4AA...",
    "faceSelfie": "/9j/4AAQ...",
    "resultScanProcessValidation": {
        "enabledProcess": true,
        "scanProcessValidationResult": "VALID",
        "scanProcessFailedValidations": []
    },
    "mobbIdRegistration": {
        "result": "DISABLED_MOBB_ID_REGISTRATION",
        "completed": false
    }
}

The response to the request to verify the identity will be a JSON object with the following fields:

| Field | Type | Description | Format |
| --- | --- | --- | --- |
| code | integer | Result of the identity verification process. If the identity verification process was successful, the value will be 0. Otherwise, it will be a negative value indicating an error. | Integer |
| description | string | Description of the result of the identity verification process. | Text |
| timestamp | string | Timestamp of the identity verification process. | DateTime (yyyy-MM-dd HH:mm:ss.SSS) |
| scanId | string | Unique identifier of the scan process. The scanId is generated when creating the onboarding process. | UUID |
| scores | object | Object containing the scores of the identity verification process. The fields of the scores object are detailed below. | Object |
| validations | object | Object containing the validations of the identity verification process. The fields of the validations object are detailed below. | Object |
| faceDocument | string | Base64 encoded image of the face extracted from the document. If the returnFaceImages parameter is set to true, this field will contain the face image extracted from the document. If the returnFaceImages parameter is set to false, this field will be empty. | Base64 encoded string |
| faceSelfie | string | Base64 encoded image of the face extracted from the selfie. If the returnFaceImages parameter is set to true, this field will contain the face image extracted from the selfie. If the returnFaceImages parameter is set to false, this field will be empty. | Base64 encoded string |
| resultScanProcessValidation | object | Object containing the result of the scan process validation. The fields of the resultScanProcessValidation object are detailed below. | Object |
| mobbIdRegistration | object | Object containing the result of the MobbID registration process in case of being enabled. The fields of the mobbIdRegistration object are detailed below. | Object |

The fields of the scores object are detailed below:

| Field | Type | Description | Format |
| --- | --- | --- | --- |
| liveness | number | Score of the liveness check. The score is a value between 0 and 1, and the threshold can be configured depending on the use case. | Number |
| faceMatching | number | Score of the face matching. The score is a value between 0 and 1, and the threshold can be configured depending on the use case. | Number |
| identityVerification | number | Score of the identity verification. The score is a value between 0 and 1, and the threshold can be configured depending on the use case. | Number |

The fields of the validations object are detailed below:

| Field | Type | Description | Format |
| --- | --- | --- | --- |
| liveness | string | Validation result of the liveness check. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| faceMatching | string | Validation result of the face matching. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| identityVerification | string | Validation result of the identity verification. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |

As with the scan document endpoint, the integrator can use a personalized validation process to determine whether the identity verification is valid. To configure the validation matrix, contact the MobbScan support team, who will analyze the use case and configure the matrix with the validations best suited to it.

The fields of the resultScanProcessValidation object are detailed below:

| Field | Type | Description | Format |
| --- | --- | --- | --- |
| enabledProcess | boolean | Indicates whether the scan process matrix validation is enabled or not. If the scan process matrix validation is enabled, the integrator should check the resultScanProcessValidation field to get the result of the scan process validation. | Boolean |
| scanProcessValidationResult | string | Result of the scan process validation. Possible values are: VALID, NOT_VALID, NOT_CHECKED. | Text |
| scanProcessFailedValidations | array | Array of strings containing the names of the validations that have failed in the scan process validation. If the scan process validation is NOT_VALID, this array will contain the names of the validations that have failed. If the scan process validation is VALID, this array will be empty. | Array of strings |

The fields of the mobbIdRegistration object are detailed below:

| Field | Type | Description | Format |
| --- | --- | --- | --- |
| result | string | Result of the MobbID registration process. Possible values are: DISABLED_MOBB_ID_REGISTRATION, SUCCESSFUL_MOBB_ID_REGISTRATION, NOT_REACHED_MOBB_ID_REGISTRATION. | Text |
| completed | boolean | Indicates whether the MobbID registration process was completed or not. If the MobbID registration process was completed, this field will be true. If the MobbID registration process was not completed, this field will be false. | |
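
The scan document and identity verification sections both leave the next step to the integrator, based on scanProcessValidationResult and resultScanProcessValidation respectively. The following is an added example, not MobbScan's own code, of a fail-closed gate over both responses: only an explicit VALID lets the onboarding continue, so NOT_CHECKED and missing fields are treated as failures. The function names and the fallback to validationDocument when no matrix is enabled are assumptions; the two sample dictionaries are abridged from the responses shown on this page.

```python
VALID = "VALID"

# Abridged from the two sample responses on this page.
SCAN_SAMPLE = {
    "code": "OK",
    "description": "SCAN_DOCUMENT_SUCCESS",
    "document": {"validationDocument": "NOT_VALID"},
    "scanProcessValidationResult": {
        "enabledProcess": True,
        "scanProcessValidationResult": "NOT_VALID",
        "scanProcessFailedValidations": [
            "validationDocumentNotSpecimen", "validationMRZ",
            "validationDocumentNotExpired",
        ],
    },
}
IDENTITY_SAMPLE = {
    "code": 0,
    "validations": {"liveness": "VALID", "faceMatching": "VALID",
                    "identityVerification": "VALID"},
    "resultScanProcessValidation": {
        "enabledProcess": True,
        "scanProcessValidationResult": "VALID",
        "scanProcessFailedValidations": [],
    },
}


def matrix_enabled(matrix):
    """True only when the validation matrix object says it is enabled."""
    return isinstance(matrix, dict) and matrix.get("enabledProcess") is True


def matrix_verdict(matrix):
    """Return (accepted, reasons) for an enabled validation-matrix object."""
    result = matrix.get("scanProcessValidationResult")
    failed = matrix.get("scanProcessFailedValidations")
    failed = [str(f) for f in failed] if isinstance(failed, list) else []
    if result == VALID and not failed:
        return True, []
    # NOT_VALID, NOT_CHECKED, a missing value, or VALID with failures listed.
    return False, failed or ["scanProcessValidationResult=%r" % (result,)]


def gate_scan(resp):
    """Decide whether a scan document response lets onboarding continue."""
    if not isinstance(resp, dict) or resp.get("code") != "OK":
        return False, ["scan did not complete"]
    matrix = resp.get("scanProcessValidationResult")
    if matrix_enabled(matrix):
        return matrix_verdict(matrix)
    # Assumption: with no matrix enabled, require the overall document flag.
    doc = resp.get("document")
    flag = doc.get("validationDocument") if isinstance(doc, dict) else None
    if flag == VALID:
        return True, []
    return False, ["validationDocument=%r" % (flag,)]


def gate_identity(resp):
    """Decide whether an identity verification response is acceptable."""
    code = resp.get("code") if isinstance(resp, dict) else None
    # Success is the integer 0; reject booleans, strings and negative codes.
    if type(code) is not int or code != 0:
        return False, ["code=%r" % (code,)]
    validations = resp.get("validations")
    if not isinstance(validations, dict):
        return False, ["validations missing"]
    reasons = ["%s=%r" % (name, validations.get(name))
               for name in ("liveness", "faceMatching", "identityVerification")
               if validations.get(name) != VALID]
    matrix = resp.get("resultScanProcessValidation")
    if matrix_enabled(matrix):
        _, why = matrix_verdict(matrix)
        reasons.extend(why)
    return (not reasons), reasons
```

The returned reasons are suitable for an audit log entry next to the scanId, so a rejected process can be traced back to the validations that failed.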
Copyright © 2025 Mobbeel Solutions SL