Reusable checks (Yoti keys)

When a user visits a restricted content website, they’re sent to the portal to verify their age. Yoti identifies the content provider, the age requirement, and any criteria specified for the verification. With this information, Yoti create a credential subject that contains the age token and a credential proof that contains a digital signature that proves the credential was issued by Yoti.

Age token

Tokens are flexible and are accepted entirely at the discretion of the integrating party. You can define your own criteria for what type of age tokens you accept, depending on your regulatory requirements.

When the user lands on your site there will be a token request, a check is performed to see if the user has an age claim that matches your requirements.

If a user doesn’t have a token that meets the requirements, they’ll be sent to your age portal to prove their age again.

If a user doesn’t have a token that meets your requirements, they’ll be sent through the age verification process to prove their age again. You will need to add rules to your configuration e.g.

• The maximum time that a token can be considered valid.
• The method of age verification used.
• The type of age recorded (an “Over/Under Age” or date of birth)
• The age threshold a user must fall within.
• The type of liveness check performed.
• The type of authenticity check performed.

To test out the flow of an age token please try this demo. You will need the first tile: Visitor access.

There are two steps that need to take place in order to use age tokens:

• Create age token rule
• Configure yoti_keys method

Create an Age Token rule

By creating an age token rule, you define the exact AV requirements the user should meet from an existing flow.

POST https://age.yoti.com/api/v1/rules

The rule body is a mirror of the payload to Create an AV session. The rule is granular and will only be fulfilled if the AV method, threshold and anti spoofing levels are all met.

Hint It's advised to match your Age Token rule to your create session payload to ensure the user has met your own requirements.

{

  "ttl": 2592000, // value is in seconds, max 30 days

  "type": "OVER",

  "age_estimation": {

    "allowed": true,

    "threshold": 21,

    "level": "PASSIVE"

  },

  "doc_scan": {

    "allowed": true,

    "threshold": 18,

    "authenticity": "AUTO",

    "level": "PASSIVE"

  },

  "digital_id": {

    "allowed": true,

    "threshold": 18

  }

}

The returned Rule ID must be retained as it will be used for all future checks.

Responses

Success responses

statusCode: 201

body: { "id": "<rule id>" }

Error responses

statusCode: 4xx - 5xx

body: { "error_message": "<string>", "error_code": "<string>"}

Configure Yoti Key Method

Now that a rule id has been generated, it can be used in the session creation configuration to understand what conditions the age token needs to satisfy. You will also need to configure the yoti_key method, to enable the age token functionality.

{

    "type": "OVER",

    "age_estimation": {

        "allowed": true,

        "threshold": 21,

        "level": "PASSIVE",

        "retry_limit": 1

    },

    "digital_id": {

        "allowed": true,

        "threshold": 18,

        "level": "NONE",

        "retry_limit": 1

    },

    "doc_scan": {

        "allowed": true,

        "threshold": 18,

        "authenticity": "AUTO",

        "level": "PASSIVE",

        "retry_limit": 1

    },

    "yoti_key": {

      "allowed": true,

      "authentication": true // true for Yoti key, false for Age token

    },

    "rule_id": "your_rule_id",

    "ttl": 900,

    "reference_id": "over_18_example",

    "callback": {

       "auto": true,

       "url": "https://www.yoti.com"

    },

    "notification_url": "https://yourdomain.example/webhook",

    "cancel_url": "https://www.yoti.com",

    "retry_enabled": false,

    "resume_enabled": false,

    "synchronous_checks": true

}