BWS Token Web API Documentation

GET https://{bws-instance}{app-id}&bcid={BCID}

Requests a BWS token to be used for authorization with most of the other BWS Web APIs. The issued token will be assigned to the specified user and has a very short lifetime, i.e. it expires after about ten minutes as it is typically only used for one biometric task like verification or enrollment (including retries).

Request Information


Required. The App-ID of the registered BWS Client App calling the API.
Required. The Biometric Class ID (BCID) of the person for whom the token shall be issued, i.e. the user that is going to perform a biometric task using this token.
Optional, defaults to verify. A string that specifies the task the issued token shall be used for: Currently the tasks verify (default), identify and enroll are defined. Tokens created for the task verify are intended to be used together with the Verification Web API, identify-tokens are used with the Identification Web API and enroll-tokens with the Enrollment Web API. With all kind of tokens access to the Upload Web API is allowed of course.
Optional, defaults to 3. An non-zero integer value up to 15 that specifies the maximum number of tries an application or a user is allowed to perform with the issued token. The default is 3 attempts.
Optional, defaults to true. A boolean parameter to switch off live data detection. When set to true (the default), live-detection is required and the intended task shall fail, as soon as it cannot undoubtedly determine that the given data is live data. When set to false, live data detection is not required.
Optional, defaults to false. A boolean parameter only interpreted if live-detection is switched on: if set to true, the challenge-response mechanism is activated, i.e. additionally to the standard liveness detection the user has to respond according to the challenges provided by the system.
Optional, defaults to false. A boolean parameter used in conjunction with the verify task that if set to true and the verification succeeded it allows to automatically enroll the uploaded samples. This ensures, that the biometric template of the person is automatically adapted and always assembled from current samples. When set to false (the default), no automatic enrollment will be performed.


This API call requires Basic Authentication, i.e. you have to provide an HTTP authorization header using the authorization method Basic and the base64 encoded string App-ID:App-Secret (therefore the transport is secured using TLS/SSL). To receive the necessary BWS Web API access data (App-ID and App-Secret) you have to register your application on the BWS Management Portal first. This requires a valid BWS subscription.

Response Information

The Token Web API returns a string containing the issued BWS token.

The BWS uses a JSON Web Token (JWT) to represent the issued claims as a JSON object. The object is encoded as JSON Web Signature (JWS) which means that the claims are digitally signed (HMACed) and finally base64url encoded.

Response Body Format

Sample Token:


Decoded sample token:


Claims encoded in a BWS token:

A unique identifier for the issued token.
The issuer of the token (typically BWS).
The audience for this token, i.e. the URL of the BWS instance that accepts this token.
The token is not accepted before this timestamp.
The expiration time on after which the token is not accepted any more.
The Biomatric Class ID of the user the token belongs to.
The BWS client that requested the token.
The application that requested the token.
The task this token is issued for. This is the logical combination of various flags that describe the task this token is intended to be used for.
An optional array (max tries) of string arrays that shall be used to challenge the user during the recording of face images.

Possible values encoded into the 'task'-claim:

Verify (0)
The token is intended to be used for verification.
Identify (0x10)
The token is intended to be used for identification.
Enroll (0x20)
The token is intended to be used for enrollment.
MaxTriesMask (0x0F)
These four bits are used to encode the number of maximum tries a user is allowed to perform.
LiveDetection (0x100)
Liveness detection is required.
ChallengeResponse (0x200)
Challenge-response is required (the 'challenge'-claim is available).
AutoEnroll (0x1000)
Automatic enrollment is switched on.

Response HTTP Status Codes

Return values of API calls are standard HTTP status codes. With the success code (200) you receive the issued BWS token in the body text. With error codes a Message field within the body text describing the error is returned. The most commonly return codes are:

200 OK
The response body contains the issued BWS token string.
400 Bad Request
An invalid BCID has been specified.
401 Unauthorized
No or an invalid authentication header has been specified, Basic Authentication is required.
403 Forbidden
Access has been denied (typically due to a wrong or invalid app-id or BCID).
500 Internal Server Error
A server side exception occurred.

Sample code

C# sample code to request a BWS token with .NET 4.5:
var httpClient = new HttpClient(); 
// requires Basic Authentication
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", 
// call the BWS Token Web API at
var response = await httpClient.GetAsync(
// the issued token is in the response body
string token = await response.Content.ReadAsStringAsync();