No-ID

Documentation

No-ID API reference

Everything you need to enroll a user with their national eID and authenticate them afterwards. The examples below are illustrative — your real endpoints and fields are provided with your API key.

Getting started

The No-ID API verifies that a real person is who they claim to be using a government-issued electronic ID. The flow is: start an enrollment to get a challenge, have the eID sign it, complete the enrollment (we validate the certificate against the issuing authority's PKI and check revocation), then authenticate the user with a passkey on future visits. All requests use HTTPS and exchange JSON.

The base URL for all examples is https://api.no-id.example/v1.

Authentication

Authenticate every request with your secret API key in the Authorization header. Keep this key on your server — never expose it in client code.

Authorization: Bearer <your_api_key>

Start enrollment

Begin enrollment for a citizen, specifying their country and national ID number. The response returns a one-time challenge for the eID to sign, proving possession of the physical card.

POST /v1/enroll
Authorization: Bearer <your_api_key>
Content-Type: application/json

{ "country": "PE", "national_id": "12345678" }

→ 201 Created
{
  "enrollment_id": "enr_8a1c...",
  "challenge": "b64u_x9..."
}

Complete enrollment

Submit the eID's X.509 certificate and the signed challenge. No-ID validates the certificate chain up to the issuing authority, checks OCSP/CRL revocation, and — on success — issues a device credential and a certified result.

POST /v1/enroll/enr_8a1c.../complete
Authorization: Bearer <your_api_key>

{
  "eid_certificate": "<base64 X.509>",
  "challenge_signature": "<base64 signature>"
}

→ 200 OK
{
  "id": "ver_5d7a...",
  "status": "completed",
  "verified": true,
  "is_real_person": true,
  "assurance_level": 2,
  "credential_id": "cred_3f2c...",
  "certificate_id": "noid_cert_7Hk2..."
}

Authenticate (Level 1)

On future visits, authenticate the user with a WebAuthn passkey or app-bound key — no eID required. For a Level 2 step-up, run enrollment again to force a fresh eID check.

POST /v1/auth
Authorization: Bearer <your_api_key>

{
  "credential_id": "cred_3f2c...",
  "assertion": "<webauthn assertion>"
}

→ 200 OK
{
  "verified": true,
  "assurance_level": 1
}

Response fields

FieldTypeDescription
idstringUnique identifier for the verification or enrollment.
statusstringpending, completed, or expired.
verifiedbooleanWhether the eID was validated and possession proven.
is_real_personbooleanWhether a genuine cardholder completed the check.
assurance_levelnumber1 for a passkey session, 2 for a fresh eID verification.
credential_idstringThe passkey / app-bound credential bound to the device.
certificate_idstringReference to the stored certificate of verification.

Errors

No-ID uses standard HTTP status codes. Error responses include a JSON body with a machine-readable code and a human-readable message.

StatusMeaning
401Unauthorized — missing or invalid API key.
404Not found — the enrollment or credential id does not exist.
409Conflict — the enrollment is still pending.
422Unprocessable — the eID certificate is invalid, expired, or revoked (per the issuing authority/OCSP).
429Too many requests — you have hit a rate limit.