FAQ
Is there any HTTP header standard recommended by Unico?
Yes. Unico recommends that all HTTP headers follow the specifications of RFCs 7230 and 7231. Using headers outside these standards can cause integration failures, such as errors 415 (Unsupported Media Type) or 502 (Bad Gateway), since proxies like Apigee can reject or corrupt requests, making it difficult to trace the problem.
Some common errors are:
Invalid Content-Encoding (e.g.: utf8 instead of gzip, deflate, br or identity);
Header names with spaces, accents or non-ASCII characters;
Header values containing control characters (CR, LF, tab);
Duplication of headers prohibited by the RFC.
Recommendation: always validate, before sending the request, that all headers comply with RFCs 7230/7231 to ensure stability and security in communication with Unico services.
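A pre-send check for the four common errors listed above, as an added example that is not Unico's own code. The set of single-value headers is an assumed subset chosen for illustration, and the sample headers are constructed.

```python
import re

# RFC 7230 section 3.2.6: a header name is a "token" of these ASCII characters.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Content codings the page names as valid for Content-Encoding.
CODINGS = {"gzip", "deflate", "br", "identity"}
# Assumed subset of headers whose value is not a comma-separated list,
# so a sender must not repeat them (RFC 7230 section 3.2.2).
SINGLETONS = {"host", "content-length", "content-type", "authorization"}
# CR, LF, tab and the other C0 control characters plus DEL. RFC 7230 allows
# tab inside a value; it is flagged here because the page lists it as an error.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def validate_headers(headers):
    """Return a list of problems found in a list of (name, value) pairs."""
    problems = []
    seen = set()
    for name, value in headers:
        # fullmatch rejects spaces, accents, non-ASCII and trailing newlines.
        if not TOKEN.fullmatch(name):
            problems.append(f"{name!r}: name is not an RFC 7230 token")
            continue
        key = name.lower()  # header names are case-insensitive
        if key in seen and key in SINGLETONS:
            problems.append(f"{name}: duplicated single-value header")
        seen.add(key)
        if CONTROL.search(value):
            problems.append(f"{name}: value contains a control character")
        if key == "content-encoding":
            for coding in value.split(","):
                if coding.strip().lower() not in CODINGS:
                    problems.append(f"{name}: unknown coding {coding.strip()!r}")
    return problems


# Constructed sample headers; each bad entry matches one error from the list.
SAMPLE = [
    ("Content-Type", "application/json"),
    ("Content-Encoding", "utf8"),
    ("X-Usuário", "ana"),
    ("X-Trace", "abc\r\ndef"),
    ("Content-Type", "text/plain"),
]

if __name__ == "__main__":
    for problem in validate_headers(SAMPLE):
        print(problem)
```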
Does Unico recommend certificate pinning for integration with its services?
No. Unico does not recommend the practice of certificate pinning or pinning certificate chains. Although pinning “fixes” a specific certificate in the client application, this can cause downtime when the certificate is replaced — something that happens periodically for security and maintenance, even if the connection remains secure. Furthermore, pinning does not significantly increase security and prevents Unico from using modern protection services such as CDN, WAF and attack mitigation. The security of connections with Unico is guaranteed by trusted certificates issued by globally recognized authorities, public auditing via Certificate Transparency and robust authentication standards such as OAuth + JWT, ensuring stability, resilience and security in integrations.
Why can’t I use the by Unico link in a regular iframe, without using the token provided in the API?
For reasons of security, traceability and access control, embedding the by Unico link directly in an iframe is not allowed without using the authentication token provided in the response from our API.
The authorized and supported flow requires the use of a CSP token (Content Security Policy) generated securely and tied to the transaction, the user and the context of the request. This token is used to authenticate and load the iframe, ensuring the integrity and security of the journey.
Risks of using direct links (without token):
Social engineering and phishing: direct links can be intercepted, tampered with and replicated, allowing the simulation of the legitimate flow on malicious sites.
Loss of integrity: the token ensures that the iframe is linked to a legitimate and cryptographically trusted context. Without it, we lose that validation.
Lack of traceability: the token allows each session to be recorded and correlated with internal events. Ignoring it compromises the ability to audit and trace actions.
Security exposure via CSP: opening the iframe directly without control by token would require adding all customer domains to the CSP policy, which:
increases the risk of client enumeration;
may exceed the header size limit;
or, in the worst case, would force the full opening of the CSP policy, leaving the content vulnerable to being embedded in any site.
The decision to require the authentication token is not only technical, but also strategic and aligned with best security practices.
Can I import my database to be processed at Unico?
Yes, it is possible to import your faces database for processing by the Unico IDCloud platform engine. To do so, follow the steps below:
Notify the person responsible for your account about the need to import the database, to ensure appropriate support for the process;
Request a specific service account for the database import operation;
Authenticate with that service account to obtain the access token required;
Obtain an APIKey with the desired capabilities. Make sure that:
The APIKey is configured to receive images in base64 (and not encrypted);
The import will be performed without returning the Liveness capability.
Make the calls to our API, storing:
The responses of the executed capabilities;
The process IDs generated.
Does Unico have a TPS / RPM limit?
Yes, Unico adopts, by default, a limit of 10 TPS (transactions per second) per customer. This control is essential to ensure the stability, security and good performance of the platform, especially in DoS (Denial of Service) attack scenarios.
This value is usually contractually agreed, but can be adjusted according to the customer's needs. If you wish to increase the TPS limit — either temporarily (for example, during a promotional action or seasonal event) or permanently (due to an increase in operational volume) — just contact the person responsible for your account and/or project. From there, our team will guide and operationalize the limit increase.
Important: when exceeding the stipulated TPS limit, additional requests will receive the error code 429 (Too Many Requests).
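A client-side pacer that stays within the default 10 TPS and retries on 429, as an added example that is not Unico's own code. The `send` callable is a hypothetical wrapper around the real API call, and the exponential backoff schedule is an assumption, since the page does not specify retry guidance.

```python
import time
from collections import deque


class TpsPacer:
    """Sliding-window limiter: at most `limit` sends in any 1-second window."""

    def __init__(self, limit=10, clock=time.monotonic, sleep=time.sleep):
        self.limit, self.clock, self.sleep = limit, clock, sleep
        self.sent = deque()  # timestamps of sends within the last second

    def wait_turn(self):
        now = self.clock()
        # Forget sends that have left the 1-second window.
        while self.sent and now - self.sent[0] >= 1.0:
            self.sent.popleft()
        if len(self.sent) >= self.limit:
            # Window is full: wait until the oldest send is 1 second old.
            self.sleep(1.0 - (now - self.sent[0]))
            now = self.clock()
            self.sent.popleft()
        self.sent.append(now)


def send_all(items, send, pacer, max_retries=3, backoff=1.0):
    """Call send(item) -> HTTP status for each item, retrying on 429.

    `send` is a hypothetical callable wrapping the real API call.
    Returns {item: final_status}; a final 429 means retries were exhausted.
    """
    results = {}
    for item in items:
        for attempt in range(max_retries + 1):
            pacer.wait_turn()
            status = send(item)
            if status != 429 or attempt == max_retries:
                break
            # Assumed schedule: 1s, 2s, 4s ... before the next attempt.
            pacer.sleep(backoff * 2 ** attempt)
        results[item] = status
    return results
```

The clock and sleep functions are injectable so the pacing logic can be exercised in tests without real waiting.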
What are the differences between By Unico and By Client integrations?
by Unico: For companies that want a partner to manage the user experience with best practices and privacy, in addition to the ease of orchestrating flows with Unico's capabilities and the automatic update of technologies, such as SDKs.
With by Unico, we are responsible for managing your end user's entire experience, applying best UX design and security practices, focusing on conversion optimization, while taking care of all updates and maintenance. It can be used both as a webview or iFrame within your application, and in the messaging flow in an asynchronous operation (via WhatsApp, SMS and/or E-mail).
by Client: For companies that want to control the user experience with their own frontend, as well as build flows with Unico's capabilities in the backend alongside the other technologies and resources used for authentication.
With by Client you have the freedom to create and manage the end user's journey as you prefer, leveraging Unico's capabilities in the backend and integrating other authentication technologies as needed.
What is orchestration?
In the context of the Unico IDCloud platform, orchestration is when, in a biometric registration, the Identity Verification capability returns the response "Inconclusive" and the Risk Score capability then executes the probabilistic validation that the face belongs to the CPF holder.
How can I use by Unico in my operation?
You can use by Unico in your operation in 3 distinct ways:
In your mobile application through a Webview;
In your web application through an iFrame;
In the messaging flow (WhatsApp, SMS and/or E-mail).
What customizations are possible in by Unico?
In by Unico it is possible to customize the following items:
Logo;
Background color of the CTA;
CTA text;
Corner rounding of the CTA in pixels.
How do document technologies work?
Typification works by ensuring that the provided document is indeed that document (the validation is done on the document layout; document inspection/forensics is not performed);
FaceMatch works by comparing the user's selfie face with the face on the document (the return can be true or false);
CPF Match works by comparing the CPF number that was provided in the registration with the CPF that appears on the document (the return can be true or false);
OCR Extraction works by extracting the document data in text format from an image.
Can I use IDCloud manually?
Yes, it is possible to use by Unico manually.
Is the IDUnico API synchronous or asynchronous?
The information return is made available by IDUnico in two ways: Synchronous or Asynchronous. In the API Key configuration you can choose how you want to integrate.
What is the average response time (latency) of the API for an identity verification?
The expected average response time is 3 seconds, but this may vary depending on how the product is used (e.g., if liveness is used, if the API Key is synchronous or asynchronous, among others).
What are the API returns from IDUnico for me to make decisions to approve or not a CPF/customer?
API returns will depend on your operation, which can have different IDCloud capabilities. The most common is to have Identity Verification + Risk Score. Considering the most common scenario, the API response will have the following fields:
{
  "id": "Process_ID",
  "status": process_status,
  "unicoId": {
    "result": "ID_result"
  },
  "liveness": liveness_result,
  "score": score_result
}
Do Unico's products have Serpro similarity?
Yes, the IDCloud platform offers a Serpro similarity feature, both via by Client and via by Unico. This functionality returns the Serpro similarity percentage, commonly used for payroll loan flows.
Does Unico perform any automatic validation of captured documents? Like document forensics?
No, currently Unico does not perform document forensics. Unico has the following technologies associated with the document capture and reuse capability:
Typification: we validate whether the layout of the sent document is the same as the one informed in the API;
OCR data extraction: we extract the document data in text format from the submitted image;
FaceMatch: we compare the captured selfie face with the face that appears on the provided document;
CPF Match: we look in the provided document for the CPF that was sent in the API.
What are the most common error returns in the IDUnico API?
The most common error returns are:
400: generally associated with request errors;
403: generally associated with permission errors;
404: when we cannot find the provided data;
500: server errors and unexpected failures.
What happens if biometric capture fails?
by Unico: if biometric capture fails, the user can retry within the experience we manage, and we have high conversion numbers.
by Client: if there is any error, either in the request or in generating the result of the Identity Verification or Risk Score, you must handle these errors as exceptions in the API. We advise that you review the error codes in our documentation to map all possible scenarios.