Blog · March 12, 2026

Developer's Guide: Reusable KYC with OAuth 2.0 and OIDC

This guide explores integrating Reusable KYC with OAuth 2.0 and OIDC for streamlined identity verification. It covers the technical benefits, security considerations, and practical implementation steps, highlighting how Didit's.

By Didit

Streamlined Onboarding: Integrating Reusable KYC with OAuth 2.0 and OIDC reduces user friction by letting a verified identity be reused across multiple applications, eliminating redundant verification steps.

Enhanced Security and Compliance: Building on these standards gives identity data sharing a well-reviewed authorization and consent model and helps maintain compliance with regulations like eIDAS2 and AML/KYC requirements.

Developer-Friendly Integration: OAuth 2.0 and OIDC provide a standardized framework for identity and access management, so the integration of shared KYC data is predictable and efficient for developers.

Didit's Modular Solution: Didit offers an AI-native, modular platform with clean APIs for Reusable KYC, enabling developers to implement secure, compliant, and user-centric identity verification without setup fees, including a Free Core KYC tier.

The Challenge of Traditional KYC and the Promise of Reusable KYC

In today's digital economy, Know Your Customer (KYC) processes are essential for regulatory compliance and fraud prevention. However, traditional KYC often involves repetitive and cumbersome steps, requiring users to submit documents and undergo verification every time they sign up for a new service. This leads to significant user drop-off rates and increased operational costs for businesses. Reusable KYC emerges as a transformative solution, allowing users to verify their identity once and securely reuse that verification across multiple applications. This not only dramatically improves the user experience but also accelerates onboarding and reduces the burden on businesses.

The core concept is simple: once a user's identity is verified by a trusted entity, that verification status and relevant data can be securely shared with other service providers, with the user's explicit consent. This paradigm shift requires robust technical frameworks to ensure security, privacy, and interoperability. This is where standards like OAuth 2.0 and OpenID Connect (OIDC) become indispensable.

Leveraging OAuth 2.0 and OIDC for Secure Identity Sharing

OAuth 2.0 is an authorization framework: it lets a user (the resource owner) grant a client application limited, scoped access to resources held by another HTTP service, without the client ever handling the user's credentials. On its own it says nothing about who the user is. OpenID Connect (OIDC) is the identity layer built on top of OAuth 2.0: the client receives a signed ID token asserting which end user authenticated at the Authorization Server (the OpenID Provider), and can fetch basic profile claims about that user from the UserInfo endpoint in an interoperable, REST-like manner.

When integrating Reusable KYC, OAuth 2.0 and OIDC serve as the secure plumbing:

  • Authentication: OIDC handles user authentication with the identity provider (where the KYC was first performed). The new service validates the ID token it receives (signature, issuer, audience, expiry, nonce) before trusting any claim in it.
  • Authorization: OAuth 2.0 grants the requesting application (the new service) a scoped access token for specific, verified identity data held by the identity provider, without ever exposing the user's credentials.
  • Consent: Both standards place the consent prompt at the Authorization Server. The requested scopes (and OIDC claims) spell out what will be shared, and the user can decline, so users keep control over what information is shared and with whom.

This architecture is critical for maintaining user trust and adhering to privacy regulations. Didit's Reusable KYC functionality is built to align with such industry standards, providing a secure and compliant way to share verified identity data.
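The OIDC half of that plumbing, as seen from the new service (the relying party), in working code. This is an added example, not Didit's code or any OpenID Provider's: the provider URL, client_id, redirect URI and shared secret are assumptions, and the demo ID token is signed with HS256 so it can be checked offline, whereas production providers normally sign with RS256/ES256 and publish their keys via JWKS. What it shows is the set of checks that make the login safe to rely on: PKCE on the authorization request, a state check on the callback, and signature, issuer, audience, expiry and nonce checks on the ID token.

```python
"""OIDC authorization-code login with PKCE, relying-party side.

Added example, not Didit's code. ISSUER, CLIENT_ID, CLIENT_SECRET and
REDIRECT_URI are assumptions; mint_demo_id_token() plays the provider so the
validation path can run offline (HS256 here, RS256/ES256 + JWKS in production).
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://idp.example.com"                    # assumption
AUTHZ_ENDPOINT = f"{ISSUER}/authorize"                # assumption
CLIENT_ID = "partner-b"                               # assumption
CLIENT_SECRET = b"demo-shared-secret"                 # assumption, HS256 demo only
REDIRECT_URI = "https://partner-b.example/callback"   # assumption


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA-256(ASCII(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def start_login(scope: str = "openid profile") -> tuple[str, dict]:
    """Build the authorization request; state, nonce and verifier stay server-side."""
    verifier = b64url(secrets.token_bytes(32))        # 43 chars, within RFC 7636 limits
    session = {"state": b64url(secrets.token_bytes(16)),
               "nonce": b64url(secrets.token_bytes(16)),
               "verifier": verifier}
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": scope, "state": session["state"], "nonce": session["nonce"],
              "code_challenge": pkce_challenge(verifier), "code_challenge_method": "S256"}
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}", session


def check_callback(callback_url: str, session: dict) -> str:
    """Reject the redirect unless state matches the one this browser session started with."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    code = q.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def token_request(code: str, session: dict) -> dict:
    """Body for the token endpoint; code_verifier proves we started this flow."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID, "code_verifier": session["verifier"]}


def validate_id_token(token: str, session: dict, now: int | None = None) -> dict:
    """Signature first, then iss / aud / exp / nonce; any failure rejects the login."""
    now = now if now is not None else int(time.time())
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT") from None
    if json.loads(b64url_decode(h)).get("alg") != "HS256":   # pin the algorithm, never trust the header
        raise ValueError("unexpected alg")
    expected = hmac.new(CLIENT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if CLIENT_ID not in aud:
        raise ValueError("token not issued for this client")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != session["nonce"]:
        raise ValueError("nonce mismatch: replayed or foreign ID token")
    return claims


def mint_demo_id_token(sub: str, nonce: str, now: int | None = None, lifetime: int = 300) -> str:
    """Constructed provider side, for offline testing only."""
    now = now if now is not None else int(time.time())
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": ISSUER, "sub": sub, "aud": CLIENT_ID,
                                 "iat": now, "exp": now + lifetime, "nonce": nonce}).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"
```

The order inside validate_id_token matters: the algorithm is pinned and the signature checked before a single claim is read, so an attacker-controlled payload never influences which checks run. The nonce ties the ID token to the browser session that started the login, which is what stops a token obtained for one session from being injected into another.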

The Technical Flow: Sharing and Importing Verified Sessions

Implementing Reusable KYC with OAuth 2.0/OIDC typically involves a two-step process: sharing a verified session and importing it. Let's break down the technical interactions:

  1. Initial Verification: A user completes their KYC process with a service (e.g., Partner A) using Didit's ID Verification and Passive & Active Liveness checks. This verification data is encrypted and stored in the user's Didit ID, compliant with regulations like eIDAS2.

  2. Sharing the Session: When the user wishes to onboard with a new service (Partner B), Partner A (the initial verifying entity) initiates the sharing process. Partner A calls Didit's Share Session API (POST /v3/session/{sessionId}/share/), specifying the target application ID (Partner B's application ID) and a Time-To-Live (TTL); the call returns a time-limited share_token that references the verified session's data. The share_token is a bearer credential: presented to Didit within its TTL by the application it was issued for, it is enough to import the session, so treat it like an API key (keep the TTL short, send it only over TLS, never write it to logs).

  3. User Consent and Redirection: Partner A transmits the share_token to Partner B, either over a back channel (a direct server-to-server API call) or by including it in the redirect that sends the user to Partner B. The back channel is preferable: a token carried in a browser URL can end up in browser history, proxy logs and Referer headers. The user is then redirected to Partner B's platform, where Partner B presents a consent screen explaining what data will be shared and asks for explicit permission before importing anything.

  4. Importing the Shared Session: Upon receiving the share_token and the user's consent, Partner B calls Didit's Import Shared Session API (POST /v3/session/import-shared/) with the share_token, Partner B's workflow_id, and a trust_review flag. If trust_review is true, the session is imported as approved, meaning Partner B accepts Partner A's review outcome outright; otherwise it enters an 'In Review' state for Partner B's manual checks. Set trust_review to true only for sharing partners whose verification level meets Partner B's own policy. Didit then returns the verified KYC information to Partner B, completing onboarding without re-verification.

  5. Biometric Re-authentication: For an added layer of security, Didit can enforce a quick facial recognition check (1:1 Face Match) during the reuse process to confirm the user's identity, ensuring that only the legitimate user can access and share their verified data.
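The share-and-import hand-off from steps 2 to 4, written out as an added example that is not Didit's SDK or documentation. Only the two endpoint paths and the share_token, workflow_id and trust_review names come from the article; the base URL, the x-api-key header, the remaining request and response field names (target_app_id, ttl_seconds, expires_at, status) and the FakeDidit stand-in are assumptions made so the flow runs offline. The stand-in models exactly the properties the article attributes to the token, a TTL and a binding to the target application ID, so the tests can show what a late or misdirected import looks like.

```python
"""Reusable KYC hand-off: Partner A shares a verified session, Partner B imports it.

Added example, not Didit's SDK. Endpoint paths and the share_token /
workflow_id / trust_review names are from the article; BASE_URL, the
x-api-key header, the other field names and FakeDidit are assumptions.
"""
from __future__ import annotations

import secrets
import time
from typing import Callable

BASE_URL = "https://verification.didit.me"            # assumption
Transport = Callable[[str, str, dict, dict], dict]     # (method, url, headers, json_body) -> json
MAX_SHARE_TTL = 900                                    # seconds; local policy, not a Didit limit


def share_session(session_id: str, target_app_id: str, ttl_seconds: int,
                  api_key: str, send: Transport) -> tuple[str, float]:
    """Partner A: mint a time-limited share_token bound to Partner B's application."""
    if not 0 < ttl_seconds <= MAX_SHARE_TTL:
        raise ValueError(f"ttl must be 1..{MAX_SHARE_TTL} seconds")
    url = f"{BASE_URL}/v3/session/{session_id}/share/"
    headers = {"x-api-key": api_key, "Content-Type": "application/json"}
    resp = send("POST", url, headers, {"target_app_id": target_app_id, "ttl_seconds": ttl_seconds})
    return resp["share_token"], resp["expires_at"]


def import_shared_session(share_token: str, workflow_id: str, trust_review: bool,
                          api_key: str, send: Transport) -> dict:
    """Partner B: exchange the share_token for the verified session (after user consent)."""
    url = f"{BASE_URL}/v3/session/import-shared/"
    headers = {"x-api-key": api_key, "Content-Type": "application/json"}
    return send("POST", url, headers,
                {"share_token": share_token, "workflow_id": workflow_id, "trust_review": trust_review})


def decide_trust_review(source_app: str, trusted_sources: set[str]) -> bool:
    """Partner B policy: accept the sharing partner's review only if that partner is on our allowlist."""
    return source_app in trusted_sources


class FakeDidit:
    """Constructed stand-in for the Didit API. Models only what the article states:
    a share_token that is time-limited and bound to a target application ID."""

    def __init__(self, api_keys: dict[str, str], clock: Callable[[], float] = time.time):
        self.api_keys = api_keys          # api_key -> application ID (assumed auth model)
        self.clock = clock
        self.tokens: dict[str, dict] = {}
        self.sessions = {"sess_A1": {"status": "Approved",                       # constructed
                                     "checks": ["id_verification", "liveness", "face_match"]}}

    def __call__(self, method: str, url: str, headers: dict, body: dict) -> dict:
        caller = self.api_keys.get(headers.get("x-api-key"))
        if caller is None:
            raise PermissionError("unknown API key")
        path = url[len(BASE_URL):]
        if method == "POST" and path.endswith("/share/"):
            session_id = path.split("/")[3]
            if session_id not in self.sessions:
                raise ValueError("unknown session")
            token = secrets.token_urlsafe(32)
            exp = self.clock() + body["ttl_seconds"]
            self.tokens[token] = {"session": session_id, "target": body["target_app_id"], "exp": exp}
            return {"share_token": token, "expires_at": exp}
        if method == "POST" and path == "/v3/session/import-shared/":
            rec = self.tokens.pop(body["share_token"], None)   # single use (assumption), fail closed
            if rec is None or rec["exp"] <= self.clock():
                raise ValueError("share_token unknown, already used or expired")
            if rec["target"] != caller:
                raise PermissionError("share_token was issued for a different application")
            sess = self.sessions[rec["session"]]
            return {"status": "Approved" if body["trust_review"] else "In Review",
                    "workflow_id": body["workflow_id"], "checks": sess["checks"]}
        raise ValueError(f"unexpected {method} {path}")


def run_handoff(send: Transport, trusted_sources: set[str]) -> dict:
    """Whole flow with constructed credentials: A shares, B applies its policy, B imports."""
    token, _ = share_session("sess_A1", "app_B", 600, "key_A", send)
    # The token travels A -> B over a back channel (TLS), not inside a browser URL.
    # B learns the source application out of band along with the token (assumption).
    trust = decide_trust_review("app_A", trusted_sources)
    return import_shared_session(token, "wf_B_onboarding", trust, "key_B", send)


if __name__ == "__main__":
    print(run_handoff(FakeDidit({"key_A": "app_A", "key_B": "app_B"}), {"app_A"}))
```

Two policy choices sit on Partner B's side, not Didit's: the TTL cap enforced before the share call, and the allowlist behind trust_review. Both belong in Partner B's configuration rather than in the code path, so that adding a new sharing partner is a review decision rather than a deploy.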

Security and Compliance in a Reusable KYC World

The security of shared identity data is paramount. Didit's Reusable KYC is designed with enterprise-grade security and compliance at its core:

  • End-to-End Encryption: Verification data is encrypted at rest in the user's Didit ID and in transit between partners and Didit, safeguarding sensitive personal information.
  • Biometric Re-authentication: As mentioned, facial recognition can be required for every reuse, preventing unauthorized access even if a share_token were compromised.
  • Regulatory Compliance: Didit's platform is eIDAS2 compliant and supports various AML/KYC requirements, providing businesses with the necessary tools to meet their regulatory obligations across jurisdictions. This includes features like AML Screening & Monitoring for financial crime prevention.
  • Consent Management: The entire process is built around user consent, giving individuals control over their data sharing preferences, which is crucial for GDPR and other privacy regulations.
  • Audit Trails: A complete audit trail of every sharing and import event is maintained, providing transparency and accountability.

By adhering to these stringent security measures, Didit ensures that businesses can confidently leverage Reusable KYC without compromising data integrity or regulatory standing.

How Didit Helps

Didit simplifies the complex task of integrating Reusable KYC by providing an AI-native, modular identity platform. Our developer-first approach means clean APIs and an instant sandbox for quick integration. Businesses can leverage Didit's Reusable KYC feature to significantly reduce onboarding friction and improve conversion rates. Our platform ensures that verification data, including insights from ID Verification, Passive & Active Liveness, and 1:1 Face Match, is securely managed and shared. Didit's modular architecture allows businesses to compose verification workflows precisely to their needs, while our Free Core KYC offering and pay-per-successful check model, with no setup fees, make advanced identity verification accessible to businesses of all sizes. Didit's commitment to global design and compliance, including eIDAS2 support, ensures that your Reusable KYC strategy is robust and future-proof, allowing users to verify once and use anywhere, with full control over their data.

Ready to Get Started?

Ready to see Didit in action? Get a free demo today.

Start verifying identities for free with Didit's free tier.
