Fractal ID documentation
Production client dashboardStaging client dashboard
  • Introduction
  • Getting started
  • KYC levels
  • OAuth 2.0 scopes
  • Production and staging URLs
  • Client dashboard
  • Migration to Kraken
  • User integration
    • User authorization
    • User information retrieval
    • Webhooks
      • Available notifications
      • Delivery
      • Securing webhooks
    • Mobile app integration
    • Embedded Journey Iframe
  • Back-office integration
    • Client authorization
    • Application statistics
  • Legacy Integrations
    • Fractal Credentials API
  • Troubleshooting
    • Common issues
Powered by GitBook
On this page
  • Obtaining an authorization code
  • Authorization allowed
  • Authorization denied
  • Other errors
  • Obtaining an access token
  • Exchange authorization code for access token
  • Refreshing access token
  • Refresh access token

Was this helpful?

  1. User integration

User authorization

PreviousMigration to KrakenNextUser information retrieval

Last updated 5 months ago

Was this helpful?

Fractal ID implements the of the .

This flow can be summarized by the following steps:

  • your application redirects your user to our authorization endpoint, with the KYC level described as a set of scopes;

  • the user fills in their information on Fractal ID;

  • the user gets redirected back to your application (redirect_uri), with a code in its URL parameters (that expires after 10 minutes);

  • your application's backend exchanges the code for an access_token and a refresh_token, using your client credentials;

  • when the access token expires (after 2 hours), you may obtain a new one using the refresh_token and your client credentials;

Obtaining an authorization code

Redirect the user to our authorization endpoint:

https://FRONTEND_DOMAIN/authorize
  ?client_id={your-app-id}
  &redirect_uri={your-redirect-uri}
  &response_type=code
  &scope={desired-scope}
  &state={state-param}
  &ensure_wallet={ensure-wallet-param}

If you want this window to open as a popup, you can use JavaScript's window.open with the above URL like so:

window.open(URL, "fractal", "width=480,height=700,top=150,left=150")

You can send the user to this authorization link as many times as you like (for example, if you didn't obtain an access token for them the first time around). They will be transparently redirected to the redirection URL you set, provided they already authorized your application previously, or shown an authorization screen otherwise.

This request has the following parameters:

Parameter
Required?
Description

client_id

yes

The ID of your app on our system.

redirect_uri

yes

The URL that you want to redirect the person logging in back to. Must be HTTPS.

response_type

yes

code

scope

no

A space-separated list of authorization scopes to request. Defaults to uid:read.

state

yes

ensure_wallet

no

The wallet address you wish the user to input as part of the wallet addon. Note that the user can choose to ignore the suggestion.

Once redirected, the user might have to log into Fractal ID. If so, they'll be presented with a page to that effect.

Once they are logged in, they will be shown an authorization screen, where they're asked whether they're willing to grant your application the requested permissions as requested through the scopes. They will then be redirected back to {your-redirect-uri}.

Authorization allowed

If the user authorizes your application, they will be redirected to:

https://{your-redirect-uri}
  ?code={code}
  &state={state-param}

This request has the following parameters:

Parameter
Description

code

Authorization code to be exchanged for an access token, expiring in 10 minutes.

state

Unchanged state parameter you provided during authorization request.

After the user is redirected, their authorization will only be counted as authorized once this code is exchanged for an access token, as described below.

Authorization denied

If the user refuses authorization, Fractal ID will redirect them to:

https://{your-redirect-uri}
  ?error=access_denied
  &error_description=The+resource+owner+or+authorization+server+denied+the+request.

Other errors

Obtaining an access token

You will then need to exchange the code for an access token. Be sure to do the following on your server, as your client_secret shouldn't be exposed to the client.

If the access token is not fetched, the user's authorization won't be effective, and as such won't increase the count of authorized users.

Exchange authorization code for access token

POST https://AUTH_DOMAIN/oauth/token

Obtained access token expires 2 hours later.

Path Parameters

Name
Type
Description

client_id

string

Your API application ID.

client_secret

string

Your API application secret.

code

string

Authorization code obtained in the previous step.

grant_type

string

authorization_code

redirect_uri

string

The URL that the user was redirected to in the first step (without parameters).

{
  "access_token": "7rgojfemuk-aq8RcA7xWxJQKv6Ux0VWJ1DQtU6178B8",
  "token_type": "bearer",
  "expires_in": 7200,
  "refresh_token": "thPSSHGnk3NGU5vV4V_g-Qrs47RibO9KEEhfKYEgJOw",
  "scope": "uid:read email:read",
  "created_at": 1543585106
}

Note: the list of authorized scopes may be different from the required ones. Default scopes may be added, and the user may deny access to some of them. If you request both institution and person scopes, you will only be granted the ones that match the user type.

Refreshing access token

Fractal ID implements refresh token rotation, which means that every access token refresh request will issue a new refresh token. Previous tokens are invalidated (revoked) only once the access token is used. For refreshed access tokens, the scopes are identical from the previous access token.

Refresh access token

POST https://AUTH_DOMAIN/oauth/token

Path Parameters

Name
Type
Description

client_id

string

Your API application ID.

client_secret

string

Your API application secret

refresh_token

string

Refresh token to be exchanged for an access token for access retrieval.

grant_type

string

refresh_token

{
  "access_token": "bftp_00bxmjiTyCqiptfR_hUDMMcPAZuGg9mylnNM3g",
  "token_type": "bearer",
  "expires_in": 7200,
  "refresh_token": "leZCHE_ZTggSB2wNiUM1Huy0X7ZgYpbLaJ9ZHk-rRas",
  "scope": "uid:read email:read",
  "created_at": 1543586706
}

A value created by you to maintain state between the request and callback. This parameter is and will be passed back to you, unchanged, in your redirect URI.

The request might fail for reasons other than authorization refusal. Please refer to for details.

The user's information and status will still be available through the within the client dashboard.

Please refer to for further details on the fields.

Please refer to for further details on the fields.

authorization code grant
OAuth2 standard
RFC 6749 §4.1.2.1. (Error Response)
RFC 6749 §5.1 (Successful Response)
RFC 6749 §5.1 (Successful Response)
mostly used to prevent CSRF
user explorer