One endpoint. One API key. Verified credential claims returned in milliseconds. Production-ready in hours — with institutions staying fully in control of decisions.
Drop in one React component. A QR code appears on your page. Your customer scans it in the PASSID app. Proven claims land in your onSuccess callback — automatically. No token copying, no manual steps.
Install @passid/react and drop <PASSIDVerify /> anywhere in your application. Your institution API key is your only configuration. The component handles QR generation, deep-link creation, polling, countdown timer, and all UI states.
qrcode canvas — no third-party image serviceAll endpoints require X-Institution-Key: <your-api-key> unless marked public. Base URL: https://api.passid.io
<PASSIDVerify /> on mount. Returns requestId, code (e.g. AB3X-7YQM), deepLink (passid://verify-request?r=…&i=…), and expiresAt. Body: { institutionName?, permissions?, ttlSeconds? } — TTL defaults to 600 s, max 3600 s.status: "pending" | "completed" | "declined" | "expired". When completed, response includes the full claims object and verifiedAt. Requires institution API key.410 if already expired, fulfilled, or declined.AB3X-7YQM or AB3X7YQM) to the same response as the public request endpoint. Used by the in-app manual code entry screen.{ valid, claims, analytics?, denyReason? }. Used by the SDK's manual entry path and by the institution dashboard "New Verification" screen. Pass Idempotency-Key header — retries never double-verify. Response includes X-PASSID-API-Version: 1.{ token, outcome, productType?, amountUsd?, observationDays?, notes? }. Valid outcomes: repaid · no_default · delinquent · defaulted · fraud_confirmed · account_closed · other. The FSI score at time of verification is captured automatically — you never send it. One outcome per token per institution. Fires outcome.reported webhook.1.0.0), release date, and a full map of all endpoint paths. Use to confirm your integration is on the versioned surface.Idempotency-Key on the verify call to prevent duplicate webhooks.deny_reason string. Only fired when the request carries a valid institution API key.POST /api/bridge/outcome. Payload includes the token, outcome type, product type, amount, and the FSI score that was used at decision time. Use for audit trails and downstream model updates.X-PASSID-Signature: sha256=<hex>. Automatic retries on non-2xx: immediate → 30 s → 5 min → 30 min → 2 h (5 attempts total). Pending deliveries survive server restarts.Use your sandbox API key with the same endpoints. The sandbox returns deterministic results — identical API shape to production, isolated from live data.
POST /api/bridge/verify · { "token": "PASSID-SANDBOX-..." }permissions[] arrayfull_scoreFSI score, tier, confidence interval, p_stableincome_verifiedBoolean + income band (e.g. $3,000–$4,000/mo)identity_verifiedIdentity verification booleansanctions_clearOFAC · EU · UN watchlist check resultpayment_reliability0–1 score: on-time payment consistencysavings_consistency0–100 score: savings balance regularityfraud_risklow · medium · high — synthetic fraud signalPOST /api/bridge/verify with the exact token string — live in the API now.verification.completed, verification.failed, and outcome.reported test events from your institution dashboard → API & Webhooks panel.