⚙️ Configure Ditto ID to Send KYC Requests
This guide walks you through the configuration required in the Ditto ID Gateway Management Console to enable the transmission of KYC identity data to your backend system.
🧭 Configuration Overview
You will need to:
- Enable the KYC challenge in the user activation flow.
- Set the API endpoint configuration in the Module Config Management.
- Optionally configure encryption or bearer token authentication.
🔐 Step 1: Enable KYC Challenge in Activation Flow
- Log in to the Gateway Management Console.
- Navigate to Authentication Management.
- Edit the "First time activation" flow.
- Add the challenge `RELID-IDV-KYC` before `RELID-IDV-BiometricOptIn`.
- Save and restart the Blaze-Server.
This ensures the KYC API is triggered immediately after successful ID scan and face match.
🌐 Step 2: Set KYC API Endpoint
Navigate to Module Config Management and configure the following:
- Component Name: `IDV Server`
- Config Name: `kyc.service.api.config`
- Config Value: JSON as shown below
```json
{
  "method": "POST",
  "url": "https://127.0.0.1:9005/kyc",
  "headers": [
    {
      "headerName": "Content-Type",
      "headerValue": "application/json"
    },
    {
      "headerName": "apiversion",
      "headerValue": "v2"
    }
  ],
  "requestEncryption": {
    "enable": <true/false>,
    "algorithm": "AES",
    "key": "<Encryption AES Key>",
    "ivParamSpec": "<Encryption IV Parameters>",
    "cipherSpec": "<Encryption Cipher Spec>",
    "blockSizeBytes": <Encryption Block size>
  },
  "responseDecryption": {
    "enable": <true/false>,
    "algorithm": "AES",
    "key": "<Decryption AES Key>",
    "ivParamSpec": "<Decryption IV Parameters>",
    "cipherSpec": "<Decryption Cipher Spec>",
    "blockSizeBytes": <Decryption Block size>
  },
  "requestBody": "",
  "responseBody": {
    "resultLocator": "result",
    "referenceNumberLocator": "reference_number",
    "userIdLocator": "user_id",
    "primaryUserIdLocator": "",
    "loginIdsLocator": "",
    "statusCodeLocator": "",
    "statusMessageLocator": "",
    "forUserIdLocator": "",
    "orchestrationUseCaseLocator": ""
  },
  "accessTokenEndpoint": {
    "url": "https://127.0.0.1:9005/kyc-service-access-token-endpoint",
    "headers": [
      {
        "name": "<Header name>",
        "value": "<Header value>"
      }
    ],
    "method": "<GET or POST>",
    "postParameters": [
      {
        "name": "<Parameter name>",
        "value": "<Parameter value>"
      }
    ],
    "bodyParameter": "<raw data to be sent in body>",
    "accessTokenLocator": "<access token locator>"
  }
}
```
🔧 Top-Level Attributes
| Attribute | Description |
|---|---|
| `method` | HTTP method used for the KYC API call. Only POST is supported. |
| `url` | URL endpoint of the enterprise's KYC API which receives the identity verification data. Must be HTTPS. |
| `headers` | Array of HTTP headers (name-value pairs) to include in the KYC request. May include custom headers or OAuth2 tokens. |
🔐 requestEncryption
`requestEncryption` controls whether the KYC request is AES encrypted.
| Field | Description |
|---|---|
| `enable` | Boolean flag to enable request encryption. |
| `algorithm` | Encryption algorithm (AES only). |
| `key` | AES encryption key. |
| `ivParamSpec` | Initialization Vector. Overrides `blockSizeBytes` if present. |
| `cipherSpec` | Cipher mode and padding (e.g., AES/CBC/PKCS5Padding). |
| `blockSizeBytes` | Block size to use if `ivParamSpec` is not provided. |
🔓 responseDecryption
`responseDecryption` controls whether the KYC API response is decrypted.
| Field | Description |
|---|---|
| `enable` | Boolean flag to enable response decryption. |
| `algorithm` | Decryption algorithm (AES only). |
| `key` | AES decryption key. |
| `ivParamSpec` | Initialization Vector for decryption. |
| `cipherSpec` | Cipher mode and padding used during encryption. |
| `blockSizeBytes` | Block size to use if IV not provided. |
📦 requestBody
| Field | Description |
|---|---|
| `requestBody` | Custom body format. Use `""` to send default JSON. Use macro `__REQUEST_BODY_PAYLOAD__` to wrap the KYC payload. |
Example Usages
| requestBody | requestEncryption.enable | Behavior |
|---|---|---|
| `""` | false (default) | Sends plain JSON |
| `""` | true | Sends Base64-encoded AES-encrypted JSON |
| `{ "kyc_data": "__REQUEST_BODY_PAYLOAD__" }` | false | Sends KYC data in a key |
| `{ "kyc_data": "__REQUEST_BODY_PAYLOAD__" }` | true | Sends AES-encrypted KYC data in a key |
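The four combinations in the table above, seen from the backend that receives the request, as an added example that is not Ditto ID code. It assumes AES/CBC/PKCS5Padding, a key and IV supplied as UTF-8 strings, and a `kyc_data` wrapper key; the key, IV and KYC fields are constructed, and `encryptPayload` only stands in for the gateway to produce input.

```javascript
// Added example, not Ditto ID code. Assumptions: AES/CBC/PKCS5Padding, key and
// IV given as UTF-8 strings, ciphertext Base64-encoded. All values constructed.
const nodeCrypto = require('node:crypto');

const KEY = Buffer.from('0123456789abcdef0123456789abcdef', 'utf8'); // 32 bytes
const IV = Buffer.from('fedcba9876543210', 'utf8');                  // 16 bytes
const SAMPLE_KYC = { user_id: 'u-1001', document_type: 'passport' }; // constructed

// Stand-in for the gateway side, only to produce input for the receiver.
function encryptPayload(json) {
  const c = nodeCrypto.createCipheriv('aes-256-cbc', KEY, IV);
  return Buffer.concat([c.update(json, 'utf8'), c.final()]).toString('base64');
}

function decryptPayload(b64) {
  const d = nodeCrypto.createDecipheriv('aes-256-cbc', KEY, IV);
  return Buffer.concat([d.update(Buffer.from(b64, 'base64')), d.final()]).toString('utf8');
}

// Recover the KYC object from a raw request body.
//   wrapperKey: key used in requestBody (e.g. "kyc_data"), null when it is "".
//   encrypted:  mirrors requestEncryption.enable.
function extractKyc(rawBody, { wrapperKey = null, encrypted = false } = {}) {
  let payload = rawBody;
  if (wrapperKey !== null) {
    const outer = JSON.parse(rawBody);
    if (!Object.prototype.hasOwnProperty.call(outer, wrapperKey)) {
      throw new Error(`wrapper key "${wrapperKey}" missing`);
    }
    payload = outer[wrapperKey];
  }
  if (encrypted) {
    if (typeof payload !== 'string') throw new Error('expected a Base64 string');
    payload = decryptPayload(payload); // throws if the padding does not verify
  }
  // The macro may expand to a JSON string or a nested object; accept both.
  return typeof payload === 'string' ? JSON.parse(payload) : payload;
}

// Response using the field names the sample config's locators point at.
function buildResponse(userId, referenceNumber, ok) {
  return { result: ok, reference_number: referenceNumber, user_id: userId };
}
```

With a fixed key and IV, identical payloads produce identical ciphertext, so the HTTPS requirement on `url` remains the primary transport protection.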
📥 responseBody
`responseBody` describes how to extract values from the KYC API response.
| Field | Description |
|---|---|
| `resultLocator` | JSON path for result (true/false). |
| `referenceNumberLocator` | Path to reference number from KYC API. |
| `userIdLocator` | Path to user ID from KYC API (mandatory). |
| `primaryUserIdLocator` | Optional path for primary user ID. |
| `loginIdsLocator` | Optional path for multiple login IDs. |
| `statusCodeLocator` | Optional response code path. |
| `statusMessageLocator` | Optional message string path. |
| `forUserIdLocator` | Optional path for additional user ID context. |
| `orchestrationUseCaseLocator` | Optional use case path. |
🔄 accessTokenEndpoint
`accessTokenEndpoint` is used to retrieve a dynamic OAuth2 Bearer token for the Authorization header.
| Field | Description |
|---|---|
| `url` | Access token endpoint URL. |
| `headers` | Array of headers for token request. |
| `method` | HTTP method (GET or POST). |
| `postParameters` | Parameters for token POST request. |
| `bodyParameter` | Raw body content (alternative to `postParameters`). |
| `accessTokenLocator` | JSON path to extract token from response. |
Use either `postParameters` or `bodyParameter`, not both. If both are provided, `postParameters` takes precedence.
🔒 Supported Ciphers
| Key Size | Cipher Modes |
|---|---|
| 128/192/256 bits with IV (16 bytes) | AES/CFB/PKCS5Padding, AES/CBC/PKCS5Padding, AES/GCM/NoPadding, etc. |
| 128/192/256 bits with IV (32 bytes) | AES/ECB/PKCS5Padding, AES/GCM/NoPadding, etc. |
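A pre-restart check for a `kyc.service.api.config` value, as an added example that is not part of the Ditto ID product. Checks tagged [page] restate rules from this guide, the ECB warning is this example's own addition, and `SAMPLE_BAD` is a constructed config with deliberate mistakes.

```javascript
// Added example, not Ditto ID code. [page] = rule stated in this guide,
// [added] = this example's own check. SAMPLE_BAD is constructed.
function lintKycConfig(cfg) {
  const findings = [];
  const add = (level, msg) => findings.push(`${level}: ${msg}`);
  if (cfg.method !== 'POST') add('ERROR', 'method must be POST'); // [page]
  let url = null;
  try { url = new URL(cfg.url); } catch (e) { add('ERROR', 'url is not a valid URL'); }
  if (url && url.protocol !== 'https:') add('ERROR', 'url must be HTTPS'); // [page]
  // [page] top-level headers use headerName/headerValue, token headers name/value.
  for (const h of cfg.headers || []) {
    if (!h.headerName) add('ERROR', 'top-level header needs headerName/headerValue');
  }
  if (!(cfg.responseBody || {}).userIdLocator) {
    add('ERROR', 'responseBody.userIdLocator is mandatory'); // [page]
  }
  for (const name of ['requestEncryption', 'responseDecryption']) {
    const s = cfg[name];
    if (!s || s.enable !== true) continue;
    if (s.algorithm !== 'AES') add('ERROR', `${name}.algorithm must be AES`); // [page]
    if (!s.key) add('ERROR', `${name}.key is empty`);
    const mode = String(s.cipherSpec || '').split('/')[1];
    if (!mode) add('ERROR', `${name}.cipherSpec must look like AES/CBC/PKCS5Padding`);
    // [added] ECB encrypts equal plaintext blocks to equal ciphertext blocks.
    if (mode === 'ECB') add('WARN', `${name}.cipherSpec uses ECB`);
  }
  const at = cfg.accessTokenEndpoint;
  if (at) {
    if (!['GET', 'POST'].includes(at.method)) add('ERROR', 'accessTokenEndpoint.method must be GET or POST');
    for (const h of at.headers || []) {
      if (!h.name) add('ERROR', 'accessTokenEndpoint header needs name/value');
    }
    if ((at.postParameters || []).length && at.bodyParameter) { // [page]
      add('WARN', 'postParameters and bodyParameter both set; postParameters win');
    }
    if (!at.accessTokenLocator) add('ERROR', 'accessTokenEndpoint.accessTokenLocator is empty');
  }
  return findings;
}

const SAMPLE_BAD = {
  method: 'GET', url: 'http://kyc.example.test/kyc',
  headers: [{ name: 'apiversion', value: 'v2' }],
  requestEncryption: { enable: true, algorithm: 'AES', key: 'constructed-key', cipherSpec: 'AES/ECB/PKCS5Padding' },
  responseBody: { resultLocator: 'result', userIdLocator: '' },
  accessTokenEndpoint: { url: 'https://kyc.example.test/token', method: 'POST', accessTokenLocator: 'access_token',
    postParameters: [{ name: 'grant_type', value: 'x' }], bodyParameter: 'grant_type=x' },
};
```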
🚦 Testing and Restart
- After updating the config, click Restart on the IDV Server component.
- Test activation flow on the Ditto ID mobile app.
- Monitor logs to ensure KYC API is triggered and response is parsed.
Updated 4 months ago
