Getting started
Verification as a Service (VaaS) is CM.com's all-in-one solution for an easy and secure verification that customers can use to verify a user. VaaS uses a combination of CM.com's verification services: Mobile Identity and One Time Password (OTP).
CM.com's Verification as a Service is used exclusively through the API. A VaaS verification has up to 4 verification methods:
- A VaaS verification begins with Mobile Identity's Number Verify service. This silently authenticates a user by having them load a web address using their mobile data. For more information regarding Number Verify, check the dedicated documentation, which can be found here.
- In the event that a silent Number Verify authentication is not able to authenticate the user, VaaS will automatically failover to OTP. Specifically, a WhatsApp OTP. However, to include WhatsApp as an option, a separate WhatsApp Business Account subscription is required.
- If WhatsApp is not configured, available, or simply unsuccessful during the sending of an OTP, another OTP will be sent via Smart Verification Routing (SVR). SVR involves sending the OTP through the best messaging channel based on the destination.
- If the SVR OTP was not successful, and an email address was provided in the initial API request, a final OTP will be sent to the user's email.
It is also possible to exclude OTP channels when verifying a user. If a user would like to not be contacted on a specific channel, that channel can be excluded from the verification's OTP failover.
For complete technical documentation with specifications for all field types, JSON objects, and methods, you can consult our complete API reference: API reference
If you need technical assistance, please contact your account manager or support ([email protected])
Authentication
Before you can start using the API, you need API credentials. Credentials consist of a key ID and a secret. Contact your account manager to get production credentials. Credentials should be kept secret.
To authenticate you need to use your credentials to generate a JWT Bearer token. The JWT token has to be generated using the HS256
algorithm and your credentials. This JWT has to contain the following attributes: iat
, nbf
, and exp
in the payload, as well as the attribute kid
in the header of the JWT. This kid
attribute needs to contain the Key ID of your credentials.
The generated token needs to be passed via the HTTP Authorization header:
Authorization: Bearer GENERATED_TOKEN_HERE
There are many libraries available for different programming languages that can help you to generate a JWT. See the Libraries tab on https://jwt.io.
Example
Assuming we want to create a token that is valid for 60 seconds and we have received the following credentials:
Key ID: 3b438437-04a4-40bb-8389-54bb02766fba
Secret: AC4Etykn7jusGR5FwLDAtILtQbiQbTMKedP31szXg4WlSbjGEXyNMZ
We need to create a JWT with the following properties:
JWT header:
{
"alg": "HS256",
"typ": "JWT",
"kid": "3b438437-04a4-40bb-8389-54bb02766fba"
}
JWT payload:
{
"iat": 1704067200,
"nbf": 1704067200,
"exp": 1704067260
}
iat
: the time when the token was generated.nbf
: the time after which the token is valid, usually equal toiat
.exp
: the time when the token will expire.
Make sure these are UNIX timestamps in seconds
This results in the following token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjNiNDM4NDM3LTA0YTQtNDBiYi04Mzg5LTU0YmIwMjc2NmZiYSJ9.eyJpYXQiOjE3MDQwNjcyMDAsIm5iZiI6MTcwNDA2NzIwMCwiZXhwIjoxNzA0MDY3MjYwfQ.lTzOd4cKOan2rwL4fHjwOffc0dp3pwYjDdl4uM1WluU
Add this token to the Authorization
header in the API request.
Authorization: Bearer GENERATED_TOKEN_HERE
The https://jwt.io website provides a way to inspect or validate JWT tokens.
Updated 3 months ago