1 of 39

English

Introduction

Here you will find the technical information for the Unico IDPay product REST APIs.

Overview

Welcome to the Unico IDPay REST API documentation! On this page, you will find everything you need to know to enhance the security and quality of your applications using our REST API.

Still need help?

Didn't find something or still need help? If you're already a client or partner, you can reach out through our Help Center.

ABOUT IDPAY

Unico ID Pay

Get to know everything about the Unico IDPay product

Unico IDPay is an innovative solution from Unico that combines, in a single verification, both the identification of the shopper and the validation of the credit card's ownership. This approach ensures safer transactions for remote purchases and helps recover sales that could otherwise be lost due to payment inconsistencies.

With IDPay, you ensure that:

The user is live at the moment of the transaction;
The identity matches the credit card holder;
The credit card belongs to the person performing the transaction at your establishment;
- The authorized and validated use of third-party cards is possible.

What's more: you are guaranteed liability protection in case of validation errors (for more details, see the "Chargeback" section).

The operation is simple and efficient: a transaction is created from the credit card number and the cardholder's CPF, and IDPay handles the authentication of that transaction, either through facial biometrics or device metadata authentication.

In addition, IDPay is highly flexible and can be tailored to meet different scenarios and needs. Its platform offers a wide range of features that support various use cases, making it ideal for operations that require precision and security.

For a better understanding of IDPay, follow the suggested sequence in the menu below and explore all the possibilities the product offers:

Still need help?

Didn't find something or still need help? If you're already a client or partner, you can reach out through our Help Center.

Features

In this section, you will find all the features of the Unico IDPay product.

Introduction

Unico IDPay offers a wide range of endpoints, modules, and features, designed to adapt to different scenarios and use cases. Below, we present the key definitions and applications of each feature.

Payment Transactions

The first major feature of IDPay is to validate each transaction made within the establishment, ensuring that the sale can be processed for that user.

Transactions are organized into different modules, each designed to address specific scenarios and varied needs. Explore the available modules and see how each one can be applied to your use case:

Modules

With a subset of validations in transaction creation (Pre)

This module performs some pre-validations with the provided data. The returned status will be: waiting or fast-inconclusive. The link for biometric capture will only be provided if we are able to validate the user's CPF/credit card number.

This option can be used in various scenarios, including:

When the provided identification (e.g., CPF) belongs to the cardholder. This flow does not allow the user to provide a new CPF during validation, so if the provided identification is not consistent with the cardholder, it will negatively impact the approval rate;
When you want to minimize friction (opening the IDPay capture experience) without sacrificing approval, maximizing the approval rate of transactions returned as 'waiting';
When IDPay is at the top of its fraud prevention funnel;
In a 100% integrated solution with capture via Webview or iFrame;
Among others.

With all validations in transaction creation (Super Pre)

This module performs all pre-validations with the provided data. The returned status will be: waiting or fast-inconclusive. The link for biometric capture will only be provided if we are able to validate the user's CPF/credit card number.

This option can be used in various scenarios, including:

When the provided identification (e.g., CPF) belongs to the cardholder. This flow does not allow the user to provide a new CPF during validation, so if the provided identification is inconsistent with the cardholder, it will negatively impact the approval rate;
When you want to minimize friction (opening the IDPay capture experience) with a small loss in approval, maximizing the approval rate of transactions returned as 'waiting';
When IDPay is at the top of its fraud prevention funnel. In a 100% integrated solution with capture via Webview or iFrame;
Among others.

Without validation in transaction creation (Post)

This module does not perform any pre-validation when creating a transaction. The returned status will always be 'waiting', and the link will always be provided for the user to perform the biometric capture.

This option can be used in various scenarios, including:

When the provided identification (e.g., CPF) is not necessarily that of the cardholder (this flow allows the user to provide a new CPF during the capture experience);
When you want to use the IDPay capture experience for all transactions;
Preferably for sales recovery;
Among others.

Credit Card Onboarding

With this functionality, you can onboard your users' credit cards to your digital wallet, ensuring that the card belongs to the correct cardholder.

What differentiates this functionality from Payment Transactions are the endpoints and specific parameters of the REST API, which have been developed to optimally meet the needs of card validation and registration in your solution.

Continue reading with the suggested link below:

Still need help?

Didn't find something or still need help? If you're already a client or partner, you can reach out through our Help Center.

Use Cases

In this section, you will find all the use cases and ways to utilize the Unico IDPay product.

Use Cases

IDPay can be used in various use cases and in many different ways. Below, check out the possible use cases and their correlations.

Checkout

Application

Method of use

Module

Channel

Web

Integrated

Pre / Super Pre

SDK / Redirect

Mobile

Integrated

Pre / Super Pre

Webview

Tips to increase your conversion

Make it clear to your customer that the CPF on the order must match the cardholder's CPF;
Contextualize to your customer that they will be able to perform an identity validation to have their order approved. Messaging focused on security tends to yield higher conversion;
Clearly inform your customer that if they do not complete the identity validation, their order may be declined;
Once the user finishes the identity validation, let them know that the order will still be under review.

Pre-analysis table

Application

Method of use

Module

Channel

Web / Webmobile

Integrated

Pre / Super Pre / Post

"Messages (WhatsApp)"

Web / Webmobile

Manual

Post

"Messages (WhatsApp)"

Tips to increase your conversion

Contextualize your customer by informing them that they will be able to complete an identity validation to have their order approved. Messaging focused on security tends to have higher conversion;
Let your customer know that you are using a partner to ensure their identity (preferably, mention Unico to build trust in the process);
Clearly explain to your customer that if they do not complete the identity validation, their order may be declined;
Send identity validation requests as close as possible to the moment of purchase (this also tends to increase conversion);
After the user finishes the identity validation, inform them that the order will still be under review.

Analysis table tool

Application

Method of use

Module

Channel

Web / Webmobile

Integrated

Pre / Super Pre / Post

"Messages (WhatsApp)

Web / Webmobile

Manual

Post

"Messages (WhatsApp)

Tips to increase your conversion

Contextualize your customer by informing them that they will be able to complete an identity validation to have their order approved. Messaging focused on security typically results in higher conversion;
Let your customer know that you are using a partner to ensure their identity (preferably, mention Unico to build trust in the process);
Clearly explain to your customer that if they do not complete the identity validation, their order may be declined;
Send the identity verification requests as close as possible to the moment of the customer's purchase (this also tends to increase conversion);
After the user finishes the identity validation, inform them that the order will still be under review.

Sales recovery

Application

Method of use

Channel

Web / Webmobile

Integrated

Pre / Super Pre / Post

"Messages (WhatsApp)

Web / Webmobile

Manual

Post

"Messages (WhatsApp)

Tips to increase your conversion

Contextualize your customer by informing them that they will be able to complete an identity validation to have their order approved. Messaging focused on security typically results in higher conversion;
Let your customer know that you are using a partner to ensure their identity (preferably, mention Unico to build trust in the process);
Clearly explain to your customer that if they do not complete the identity validation, their order may be declined;
Send identity validation requests as close as possible to the customer's purchase moment (this also tends to increase conversion);
After the user finishes the identity validation, inform them that the order will still be under review.

Still need help?

Didn't find something or still need help? If you're already a client or partner, you can reach out through our Help Center.

Chargeback

In this section, you will find everything you need to know about Chargebacks.

Introduction

As highlighted in the previous sections, Unico IDPay offers liability guarantee, ensuring maximum accuracy in the validations performed. Unico's Chargeback protection shields you from potential losses in transactions where the cardholder's identity was incorrectly validated by IDPay.

If a transaction validated by IDPay results in an official chargeback process, properly formalized with the acquirer or card network, the IDPay customer may be reimbursed by Unico for the equivalent transaction amount. This guarantee is applicable upon verification, after proper investigation, that there was an error in the validation performed by IDPay and that Unico was responsible for the incorrect decision.

This additional security demonstrates Unico IDPay's commitment to providing reliability and protection in operations carried out with its solution.

Unico IDPay does not provide reimbursements in cases of self-fraud, meaning when the legitimate cardholder makes a purchase and later disputes the transaction.

When to use this option?

When you have received a chargeback request due to fraud and believe that there was an error by IDPay in validating the credit card holder's identity.

What is chargeback?

Chargeback is the process of investigating a dispute of a purchase/transaction made with credit/debit cards on online platforms, which may result in a reversal/cancellation of the purchase/transaction. Chargebacks can be classified into two main categories:

Chargeback due to Commercial Disagreement: When a transaction needs to be canceled due to an issue in the consumer-to-business relationship. Examples: Goods not delivered, defective goods, purchase cancellation, duplicate purchase, service not provided, etc.
Chargeback due to Fraud: When the cardholder claims that they did not make a purchase in their name, initiating a dispute between the parties (who bears the loss).

Chargeback analysis can only be requested in cases of chargeback due to fraud.

Prerequisites for requesting chargeback analysis

Chargeback analysis can only be requested for transactions that meet all of the following conditions:

The transaction must have been approved (status: approved);
The transaction must have been created within the last 90 days;
The transaction must not have been submitted for another chargeback analysis;
The transaction must be of the "credit" type.

Still need help?

Didn't find something or still need help? If you're already a client or partner, you can reach out through our Help Center.

INTEGRATION

Overview

In this section, you will find an overview of the IDPay product integration.

Integration Overview

Authenticate yourself

The first step to using the Unico IDPay product is Authentication. You must have a service account and perform OAuth2 authentication to obtain a valid access token.

Learn more in Authentication

Define at which point in your funnel and how you will use IDPay

Will you use IDPay at the top of your fraud prevention funnel? Then integrate via Webview or SDK in your Checkout;
Will you use IDPay to recover transactions denied by your fraud prevention system? Integrate it into a flow via WhatsApp;
Short on time and/or resources to implement IDPay fully integrated? Use the product manually in your analysis table operation and ensure you recover your sales.

Customize your experience

Before creating transactions for your customer, make sure the IDPay experience reflects your business.

Customize the experience your way: use your logo with your branding, personalize the CTAs, and adjust the colors. Ensure that IDPay speaks the same 'language' as your business ;).

Create a transaction

Will you follow the integrated flow?
- Create a transaction using our APIs;
- Open the IDPay experience in your application or send a WhatsApp message to your customer.
Will you follow the manual flow?
- Create a transaction directly through the portal;
- Send the link to your customer via the channel of your choice.

Check the transaction result

Done. With the transaction completed, check the validation result and decide whether to approve or decline the transaction.

To optimize your integration, you can use Webhook to know when the result of your process is completed.

Still need help?

Didn't find something or still need help? If you're already a client or partner, you can reach out through our Help Center.

Authentication

In this section, you will find all the technical specifications on how to authenticate in order to use the REST APIs of the Unico IDPay product.

To use IDPay, it is necessary to authenticate via access token, using the OAuth2 authentication system.

Unico's OAuth2 authentication system supports server-to-server interaction between a web application and Unico's services.

For this scenario, you will need a service account, which is a non-personal account that belongs to your application and not to an individual user. Your application calls Unico's APIs on behalf of the service account, so users are not directly involved. This scenario is called 'two-legged OAuth' or '2LO'. Typically, an application uses a service account when the application calls Unico's APIs to work with its own data rather than user data.

This is step zero to begin your implementation, so do not skip this stage.

Still need help?

Didn't find something or still need help? If you're already a client or partner, you can reach out through our Help Center.

Creating a Service Account

In this section, you will find how to create a service account to authenticate in the Unico IDPay product.

To use server-to-server interactions, you need to request the creation of a service account by contacting the project manager responsible for your company and sending the following information: company name, application name, name, email, and phone number of the person responsible for the application within the company. Separate accounts must be created for the Testing and Production environments.

Once these details are received, a service account will be created to authenticate your application, and we will send an email for you to generate the key pair for the account.

A service account credential includes a unique account name, a company identifier (Tenant ID), and at least one key pair (public and private). After generating the keys, you will only receive the private key (file .key.pem), as well as the payload that should be used to create the JWT. This payload will have the following format:

If you need the public key to configure it in your system, please contact the project manager responsible for your account. It is also possible to generate a public key using the following openssl command:

openssl req -x509 -new -nodes -sha256 -days 720 \
-key fileName.key.pem -out fileName.cert.pem

Still need help?

Didn't find something or still need help? If you're already a client or partner, you can reach out through our Help Center.

Preparing to make an authenticated request to the API

In this section, you will find how to perform the authentication process for the Unico IDPay product.

After creating and configuring a service account, your application needs to complete the following steps:

Create a JSON Web Token (JWT), which includes the header, payload, and signature;
Request an access token (AccessToken) from the OAuth2 authentication platform;
Handle the JSON response that the authentication platform will return.

If the response includes an access token, you can use it to make requests to Unico's product APIs for which the service account has access permissions. (If the response does not include an access token, your JWT and token request may be incorrect, or the service account may not have the necessary permissions to access the requested resources.)

The access token generated in the request mentioned above has a default validity of 3600 seconds, but this may vary depending on the security configuration set for your company. When the access token expires, your application should generate a new JWT, sign it, and request a new access token from the authentication platform.

1 - Creating the JWT

A JWT consists of three parts: a header, a payload, and a signature. The header and payload are JSON objects. These JSON objects are serialized in UTF-8 and then encoded using Base64url encoding¹. This encoding provides resilience against encoding changes in cases of repeated encoding operations. The header, payload, and signature are concatenated with a period (.) character.

A JWT is composed as follows:

{Header in Base64url}.{Payload in Base64url}.{Signature in Base64url}

The base text for the signature is composed as follows:

{Header in Base64url}.{Payload in Base64url}

1.1 - Forming the JWT Header

The header consists of two fields that specify the signing algorithm and the token format. Both fields are mandatory, and each field has only one value. Service accounts rely on the RSA SHA-256 algorithm and the JWT token format. As a result, the JSON representation of the header is as follows:

{"alg":"RS256","typ":"JWT"}

The Base64url representation is as follows:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9

1.2 - Forming the JWT Payload

The JWT payload contains information about the JWT, including the requested permissions (scopes), the account requesting access, the issuer, the time when the token was issued, and the token's lifetime. Most fields are mandatory. Just like the JWT header, the payload is a JSON object and is used in the composition of the signature.

1.3 - Mandatory Fields

The mandatory fields in the JWT are shown in the table below. They can appear in any order within the payload.

Name

Descrition

iss

The identifier of the service account within the company.

scope

A space-delimited or plus sign (+) list of the permissions the application is requesting. If all permissions of the account are required, use the asterisk (*) symbol for this.

aud

The address of the authentication platform that issues access tokens. This value should always be exactly https://identityhomolog.acesso.io

Common issues that do not work:

Adding a trailing slash at the end of the address:https://identityhomolog.acesso.io/
Using the HTTP protocol instead of HTTPS:http://identityhomolog.acesso.io

exp

The expiration time of the token, specified in seconds since 00:00:00 UTC, January 1, 1970. This value has a maximum duration of 1 hour after the JWT issuance time. It must be numeric. Common issues that do not work:

Using quotes to delimit the value. For example: “1524161193” is a string and will not work. Whereas 1524161193 is a number and will work.

iat

The time of JWT issuance, specified in seconds since 00:00:00 UTC, January 1, 1970. This value must be numeric. Common issue that does not work:

Using quotes to delimit the value. For example: “1524161193” is a string and will not work. However, 1524161193 is a number and will work.

Understand how the conversion works for the issuance (iat) and expiration (exp) fields of the JWT, and also see examples of how to use these field values here. In addition, the 'iat' field must represent the current time in the required format, and the 'exp' field must respect the following calculation:

exp = iat + 3600

The representation of the mandatory JSON fields in the JWT payload is as follows:

{
  "iss": "service_account_name@tenant_id.iam.acesso.io",
  "aud": "https://identityhomolog.acesso.io",
  "scope": "*",
  "exp": 1626296976, // This is just an example. Use the current value generated here.
  "iat": 1626293376 // This is just an example. Use the current value generated here.
}

1.4 - Calculating the Signature

The JSON Web Signature (JWS) specification is the mechanism that guides the calculation of the signature for a JWT. The input content for the signature calculation is the byte array of the following content:

{Header in Base64url}.{Payload in Base64url}

The same algorithm specified in the JWT header must be used for calculating the signature. The only signature algorithm supported by the OAuth2 authentication platform is RSA using SHA-256. It is expressed as RS256 in the alg field of the JWT header.

Sign the UTF-8 representation of the input content using SHA256withRSA (also known as RSASSA-PKCS1-V1_5-SIGN with the SHA-256 hash) with the private key that was created and associated with the service account (the .key.pem file generated from the request received by email). The output content will be a byte array.

The signature then needs to be encoded in Base64url. The header, payload, and signature should be concatenated with a period character. The result is the JWT. It should be as follows:

{Header in Base64url}.{Payload in Base64url}.{Signature in Base64url}

Here is an example of a JWT token before Base64url encoding:

{"alg":"RS256","typ":"JWT"}.
{
  "iss": "service_account_name@tenant_id.iam.acesso.io",
  "aud": "https://identityhomolog.acesso.io",
  "scope": "*",
  "exp": 1626296976, // This is just an example. Use the current value generated here.
  "iat": 1626293376 // This is just an example. Use the current value generated here.
}.
[byte array da assinatura]

Below is an example of the JWT that has been signed and is ready for transmission:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzZXJ2aWNlX2FjY291bnRf
bmFtZUB0ZW5hbnRfaWQuaWFtLmFjZXNzby5pbyIsImF1ZCI6Imh0dHBzOi8vaWRlbnRpdHlob21vbG9nLmFjZXNzby5pbyIsInNjb
3BlIjoiKiIsImV4cCI6MTYyNjI5Njk3NiwiaWF0IjoxNjI2MjkzMzc2fQ.JsymP3NZdgCSqeNlgsOM2
-AQ7M450NxFnZnnaKSu4Q8g12QGEIvvM4EhCokUHfwk5s7pOpm2UD_Ng3Hb5g_wgrjfiVSLWH5Q2wYg1AvfLqo
YSoJWaMHm9KL0kpv32XdDD8TZVR-MVd2VBHmCMVbV6gvk8buUoK1HZDN7g84PaY3bfgcB3RKU-
H55lR8yyJjZxToIv17-wfla2G99uaMEFNGX0ZSE7ETn5Z8-WypmFrNAK0TM58upzvfVI6_-
gY4cj4iQvmRbuvxsAaGiHA2xd0RVm2Mrx-gQtdPqtbZPuQcH7k64Z_EOQBgiGTgVjucyHD6zBijr_P-
2mhIxuecNSw

It is also possible to use pre-established libraries to create the JWT. As a reference, you can find a list of libraries on the jwt.io website.

2 - Making a request for an access token

After generating the signed JWT, an application can use it to request an access token. The access token request is a POST HTTPS request, and the body should be URL encoded. The URL is shown below:

https://identityhomolog.acesso.io/oauth2/token

The following parameters are mandatory in the POST HTTPS request:

Name

Description

grant_type

Use the following text, URL-encoded if necessary: urn:ietf:params:oauth:grant-type:jwt-bearer

assertion

The JWT, including the signature.

POST /oauth2/token HTTP/1.1
Host: identityhomolog.acesso.io
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-
bearer&assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzZXJ2aWNlX2FjY
291bnRfbmFtZUB0ZW5hbnRfaWQuaWFtLmFjZXNzby5pbyIsInN1YiI6InVzZXJfaWRlbnRpZmllciIs
ImF1ZCI6Imh0dHBzOi8vaWRlbnRpdHlob21vbG9nLmFjZXNzby5pbyIsInNjb3BlIjoiKiIsImV4cCI
6MTMyODU1NDM4NSwiaWF0IjoxMzI4NTUwNzg1fQ.TjH-mTtwP6tBB93O1sDPaAA6yUF7N2-HZDlpIPz
bf_dxO8A6KZuRWG8ZnICrxX56qj0HREiMlYy27XJgxowrUa0JHvbqc8HJkT7-6Mh7J67UnubZKG1-hi
6jDtkC9BIXBcOhtkNUfZvZetXjLzsRsSDkqxdMtzYZwkRlocvaxL5QXiQhweeEwK_Ux81Adh3z0EIhT
yl7CKJLJ69PuHS7s9IdrjUl79owipp4LF1FvtMhoe7YIL69ohPgFqSv_-Y9qpPdW6be3OEAyKlOM08S
ZBbHBwW4XMvw3uZjTY1sgJ4cBoxrftDpjYOw34oPOKxirqc5-90uOCYe1O1hRtG45w

3 - Handling the Authentication Platform's Response

If the JWT and the access token request are properly formed, and the service account has the necessary permissions, the authentication platform will return a JSON object containing an access token. Here’s an example of the response from the platform:

{
  "access_token": "<access_token>",
  "token_type": "Bearer",
  "expires_in": "3600"
}

The access token returned in the "access_token" field of the JSON object is also a JWT token that should be used in the APIs of Unico's Products. If an error occurs in the request, you can check the error type in the error table by clicking here.

4 - Duration of the Access Token

The duration of the access token is variable. Its duration is specified in the "expires_in" field, which is returned along with the access token. The same access token should be used throughout its validity for all API calls to the products.

Do not request a new access token until the validity of the current token is nearing its end. We recommend a margin of 600 seconds (10 minutes). To do this, perform the following calculation:

token decodificado:
new Date(token.exp - 600)

Where token.exp is the timestamp of the token's expiration.

By default, the token sent to the company lasts 1 hour, but it can be changed. The recommendation is to always use the expires_in as the base and subtract 600s from it to request a new token.

Examples:

Standard scenario:
expires_in: 3600 (1h) - Token generated at 14:42

Request a new token only at 15:32, that is, 14:42 + (3600 - 600)

Scenario with modified duration:
expires_in: 7200 (2h) - Token generated at 14:42

Request a new token only at 16:32, that is, 14:42 + (7200 - 600)

A new access token can be requested when there are 10 minutes left until expiration.

Do not use a fixed time to obtain a new token, as the duration of the received token may be shorter than the established time, which could cause failures when using the services.

¹ According to RFC 4648 for BaseN encoding, the Base64url format is similar to Base64, except that the '=' character is omitted, and the characters '+' and '/' are replaced by '-' and '_', respectively.
² JSON Web Signature: https://tools.ietf.org/html/rfc7515.

Still need help?

Didn't find something or still need help? If you're already a client or partner, you can reach out through our Help Center.

Additional resources

In this section, you will find additional resources related to authentication.

Example in JavaScript

In this section, you will find an implementation example of the authentication for the Unico IDPay product.

Authentication Errors

In this section, you will find the possible errors that may occur when trying to authenticate with the Unico IDPay product.

The errors returned in the request can be identified by the codes below and have the following structure:

{
  "error": "server_error",
  "error_description": "Falha na autenticação x.x.x"
}

Name

Description

1.0.1

Check if the ID provided in the formation of the "iss" is the correct tenant ID, provided during the generation of the private key¹.

1.0.14

Check with the project manager if the application being used is active.

1.1.1

The "scope" parameter was not provided in the payload of the JWT used in the request.

1.2.4

The JWT used in the request has expired. Check the value provided in the "exp" field of the payload.

1.2.5

The JWT used in the request cannot be validated. Check the provided parameters and make sure it has been signed correctly.

1.2.6

The private key used to sign the JWT in the request is no longer acceptable. Please request new credentials for the account used.

1.2.7

O token jwt utilizado na requisição não é mais aceitável, pois já foi utilizado anteriormente. Gere um novo token para fazer uma nova requisição.

1.2.11

The account used is not active.

1.2.14

The account used does not have the necessary permissions.

1.2.18

The account used has been temporarily locked due to exceeding the number of invalid authentication attempts.

1.2.19

The account used is not authorized to impersonate another user account (remove the "sub" parameter from the payload).

1.2.20 1.2.21

Failed to decode the JWT used in the request. Use a new token by including only the fields specified in the "Mandatory Fields" and "Additional Fields" sections, adhering to the correct naming conventions, semantics, and data types for each field.

1.2.22

The JWT used in the request contains additional fields in the payload that are not allowed. Use a new token by including only the fields specified in the "Mandatory Fields" and "Additional Fields" sections, following the correct naming conventions, semantics, and data types for each field.

1.3.1

The account used has source IP restrictions.

1.3.2

The account used has access date/time restrictions.

Still need help?

Didn't find something or still need help? If you're already a client or partner, you can reach out through our Help Center.

Postman Collection

In this section, you will find the Postman collection for the REST API to authenticate with the Unico IDPay product.

Download the file below, import it into Postman, and replace the values of the parameters "service_account", "tenant_id", and "secret_key" to test the call.

APIs

In this section, you will find everything related to the Unico IDPay APIs.

API Reference

In this section, you will find all the available endpoints for the Unico IDPay product.

Payment transactions

In this section, you will find all the technical specifications of the IDPay product REST APIs for managing payment transactions.

Before you begin

Your API requests are authenticated using an access token. Any request that does not include a valid access token will return an error.

You can learn more about how to generate an access token here.

Endpoints:

Transaction creation

The orderNumber field must be filled with the UNIQUE order number of that purchase in the e-commerce system, and using a distinct transactional ID is incorrect.

It is important to pay attention to this field, as it may negatively impact the user experience in the final flow, causing issues with product usage.

Possible impacts include:

Low Conversion:
- The order number is used to help the end user complete the flow.
API Errors:
- You might encounter errors such as "replicated transaction" if the same order number, BIN, and last4 digits are used.

Note: If the company is configured to reuse transactions with the same data, please refer to the "Transaction Reuse" section.

If the validations determine that biometric capture is not required, the response will have a different status, and a capture link will not be generated, as shown below:

{
    "id": "6ab1771e-dfab-4e47-8316-2452268e5481",
    "status": "fast-inconclusive"
}

This scenario will occur if you use the Pre or Super Pre modules, for cases where you use IDPay in the Checkout, as specified in the Features section.

Reuse of Transactions

It is possible to configure the company to reuse transactions that have the same data, avoiding "replicated transaction" errors. The reuse will occur under the following conditions:

A transaction is being created with the same orderNumber, identity.key, identity.value, company, card.binDigits, card.lastDigits, and value of a previously created transaction.
The previous transaction has not yet exceeded the expiration time configured for the company.

If the transaction to be created and the previous transaction do not meet these conditions, a new transaction will be created. Otherwise, the following are the possible responses:

If the previous transaction is in a final status, such as approved or inconclusive:

{
    // previous transaction information
    "id": "6ab1771e-dfab-4e47-8316-2452268e5481",
    "status": "approved"
}

If the previous transaction is still in an initial status, such as waiting or shared:

{
    // previous transaction information
    "id": "6ab1771e-dfab-4e47-8316-2452268e5481",
    "status": "waiting",
    "link": "https://aces.so/teste",
    "token": "eyJhbGciOiJIUzI1NiIsIn[...]dQssw5c"
}

In this last case, the transaction still in an initial status will have its expiration date recalculated, based on the date of this request.

Transaction status query

To see all possible statuses, refer to the Enumerated section.

To optimize the performance of your application, you can also implement our Webhook to know when to check the transaction status. See more in the Webhook section.

Obtaining the set of evidence for the transaction

The evidence set can only be generated for approved transactions.

The link returned for the evidence set is valid for five minutes after it is obtained. Therefore, it is important that this link is not saved, but rather used to download the evidence set.

Resending the transaction notification

It is also possible to configure the resending of notifications through the portal, without the need to implement it via API. To understand the possibilities, speak with the person responsible for your project.

Transaction cancellation

For a transaction to be canceled, it must be in the initial status (waiting).

To see all possible statuses, refer to the Enumerated section.

Still need help?

Didn't find something or still need help? If you're already a client or partner, you can reach out through our Help Center.

Chargeback

Before you begin

Your API requests are authenticated using an access token. Any request that does not include a valid access token will return an error.

You can learn more about how to generate an access token here.

Endpionts:

UAT: https://transactions.transactional.uat.unico.app/api/public/v1;
Production: https://transactions.transactional.unico.app/api/public/v1. We

Chargeback Analysis Request

Check the status of the chargeback analysis

To see all possible statuses, refer to the Enumerated section.

To optimize your application's performance, you can also implement our Webhook to know when to query the Chargeback status.

Still need help?

Didn't find something or still need help? If you're already a client or partner, you can reach out through our Help Center.

Credit card onboarding

Before you start

Your API requests are authenticated using an access token. Any request that does not include a valid access token will return an error.

You can learn more about how to generate an access token here.

Endpoints:

Credit Card Validation

If the validations determine that biometric capture is not necessary, the response will have a different status, and no capture link will be generated, as shown below:

{
    "id": "6ab1771e-dfab-4e47-8316-2452268e5481",
    "status": "fast-inconclusive"
}

Get the validation status

To view all possible statuses, refer to the Enumerated section.

To optimize your application's performance, you can also implement our Webhook to know when to check the transaction status.

Still need help?

Didn't find something or still need help? If you're already a client or partner, you can reach out through our Help Center.

Errors

In this section, you will find an overview of the errors you may receive from the endpoints of the Unico IDPay product.

Introduction

Unico IDPay uses conventional HTTP response codes to indicate the success or failure of an API request.

As a general rule:

Codes in the 2xx range indicate success with the request.
Codes in the 4xx range indicate incorrect or incomplete parameters (for example, a mandatory parameter was omitted, or an operation failed with third parties, etc.).
Codes in the 5xx range indicate an error on the Unico IDPay product servers.

Unico IDPay also generates an error message and an error code formatted in JSON:

Possible Errors

In this topic, you will find the possible errors for the endpoints, separated by their HTTP response.

Transaction Creation

Transaction status query

Recovery of the evidentiary set of the transaction

Resending the transaction notification

Transaction cancellation

Enumerated

In this section, you will find all the enumerations related to the Unico IDPay product.

Transaction Result

Code

Status type

Description

waiting

Intermediate

Waiting for information to be submitted

processing

Intermediate

In processing

shared

Intermediate

You have shared the capture, and we are waiting for the information to be submitted.

approved

Final

Approved

inconclusive

Final

We were unable to perform a conclusive validation.

expired

Final

Transaction expired

skiped

Final

The person skipped the biometric capture in the flow.

unknown-share

Final

The person marked that they do not recognize that purchase.

fast-inconclusive

Final

We were unable to perform a conclusive validation (pre-approval).

absent-holder

Final

When the cardholder is not present to complete the capture.

canceled

Final

When a transaction was manually canceled.

The development should account for scenarios where new statuses may appear, creating a rule. For example, if a status different from those mentioned in this article appears, follow a manual flow.

Chargeback result

Code

Status type

Description

waiting

Intermediate

Awaiting analysis

analyzing

Intermediate

In the process of analysis

approved

Final

Approved

refused

Final

Rejected

Still need help?

Didn't find something or still need help? If you're already a client or partner, you can reach out through our Help Center.

Webhook

In this section, you will find information about how the Webhook works for the Unico IDPay product.

The GetProcess articles in this documentation describe a way to retrieve the status of a process by calling an endpoint. This allows polling to receive information about the created processes. This means that the endpoint can be called multiple times for the same process to get the most recent status.

By using webhooks, it is possible to notify a specific endpoint every time the status of a process is changed.

What is a webhook?

A webhook is a system notification service that enables asynchronous integration between systems, where one system notifies the other through a trigger. This way, webhooks can keep systems updated with the latest information without the need for constant polling for updates.

How to configure the Webhook

To configure the webhook, the following information is required:

Notification URL: This is the endpoint used by By Unico for notifications about status updates.
Authentication Type: This is the authentication method used to invoke the endpoint. The following options are available:
- Basic Authorization;
- API Key;
- No authentication.
Secret: Indicates a secret used for authentication. The secret is only required when the authentication type is Basic Authorization or API Key:
- For Basic Authentication, it must be sent in the format user:pass.
- For API Key, it can be sent in two formats:
  - header:value, when a specific header name is desired;
  - value, when the desired header is Authorization.
Retry Settings: Indicates the number of retry attempts in case the endpoint call fails:
- Maximum number of attempts;
- Interval between attempts (in seconds);
- Rate Limit: Maximum number of simultaneous submissions (max: 500);
- Timeout: Maximum waiting time for the endpoint response (in seconds).
Status to be notified: You can subscribe to specific statuses to receive notifications. These include:
- approved: Transaction approved;
- processing: Transaction in processing;
- inconclusive: We couldn't perform a conclusive validation;
- shared: Transaction shared, waiting for submission;
- skipped: The person skipped the biometric capture in the flow;
- unknown-share: The person marked that they don’t recognize the purchase;
- absent-holder: The cardholder is not present to perform the capture;
- expired: The person didn’t complete the capture within the established time and the transaction was expired.

About authentication:

The API can be protected by an authentication method such as Basic Authentication or API Key. A list of valid IPs for access can also be defined for additional protection.

Integration with IDPay

By configuring a webhook on the platform, you can receive information about processes through notifications sent to an API endpoint developed by you to receive these updates.

The information sent by the platform to the API includes:

ID: Transaction ID;
Status: Transaction status.Integration with IDPay

Webhook configuration. After sending this information, the expected response should be synchronous.

Requests

The request should be a POST method in a REST API, making it easier and more secure to send the information. All fields should be mandatory. The request body should accept the transaction ID and the status, as shown in the following example:

{
  "id": "8263a268-5388-492a-bca2-28e1ff4a69f0",
  "status": "approved"
}

Response

The response should be synchronous. The status for successful requests should be in the range of 200 to 299. Any other status will be considered a failure, and IDPay will make additional notification attempts (with exponential backoff between them), until receiving a 2xx response or reaching the maximum number of attempts.

Response Status

Currently, we have a set of statuses, but this set may change in the future. Therefore, it is recommended to make configurable the statuses that the client is interested in to take action. For example, if the intention is to take action every time a capture is successfully completed, this currently happens with the status "processing." However, since this could be modified in the future, it is recommended that the status indicating successful capture be configurable in the system, so a future change to the "captured" status can be easily implemented.

Additionally, we recommend having specific actions for specific statuses and a general action in case the status is unrecognized (for example, assuming that anything different from "processing" and "approved" is inconclusive). This is important because new statuses may appear in the future, and it is not expected for the webhook to break due to this.

Important Considerations

Pay attention to the following aspects when developing the API that IDPay will use to notify status changes:

Rate limit

In order to avoid overloading your resources in situations with many transactions, it is possible to specify an upper limit on the number of times the endpoint can be invoked.

Error Rate

The error rate (responses outside the [200, 299] range) should always be kept low. Otherwise, the webhook throughput will be automatically reduced, and this reduction, combined with the retry mechanism, may result in an increased execution time for new webhooks.

Idempotence

The current webhook implementation guarantees at-least-once delivery, so the same status may be notified more than once. Therefore, the endpoint implementation should be done in an idempotent manner.

Fallback

In case of any unavailability in the webhook service, it is recommended to have a fallback method in place so that you can continue retrieving the transaction statuses within the established response time. The endpoint query is described in the "API Reference" section of this documentation.

Still need help?

Didn't find something or still need help? If you're already a client or partner, you can reach out through our Help Center.

Controlling the experience

In this section, you will find all the technical specifications of the SDKs available in the Unico IDPay product.

Overview

In this section, you will find an overview of how the Unico IDPay product SDK works.

Introduction

Unico IDPay offers a simple and fast integration. Currently, we standardize integration in applications (mobile or web) through the use of Webview, SDK, and Redirect. This standard enhances the security of your business and customers, abstracting the complexity of handling the users' device camera and capturing selfies.

In our REST API, we provide methods for generating integration links that can be opened and controlled by the applications.

Generating Data in the API

Before moving on to the integration details in your application or website, it is crucial to start by integrating with our API. In this process, two key points will be used:

Create Transaction (CreateTransaction):
- Make sure to fill in the redirectUrl field, as it will be essential for the integration flow.

After completing this initial step, you will be ready to continue with the integration in your application or website.

It is important to remember that once the entire flow is completed, you will need to obtain the transaction result via our API to ensure the process is properly concluded.

You can use the API in a sandbox environment to test the features without affecting your production environment.

Still need help?

Didn't find something or still need help? If you're already a client or partner, you can reach out through our Help Center.

Requirements

In this section, you will find all the requirements to use the Unico IDPay product.

To use the Unico IDPay product, there are some prerequisites, which are as follows:

iOS: From version 11.0 (if opened in WebView, iOS 13 and above).
Android: From version 5.1 (if opened in WebView, Android 8 and above).
Desktop: No specific version or OS requirements.

The capture frame provided through the SDK is compatible with the following combinations of browsers and operating systems:

Operating System

Chrome

Firefox

Safari

Samsung Internet

Opera

Edge

Windows (desktop)

N/A

Android

N/A

iOS

N/A

MacOS (desktop)

N/A

In general, the SDK supports WebRTC and the latest versions of the browsers listed above. For compatibility and security reasons, functionality in very old versions of these browsers is not guaranteed.

Still need help?

Didn't find something or still need help? If you're already a client or partner, you can reach out through our Help Center.

Mobile

In this section, you will find how to control the IDPay experience through webviews, separated by their respective frameworks.

Android

In this section, you will find how to implement the webview on Android for using the Unico IDPay product.

For the Android use case, using a Webview is recommended. After creating the transaction and obtaining the transaction link, the following implementation is recommended:

In your regular flow (where IDPay is integrated), you will open the Webview with the link generated via API.
You can customize how this opening works in the way that best fits your application.
You will monitor if there is a URL change (to the redirectUrl) and then close the Webview.

Opening a Webview is quite simple:

import android.webkit.PermissionRequest
import android.webkit.WebChromeClient
import android.webkit.WebView
import android.webkit.WebViewClient

@SuppressLint("SetJavaScriptEnabled")
override fun onCreate(savedInstanceState: Bundle?) {
    super.onCreate(savedInstanceState)
    setContentView(R.layout.activity_camera)

    findViewById<WebView>(R.id.webView).apply {
        settings.javaScriptEnabled = true
        settings.domStorageEnabled = true
        settings.mediaPlaybackRequiresUserGesture = false
        clearCache(true)
        webViewClient = myWebViewClient
        webChromeClient = object : WebChromeClient() {
            override fun onPermissionRequest(request: PermissionRequest?) {
                request?.grant(request.resources)
            }
        }
        loadUrl("<URL_TO_LOAD>")
    }
}

To control when it is necessary to close the Webview, it can be done as follows:

private val myWebViewClient = object : WebViewClient() {
    override fun shouldOverrideUrlLoading(
        view: WebView?,
        request: WebResourceRequest?
    ): Boolean {
        if (request?.url.toString() == "<URL_TO_OBSERVER>") {
            // close here your webview
        }
        return super.shouldOverrideUrlLoading(view, request)
    }
}

To do this, it is necessary to enable permissions in the Android Manifest:

<uses-feature android:name="android.hardware.camera" android:required="false"/>
<uses-permission android:name="android.permission.CAMERA"/>

Example of how it should look in the app:

It is necessary to have some permissions to function correctly, such as:

Camera
Geolocation

Still need help?

Didn't find something or still need help? If you're already a client or partner, you can reach out through our Help Center.

Flutter

In this section, you will find how to implement the webview in Flutter for using the Unico IDPay product.

For the use case using Flutter, it is recommended to use inappwebview.

After creating the transaction and obtaining the transaction link, the following implementation is recommended:

In your common flow (which includes IDPay), you will open the inappwebview with the link generated via the API;
You can customize this opening as needed for your application;
You will monitor if the URL changes (to the redirectUrl) and then close the inappwebview;

To open an inappwebview and control URL changes, you can do it as follows:

  import 'package:flutter_inappwebview/flutter_inappwebview.dart';  
  import 'package:unico_poc_id_pay_inappwebview/RedirectScreen.dart';
  import 'package:unico_poc_id_pay_inappwebview/service.dart';

  Widget setWebView(String URL_TO_LOAD) {
    InAppWebViewGroupOptions options = InAppWebViewGroupOptions(
        crossPlatform: InAppWebViewOptions(
          useShouldOverrideUrlLoading: true,
          mediaPlaybackRequiresUserGesture: false,
        ),
        android: AndroidInAppWebViewOptions(
          useHybridComposition: true,
        ),
        ios: IOSInAppWebViewOptions(
          allowsInlineMediaPlayback: true,
        ));

    return Expanded(
      child: InAppWebView(
        initialUrlRequest: URLRequest(
          url: Uri.parse(URL_TO_LOAD),
        ),
        initialOptions: options,
        androidOnPermissionRequest: (controller, origin, resources) async {
          return PermissionRequestResponse(
              resources: resources,
              action: PermissionRequestResponseAction.GRANT);
        },
        onWebViewCreated: (controller) {
          setState(() {
            _inAppWebViewController = controller;
          });
        },
        onLoadStart: (controller, url) {
          print('CARREGANDO');
          setState(() {
            _link = url.toString();
          });
        },
        onProgressChanged: (controller, progress) {
          setState(() {
            progress == 100 ? _isLoading = false : _isLoading = true;
          });
        },
        onLoadStop: (controller, url) {
          print('CARREGADO');
          setState(() {
            _link = url.toString();
          });
        },
        shouldOverrideUrlLoading: (controller, navigationAction) async {
          var uri = navigationAction.request.url;
          if (uri == Uri.parse("<URL_TO_OBSERVER>")) {
            setState(() {
              _link = "";
            });

            Navigator.push(
              context,
              MaterialPageRoute(
                builder: (context) => const RedirectSreen(),
              ),
            );
            return NavigationActionPolicy.CANCEL;
          }
          return NavigationActionPolicy.ALLOW;
        },
      ),
    );
  }

To obtain camera permission, you can do it as follows:

  import 'package:permission_handler/permission_handler.dart';

  void requestPermission() async {
    var status = await Permission.camera.status;
    if (status.isDenied) {
      if (await Permission.camera.request().isGranted) {
        print("ok");
      }
    }
  }

To obtain camera permission, you can do it as follows:

The following permissions are required for proper functioning, such as:

Camera
Geolocation

For more information, we recommend reading the following articles and documentation:

To access the official documentation, click here.

Still need help?

Didn't find something or still need help? If you're already a client or partner, you can reach out through our Help Center.

iOS

In this section, you will find how to implement the webview on iOS for using the Unico IDPay product.

WKWebView

In this section, you will find how to implement the webview on iOS using WKWebView.

For the iOS usage scenario, using WKWebView is one of the recommended approaches.

After creating the transaction and obtaining the transaction link, the following implementation is recommended:

In your common flow (which includes IDPay), you will open the WKWebView with the link generated via the API;
You can customize this opening as needed for your app;
You will monitor if the URL has changed (to the redirectUrl) and then close the WKWebView.

Opening a WKWebView is quite simple:

import UIKit
import WebKit
import SafariServices

var webView: WKWebView!

override func viewDidLoad() {
    super.viewDidLoad()
    // Do any additional setup after loading the view.
    self.view.backgroundColor = .white
}

@IBAction func open(_ sender: Any) {
    createWKWebViewFull()
}

func createWKWebViewFull() {
    webView = WKWebView(frame: self.view.bounds, configuration: getWKWebViewConfiguration())
    webView.navigationDelegate = self
    view.addSubview(webView)
    self.loadUrl()
}

func loadUrl() {
    if let url = URL(string:"<URL_TO_LOAD>") {
        webView.load(URLRequest(url: url))
        webView.allowsBackForwardNavigationGestures = true
    }
}

private func getWKWebViewConfiguration() -> WKWebViewConfiguration {
    let config = WKWebViewConfiguration()
    config.allowsInlineMediaPlayback = true
    config.mediaTypesRequiringUserActionForPlayback = []

    return config
}

To control when to close the WKWebView, this can be done as follows:

func webView(_ webView: WKWebView, didCommit navigation: WKNavigation!) {
    if let currentURL = webView.url {
        print("URL changed to: \(currentURL.absoluteString)")
        if currentURL.absoluteString == "<URL_TO_OBSERVER>" {
            closeWebView()
        }
    }
}

@objc func closeWebView() {
    DispatchQueue.main.asyncAfter(deadline: .now() + 0.1) {
        self.webView.removeFromSuperview()
    }
}

Example of how it should look in the app:

It is necessary to have some permissions to function correctly, such as:

Camera
Geolocation

To learn more, we recommend reading the following articles and documentation:

To access the official documentation, click here.

Still need help?

Didn't find something or still need help? If you're already a client or partner, you can reach out through our Help Center.

ASWebAuthenticationSession

In this section, you will find how to implement the webview in iOS using ASWebAuthenticationSession.

For iOS usage, using ASWebAuthenticationSession is one of the recommended approaches.

After creating the transaction and obtaining the transaction link, the following implementation is recommended:

In your regular flow (which includes IDPay), you will open the ASWebAuthenticationSession with the link generated via API.
You can customize this opening in the way that works best for your app.
You will monitor if the URL has changed (to the redirectUrl) and then close the page.

To make the flow work, you need to follow the following steps:

Step 1: Create the Payment Authentication Controller

The first step is to create the payment authentication controller. To do this, create a class called IDPayAuthenticationController (or any name you prefer).

Next, import the AuthenticationServices framework at the top of the class.

Declare the class as NSObject and implement the ASWebAuthenticationPresentationContextProviding protocol.

The result should be:

import AuthenticationServices

class IDPayAuthenticationController: NSObject, ASWebAuthenticationPresentationContextProviding {
    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
           if let windowScene = UIApplication.shared.connectedScenes.first as? UIWindowScene {
               if let mainWindow = windowScene.windows.first {
                   return mainWindow
               }
           }
           return ASPresentationAnchor()
       }
}

Step 2: Implement Authentication

Open the file where you will perform the authentication and add the necessary imports (in our example, we are doing this in ContentView.swift).

import SwiftUI
import AuthenticationServices

To control the authentication state, we will create a @State property.

@State private var isAuthenticated = false

Create an instance of the IDPayAuthenticationController class outside the body of the ContentView structure.

let idPayController = IDPayAuthenticationController()

To validate the payment, create a function called authenticatePayment.

func authenticatePayment() {
    guard let url = URL(string: "URL_AUTHENTICATION") else { return }

    var session: ASWebAuthenticationSession?
    session = ASWebAuthenticationSession(url: url, callbackURLScheme: "BUNDLE") { callbackURL, error in
        guard callbackURL != nil else {
            if let error = error {
                return print("Erro durante a autenticação: \(error.localizedDescription)")
            }
            return
        }

        // Processa o URL de callback para verificar se a autenticação foi bem-sucedida
        session?.cancel()
        isAuthenticated = true
    }

    session?.presentationContextProvider = idPayController
    session?.prefersEphemeralWebBrowserSession = true
    session?.start()
}

Remember to change the URL_AUTHENTICATION to the authentication URL received in your transaction and also the callbackURLScheme BUNDLE to the redirect provided when creating your transaction (we recommend using the Bundle Identifier of your app).

It is important to set prefersEphemeralWebBrowserSession to true to ensure a unique authentication per transaction.

Example of how it should look in the app:

Some permissions are required for it to work properly, such as:

Camera;
Geolocation.

For more information, we recommend reading the following articles and documentation:

To access the official documentation, click here.

Still need help?

Didn't find something or still need help? If you're already a client or partner, you can reach out through our Help Center.

Web

In this section, you will find how to implement iFrame and Redirect in your web application for using the Unico IDPay product.

SDK

In this section, you will find how to implement the Unico SDK in your web application for using the Unico IDPay product.

For web usage, the recommended approach is to use the Unico SDK for the following reasons:

Higher security;
Integrated experience with your flow;
Higher conversion rate when using the SDK;
Easier implementation.

The use of integrations that do not comply with the standards established in this documentation may result in unexpected disruptions in the system's functionality, which will not be covered or supported by IDPay.

For example: Implementing the Unico by iFrame within a webview, implementing the iFrame through an HTML tag, etc.

How to get started

To use IDPay through the Unico IDPay SDK, the first step is to register the domains that will be used as hosts to display the user journey experience.

Notify the person responsible for your integration project or the Unico support team to make this configuration.

To begin using the SDK, we should start with the installation of the Unico web SDK:

Available Methods

init(options)

This method allows the SDK to be initialized, regardless of a transaction ID, making the end-user experience smoother. This is because when the transaction ID and token become available, the application will already have been pre-loaded through this method. If this method is not called directly by the application, the end user will experience a long load time when the SDK is opened for the first time.

Parameters:

options
- Receives an object with configuration properties:
  - type
    The type of flow that will be initialized. Currently, we offer two types of flows (REDIRECT and IFRAME). For new applications, we recommend using the IFRAME type, which makes the end-user experience much smoother and with less friction, as it avoids the need to leave the checkout screen, and the experience can be preloaded.

open({ transactionId, token, onFinish? })

This method opens the IDPay experience according to the flow type chosen previously in the initialization function. For the REDIRECT flow, this function performs a simple redirect to the IDPay capture flow route. For the IFRAME flow, this function displays the pre-loaded iframe and starts the messaging flow between the customer's page and the IDPay experience.

Parameters:

options
- Receives an object with configuration properties:
  - transactionId
    Receives the ID of the created transaction. This ID is important to obtain the transaction details and complete the flow correctly (it can be obtained during transaction creation via the API).
  - token
    Receives the token for the created transaction. This token is important to authenticate the transaction and ensure that only authorized domains use it (it can be obtained during transaction creation via the API).
  - optional onFinish(transaction, type)
    Receives a callback function that will be executed at the end of the IDPay capture flow, passing two arguments:
    The transaction object with the following data: { captureConcluded, concluded, id }
    The response type, which can be FINISH for cases where the flow was completed successfully, or ERROR for cases where the flow was interrupted by an error¹.

[1] In cases of an error in the flow, the transaction status will not be changed, and a callback via webhook, if configured, will not be triggered.

Security

After careful analysis of the needs and challenges we face, we decided to adopt a solution based on iFrames with authentication tokens instead of implementing a Content Security Policy (CSP). This decision was driven by several considerations related to security and the flexibility required to meet our clients' demands.

Context and Challenges with CSP

The Content Security Policy (CSP) is a powerful tool to protect web applications against various types of attacks, such as Cross-Site Scripting (XSS) and code injection. However, when configuring a CSP policy, it is necessary to define a strict list of trusted domains. This approach works well when domains are fixed and predictable. However, for our clients who often use dynamic and variable domains, this rigid configuration presents significant challenges.

Vulnerability with Dynamic Domains

Dynamic domains pose a substantial security risk when using CSP. When a client has domains that change frequently or are created dynamically, it would be necessary to constantly update the CSP policy to include these new domains. This not only increases the maintenance effort but also exposes the domains that the CSP policy applies to. Each domain added to the CSP policy is potentially a point of vulnerability if not properly managed.

Solution with iFrame and Auth Token

To mitigate these risks and meet the flexibility required by our clients, we opted to use iFrames combined with authentication tokens. This solution provides an additional layer of security and eliminates the need to expose or manage an extensive and dynamic list of domains.

How It Works

Secure Authentication: Each iframe is loaded with a unique authentication token for each transaction, ensuring that only authorized users can access the content. This token is verified in real-time, providing an additional layer of security and control.
Content Isolation: The use of iFrames allows content to be isolated in a separate context, reducing the risk of interference between different origins and mitigating potential attacks.
Flexibility for Dynamic Domains: By not relying on a static CSP policy, our solution easily adapts to clients' dynamic domains without the need for constant updates to security policies.

Redirect (deprecated)

In this section, you will learn how to implement Redirect in your web application for using the Unico IDPay product.

This method of controlling the web experience is being deprecated. For better conversion of IDPay in your application, follow the method outlined in the "SDK" section.

The web version offers the option to use the redirect model, but the iframe model is the most recommended.

1) Using window.open()

When creating the transaction, the redirectUrl field was passed as a parameter, which will be used later. You can use this option.

The window.open() option consists of opening a new browser tab for the user to complete the capture flow. Once done, the tab will close and redirect back to the previously visited site. We recommend:

Follow the public documentation on this, which can be found here;
Monitor if the URL has changed (to the redirectUrl), and then close the tab using window.close().

2) Using redirect

When creating the transaction, the redirectUrl field was passed as a parameter, which will be used later. You need to follow these steps:

In your regular flow (where IDPay is integrated), you will redirect the customer to the link generated via the API;
After this, the customer within the IDPay webpage will complete the necessary steps to continue the flow;
Once completed, they will be redirected back to your page (using the redirectUrl passed when creating the transaction).

Still need help?

Didn't find something or still need help? If you're already a client or partner, you can reach out through our Help Center.

Customizations

In this section, you will find all the available customizations for the Unico IDPay product.

Logo Customization

It is possible to customize the logo displayed to the end user, as shown in the image below:

To request the inclusion of this logo, you need to send the Unico team an image in .PNG format, with a size of 56x56px.

Button Color and Shape Customization

Throughout the implementation process, it is possible to request the configuration of the color and shape of the buttons in the IDPay interface, according to the company’s visual identity, as shown in the images below:

To configure this, simply send the following information to the Unico team:

Hexadecimal color code for the button's background.
- Example: #000000.
Hexadecimal color code for the button’s text.
- Example: #ffffff.
Button corner rounding in pixels.
- Example: 10px.

Still need help?

Didn't find something or still need help? If you're already a client or partner, you can reach out through our Help Center.

HELP & FAQ

FAQ

Frequently asked questions about the Unico IDPay:

Click here to access the IDPay FAQ;
Click here to access the Unico general FAQ.

Still need help?

Didn't find something or still need help? If you're already a client or partner, you can reach out through our Help Center.

Best communication practices

How to communicate identity validation via IDPay to the consumer?

We know that biometric validation performed by a third-party provider can raise doubts and friction with your end users. Therefore, it is important to provide transparency about this process and offer proper support to ensure good results for your operation. Below, you'll find a series of tips that can assist you in this communication:

Communicate that a partner company (preferably mention Unico) may contact the user via SMS, email, or WhatsApp requesting a photo of their face for facial biometric validation.
Inform that, in some cases, they will need to confirm their CPF number, which is used to verify the digital identity of the credit card holder.
Explain that the identity validation is specific to the credit card holder to ensure consent for using the card.
Warn the consumer not to provide any personal information or photos via email, SMS, or WhatsApp. The entire validation flow occurs within the link sent.
Notify/train the customer service team to handle any questions or concerns from the consumer.
Include a section in your FAQ page detailing this validation process.
Provide the link to our help center:

Still need help?

Didn't find something or still need help? If you're already a client or partner, you can reach out through our .

const fs = require('fs') const path = require('path') const jwt = require('jsonwebtoken') const request = require('request') // settings const basePath = 'https://identityhomolog.acesso.io' // entry point let options = { serviceAccount: 'svcapp1', tenant: "9ea3c3bd-4447-4c3b-ae2e-504b795d3733" } requestAnAccessToken(createServiceAccountToken(options), (err, accessToken) => { let payload = jwt.decode(accessToken.access_token) console.log('Response:') console.log(' Access Token: ', accessToken.access_token) console.log(' ID: ', payload.jti) console.log(' Issuer: ', payload.iss) console.log(' Subject: ', payload.sub) console.log(' expires_in: ', accessToken.expires_in) console.log(' Expiration Date: ', new Date(payload.exp)) console.log(' Creation Date: ', new Date(payload.iat)) }) // functions function createServiceAccountToken({tenant, serviceAccount, account = ''}) { // Reads the service account private key let privateKey = fs.readFileSync(path.resolve(`${serviceAccount}.key.pem`)) // Prepare the request let payload = { iss: `${serviceAccount}@${tenant}.iam.acesso.io`, aud: basePath, scope: '*', exp: Math.floor(Date.now() / 1000) + 3600, iat: Math.floor(Date.now() / 1000) } // Service account is requesting an access token for another user? if (account) { payload.sub = account } // Create JWS return jwt.sign(payload, privateKey, { algorithm: 'RS256' }) } function requestAnAccessToken(serviceToken, callback) { // Prepare the request let options = { method: 'POST', url: `${basePath}/oauth2/token`, headers: {'content-type': 'application/x-www-form-urlencoded'}, form: { grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer' , assertion: serviceToken } } console.log('Requesting Access Token with self created token:' ) console.log('', serviceToken) // Ask identity and authorization server for an access token request(options, (error, response, body) => { if (error) { callback(new Error(error)) } body = JSON.parse(body) if (body.error) { callback(new Error(`${body.error}: ${body.error_description}`)) } callback(null, body) }) }

Preparing to make an authenticated request to the API

In this section, you will find how to perform the authentication process for the Unico IDPay product.

After creating and configuring a service account, your application needs to complete the following steps:

Create a JSON Web Token (JWT), which includes the header, payload, and signature;
Request an access token (AccessToken) from the OAuth2 authentication platform;
Handle the JSON response that the authentication platform will return.

1 - Creating the JWT

A JWT is composed as follows:

{Header in Base64url}.{Payload in Base64url}.{Signature in Base64url}

The base text for the signature is composed as follows:

{Header in Base64url}.{Payload in Base64url}

1.1 - Forming the JWT Header

{"alg":"RS256","typ":"JWT"}

The Base64url representation is as follows:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9

1.2 - Forming the JWT Payload

1.3 - Mandatory Fields

The mandatory fields in the JWT are shown in the table below. They can appear in any order within the payload.

Name

Descrition

iss

The identifier of the service account within the company.

scope

A space-delimited or plus sign (+) list of the permissions the application is requesting. If all permissions of the account are required, use the asterisk (*) symbol for this.

aud

The address of the authentication platform that issues access tokens. This value should always be exactly https://identityhomolog.acesso.io

Common issues that do not work:

Adding a trailing slash at the end of the address:https://identityhomolog.acesso.io/
Using the HTTP protocol instead of HTTPS:http://identityhomolog.acesso.io

exp

Using quotes to delimit the value. For example: “1524161193” is a string and will not work. Whereas 1524161193 is a number and will work.

iat

The time of JWT issuance, specified in seconds since 00:00:00 UTC, January 1, 1970. This value must be numeric. Common issue that does not work:

Using quotes to delimit the value. For example: “1524161193” is a string and will not work. However, 1524161193 is a number and will work.

exp = iat + 3600

The representation of the mandatory JSON fields in the JWT payload is as follows:

{
  "iss": "service_account_name@tenant_id.iam.acesso.io",
  "aud": "https://identityhomolog.acesso.io",
  "scope": "*",
  "exp": 1626296976, // This is just an example. Use the current value generated here.
  "iat": 1626293376 // This is just an example. Use the current value generated here.
}

1.4 - Calculating the Signature

{Header in Base64url}.{Payload in Base64url}

The signature then needs to be encoded in Base64url. The header, payload, and signature should be concatenated with a period character. The result is the JWT. It should be as follows:

{Header in Base64url}.{Payload in Base64url}.{Signature in Base64url}

Here is an example of a JWT token before Base64url encoding:

{"alg":"RS256","typ":"JWT"}.
{
  "iss": "service_account_name@tenant_id.iam.acesso.io",
  "aud": "https://identityhomolog.acesso.io",
  "scope": "*",
  "exp": 1626296976, // This is just an example. Use the current value generated here.
  "iat": 1626293376 // This is just an example. Use the current value generated here.
}.
[byte array da assinatura]

Below is an example of the JWT that has been signed and is ready for transmission:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzZXJ2aWNlX2FjY291bnRf
bmFtZUB0ZW5hbnRfaWQuaWFtLmFjZXNzby5pbyIsImF1ZCI6Imh0dHBzOi8vaWRlbnRpdHlob21vbG9nLmFjZXNzby5pbyIsInNjb
3BlIjoiKiIsImV4cCI6MTYyNjI5Njk3NiwiaWF0IjoxNjI2MjkzMzc2fQ.JsymP3NZdgCSqeNlgsOM2
-AQ7M450NxFnZnnaKSu4Q8g12QGEIvvM4EhCokUHfwk5s7pOpm2UD_Ng3Hb5g_wgrjfiVSLWH5Q2wYg1AvfLqo
YSoJWaMHm9KL0kpv32XdDD8TZVR-MVd2VBHmCMVbV6gvk8buUoK1HZDN7g84PaY3bfgcB3RKU-
H55lR8yyJjZxToIv17-wfla2G99uaMEFNGX0ZSE7ETn5Z8-WypmFrNAK0TM58upzvfVI6_-
gY4cj4iQvmRbuvxsAaGiHA2xd0RVm2Mrx-gQtdPqtbZPuQcH7k64Z_EOQBgiGTgVjucyHD6zBijr_P-
2mhIxuecNSw

It is also possible to use pre-established libraries to create the JWT. As a reference, you can find a list of libraries on the jwt.io website.

2 - Making a request for an access token

After generating the signed JWT, an application can use it to request an access token. The access token request is a POST HTTPS request, and the body should be URL encoded. The URL is shown below:

https://identityhomolog.acesso.io/oauth2/token

The following parameters are mandatory in the POST HTTPS request:

Name

Description

grant_type

Use the following text, URL-encoded if necessary: urn:ietf:params:oauth:grant-type:jwt-bearer

assertion

The JWT, including the signature.

POST /oauth2/token HTTP/1.1
Host: identityhomolog.acesso.io
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-
bearer&assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzZXJ2aWNlX2FjY
291bnRfbmFtZUB0ZW5hbnRfaWQuaWFtLmFjZXNzby5pbyIsInN1YiI6InVzZXJfaWRlbnRpZmllciIs
ImF1ZCI6Imh0dHBzOi8vaWRlbnRpdHlob21vbG9nLmFjZXNzby5pbyIsInNjb3BlIjoiKiIsImV4cCI
6MTMyODU1NDM4NSwiaWF0IjoxMzI4NTUwNzg1fQ.TjH-mTtwP6tBB93O1sDPaAA6yUF7N2-HZDlpIPz
bf_dxO8A6KZuRWG8ZnICrxX56qj0HREiMlYy27XJgxowrUa0JHvbqc8HJkT7-6Mh7J67UnubZKG1-hi
6jDtkC9BIXBcOhtkNUfZvZetXjLzsRsSDkqxdMtzYZwkRlocvaxL5QXiQhweeEwK_Ux81Adh3z0EIhT
yl7CKJLJ69PuHS7s9IdrjUl79owipp4LF1FvtMhoe7YIL69ohPgFqSv_-Y9qpPdW6be3OEAyKlOM08S
ZBbHBwW4XMvw3uZjTY1sgJ4cBoxrftDpjYOw34oPOKxirqc5-90uOCYe1O1hRtG45w

3 - Handling the Authentication Platform's Response

{
  "access_token": "<access_token>",
  "token_type": "Bearer",
  "expires_in": "3600"
}

4 - Duration of the Access Token

Do not request a new access token until the validity of the current token is nearing its end. We recommend a margin of 600 seconds (10 minutes). To do this, perform the following calculation:

token decodificado:
new Date(token.exp - 600)

Where token.exp is the timestamp of the token's expiration.

By default, the token sent to the company lasts 1 hour, but it can be changed. The recommendation is to always use the expires_in as the base and subtract 600s from it to request a new token.

Examples:

Standard scenario:
expires_in: 3600 (1h) - Token generated at 14:42

Request a new token only at 15:32, that is, 14:42 + (3600 - 600)

Scenario with modified duration:
expires_in: 7200 (2h) - Token generated at 14:42

Request a new token only at 16:32, that is, 14:42 + (7200 - 600)

A new access token can be requested when there are 10 minutes left until expiration.

Do not use a fixed time to obtain a new token, as the duration of the received token may be shorter than the established time, which could cause failures when using the services.

¹ According to RFC 4648 for BaseN encoding, the Base64url format is similar to Base64, except that the '=' character is omitted, and the characters '+' and '/' are replaced by '-' and '_', respectively.
² JSON Web Signature: https://tools.ietf.org/html/rfc7515.

Still need help?

Didn't find something or still need help? If you're already a client or partner, you can reach out through our Help Center.

const response = await fetch('https://transactions.transactional.uat.unico.app/api/public/v1/wallet/transactions/pre-approved', { method: 'POST', headers: { "Authorization": "text", "Content-Type": "application/json" }, body: JSON.stringify({ "identity": { "key": "cpf", "value": "12345678909" }, "orderNumber": 123456, "company": "7873959b-f7b2-4b81-8b0e-4ce178e64daf", "card": { "binDigits": "12345678", "lastDigits": "7890", "name": "João da Silva" } }), }); const data = await response.json();

Transaction created successfully.

Body

idstring

Created transaction ID.

Example: "6ab1771e-dfab-4e47-8316-2452268e5481"

statusstring

Current transaction status.

Example: "waiting"

linkstring

Link associated with the transaction.

Example: "https://aces.so/test"

tokenstring

Signed token containing the necessary parameters to initialize Unico IDPay's web SDK.

Example: "eyJhbGciOiJIUzI1NiIsInR5cC[...]Ok6yJV_adQssw5c"

Notification sent successfully.

Unique ID of the generated notification.

Example: "b50ee24c-71eb-4a5d-ade1-41c48b44c240"

Generated link for the notification.

Example: "https://aces.so/example"

Transaction successfully created.

ID of the created transaction.

Link related to the transaction.

Signed token containing the necessary parameters to initialize Unico IDPay web SDK.

English

Introduction

Overview

Read more

ABOUT IDPAY

Unico ID Pay

Features

Introduction

Payment Transactions

Modules

With a subset of validations in transaction creation (Pre)​

With all validations in transaction creation (Super Pre)

Without validation in transaction creation (Post)

Credit Card Onboarding

Use Cases

Use Cases

Checkout

Pre-analysis table

Analysis table tool

Sales recovery

Chargeback

Introduction

When to use this option?

What is chargeback?

Prerequisites for requesting chargeback analysis

INTEGRATION

Overview

Integration Overview

Authenticate yourself

Define at which point in your funnel and how you will use IDPay

Customize your experience

Create a transaction

Check the transaction result

Authentication

Still need help?​

Creating a Service Account

Still need help?​

Preparing to make an authenticated request to the API

1 - Creating the JWT

1.1 - Forming the JWT Header

1.2 - Forming the JWT Payload

1.3 - Mandatory Fields

1.4 - Calculating the Signature

2 - Making a request for an access token

3 - Handling the Authentication Platform's Response

4 - Duration of the Access Token

Still need help?​

Additional resources

Example in JavaScript

Authentication Errors

Still need help?​

Postman Collection

APIs

API Reference

Payment transactions

Before you begin

Transaction creation

Reuse of Transactions

Transaction status query

Obtaining the set of evidence for the transaction

Resending the transaction notification

Transaction cancellation

Still need help?​

Chargeback

Before you begin

Chargeback Analysis Request

Check the status of the chargeback analysis

Still need help?​

Credit card onboarding

Before you start

Credit Card Validation

Get the validation status

Still need help?​

Errors

Introduction

Possible Errors

Transaction Creation

Transaction status query

Recovery of the evidentiary set of the transaction

Resending the transaction notification

With a subset of validations in transaction creation (Pre)

Still need help?

Still need help?

Still need help?

Still need help?

Still need help?

Still need help?

Still need help?

Still need help?

Still need help?

Still need help?

Still need help?

Still need help?

Still need help?

Still need help?

Still need help?

Still need help?

Still need help?

With a subset of validations in transaction creation (Pre)