Table des matières
Developer Guide – ID360 Capture
🎯 The ID360 solution allows you to:
- ✅ Manage the identification and authentication of users in your business service.
- 🗂️ (Optional) Collect, store, and verify the authenticity of supporting documents.
- 🎨 Customize a user interface to meet your needs.
🔗 Swagger Access
🔧 Main API Operations
- API Login: This call provides a valid token for 15 minutes, allowing access to other API methods.
- Create a user folder: Returns a folder ID and an API key (api_key), essential for the next steps.
- Data comparison (optional): You may compare expected data with extracted identity data.
- Redirect user to the user interface (UI): Use the API key to redirect the user to their enrollment journey.
- Retrieve report: Retrieve the user's folder report using the folder ID, with status and technical/verification info.
- Retrieve documents: Optionally, retrieve identity and supporting documents submitted by the user.
- Retrieving the idClaim (optional): Only in the case of advanced electronic signature, returns an ASIC-E.
🔧 Additional options and tools
- Run ID360 in a WebView (optional): outside processes offering La Poste Digital Identity
- Interrupt a user folder : To invalidate an identification URL and force the closure of a file in the case of an identification process that has not been started or is incomplete.
📘 To continue reading this guide, you must first create at least one process and one application.
If not already done, we recommend checking the first section of this guide: Getting Started with ID360
1. API Login
1.1 API Login: Authentication
🔧 Requête CURL – Production
curl -X POST "https://id360docaposte.com/api/1.0.0/user/login/" \ -H "accept: application/json" \ -d '{ "username": "string", "password": "string", "token": "string" }'
🔧 Requête CURL – Préproduction
curl -X POST "https://preprod.id360docaposte.com/api/1.0.0/user/login/" \ -H "accept: application/json" \ -d '{ "username": "string", "password": "string", "token": "string" }'
📥 Required Parameters
| Parameter | Required | Details |
|---|---|---|
username | Yes | Login identifier |
password | Yes | Password |
token | No (except for admin) | Unnecessary for `application` accounts. Required only for `admin` accounts with two-factor authentication |
📤 Expected Result (example)
HTTP Status: `200 OK`
Response Body:
{ "token": "0123456789abcdef01234567" }
💬 Notes
- This call must be made by your server, never from the user’s browser.
- The token is valid for 15 minutes. This duration resets on each API call using the token.
- If you use an expired token or no token, you’ll get a `401 Unauthorized` error.
- As long as the token is valid, do not call `/login/` again.
- Use the token in the header of future calls:
Authorization: Token 0123456789abcdef01234567 - The token is made up of 25 characters (fixed length).
1.2 Headers for your API Requests
Essential header for your API calls:
`Authorization` → must contain:
- the prefix `Token`
- a space
- the token value from the login call
Example:
Authorization: Token 0123456789abcdef01234567
Testing via Swagger
To test calls in Swagger:
- Click “Try it out” (top right)
- Enter the token in this format: `Token 0123456789abcdef01234567`
- Then click “Authorize”
You will then be authenticated to run API calls directly from Swagger.
⚠️ 1.3 Token lifespan and refresh – MUST BE IMPLEMENTED ⚠️
The login token is valid for 15 minutes, and its lifespan is reset with every call using the token (*except `logIn` itself*).
If you are not connected or the token is expired, you will receive a 401 Unauthorized for any operation requiring authentication.
🔁 Extending Token Validity
To extend token lifespan, you may call this method every 13 minutes: `/api/1.0.0/user/whoami`
This method:
- Requires no parameters
- Requires an Authorization header:
Authorization: Token 0123456789abcdef01234567
✅ Validity Check
- If the method returns 200 OK, your token is still valid.
- Otherwise, generate a new token via the `logIn` method.
ℹ️ Reminder: integrate this call automatically into your process to avoid repeatedly calling the logIn method, as this may be interpreted by ID360 as abnormal or aggressive behavior.
2. Create a user folder
🔧 CURL Request – Production
curl -X POST \ "https://id360docaposte.com/api/1.0.0/process/{id}/enrollment" \ -H "Authorization: Token 0123456789abcdef01234567"
🔧 CURL Request – Preproduction
curl -X POST \ "https://preprod.id360docaposte.com/api/1.0.0/process/{id}/enrollment" \ -H "Authorization: Token 0123456789abcdef01234567"
🛠 URL Notes
Replace the {id} part with the UUID of a process.
Process objects are configurable via the admin UI (their UUID is displayed there).
📥 Expected Body
{
"browser_callback_url": "https://www.example.com/browser_callback_url",
"client_reference": "any_string",
"callback_endpoints": [{
"url": "https://www.example.com/callback_url1",
"on": ["E","F","C"],
"headers": [{"name": "string", "value": "string"}]
},{
"url": "https://www.example.com/callback_url2",
"on": [],
"headers": [{"name": "string", "value": "string"}]
}],
"last_name": "Users last name",
"first_name": "Users first name",
"email": "Users email",
"address_line_1": "Users address line 1",
"address_line_2": "Users address line 2",
"address_line_3": "Users address line 3",
"zip_code": "Users zip code",
"city": "Users city",
"country": "Users country",
"phone_number": "Users phone number",
"group": "string"
}
📝 Field Details
browser_callback_url: required – URL triggered by the user's browser at the end of the process (used only for redirection purposes).client_reference: optional – Allows linking to an internal identifier from your system. Useful for cross-referencing in case of cancellation or failure.callback_endpoints: required – A callback endpoint enables ID360 to notify your system when an enrollment reaches a specific status (e.g., failure, cancellation, completion), via an HTTP POST request to the URL you provided. Headers are optional and can be used as identification headers when receiving callbacks.last_name, first_name, address_line_1/2/3, zip_code, city, country, phone_number, email: optional – User information is provided for informational purposes only (no validation is performed).group: optional – Allows consumption exports based on user-defined groups.
For more information about callback_endpoints, see this dedicated guide.
📤 Expected Result (example)
HTTP Status: 200 OK
{
"url": "https://www.id360docaposte.com/api/1.0.0/enrollment/{id}",
"id": "{id}",
"process": 1,
"api_key": "0123456789abcdef0123456789abcde",
"browser_callback_url": "yyy",
"client_reference": "any_string",
"status": "NEW",
"reason": null,
"creation_time": "2021-12-17T15:01:49.013906",
"starting_time": null,
"finished_time": null;
"callback_endpoints": [{
"url": "https://dev.webhook.id360docaposte.com/66b905f6-ac91-4a2c-8b1b-752d2393ac3b",
"on": ["E","F","C"],
"headers": [{"name": "string"}]
},{
"url": "https://dev.webhook.id360docaposte.com/66b905f6-ac91-4a2c-8b1b-752d2393ac3b",
"on": [],
"headers": [{"name": "string"}]
}]
}
💬 Notes
- This call must be performed server-side, never from the user's browser.
- ⚠️ It is essential to keep both the enrollment
idand theapi_keyfor the next steps in the process.
3. Data Comparison (optional)
In the process configuration, it is essential to select at least one data field to compare.
To do this, go to the Information Entry block and choose the elements to compare.
🔧 CURL Request – Production
curl -X POST \ "https://id360docaposte.com/api/1.0.0/enrollment/{id}/control/data/{data_name}/?locked=true" \ -H "accept: application/json" \ -H "Authorization: Token 0123456789abcdef01234567"
🔧 CURL Request – Preproduction
curl -X POST \ "https://preprod.id360docaposte.com/api/1.0.0/enrollment/{id}/control/data/{data_name}/?locked=true" \ -H "accept: application/json" \ -H "Authorization: Token 0123456789abcdef01234567"
🛠 Technical Information
{id}: enrollment ID, obtained when creating the user enrollment.{data_name}: name of the data field to be compared.- Examples:
name→ last namefirst_name→ first namebirth_date→ date of birth
- To check the expected data fields, you can query:
https://preprod.id360docaposte.com/api/1.0.0/enrollment/flow/enrollment_info
📥 Parameters
| Parameter | Value | Description |
|---|---|---|
locked | true | Locks the data once submitted (prevents further modification) |
auto | false | The behavior depends on the type of data requested. For the phone_number data, the OTP SMS is triggered upon page load. Otherwise, the OTP code is sent immediately upon the API request. |
📤 Expected Body
The body must simply contain the data to be checked, in plain format (text or simple value).
✅ Expected Result
HTTP Status: 204 No Content
This indicates that the comparison was successfully processed and no response body is returned.
4. Redirecting the User to the UI
This step must be performed directly in the user's browser.
Using the api_key obtained during the user enrollment creation, you can redirect the user to the data entry interface using the following URL:
🌐 Production Environment
https://www.id360docaposte.com/static/process_ui/index.html#/enrollment/api_key_from_previous_step
🧪 Preproduction Environment
https://preprod.id360docaposte.com/static/process_ui/index.html#/enrollment/api_key_from_previous_step
ℹ️ Notes
- This URL must be opened in the end user's browser.
- Replace
api_key_from_previous_stepwith the actual value received when the enrollment was created (fieldapi_keyin the response).
When the user has completed their identification process
A token is appended as a parameter to the redirection URL (browser callback) when the user is redirected. For example:
This token can be used to call the following method:
https://preprod.id360docaposte.com/static/swagger.html#/enrollment/enrollment_status_retrieve
This method retrieves the enrollment associated with the token present in the callback URL. It can only be invoked once per enrollment, after which the token is automatically invalidated.
Note that this is a fingerprint of the enrollment, not a full identification report like the one obtained via the “report” parameter (an example is available in Swagger).
Even if you do not use this token, the enrollment status will still be sent through the callback URL (see next step).
5 Retrieve report
5.1 Retrieving the Report via API
🔧 CURL Request – Production
curl -X GET \ "https://id360docaposte.com/api/1.0.0/enrollment/{id}/report" \ -H "accept: application/json" \ -H "Authorization: Token 0123456789abcdef01234567"
🔧 CURL Request – Preproduction
curl -X GET \ "https://preprod.id360docaposte.com/api/1.0.0/enrollment/{id}/report" \ -H "accept: application/json" \ -H "Authorization: Token 0123456789abcdef01234567"
🛠 Technical Information
{id}: ID of the user enrollment, obtained during its creation.- Parameters: no parameters are required for this request.
✅ Expected Result
HTTP Status: 200 OK
Response format: JSON
💬 Notes
- This call must be made by your server, never from the user's browser.
- The access token is valid for 15 minutes, renewed with each call using the token.
- If the token is missing or expired, a 401 Unauthorized error will be returned.
- As long as your token is valid, you should not reuse the
loginmethod. - The token must be included in the header of subsequent requests as follows:
Authorization: Token the_token_returned_by_login
5.2 Retrieving the Report from the Admin Platform
The report is also available in the console, under the “User Enrollments” tab, for a period of two months. The identifier corresponds to the enrollment ID generated at the end of step 2. By selecting “View details,” you can access the identification report and download the evidence file in JSON format at the bottom of the page.
5.3 Specifics
📄 A Temporary Report
A temporary report is available before the final report is issued.
This report can be retrieved using the allow_draft = true parameter but must not be used in production.
⚠️ The report can only be retrieved after receiving the callback_url indicating the completion of the enrollment process.
Warning: Calling a temporary report may cause slowdowns or blockages for your users.
📄 A Report Issued Less Than 7 Days Ago
Applications and users can retrieve all evidence files via the report method.
- A file with the status:
NEWSTARTEDCANCELED
will return a temporary evidence file when using the draft = true parameter.
📄 A Report Issued More Than 7 Days Ago and Less Than 2 Months Ago
Users can retrieve all finalized evidence files (with a verdict OK or KO) via the report method.
📄 A Report Issued More Than 2 Months Ago and Before the Archiving Expiration Date
Only users can access archived reports via the report/archive method.
- A file with status CANCELED or FAILED is not archived.
- A DELETED file (older than 2 months) is archived only if it had a final status of OK or KO.
👥 Definition: Application vs User
▶️ Retrieval via an application: Login using your *application credentials* (application ID + password defined at creation).
▶️ Retrieval via a user: Login using your *user credentials*:
- Email address
- Personal password
- Two-factor authentication token (2FA)
📄 Retrieving the PDF Report
See the dedicated method: Download the PDF report
6. Retrieving documents
You can use the API to retrieve analyzed identity documents and, if configured, collected documents. This is possible up to 7 days after enrollment.
🔧 CURL Request – Production
curl -X 'GET' \ 'https://id360docaposte.com/api/1.0.0/document/{id_document}/file_contents/?page_number={page_number}' \ -H 'accept: application/octet_stream' \ -H 'Authorization: Token 4550d727f89d76dc0b07917461a16710141d101e0796ec644c'
🔧 CURL Request – Preproduction
curl -X 'GET' \ 'https://preprod.id360docaposte.com/api/1.0.0/document/{id_document}/file_contents/?page_number={page_number}' \ -H 'accept: application/octet_stream' \ -H 'Authorization: Token 4550d727f89d76dc0b07917461a16710141d101e0796ec644c'
📄 Notes
- The document is returned directly in the response.
- To get both front and back of an ID document, call the method twice with a different
page_number:page_number=0→ frontpage_number=1→ back
📁 Example of extraction from a JSON report
"documents": {
"identity": [{
"name": "id_document_image",
"files": [
{ "url": "https://preprod.id360docaposte.com/api/1.0.0/document/354746/file_contents/?page_number=0" },
{ "url": "https://preprod.id360docaposte.com/api/1.0.0/document/354746/file_contents/?page_number=1" }
]
}]
}
- The document ID is
354746. page 0= front /page 1= back
📚 Types of Documents That Can Be Retrieved
| Document Type | JSON Key (name) |
|---|---|
| Identity Document (SVID) | “documents”: { “identity”: [{ “name”: “id_document_image”, “files”: [{“url”: xxxxxxxxxxxxxxx}, {“url”: xxxxxxxxxxxxxxx}]} |
| Identity Document (PVID) | “documents”: {“other”: [{ “name”: “ar24_in_front”, “files”: [{“url”: xxxxxxxxxxxxxxx}], [{ “name”: “ar24_in_back”, “files”: [{“url”: xxxxxxxxxxxxxxx}]} |
| Identity Document with MIE | “documents”: {“identity”: [{ “name”: “idd”, “files”: [{“url”: xxxxxxxxxxxxxxx}]}]} |
| Bank Account Details (RIB) | “documents”: { “bank_details”: [{ “name”: “bank_details_image”, “files”: [{“url”: xxxxxxxxxxxxxxx}]} |
| Tax Notice | “documents”: { “income_tax”: [{ “name”: “income_tax_notice_image”, “files”: [{“url”: xxxxxxxxxxxxxxx}]} |
| Company Registration (KBIS) | “documents”: { “kbis”: [{ “name”: “kbis_image”, “files”: [{“url”: xxxxxxxxxxxxxxx}]} |
| Payslip | “documents”: { “pay_slip”: [{ “name”: “pay_slip_image”, “files”: [{“url”: xxxxxxxxxxxxxxx}]} |
| Property Tax | “documents”: { “property_tax”: [{ “name”: “property_tax_notice_image”, “files”: [{“url”: xxxxxxxxxxxxxxx}]} |
| Selfie / Uploaded Photo | “documents”: { “selfie”: [{ “name”: “selfie_image_upload”, “files”: [{“url”: xxxxxxxxxxxxxxx}]} |
| Selfie / Processed Photo | “documents”: { “selfie”: [{ “name”: “selfie_image”, “files”: [{“url”: xxxxxxxxxxxxxxx}]} |
| Health Insurance Card | “documents”: { “health_insurance_card”: [{ “name”: “health_insurance_card_image”, “files”: [{“url”: xxxxxxxxxxxxxxx}]} |
| Social Security Card | “documents”: { “social_security_card”: [{ “name”: “social_security_card_image”, “files”: [{“url”: xxxxxxxxxxxxxxx}]} |
| Proof of Address | “documents”: { “proof_of_address”: [{ “name”: “proof_of_address_image”, “files”: [{“url”: xxxxxxxxxxxxxxx}]} |
| Car Registration | “documents”: { “car_registration”: [{ “name”: “car_registration_image”, “files”: [{“url”: xxxxxxxxxxxxxxx}]} |
| Liveness | “documents”: { “liveness”: [{“name”: “liveness_video$0”, “files”: [{“url”: “xxxxxxxxxxxxxxx”}]},{“name”: “liveness_video$1”,“files”: [{“url”: “xxxxxxxxxxxxxxx”}]}] |
7. Retrieving the idClaim
🔧 CURL Request – Production
curl -X GET \ "https://id360docaposte.com/api/1.0.0/enrollment/{id}/idclaim" \ -H "accept: application/json" \ -H "Authorization: Token 0123456789abcdef01234567"
🔧 CURL Request – Preproduction
curl -X GET \ "https://preprod.id360docaposte.com/api/1.0.0/enrollment/{id}/idclaim" \ -H "accept: application/json" \ -H "Authorization: Token 0123456789abcdef01234567"
🛠 Technical information
{id}: user file identifier, retrieved when it is created.- Parameters : none expected in this request.
✅ Expected result
HTTP Status : 200 OK
Response format : ASIC-E
💬 Notes
- The connection token is valid for 15 minutes, renewed with each call made using this token.
- If the token is expired or missing, you will receive a 401 Unauthorized error.
- As long as your token remains valid, you must not reuse the
loginmethod. - The token must be used in the header of subsequent calls as follows:
Authorization: Token token_returned_by_login
Conditions for running ID360 in a WebView
The following permissions must be enabled on the application side (Android or iOS):
- Camera access
- Gyroscope access
- File access (for document import)
And also:
- Enable JavaScript
- On Android, initialize the WebView with the activity context (and not the application's global context) to ensure proper functioning of elements such as drop-down menus.
Discontinue an Enrollment
🔧 CURL Request – Production
curl -X GET \ "https://id360docaposte.com/api/1.0.0/enrollment/{id}/control/discontinue" \ -H "Authorization: Token 0123456789abcdef01234567"
🔧 CURL Request – Preproduction
curl -X GET \ "https://preprod.id360docaposte.com/api/1.0.0/enrollment/{id}/control/discontinue" \ -H "Authorization: Token 0123456789abcdef01234567"
🛠 Technical Information
{id}: user enrollment identifier, retrieved during its creation.- Parameters: no parameters are expected in this request.
✅ Expected Result
HTTP Status: 204 No Content
💬 Notes
The enrollment status will be changed to DISCONTINUED.