BWS Token Web API Documentation

GET https://{bws-instance}.bioid.com/extension/token?id={app-id}&bcid={BCID}

Requests a BWS token to be used for authorization with most of the other BWS Web APIs. The issued token will be assigned to the specified user and has a very short lifetime, i.e. it expires after about ten minutes as it is typically only used for one biometric task like verification or enrollment (including retries).

Request Information

Parameters

id
Required. The App-ID of the registered BWS Client App calling the API.
bcid
Required. The Biometric Class ID (BCID) of the person for whom the token shall be issued, i.e. the user that is going to perform a biometric task using this token.
task
Optional, defaults to verify. A string that specifies the task the issued token shall be used for: Currently the tasks verify (default), identify and enroll are defined. Tokens created for the task verify are intended to be used together with the Verification Web API, identify-tokens are used with the Identification Web API and enroll-tokens with the Enrollment Web API. With all kind of tokens access to the Upload Web API is allowed of course.
maxtries
Optional, defaults to 3. An non-zero integer value up to 15 that specifies the maximum number of tries an application or a user is allowed to perform with the issued token. The default is 3 attempts.
livedetection
Optional, defaults to true. A boolean parameter to switch off live data detection. When set to true (the default), live-detection is required and the intended task shall fail, as soon as it cannot undoubtedly determine that the given data is live data. When set to false, live data detection is not required.
challenge
Optional, defaults to false. A boolean parameter only interpreted if live-detection is switched on: if set to true, the challenge-response mechanism is activated, i.e. additionally to the standard liveness detection the user has to respond according to the challenges provided by the system.
autoenroll
Optional, defaults to false. A boolean parameter used in conjunction with the verify task that if set to true and the verification succeeded it allows to automatically enroll the uploaded samples. This ensures, that the biometric template of the person is automatically adapted and always assembled from current samples. When set to false (the default), no automatic enrollment will be performed.

Authentication

This API call requires Basic Authentication, i.e. you have to provide an HTTP authorization header using the authorization method Basic and the base64 encoded string App-ID:App-Secret (therefore the transport is secured using TLS/SSL). To receive the necessary BWS Web API access data (App-ID and App-Secret) you have to register your application on the BWS Management Portal first. This requires a valid BWS subscription.

Response Information

The Token Web API returns a string containing the issued BWS token.

The BWS uses a JSON Web Token (JWT) to represent the issued claims as a JSON object. The object is encoded as JSON Web Signature (JWS) which means that the claims are digitally signed (HMACed) and finally base64url encoded.

Response Body Format

Sample Token:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbmlkIjoiYmY3NWYyZGItMjhhNi00Y2UwLThmNzQtYWY4OTVhNjliYjczIiwiY2xudCI6IkJpb0lEIiwiYXBwIjoiMTI3MDUwMzk2LjkxNjkuYXBwLmJpb2lkLmNvbSIsImJjaWQiOiJiaW9pZC80Mi8xMjM0NSIsInRhc2siOjc3MSwiY2hhbGxlbmdlIjoiW1tcImRvd25cIixcInVwXCIsXCJyaWdodFwiXSxbXCJyaWdodFwiLFwibGVmdFwiLFwidXBcIl0sW1wicmlnaHRcIixcImxlZnRcIixcImRvd25cIl1dIiwiaXNzIjoiQldTIiwiYXVkIjoiaHR0cHM6Ly9id3MuYmlvaWQuY29tIiwiZXhwIjoxNDY3MjcwNzMyLCJuYmYiOjE0NjcyNzAxMzJ9.y3rNv1xpPVSQpDAq5L7-xE2nhAhhrycjiolAyUOMp-o

Decoded sample token:

Header
{"typ":"JWT","alg":"HS256"}
Claims
{"tokenid":"bf75f2db-28a6-4ce0-8f74-af895a69bb73","clnt":"BioID","app":"127050396.9169.app.bioid.com","bcid":"bioid/42/12345","task":771,"challenge":"[[\"down\",\"up\",\"right\"],[\"right\",\"left\",\"up\"],[\"right\",\"left\",\"down\"]]","iss":"BWS","aud":"https://bws.bioid.com","exp":1467270732,"nbf":1467270132}
Signature
0xcb7acdbf5c693d5490a4302ae4befec44da7840861af27238a8940c9438ca7ea

Claims encoded in a BWS token:

tokenid
A unique identifier for the issued token.
iss
The issuer of the token (typically BWS).
aud
The audience for this token, i.e. the URL of the BWS instance that accepts this token.
nbf
The token is not accepted before this timestamp.
exp
The expiration time on after which the token is not accepted any more.
bcid
The Biomatric Class ID of the user the token belongs to.
clnt
The BWS client that requested the token.
app
The application that requested the token.
task
The task this token is issued for. This is the logical combination of various flags that describe the task this token is intended to be used for.
challenge
An optional array (max tries) of string arrays that shall be used to challenge the user during the recording of face images.

Possible values encoded into the 'task'-claim:

Verify (0)
The token is intended to be used for verification.
Identify (0x10)
The token is intended to be used for identification.
Enroll (0x20)
The token is intended to be used for enrollment.
MaxTriesMask (0x0F)
These four bits are used to encode the number of maximum tries a user is allowed to perform.
LiveDetection (0x100)
Liveness detection is required.
ChallengeResponse (0x200)
Challenge-response is required (the 'challenge'-claim is available).
AutoEnroll (0x1000)
Automatic enrollment is switched on.

Response HTTP Status Codes

Return values of API calls are standard HTTP status codes. With the success code (200) you receive the issued BWS token in the body text. With error codes a Message field within the body text describing the error is returned. The most commonly return codes are:

200 OK
The response body contains the issued BWS token string.
400 Bad Request
An invalid BCID has been specified.
401 Unauthorized
No or an invalid authentication header has been specified, Basic Authentication is required.
403 Forbidden
Access has been denied (typically due to a wrong or invalid app-id or BCID).
500 Internal Server Error
A server side exception occurred.

Sample code

C# sample code to request a BWS token with .NET 4.5:
var httpClient = new HttpClient(); 
// requires Basic Authentication
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", 
    Convert.ToBase64String(Encoding.GetEncoding("iso-8859-1").GetBytes("sample.app.bioid.com:Sample-App-Secret")));
// call the BWS Token Web API at bws.bioid.com
var response = await httpClient.GetAsync(
    "https://bws.bioid.com/extension/token?id=sample.app.bioid.com&bcid=bioid.9876.12345");
// the issued token is in the response body
string token = await response.Content.ReadAsStringAsync();