Server SDK
This is a lightweight TypeScript SDK that lets your company act as one or more
Before you begin: You need to be registered as an Unum ID customer, and you need to register at least one issuer or verifier. (You can register zero to many of each, depending on your use case.) You'll receive issuer and verifier API keys to use with this SDK.
note
More detailed but less styled documentation can be found here. This serves as a useful technical reference.
Overview#
The Server SDK uses the UnumDto type to facilitate handling many response body types, while providing a reliable structure to access the result body (and, importantly, the rolling JWT authToken).
Authentication#
Every request detailed below requires a bearer authToken as a first parameter. This is used to authenticate requests to the Unum ID cloud. This auth token is updated on every subsequent function call and should be read via the authToken attribute and persisted accordingly for later requests.
Errors#
Errors returned by the Unum ID cloud will also be wrapped in the UnumDto object so that the potentially updated authToken can be retrieved. Validation errors, which are created prior to any calls to Unum ID, will be of type Error and are thrown. Because in this case a network call is never made, there's no potential new authToken to pass back. For this reason, we recommend wrapping all SDK calls in a try/catch.
Distribution#
This project is open source and publicly published on the official npm registry. For example it can be pulled with:
or
Global Dependencies#
Logging#
The default logs level is info. You can change this to debug for more information (set the environment variable LOG_LEVEL = debug). The logs default to stdout, so you can easily aggregate them from disk using the log provider of your choice.
We use standard NPM log levels. Learn more about these here.
Issuer#
You can use the Server SDK to act as an
Jump to:
registerIssuer#
Register an
An issuer is a role a company can play to issue credentials to subjects (users). An issuer also change credential statuses, for example to revoke credentials.+ More...issuer (corresponding to your customer UUID and issuer API key).
As a customer, you can register as many issuers as you like (or none at all), depending on your use case. Note, however, that you'll need a unique issuer API key for each one.
important
danger
The DID and public keys are nonsensitive, but you should store the private keys securely and never share them.
Parameters#
Response Body: RegisteredIssuer#
issueCredential#
Issue a
A credential is a collection of data about a person. It's issued by a company (i.e. created and sent to a user) and stored in the company's app, on that user's device.+ More...credential to a+ More...subject.
You need to provide:
- your issuer A DID (or decentralized identifier) identifies a participant in the Unum ID ecosystem. A participant is an issuer, subject, or verifier.+ More...DID
- your issuer signing private key
- credential type
- data about the + More...subject
The first two are returned by registerIssuer. The third (credential type) is part of what verifiers use to KYCVerification, issued by ACME Bank. The fourth (data about the subject) can be any valid JSON.
You can optionally provide:
- expiration date
note
An expiration date is not the only control on whether a credential is valid. You can also change the credential's status at any time, for example to revoke it (see revokeCredential).
issueCredential returns a credential id that you should store. You'll need this, for example, if you ever want to revoke the credential. We recommend storing the entire credential, indexed on the credential id. If you only store the credential id, it'll be very difficult to later remember what the id corresponds to.
note
In the full credential object that's returned, there are also id fields within credentialSubject and credentialStatus, but these are different. They refer to the subject
important
The private key never leaves your server. The Server SDK only needs it to perform cryptographic functions on your behalf.
Parameters#
Response Body: Credential#
updateCredentialStatus#
Revoke a
A credential is a collection of data about a person. It's issued by a company (i.e. created and sent to a user) and stored in the company's app, on that user's device.+ More...credential (i.e. make it invalid).
You need to provide the credential id (which issueCredential returns) and a CredentialStatusOptions status. Currently there are only two valid statuses: "valid" and "revoked".
note
As noted in issueCredential, we recommend storing the entire credential, indexed on the credential id. If you only store the credential id, it'll be very difficult to later remember what the id corresponds to.
Parameters#
Response Body: Empty#
If unsuccessful, an exception will be thrown.
Verifier#
You can use the Server SDK to act as an
Jump to:
registerVerifier#
Register a
A verifier is a role a company can play to verify presentations shared by subjects (users). A verifier can also make requests for presentations and send them to subjects.+ More...verifier (corresponding to your customer UUID and verifier API key).
As a customer, you can register as many verifiers as you like (or none at all), depending on your use case. Note, however, that you'll need a unique verifier API key for each one.
important
You need to store the did) and encryption and signing key pairs (keys) that this returns. You'll need these to make requests and verify presentations.
danger
The DID and public keys are nonsensitive, but you should store the private keys securely and never share them.
Parameters#
Response Body: RegisteredVerifier#
sendRequest#
Create a
A request (or presentation request) is a request for a presentation. It's sent by a company to a user, who chooses whether to share a presentation in response.+ More...request to be displayed or sent to a+ More...subject.
You need to provide:
- your verifier A DID (or decentralized identifier) identifies a participant in the Unum ID ecosystem. A participant is an issuer, subject, or verifier.+ More...DID
- your verifier signing private key
- A holder app is an Unum ID enabled mobile app. See also: holder.+ More...holder app UUID
- credential request(s)
The first two are returned by registerVerifier. The third (holder app UUID) identifies the mobile app users will share
The fourth (credential requests) encodes which CredentialRequest objects (defined in the Unum ID generic types project):
If you list multiple
You can optionally provide:
- expiration date
- metadata
important
The private key never leaves your server. The Server SDK only needs it to perform cryptographic functions on your behalf.
Parameters#
Response Body: PresentationRequestResponse#
verifyPresentation#
Verify
A presentation is a set of one or more credentials. It's shared with (or presented to) a company by a user.+ More...presentation shared by+ More...subject.
You need to be able to receive presentations from users and pass them to this function. To do this, you need to create a /presentation endpoint that conforms to our OpenAPI specification. The Unum ID cloud sends encrypted presentations to this endpoint, which should pass those presentations to the verifyPresentation function to be decrypted and verified.
You need to provide:
- your verifier A DID (or decentralized identifier) identifies a participant in the Unum ID ecosystem. A participant is an issuer, subject, or verifier.+ More...DID
- your verifier encryption private key
- encrypted presentation (received at
/presentationendpoint) - (optional, but recommended) presentation request (received at
/presentationendpoint)
The fist two are returned by registerVerifier.
important
Unum ID never has access to sensitive data contained in presentations. The Mobile SDK encrypts each presentation (with your verifier encryption public key) before sending it to us. We have no ability to decrypt the data โ only you do.
note
presentationRequest is optional in order for the server sdk can handle verifying presentations that may not have a corresponding request. However, if presentationRequest is supplied from UnumID's SaaS via the /presentation endpoint, it is strongly recommended that it is provided as it performs additional validation checks on your behalf.
Parameters#
Response Body: DecryptedPresentation#
You can decide what to do with the result of the verification. We recommend that you require that isVerified must be true, but depending on your use case you may want to handle this case differently.
sendSms#
This is a utility function you won't usually need. For most use cases, the Web SDK or a separate service of your choice will handle sending SMS messages. But you can use this function if helpful.
Send an SMS containing a deep link to a
+ More...subject.
Messages you send will (necessarily) be delivered from an Unum ID associated phone number, but this association won't be visible to the user. You can of course use your own SMS sending service if you prefer.
To request a
- create the A request (or presentation request) is a request for a presentation. It's sent by a company to a user, who chooses whether to share a presentation in response.+ More...request object using
sendRequest, which includes a deep link that references the request - send or display the deep link to the user
SMS is one way to send the deep link.
Parameters#
Response Body: Empty#
If unsuccessful, an exception will be thrown.
sendEmail#
This is a utility function you won't usually need. For most use cases, the Web SDK or a separate service of your choice will handle sending emails. But you can use this function if helpful.
Send an email containing a deep link to a
+ More...subject.
Emails you send will be delivered from no-reply@unum.id. You can of course use your own email sending service if you prefer.
To request a
- create the A request (or presentation request) is a request for a presentation. It's sent by a company to a user, who chooses whether to share a presentation in response.+ More...request object using
sendRequest, which includes a deep link that references the request - send or display the deep link to the user
Email is one way to send the deep link.
tip
JSON special characters (like double quotes or backslashes) in the subject or htmlBody fields will need to be escaped with a single backslash (\). For example, "Unum ID rocks!" must be written as \"Unum ID rocks!\".
Parameters#
note
You can only use textBody or htmlBody, not both.
Response Body: Empty#
If unsuccessful, an exception will be thrown.
checkCredentialStatus#
Used to check the status of a credential.
The status attribute of the response is of type CredentialStatusOptions. Currently the only valid status are: verified and revoked.
Parameters