FAQ

Yes. Unico recommends that all HTTP headers follow the specifications of RFCs 7230 and 7231. Using headers outside these standards can cause integration failures, such as errors 415 (Unsupported Media Type) or 502 (Bad Gateway), because proxies like Apigee may reject or corrupt requests, making it difficult to trace the problem.

Some common errors are:

  • Invalid Content-Encoding value (e.g., utf8 instead of gzip, deflate, br or identity);

  • Header names with spaces, accents or non-ASCII characters;

  • Header values containing control characters (CR, LF, tab);

  • Duplication of headers prohibited by the RFC.

Recommendation: always validate, before sending the request, whether all headers comply with RFCs 7230/7231 to ensure stability and security in communication with Unico services.
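One way to run this check before a request leaves the client, as an added example that is not Unico's code: `validate_headers`, the sample headers and the set of non-repeatable headers are assumptions chosen for illustration.

```python
import re

# RFC 7230 section 3.2.6: a header name is a "token" (no spaces, accents or non-ASCII).
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# The FAQ lists CR, LF and tab as errors; RFC 7230 itself tolerates a tab inside
# a value, so rejecting every control character is the stricter reading.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# Content-Encoding values the FAQ names as valid.
CODINGS = {"gzip", "deflate", "br", "identity"}
# Assumption: illustrative set of non-list headers that must not repeat
# (RFC 7230 section 3.2.2).
SINGLETONS = {"host", "content-type", "content-length", "authorization"}


def validate_headers(headers):
    """Return a list of problems found in a sequence of (name, value) pairs."""
    problems, seen = [], set()
    for name, value in headers:
        key = name.lower()
        if not TOKEN.fullmatch(name):
            problems.append(f"invalid header name: {name!r}")
        if CONTROL.search(value):
            problems.append(f"control character in value of {name!r}")
        if key == "content-encoding":
            bad = [c.strip() for c in value.split(",") if c.strip().lower() not in CODINGS]
            if bad:
                problems.append(f"unsupported Content-Encoding: {bad}")
        if key in SINGLETONS and key in seen:
            problems.append(f"duplicate header: {name}")
        seen.add(key)
    return problems


# Constructed sample request headers (not real traffic).
SAMPLE = [
    ("Content-Type", "application/json"),
    ("Content-Encoding", "utf8"),
    ("X Trace Id", "abc123"),
    ("X-Note", "first\r\nX-Injected: 1"),
    ("Content-Type", "text/plain"),
]

if __name__ == "__main__":
    for problem in validate_headers(SAMPLE):
        print(problem)
```

Rejecting the request locally when the list is non-empty gives a precise error at the client instead of a 415 or 502 from an intermediate proxy.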

Does Unico recommend certificate pinning for integration with its services?

No. Unico does not recommend the practice of certificate pinning or pinning certificate chains. Although pinning “fixes” a specific certificate in the client application, this can cause unavailability when the certificate is replaced — something that occurs periodically for security and maintenance, even when the connection remains secure. In addition, pinning does not significantly increase security and prevents Unico from using modern protection services such as CDN, WAF and attack mitigation. The security of connections with Unico is guaranteed by trusted certificates issued by globally recognized authorities, public auditing via Certificate Transparency and robust authentication standards such as OAuth + JWT, ensuring stability, resilience and security in integrations.

For reasons of security, traceability and access control, it is not allowed to directly embed the By Unico link in an iframe without using the authentication token provided in the response from our API.

The authorized and supported flow requires the use of a CSP token (Content Security Policy) securely generated and tied to the transaction, the user and the context of the request. This token is used to authenticate and load the iframe, ensuring the integrity and security of the journey.

Risks of using direct links (without token):

  • Social engineering and phishing: direct links can be intercepted, tampered with and replicated, allowing the simulation of the legitimate flow on malicious sites.

  • Loss of integrity: the token ensures that the iframe is linked to a legitimate and cryptographically reliable context. Without it, we lose that validation.

  • Lack of traceability: the token allows each session to be recorded and correlated with internal events. Ignoring it compromises the ability to audit and track actions.

  • Security exposure via CSP: opening the iframe directly without token control would require adding all client domains to the CSP policy, which:

    • increases the risk of client enumeration;

    • can exceed the header size limit;

    • or, in the worst case, would force the full opening of the CSP policy, leaving the content vulnerable to being embedded on any site.

The decision to require the authentication token is not only technical, but also strategic and aligned with best security practices.

Can I import my database to be processed by Unico?

Yes, it is possible to import your face database for processing by the Unico IDCloud platform engine. To do this, follow the steps below:

  1. Notify the person responsible for your account about the need to import the database, to ensure proper support for the process;

  2. Request a specific service account for the database import operation;

  3. Authenticate with that service account to obtain the access token required;

  4. Obtain an APIKey with the desired capabilities. Make sure that:

    1. The APIKey is configured to receive images in base64 (and not encrypted);

    2. The import will be performed without returning the Liveness capability.

  5. Make the calls to our API, storing:

    1. The responses of the executed capabilities;

    2. The process IDs generated.

It is essential to store the process IDs, as they are required to use capabilities such as 1:1 Validation.

Does Unico have a TPS / RPM limit?

Yes, Unico adopts, by default, a limit of 10 TPS (transactions per second) per customer. This control is essential to ensure the stability, security and good performance of the platform, especially in DoS (Denial of Service) attack scenarios.

This value is usually contractually agreed, but can be adjusted according to the customer's needs. If you want to increase the TPS limit — either temporarily (for example, during a promotional action or seasonal event) or permanently (due to increased operational volume) — just contact the person responsible for your account and/or project. From there, our team will guide and operationalize the limit increase.

Important: when exceeding the stipulated TPS limit, additional requests will receive the error code 429 (Too Many Requests).

What are the differences between the By Unico and By Client integrations?

by Unico: For companies that want to have a partner manage the user experience with best practices and privacy, in addition to the ease of orchestrating flows with Unico's capabilities and automatic updating of technologies such as SDKs.

With by Unico, we are responsible for managing your end user's entire experience, applying UX design and security best practices, focusing on conversion optimization, while handling all updates and maintenance. It can be used both as a webview or iFrame within your application, and in message flows in an asynchronous operation (via WhatsApp, SMS and/or Email).

by Client: For companies that want to control the user experience with their own frontend, as well as build flows with Unico's capabilities in the backend alongside other technologies and resources used for authentication.

With by Client you have the freedom to create and manage the end user's journey as you prefer, leveraging Unico's capabilities in the backend and integrating other authentication technologies as needed.

What is orchestration?

In the context of the Unico IDCloud platform, orchestration is when, in a biometric enrollment, the Identity Verification capability returns the response "Inconclusive" and then executes the probabilistic validation that the face belongs to the CPF holder using the Risk Score capability.

How can I use by Unico in my operation?

You can use by Unico in your operation in 3 distinct ways:

  • In your mobile application through a Webview;

  • In your web application through an iFrame;

  • In the message flow (WhatsApp, SMS and/or Email).

What customizations are possible in by Unico?

In by Unico it is possible to customize the following items:

  • Logo;

  • CTA background color;

  • CTA text;

  • CTA corner rounding in pixels.

How do document technologies work?

  • Typification works by ensuring that the provided document is indeed that document (validation is done on the document layout; document forensics is not performed);

  • FaceMatch works by comparing the user's selfie face with the face on the document (the return can be true or false);

  • CPF Match works by comparing the CPF number provided in the registration with the CPF that appears on the document (the return can be true or false);

  • OCR Extraction works by extracting the document's data in text format from an image.

Can I use IDCloud manually?

Yes, it is possible to use by Unico manually.

Is the IDUnico API synchronous or asynchronous?

The information return is made available by IDUnico in two ways: Synchronous or Asynchronous. In the API Key configuration you can choose how you want to integrate.

What is the average response time (latency) of the API for an identity verification?

The expected average response time is 3 seconds, but this may vary depending on how the product is used (e.g.: whether liveness is used, whether the API Key is synchronous or asynchronous, among others).

What are the returns in the IDUnico API for me to make decisions to approve or not a CPF/customer?

The API returns will depend on your operation, which may have different IDCloud capabilities. The most common is to have Identity Verification + Risk Score. Considering the most common scenario, the API response will have the following fields:

Do Unico products have Serpro similarity?

Yes, the IDCloud platform offers the Serpro similarity resource, both via by Client and via by Unico. This functionality returns the Serpro similarity percentage, commonly used for payroll loan flows.

Does Unico perform any automatic validation of captured documents? Like document forensics?

No, currently Unico does not perform document forensics. Unico has the following technologies associated with the capture and reuse of documents capability:

  • Typification: we validate if the layout of the sent document is the same as the one informed in the API;

  • OCR data extraction: we extract document data in text format from the submitted image;

  • FaceMatch: we compare the captured selfie face with the face that appears on the provided document;

  • CPF Match: we look in the provided document for the CPF that was sent in the API.

What are the most common error returns in the IDUnico API?

The most common error returns are:

  • 400: generally associated with request errors;

  • 403: generally associated with permission errors;

  • 404: when we cannot find the provided data;

  • 500: server errors and unexpected failures.

What happens if biometric capture fails?

by Unico: with by Unico, if there is a biometric failure, the user can retry within the experience we manage, and we have high conversion numbers.

by Client: with by Client, if there is any error, whether in the request or even when generating the result of the Identity Verification or Risk Score, these errors must be handled as exceptions in the API by you. For this, we advise that you check the possible scenarios and the error codes in our documentation to map all possible scenarios.
