Authorization
Shufti Pro API uses API keys to authenticate requests. You can view and manage your API keys in your Shufti Pro Backoffice. Authorization to API is performed via HTTP Basic Auth. The verification request will fail without authorization.
BASIC AUTH
Shufti Pro API uses API keys to authenticate requests. You can view and manage your API keys in your Shufti Pro Backoffice. Authorization to API is performed via HTTP Basic Auth. The verification request will fail without authorization.
BASIC AUTH
- Http
- Javascript
- Php
- Python
- Ruby
- Java
//POST / HTTP/1.1 basic auth
//Host: ra.shuftipro.com/risk-api
//Content-Type: application/json
//Authorization: Basic NmI4NmIyNzNmZjM0ZmNlMTlkNmI4WJRTUxINTJHUw==
{
"reference" : "1234567",
"callback_url" : "http://www.example.com/",
"email" : "[email protected]",
"country" : "GB",
"language" : "EN",
"verification_mode" : "any",
"risk_assessment" : {
"risk_reference" : "123456",
"phone_number" : "+4400000000"
}
}
// Body of the verification request. `reference` identifies this request; the
// remaining values are sample data.
let payload = {
  reference: `SP_REQUEST_${Math.random()}`,
  callback_url: "https://yourdomain.com/profile/sp-notify-callback",
  email: "[email protected]",
  country: "GB",
  language: "EN",
  verification_mode: "any",
  risk_assessment: {
    risk_reference: "123456",
    phone_number: "+4400000000"
  }
};

// HTTP Basic credential: base64 of "client_id:secret_key".
// NOTE(review): the secret key is embedded in this script. If the script is
// delivered to a browser, anyone who loads the page can read it; make this
// call from a backend that holds the key instead.
var token = btoa("YOUR_CLIENT_ID:YOUR_SECRET_KEY");

// POST the payload as JSON and resolve with the parsed JSON response.
fetch('https://ra.shuftipro.com/risk-api/', {
  method: 'post',
  headers: {
    'Accept': 'application/json',
    'Content-Type': 'application/json',
    'Authorization': `Basic ${token}`
  },
  body: JSON.stringify(payload)
})
  .then((response) => response.json())
  .then((data) => data);
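<?php
// Creates a risk-assessment verification request and prints the verification
// URL returned by the API.
$url = 'https://ra.shuftipro.com/risk-api/';
// Placeholders: load the real values from configuration or the environment
// rather than committing them to source control.
$client_id = 'YOUR-CLIENT-ID';
$secret_key = 'YOUR-SECRET-KEY';
$verification_request = [
    "reference" => "ref-".rand(4,444).rand(4,444),
    "callback_url" => "https://yourdomain.com/profile/notifyCallback",
    "email" => "[email protected]",
    "country" => "GB",
    "language" => "EN",
    "verification_mode" => "any",
    "risk_assessment" => [
        "risk_reference" => "123456",
        "phone_number" => "+4400000000"
    ]
];
// HTTP Basic credential in "username:password" form; cURL encodes it.
$auth = $client_id.":".$secret_key;
$headers = ['Content-Type: application/json'];
$post_data = json_encode($verification_request);
$response = send_curl($url, $post_data, $headers, $auth);

/**
 * POSTs a JSON body with HTTP Basic authentication and returns the decoded
 * JSON response body.
 *
 * @param string $url       Endpoint to call.
 * @param string $post_data JSON-encoded request body.
 * @param array  $headers   Extra request headers.
 * @param string $auth      "client_id:secret_key" credential for Basic auth.
 * @return mixed Decoded response body (associative array), or null if the body is not valid JSON.
 * @throws RuntimeException If the transfer itself fails.
 */
function send_curl($url, $post_data, $headers, $auth){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($ch, CURLOPT_USERPWD, $auth);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    // Keep certificate and host-name verification on: this request carries the
    // account credentials, and with verification off any intermediary can
    // impersonate the API host and read them.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    // Include response headers in the output so they can be split off below.
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
    $html_response = curl_exec($ch);
    if ($html_response === false) {
        // Transport-level failure (DNS, TLS, timeout): there is no body to parse.
        $error = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('cURL request failed: ' . $error);
    }
    $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
    $body = substr($html_response, $header_size);
    curl_close($ch);
    return json_decode($body,true);
}

if (isset($response['verification_url'])) {
    echo $response['verification_url'];
} else {
    // No verification URL in the response (for example an error payload);
    // show what the API returned instead of raising an undefined-index notice.
    echo json_encode($response);
}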
import requests, base64, json, hashlib
from random import randint
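# Creates a risk-assessment verification request and prints the API response.
url = 'https://ra.shuftipro.com/risk-api/'
# Placeholders: load the real values from configuration or the environment
# rather than committing them to source control.
client_id = 'YOUR-CLIENT-ID'
secret_key = 'YOUR-SECRET-KEY'
verification_request = {
    "reference" : "ref-{}{}".format(randint(1000, 9999), randint(1000, 9999)),
    "callback_url" : "https://yourdomain.com/profile/notifyCallback",
    "email" : "[email protected]",
    "country" : "GB",
    "language" : "EN",
    "verification_mode" : "any",
    "risk_assessment" : {
        "risk_reference" : "123456",
        "phone_number" : "+4400000000"
    }
}
# HTTP Basic credential: base64 of "client_id:secret_key". This is an encoding,
# not encryption, so the request must only ever go over https.
auth = '{}:{}'.format(client_id, secret_key)
b64Val = base64.b64encode(auth.encode()).decode()
# requests has no default timeout; without one a stalled connection blocks
# forever. 30 seconds is a sample value, tune it for your integration.
response = requests.post(url,
    headers={"Authorization": "Basic %s" % b64Val, "Content-Type": "application/json"},
    data=json.dumps(verification_request),
    timeout=30)
json_response = json.loads(response.content)
print('Verification URL: {}'.format(json_response))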
require 'uri'
require 'net/http'
require 'base64'
require 'json'
require 'open-uri'
# Risk-assessment endpoint that receives the verification request.
url = URI("https://ra.shuftipro.com/risk-api/")

# Placeholder credentials; load the real values from configuration or the
# environment rather than committing them to source control.
CLIENT_ID = "YOUR-CLIENT-ID"
SECRET_KEY = "YOUR-SECRET-KEY"

# Request reference: "Ref-" followed by eight random uppercase letters.
reference_suffix = Array.new(8) { (65 + rand(26)).chr }.join

verification_request = {
  reference: "Ref-" + reference_suffix,
  callback_url: "https://yourdomain.com/profile/notifyCallback",
  email: "[email protected]",
  country: "GB",
  language: "EN",
  redirect_url: "http://www.example.com",
  verification_mode: "any",
  risk_assessment: {
    risk_reference: "123456",
    phone_number: "+4400000000"
  }
}

# TLS connection to the API host; the Basic credential below is only
# base64-encoded, so it must not travel over plain HTTP.
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true

# HTTP Basic credential: base64 of "client_id:secret_key".
header_auth = Base64.strict_encode64([CLIENT_ID, SECRET_KEY].join(":"))

request = Net::HTTP::Post.new(url)
request["Content-Type"] = "application/json"
request["Authorization"] = "Basic " + header_auth
request.body = JSON.generate(verification_request)

# Send the request and print the raw response body.
response = http.request(request)
puts response.read_body
import java.io.BufferedReader;
import java.io.DataOutputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.net.ssl.HttpsURLConnection;
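/**
 * Sends a sample risk-assessment verification request with HTTP Basic
 * authentication and prints the response code and body.
 */
public class Main {
    /**
     * Builds the request, posts the JSON payload and prints the API response.
     *
     * @param args unused
     * @throws Exception if the URL is malformed or the HTTP exchange fails
     */
    public static void main(String[] args) throws Exception {
        // new URL(...) rejects a URL without a scheme; https also keeps the
        // Basic credential (base64 only, not encrypted) protected in transit.
        String url = "https://ra.shuftipro.com/risk-api/";
        // Placeholders: load the real values from configuration or the
        // environment rather than hard-coding them.
        String clientId = "CLIENT_ID";
        String secretKey = "SECRET_KEY";
        URL obj = new URL(url);
        HttpsURLConnection con = (HttpsURLConnection) obj.openConnection();
        // Add request header
        con.setRequestMethod("POST");
        con.setRequestProperty("Content-Type", "application/json");
        String basicAuth = "Basic " + Base64.getEncoder().encodeToString(
            (clientId + ":" + secretKey).getBytes(StandardCharsets.UTF_8));
        con.setRequestProperty("Authorization", basicAuth);
        // Sample payload. In production use an https:// callback_url so status
        // notifications are not delivered in clear text.
        String payload = "{\n"
            + " \"reference\" : \"1234567\",\n"
            + " \"callback_url\" : \"http://www.example.com/\",\n"
            + " \"email\" : \"[email protected]\",\n"
            + " \"country\" : \"GB\",\n"
            + " \"language\" : \"EN\",\n"
            + " \"verification_mode\" : \"any\",\n"
            + " \"risk_assessment\" : {\n"
            + "  \"risk_reference\" : \"123456\",\n"
            + "  \"phone_number\" : \"+4400000000\"\n"
            + " }\n"
            + "}";
        // Send post request
        con.setDoOutput(true);
        try (DataOutputStream wr = new DataOutputStream(con.getOutputStream())) {
            // writeBytes(String) drops the high byte of every char; write the
            // UTF-8 encoding so non-ASCII values survive.
            wr.write(payload.getBytes(StandardCharsets.UTF_8));
            wr.flush();
        }
        int responseCode = con.getResponseCode();
        System.out.println("\nSending 'POST' request to URL : " + url);
        // Sample output only: the payload holds end-user data, so do not log
        // it like this in production.
        System.out.println("Payload : " + payload);
        System.out.println("Response Code : " + responseCode);
        StringBuilder response = new StringBuilder();
        try (BufferedReader in = new BufferedReader(
                new InputStreamReader(con.getInputStream(), StandardCharsets.UTF_8))) {
            String inputLine;
            while ((inputLine = in.readLine()) != null) {
                response.append(inputLine);
            }
        }
        // Print the response
        System.out.println(response.toString());
    }
}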
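Shufti Pro provides Authorization to clients through the Basic Auth header. Your Client ID will serve as your Username while the Secret Key will serve as your Password. The API will require this header for every request. Basic Auth only Base64-encodes these credentials; it does not encrypt them, so send requests over HTTPS only and keep the Secret Key out of client-side code and source control.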
Fields | Required | Description |
---|---|---|
username | Yes | Enter Client ID as username. |
password | Yes | Enter your Secret Key as password. |
Request
Before getting started, make sure you have the following:
Common Parameters
The parameters mentioned below are applicable for onsite verifications in risk assessment service.
Parameters | Description |
---|---|
reference | Required: Yes Type: string Minimum: 6 characters Maximum: 250 characters Each request is issued a unique reference ID which is sent back to Shufti Pro’s client with each response. This reference ID helps to verify the request. The client can use this ID to check the status of already performed verifications. |
country | Required: No Type: string Length: 2 characters You may omit this parameter if you don't want to enforce country verification. If a valid country code is provided, then the proofs (images/videos) for document verification or address verification must be from the same country. Country code must be a valid ISO 3166-1 alpha-2 country code. Please consult Supported Countries for country codes. |
language | Required: No Type: string Length: 2 characters If the Shufti Pro client wants their preferred language to appear on the verification screens they may provide the 2-character long language code of their preferred language. The list of Supported Languages can be consulted for the language codes. If this key is missing in the request the system will select the default language as English. |
email | Required: Yes Type: string Minimum: 6 characters Maximum: 128 characters This field represents the email of the end-user. |
callback_url | Required: No Type: string Minimum: 6 characters Maximum: 250 characters A number of server-to-server calls are made to Shufti Pro’s client to keep them updated about the verification status. This allows the clients to keep the request updated on their end, even if the end-user is lost midway through the process. |
redirect_url | Required: No Type: string Minimum: 6 characters Maximum: 250 characters Once an on-site verification is complete, User is redirected to this link after showing the results. |
verification_mode | Required: No Type: string Accepted Values: any, image_only, video_only This key specifies the types of proof that can be used for verification. In a “video_only” mode, Shufti Pro’s client can only send “Base64” of videos wherein formats of proofs should be MP4 or MOV. “any” mode can be used to send a combination of images and videos as proofs for verification. |
show_consent | Required: No Type: string Accepted Values: 0, 1 Default Value: 1 If enabled, it shows the Shufti Pro terms and conditions to the user at the start of the verification. |
allow_na_ocr_inputs | Required: No Type: string Accepted Values: 0, 1 Default Value: 0 In onsite with ocr verification request, it allows the end-user to select N/A on the OCR form and the verification step will be accepted. |
allow_offline | Required: No Type: string Accepted Values: 0, 1 Default Value: 1 This parameter allows users to upload images or videos in case of non-availability of a functional webcam. If value: 0, users can capture photos/videos with the camera only. |
allow_online | Required: No Type: string Accepted Values: 0, 1 Default Value: 1 This parameter allows users to capture image or videos in real-time when internet is available. If value: 0 users can upload already captured images or videos. Note: if allow_offline: 0 priority will be given to allow_offline |
show_privacy_policy | Required: No Type: string Accepted Values: 0, 1 Default Value: 1 This parameter displays data privacy policy to end-user after the verification process is completed. If the value is set 1, the data privacy policy will be displayed to end-user. If the value is set 0, the data privacy policy will not be displayed. Under the GDPR, we acknowledge the end-users right to request for data deletion therefore the default value is 1 but you can set it to 0 if you’ve another alternative mechanism in place. |
ttl | Required: No Type: int Minimum: 60 Give a numeric value for minutes that you want the verification url to remain active. |
Onsite Verification
On-site verification means that Shufti Pro will be interacting directly with end-user and will be responsible for data collection in order to perform Identity verification. Shufti Pro customer will only be notified about the verification status via Shufti Pro Back Office.
Shufti Pro offers following services in On-site verification: Risk Assessment
Risk Assessment Service
Risk Assessment service sample
"risk_assessment": {
"risk_reference": "37rNhl",
"phone_number": "+4400000000"
}
Risk assessment service helps businesses in verifying onboarding customers via risk scores. These risk scores are provided by the client during the onboarding process. The service enables you to select numerous checks to prevent fraud, create customized risk questionnaires, and configure journeys for consumers with Low, Medium, High, and Prohibited risk levels.
The four primary components of risk assessment are:
- Setting up risk ranges.
- Fraud prevention checks.
- Customising questionnaire.
- Setting up the customised verification journey.
The Risk Assessment Service includes two parts:
1. Creation of a Risk Assessment
2. Calling a Risk Assessment via API
1. Creation of a Risk Assessment
To create a risk assessment, the client needs to follow these steps:
- Setup the risk assessment title and risk ranges according to the business requirements.
- Select the checks from the fraud prevention - data points section to avoid fraud by checking the customer’s PhoneNo, IP, Email, and Velocity risk.
- Create multiple customized risk questionnaires with several answer types by adding scores against each answer option.
- Configure KYC journeys for consumers with Low, Medium, High, and Prohibited risk levels based on the defined risk ranges and requirements.
2. Calling a Risk Assessment via API
To use the risk assessment service and ask the end-users to fill in the risk assessment, clients need to send an API Request to the server with the following parameters:
Parameters | Description |
---|---|
risk_reference | Required: Yes Type: string Maximum: 6 characters The “risk_reference” parameter is a string that takes one risk_reference in the string to execute the risk assessment service for your end users. |
phone_number | Required: Yes Type: string Minimum: 6 characters Maximum: 64 characters The “phone_number” parameter is a string that takes one phone_number in the string along with risk_reference to execute the risk assessment service for your end users. |
Status Request
Status Request Sample
- Http
- Javascript
- Php
- Python
- Ruby
- Java
//POST /status HTTP/1.1
//Host: ra.shuftipro.com/risk-api/status
//Content-Type: application/json
//Authorization: Basic NmI4NmIyNzNmZjM0ZmNlMTlkNmI4WJRTUxINTJHUw==
//replace "Basic" with "Bearer" in case of Access Token
{
"reference" : "17374217"
}
// Status request body: the reference of the verification to look up.
var payload = {
  reference: 'your_request_reference'
};

// Use your Shufti Pro account client id and secret key.
// BASIC AUTH TOKEN: base64 of "client_id:secret_key".
// NOTE(review): the secret key is embedded in this script. If the script is
// delivered to a browser, anyone who loads the page can read it; make this
// call from a backend that holds the key instead.
var token = btoa("YOUR_CLIENT_ID:YOUR_SECRET_KEY");
// If using an Access Token:
//var token = "YOUR_ACCESS_TOKEN";

// Dispatch the request via the fetch API, or whichever client suits you best.
fetch('https://ra.shuftipro.com/risk-api/status', {
  method: 'post',
  headers: {
    'Accept': 'application/json',
    'Content-Type': 'application/json',
    // With an access token, replace "Basic" with "Bearer".
    'Authorization': `Basic ${token}`
  },
  body: JSON.stringify(payload)
})
  .then((response) => response.json())
  .then((data) => data);
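<?php
// Requests the status of a verification and checks the response signature
// before trusting the body.
$url = 'https://ra.shuftipro.com/risk-api/status';
//Your Shufti Pro account Client ID
$client_id = 'YOUR-CLIENT-ID';
//Your Shufti Pro account Secret Key
$secret_key = 'YOUR-SECRET-KEY';
//OR Access Token
//$access_token = 'YOUR-ACCESS-TOKEN';
$status_request = [
    "reference" => "your_request_reference",
];
$auth = $client_id.":".$secret_key; // remove this in case of Access Token
$headers = ['Content-Type: application/json'];
// If using an Access Token, add it to the headers as shown below; otherwise leave this out
// array_push($headers, 'Authorization: Bearer ' . $access_token);
$post_data = json_encode($status_request);
//Calling Shufti Pro request API using curl
$response = send_curl($url, $post_data, $headers, $auth); // remove $auth in case of Access Token
//Get Shufti Pro API Response
$response_data = $response['body'];
// Get the Signature value from the response headers. Header names are
// case-insensitive, and the match is anchored to the start of the line so an
// unrelated header that merely contains "signature:" is not picked up.
$sp_signature = null;
foreach (explode("\n", $response['headers']) as $header_line) {
    if (stripos($header_line, 'signature:') === 0) {
        $sp_signature = trim(substr($header_line, strlen('signature:')));
        break;
    }
}
//Calculating signature for verification
// The calculated signature check cannot be implemented in case of access token
$calculate_signature = hash('sha256',$response_data.$secret_key);
// hash_equals() compares in constant time and never type-juggles. A loose ==
// treats two different hex strings such as "0e12..." and "0e98..." as equal
// numbers, which would accept a forged signature.
if(is_string($sp_signature) && hash_equals($calculate_signature, $sp_signature)){
    echo "Response : $response_data";
}else{
    echo "Invalid signature : $response_data";
}

/**
 * POSTs a JSON body with HTTP Basic authentication and returns the raw
 * response split into headers and body.
 *
 * @param string $url       Endpoint to call.
 * @param string $post_data JSON-encoded request body.
 * @param array  $headers   Extra request headers.
 * @param string $auth      "client_id:secret_key" credential (remove in case of Access Token).
 * @return array ['headers' => string, 'body' => string]
 * @throws RuntimeException If the transfer itself fails.
 */
function send_curl($url, $post_data, $headers, $auth){ // remove $auth in case of Access Token
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($ch, CURLOPT_USERPWD, $auth); // remove this in case of Access Token
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    // Keep certificate and host-name verification on: this request carries the
    // account credentials, and the signature check above is only meaningful if
    // the response really came from the API host.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    // Include response headers in the output; the caller reads Signature from them.
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC); // remove this in case of Access Token
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
    $html_response = curl_exec($ch);
    if ($html_response === false) {
        // Transport-level failure (DNS, TLS, timeout): nothing to split or verify.
        $error = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('cURL request failed: ' . $error);
    }
    $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
    $headers = substr($html_response, 0, $header_size);
    $body = substr($html_response, $header_size);
    curl_close($ch);
    return ['headers' => $headers,'body' => $body];
}
?>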
import base64, requests, json, hashlib
from random import randint
'''
Python 2
--------
import urllib2
Python 3
--------
import urllib.request
urllib.request.urlopen(url).read()
'''
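import hmac  # constant-time comparison for the signature check below

# Requests the status of a verification and checks the response signature
# before trusting the body.
url = 'https://ra.shuftipro.com/risk-api/status'
# Your Shufti Pro account Client ID
client_id = 'YOUR-CLIENT-ID'
# Your Shufti Pro account Secret Key
secret_key = 'YOUR-SECRET-KEY'
# OR Access Token
# access_token = 'YOUR-ACCESS-TOKEN';
status_request = {
    "reference" : "your_request_reference"
}
# Calling Shufti Pro request API using python requests
auth = '{}:{}'.format(client_id, secret_key)
b64Val = base64.b64encode(auth.encode()).decode()
# if access token
# b64Val = access_token
# replace "Basic" with "Bearer" in case of Access Token
# requests has no default timeout; without one a stalled connection blocks
# forever. 30 seconds is a sample value, tune it for your integration.
response = requests.post(url,
    headers={"Authorization": "Basic %s" % b64Val, "Content-Type": "application/json"},
    data=json.dumps(status_request),
    timeout=30)
# Calculating signature for verification: SHA-256 over the raw response body
# followed by the secret key.
# The calculated signature check cannot be implemented in case of access token
calculated_signature = hashlib.sha256(response.content + secret_key.encode()).hexdigest()
sp_signature = response.headers.get('Signature', '')
# compare_digest runs in constant time, so the comparison does not leak how
# many leading characters of the expected signature matched. Bytes are used
# because the str form rejects non-ASCII input.
signature_ok = hmac.compare_digest(sp_signature.encode(), calculated_signature.encode())
# Convert json string to json object
json_response = json.loads(response.content)
if signature_ok:
    print ('Response : {}'.format(json_response))
else:
    print ('Invalid Signature: {}'.format(json_response))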
require 'uri'
require 'net/http'
require 'base64'
require 'json'
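require 'digest'   # Digest::SHA256 is used for the signature below
require 'openssl'  # OpenSSL.secure_compare for the constant-time check

# Requests the status of a verification and checks the response signature
# before trusting the body.
url = URI("https://ra.shuftipro.com/risk-api/status")
# Your Shufti Pro account Client ID
CLIENT_ID = "YOUR-CLIENT-ID"
# Your Shufti Pro account Secret Key
SECRET_KEY = "YOUR-SECRET-KEY"
# if access token
# ACCESS_TOKEN = "YOUR-ACCESS-TOKEN"
post_data = {
  reference: "your_request_reference"
}
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
request = Net::HTTP::Post.new(url)
header_auth = Base64.strict_encode64("#{CLIENT_ID}:#{SECRET_KEY}")
# if Access Token
# header_auth = ACCESS_TOKEN
request["Content-Type"] = "application/json"
request["Authorization"] = "Basic #{header_auth}" # replace "Basic" with "Bearer" in case of access token
request.body = post_data.to_json
response = http.request(request)
# Keep the body exactly as received: the signature covers these bytes, and a
# parsed Hash cannot be concatenated with the secret key.
raw_body = response.read_body.to_s
# Header lookup is case-insensitive; a missing header becomes "".
sp_signature = response['signature'].to_s
# The calculated signature check cannot be implemented in case of access token
calculated_signature = Digest::SHA256.hexdigest(raw_body + SECRET_KEY)
# Constant-time comparison, so timing does not reveal how much of the expected
# signature a forged value got right.
if OpenSSL.secure_compare(sp_signature, calculated_signature)
  # Parse only after the signature has been verified.
  response_data = JSON.parse(raw_body)
  puts response_data
else
  puts "Invalid signature"
end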
import java.io.BufferedReader;
import java.io.DataOutputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.net.ssl.HttpsURLConnection;
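/**
 * Sends a sample status request with HTTP Basic authentication and prints the
 * response code and body.
 */
public class Main {
    /**
     * Builds the request, posts the JSON payload and prints the API response.
     *
     * @param args unused
     * @throws Exception if the URL is malformed or the HTTP exchange fails
     */
    public static void main(String[] args) throws Exception {
        // new URL(...) rejects a URL without a scheme; https also keeps the
        // Basic credential (base64 only, not encrypted) protected in transit.
        String url = "https://ra.shuftipro.com/risk-api/status";
        // Placeholders: load the real values from configuration or the
        // environment rather than hard-coding them.
        String clientId = "CLIENT_ID";
        String secretKey = "SECRET_KEY";
        URL obj = new URL(url);
        HttpsURLConnection con = (HttpsURLConnection) obj.openConnection();
        // Add request header
        con.setRequestMethod("POST");
        con.setRequestProperty("Content-Type", "application/json");
        String basicAuth = "Basic " + Base64.getEncoder().encodeToString(
            (clientId + ":" + secretKey).getBytes(StandardCharsets.UTF_8));
        con.setRequestProperty("Authorization", basicAuth);
        // No trailing comma after the last member: strict JSON parsers reject it.
        String payload = "{\n \"reference\" : \"17374217\"\n }";
        // Send post request
        con.setDoOutput(true);
        try (DataOutputStream wr = new DataOutputStream(con.getOutputStream())) {
            // writeBytes(String) drops the high byte of every char; write the
            // UTF-8 encoding so non-ASCII values survive.
            wr.write(payload.getBytes(StandardCharsets.UTF_8));
            wr.flush();
        }
        int responseCode = con.getResponseCode();
        System.out.println("\nSending 'POST' request to URL : " + url);
        System.out.println("Payload : " + payload);
        System.out.println("Response Code : " + responseCode);
        // NOTE(review): the other language samples verify the Signature
        // response header before using the body; this sample prints it unverified.
        StringBuilder response = new StringBuilder();
        try (BufferedReader in = new BufferedReader(
                new InputStreamReader(con.getInputStream(), StandardCharsets.UTF_8))) {
            String inputLine;
            while ((inputLine = in.readLine()) != null) {
                response.append(inputLine);
            }
        }
        // Print the response
        System.out.println(response.toString());
    }
}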
Once a risk assessment request is completed, you may send a request to the status endpoint to get the verification status. You’ll have to provide the reference ID for the status request and you will be promptly informed about the status of that verification.
Parameter | Description |
---|---|
reference | Required: Yes Type: string Minimum: 6 characters Maximum: 250 characters This is the unique reference ID of request, which we will send you back with each response, so you can verify the request. |