REGISTER

The PrivateID® Session API leverages state-of-the-art, patented homomorphic tokenization and advanced authentication mechanisms to ensure that raw biometric data is never transmitted or stored. All interactions are cryptographically bound using a combination of an API key (for billing only) and robust client credentials (clientID/clientSecret or SLC). This section details the machine-to-machine authentication infrastructure and the REGISTER operation for secure facial biometric enrollment.

Overview

The REGISTER operation is responsible for enrolling a new user’s homomorphic token and optional FIDO Passkey through a secure, on-device process. The procedure entails:

Biometric Capture & On-device Preprocessing:
- The local device captures the user’s facial image using an integrated sensor.
- On-device biometric pre-processing pipeline (e.g., face detection, crop and align, biometric validation and liveness models) isolates and validates the biometric.
Homomorphic Token Generation On-device:
- The biometric data is transformed on-device into a secure, anonymized Homomorphic Token.
- This Homomorphic Token allows for similarity computations on ciphertexts without the possibility to invert, ensuring privacy-preserving matching.
Data Purging:
- All biometric information including the raw biometric input is immediately purged from volatile memory on the local device and never stored or transmitted, minimizing the risk of data leakage. In some cases, customers may return this user selfie in the Webhook to comply with anti-fraud or regulatory requirements.
Optional Token Transmission:
- The anonymized homomorphic token is optionally transmitted to the server for persistent storage.
Session Metadata:
- Additional parameters such as sessionExpiry , deviceInfo , and transactionID can be included to provide context and enforce session limits.

POST/v2/verification-session

Endpoint

  POST /v2/verification-session

Request Body

In addition to the base parameters, we include additional parameters for enhanced session control and device-level auditability:

  {
    "type": "REGISTER",
    "redirectURL": "https://your-app.com/callback",
    "callback": {
      "url": "https://your-api.com/webhook",
      "headers": {
        "authorization": "Bearer YOUR_TOKEN"
      }
    },
    "locale": "en-US",  //optional - your user locale, if known
    "enableDesktop": false,
    "estimateAge": true,    //Returns Facial Age Estimation (FAE) Level 3 Certified by ACCS
    "sendImages": false,
    "enablePasskey": true,               // Enables issuance of a FIDO passkey.
    "verifyPhotoID": true,               // Enforces PhotoID verification.
    "assuranceLevel": ["2", "3"],        // NIST SP 800-63 Identity Assurance Levels.
    "registrationFacialScanMaxAttempts": 5,
    "registrationFacialScanTimeout": 300,
    "sessionExpiry": 3600,               // Session expiry in seconds.
    "transactionID": "txn-abcdef123456", // Client-generated transaction identifier.
    "deviceInfo": {                      // Optional device metadata.
        "os": "iOS 15.0",
        "model": "iPhone 13",
        "resolution": "2532x1170"
    },
    "FallBackAuthEnabled": ["mobile", "barcode", "voice", "palm"],
    "FallBackAuthWithPinEnabled": "Y",
    "debugMode": false,                  // Enable additional logging for troubleshooting.
    "requirements": [                    // Enables usage of different scenarios
      "face",
      "identity_document"
      "passkey",
    ],
  }

Parameter Details

Name
type
Type
(String, Required)
Description
Must be "REGISTER" to denote a face registration operation.
Name
redirectURL
Type
(String, Required)
Description
The URL where the client browser is redirected after successful registration.
Name
callback
Type
(Object, Required)
Description
Contains webhook configuration for asynchronous delivery of verification results.
- Name
  url
  Type
  (String)
  Description
  Endpoint for receiving webhook notifications.
- Name
  headers
  Type
  (Object)
  Description
  Additional headers (e.g., authorization) for securing the callback endpoint.
Name
locale
Type
(String, Required)
Description
Locale context for the session (e.g., "en-US")
Name
enableDesktop
Type
(Boolean, Optional)
Description
If true, desktop-based enrollment is enabled. Default is false. The desktop is not as secure as mobile devices.
Name
sendImages
Type
(Boolean, Optional)
Description
Default is false. If set to true, loudly announces in the UI that their selfie will be shared with your organization, and returns captured user selfie in the webhook payload. Please consult with your counsel before enabling to support anti-fraud or regulatory requirements.
Name
sendImages
Type
(Boolean, Optional)
Description
Default is false. If set to true, loudly announces in the UI that their selfie will be shared with your organization, and returns captured user selfie in the webhook payload. Please consult with your counsel before enabling to support anti-fraud or regulatory requirements.
Name
estimateAge
Type
(Boolean, Optional)
Description
Default is false. If set to true, will do age estimation on the estimateAge
Name
enablePasskey
Type
(Boolean, Optional)
Description
Enables issuance of a FIDO Passkey for enhanced passwordless authentication, up to NIST 800-63 Authentication Assurance Level 2 (AAL2).
Name
verifyPhotoID
Type
(Boolean, Optional)
Description
If enabled, requires the user to register with a validated Photo ID. Supports up to NIST SP 800-63 Identity Assurance Level 2 (IAL2).
Name
assuranceLevel
Type
(Array of Strings, Optional)
Description
Specifies the NIST SP 800-63 Identity Assurance Level (IAL) (e.g., "2", "3") your organization requires the user to try to achieve. The user may sign-in multiple times to attempt to achieve a higher IAL.
Name
registrationFacialScanMaxAttempts
Type
(Number, Optional)
Description
Maximum allowed failed attempts for facial registration. Default == 5.
Name
registrationFacialScanTimeout
Type
(Number, Optional)
Description
Maximum duration (in milliseconds) for completing the registration scan. Default == 3000
Name
sessionExpiry
Type
(Number, Optional)
Description
Specifies the time in milliseconds until the session token expires. Default == 5000.
Name
transactionID
Type
(String, Optional)
Description
A client-generated unique identifier for tracking the transaction. If helpful, provide your unique transaction or correlation ID, and the same ID will be returned in the Webhook.
Name
deviceInfo
Type
(Object, Optional)
Description
Contains metadata about the device used for enrollment, such as operating system, model, and display resolution.
Name
FallBackAuthEnabled
Type
(Array, Optional)
Description
Enumerates alternative authentication methods (e.g., "mobile", "barcode", "voice", "palm","PIN").
Name
debugMode
Type
(Boolean, Optional)
Description
Enables verbose logging for debugging purposes; should be disabled in production.
Name
requirements
Type
(Array, String)
Description
Enables usage of different scenarios. Require face scan, document scan, passkey. To create required flow.

Success Response

A successful registration returns a JSON payload including a unique session identifier and a launch URL for the biometric process:

{
  "launchUrl": "https://verify.privateid.com/start?sessionId=2fbbb4a3-1392-43c4-8d12-f61ff44e4efb",
  "sessionId": "2fbbb4a3-1392-43c4-8d12-f61ff44e4efb"
}

Note: The issuedToken represents the Homomorphic Token, which can be used for subsequent SIGN-IN or VERIFY operations.

Failure Response

{
  "statusCode": 401,
  "message": "Invalid API key"
}

Webhook Response

Success


  {
    "sessionId": "ed36ca71-c1e0-4eaa-a517-a405bc111077",
    "status": "SUCCESS",
    "puid": "NLOaU9FP-RvN7-TAmR-jR9T-nKt75q9L20ad",
    "guid": "wbvH0V3u-tntc-XjWO-Cr8F-ygZHXi6rpu3d",
    "identityInformation": {
        "documentType": "drivers_license",
        "verificationDate": "1743795933839"
    },
    "contactInformation": {
        "email": "test@test.com"
        "phone": "1111111111"
    },
    "message": "here will be the message"
}

Cryptographic Considerations for REGISTER

Homomorphic Tokenization: Private Identity employs homomorphic tokenization to generate deep harmonic embeddings that enable secure, limited search and matching operations on ciphertexts without allowing decryption, thus preserving data confidentiality. This advanced cryptographic architecture centers on generating tokens that are computationally irreversible and collision-resistant through the combined application of preimage resistance, second preimage resistance, and collision resistance. By integrating a time-based salt within an AES256 encryption framework, the system produces non-deterministic, fixed-size outputs (ranging from 1KB to 16KB) with each token generated in as little as 20ms via neural network cryptography. Despite the inherent limitation that no homomorphic token ciphertext is fully IND-CCA secure, extensive research confirms that Private Identity’s embeddings remain opaque, with any inversion or decryption attempts yielding no sensitive information. Further robustness is achieved through the Private ID Edge Encryption Service, which executes immutable, compiled native C++ code and proprietary deep neural networks in an isolated, stack-based virtual machine, reinforced by three additional layers of cryptography to secure backend communications and the entire authentication process. Immediately after token generation, raw biometric data is purged from volatile memory in a "fire and forget" approach, thereby minimizing the risk of residual data exposure.