Getting started

Verification as a Service (VaaS) is CM.com's all-in-one solution that customers can use to verify a user easily and securely. VaaS uses a combination of CM.com's verification services: Mobile Identity and One Time Password (OTP).

CM.com's Verification as a Service is used exclusively through the API. A VaaS verification has up to 4 verification methods:

  1. A VaaS verification begins with Mobile Identity's Number Verify service. This silently authenticates a user by having them load a web address using their mobile data. For more information regarding Number Verify, check the dedicated documentation, which can be found here.
  2. If silent Number Verify authentication is not able to authenticate the user, VaaS automatically fails over to OTP, specifically a WhatsApp OTP. However, to include WhatsApp as an option, a separate WhatsApp Business Account subscription is required.
  3. If WhatsApp is not configured, not available, or simply unsuccessful during the sending of an OTP, another OTP will be sent via Smart Verification Routing (SVR). SVR involves sending the OTP through the best messaging channel based on the destination.
  4. If the SVR OTP was not successful, and an email address was provided in the initial API request, a final OTP will be sent to the user's email.

It is also possible to exclude OTP channels when verifying a user. If a user would prefer not to be contacted on a specific channel, that channel can be excluded from the verification's OTP failover.

For complete technical documentation with specifications for all field types, JSON objects, and methods, you can consult our complete API reference.

If you need technical assistance, please contact your account manager or support ([email protected])

Authentication

Before you can start using the API, you need API credentials. Credentials consist of a key ID and a secret. Contact your account manager to get production credentials. Credentials should be kept secret.

To authenticate you need to use your credentials to generate a JWT Bearer token. The JWT token has to be generated using the HS256 algorithm and your credentials. This JWT has to contain the following attributes: iat, nbf, and exp in the payload, as well as the attribute kid in the header of the JWT. This kid attribute needs to contain the Key ID of your credentials.

The generated token needs to be passed via the HTTP Authorization header:

Authorization: Bearer GENERATED_TOKEN_HERE

There are many libraries available for different programming languages that can help you to generate a JWT. See the Libraries tab on https://jwt.io.

Example

Assuming we want to create a token that is valid for 60 seconds and we have received the following credentials:

Key ID: 3b438437-04a4-40bb-8389-54bb02766fba
Secret: AC4Etykn7jusGR5FwLDAtILtQbiQbTMKedP31szXg4WlSbjGEXyNMZ

We need to create a JWT with the following properties:

JWT header:

{
    "alg": "HS256",
    "typ": "JWT",
    "kid": "3b438437-04a4-40bb-8389-54bb02766fba"
}

JWT payload:

{
    "iat": 1704067200,
    "nbf": 1704067200,
    "exp": 1704067260
}

  • iat: the time when the token was generated.
  • nbf: the time after which the token is valid, usually equal to iat.
  • exp: the time when the token will expire.

Make sure these are UNIX timestamps in seconds.

This results in the following token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjNiNDM4NDM3LTA0YTQtNDBiYi04Mzg5LTU0YmIwMjc2NmZiYSJ9.eyJpYXQiOjE3MDQwNjcyMDAsIm5iZiI6MTcwNDA2NzIwMCwiZXhwIjoxNzA0MDY3MjYwfQ.lTzOd4cKOan2rwL4fHjwOffc0dp3pwYjDdl4uM1WluU

Add this token to the Authorization header in the API request.

Authorization: Bearer GENERATED_TOKEN_HERE

The https://jwt.io website provides a way to inspect or validate JWT tokens.
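The token construction described above, as an added example that is not CM.com's own code: it builds the HS256 token with only the Python standard library and checks it locally, so the secret never leaves your machine. The function names are hypothetical, and using the secret as its UTF-8 bytes is an assumption; with the example Key ID and iat above it produces the same header and payload segments as the token shown.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(key_id, secret, ttl=60, now=None):
    """Build an HS256 JWT with kid in the header and iat/nbf/exp in the payload."""
    iat = int(time.time()) if now is None else int(now)  # UNIX seconds, not ms
    header = {"alg": "HS256", "typ": "JWT", "kid": key_id}
    payload = {"iat": iat, "nbf": iat, "exp": iat + ttl}
    signing_input = ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload))
    # Assumption: the secret is used as its UTF-8 bytes (not base64-decoded).
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def check_token(token, secret, now=None):
    """Offline check of alg, signature and the nbf/exp window; returns the payload."""
    now = int(time.time()) if now is None else int(now)
    head_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{head_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant time
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(body_b64))
    if not payload["nbf"] <= now < payload["exp"]:
        raise ValueError("token not valid at this time")
    return payload


if __name__ == "__main__":
    # Placeholder credentials, constructed for this example.
    token = make_token("00000000-0000-0000-0000-000000000000", "example-secret")
    print("Authorization: Bearer " + token)
```

Generate a fresh token per request or per short batch; a 60-second lifetime limits how long a captured token can be replayed.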