AADHAAR AUTHENTICATION API
AADHAAR authentication service will be exposed as stateless service over HTTPS with mutual SSL authentication (server and client certificate validation). Usage of HTTP allows any device such as computer, mobile phone, micro-ATM devices, and PoS systems to communicate over broadband, GPRS, and similar communication channels.
To support strong end to end security and avoid request tampering and man-in-the- middle attacks, it is essential that encryption of data happens at the time of capture. For establishing a secure channel, AUAs are required to be registered and their public key needs to be shared with UIDAI. Process for registration and key sharing will be specified later.
Following is the URL format for AADHAAR authentication service:
API input data should be sent to this URL using POST parameter “input”.
host – AADHAAR authentication server name. Currently it is “auth.uidai.gov.in”.
ac – A unique code for the AUA which is assigned by UIDAI during AUA registration process. This is an alpha-numeric string having maximum length 40.
uid and uid – First 2 digits of AADHAAR Number. Used for load-balancing.
For all valid responses, HTTP response code 200 is used. All application error codes are encapsulated in response XML element. In the case of connection and other server errors, standard HTTP error response codes are used (4xx codes such as 403, 404, etc.). HTTP automatic redirects also should be handled by AUA server.
Input Data Format
AADHAAR authentication will use XML as the data format for input and output. To avoid sending unnecessary data, do not pass any optional attribute or element unless its value is different from default value. Any bad data or extra data will be rejected.
Following is the data format for authentication API:
<Auth uid=”" tid=”" ac=”" ver=”" txn=”">
<Skey>encrypted and encoded session key</Skey> <Uses pi=”" pa=”" bio=”" bt=”" pin=”" otp=”"/> <Data>encrypted and then encoded block</Data> </Auth>
“Data” element contains “Pid” (Personal Identity Data) element which is a base-64 encoded encrypted block. Complete “Data” block should be encrypted at the time of capture on the capture device. See next chapter for details.
Following is the format for “Pid” element:
<Pid ts=”"> <Demo>
<Pi ms=”E” name=”" gender=”M|F|T” dob=”" phone=”" email=”"/> <Pa ms=”E” co=”" house=”" street=”" lm=”" loc=”" vtc=”" dist=”" state=”" pc=”"/> </Demo> <Bios>
<Bio>encoded biometric</Bio> <Bio type=”FMR|FIR|IIR”>encoded biometric</Bio> </Bios>
<Pv otp=”" pin=”"/> </Pid>
Element: Auth (mandatory)
root element of the input XML for authentication service.
uid – (mandatory) AADHAAR Number of the resident
tid – (mandatory) For Registered devices, send its unique Terminal ID. For Public devices, value should be passed as “public”.
ac – (mandatory) A unique code for the AUA which is assigned by UIDAI during AUA registration process. This is an alpha-numeric string having maximum length 40.
ver – (optional) version of the API. Defaulted to latest version. Suggested to use latest version always by leaving this attribute unless an application wants specific version compatibility. Currently only valid value is “1.0″.
txn – (optional) AUA specific transaction identifier. AUA can choose to pass this as part of input. This is returned as part of response as is. This can be an alphanumeric string of maximum length 50.
Element: Data (mandatory)
Contains the encrypted “Pid” element in base-64 encoding
Element: Uses (mandatory)
This element specifies the authentication factors used by the request. When an authentication factor is specified in this element, that specific attribute must be present in the encrypted data block. This is particularly useful in situations where the AUA does not fully control the terminal device, but wishes to maintain a certain level of control on the authentication transaction.
pi – (mandatory) Valid values are “y” or “n”. If the value is “y” then at least one attribute of element “Pi” (part of “Demo” element) should be used in authentication. Otherwise, it is not mandated.
pa – (mandatory) Valid values are “y” or “n”. If the value is “y” then at least one attribute of element “Pa” (part of “Demo” element) should be used in authentication. Otherwise, it is not mandated.
bio – (mandatory) Valid values are “y” or “n”. If the value is “y” then at least one biometric element “Bio” (part of “Bios” element) should be used in authentication. Otherwise, it is not mandated.
bt – (mandatory only if “bio” attribute has value “y”) provide a comma separated list of biometrics used. Valid values that can be used in this comma separated list are “FMR”, “FIR”, and “IIR”. If “FMR” is part of the list, then at least one “Bio” element with type FMR should be used. Similarly, if “FIR” or “IIR” are part of the list, then at least one “Bio” element with those types must be used.
pin – (mandatory) Valid values are “y” or “n”. If the value is “y” then PIN should be used in authentication. Otherwise, “pin” is not mandated.
otp – (mandatory) Valid values are “y” or “n”. If the value is “y” then OTP should be used in authentication. Otherwise, “otp” is not mandated.
Element: Skey (mandatory only for Public devices)
Value of this element is base-64 encoded value of encrypted session key. See next chapter for encryption details.
Element: Pid (mandatory)
ts – (mandatory) Timestamp at the time of demographic and biometric input capture. This is in ISO 8601 date and time format “YYYY-MM-DDThh:mm:ss”. Time zone automatically defaulted to IST (UTC +5.30).
AUAs can queue authentication requests and send it to AADHAAR authentication server to support occasional lack of network connectivity on the field. Maximum time up to which requests can be queued will be defined by UIDAI policy. During initial release, this will be configured to 24 hours. All requests with “ts” value older than this limit will be rejected.
Element: Demo (optional)
- Contains child elements “Pi” and “Pa” both of which are optional.
- All demographic data fields as per KYR specifications.
Element: Pi (Optional)
- This element captures attributes related to “Personal Identity”
- ms – (optional) “Matching Strategy” for “name” attribute. Currently only the value “E” (Exact) is supported. This is used only when “name” attribute is specified. Future releases will support fuzzy matching.
- name – (optional) Name of the resident.
- gender – (optional) Valid values are “M” for male, “F” for female, and “T” for transgender.
- dob – (optional) Date of Birth in “YYYY-MM-DD” format. If only year needs to be authenticated, then use format “YYYY”.
- phone – (optional) Registered mobile phone number of the resident.
- email – (optional) Registered email address of the resident.
Element: Pa (Optional)
This element captures attributes related to “Personal Address”. These are address fields as provided by the resident during enrolment or later updates. Only attributes that are sent as part of input will be compared.
- ms – (optional) “Matching Strategy” for address attributes. Currently only the value “E” (Exact) is supported. This is used only when at least one address attribute is specified.
- co – (optional) “Care of” person’s name.
- house – (optional) House identifier.
- street – (optional) Street name.
- lm – (optional) Landmark if any.
- loc – (optional) Locality where resident resides.
- vtc – (optional) Name of village or town or city.
- dist – (optional) District name.
- state – (optional) State name.
- pc – (optional) Postal pin code.
Element: Bios – (optional)
This element can have one or many “Bio” elements carrying biometric records to be matched.
Element: Bio (optional)
base 64 encoded biometric record
type – (optional) This attribute specifies type of the biometric. Valid values are “FMR” (Finger Minutiae), “FIR” (Finger Image), and “IIR” (Iris Image). Defaulted to “FMR”.
FMR – The biometric data is of type Fingerprint Minutiae Record. This
data is in ISO minutiae format with no proprietary extensions allowed. o FIR – The biometric data is of type Fingerprint Image Record. The data is a fingerprint image packaged in ISO 19794-4 format, which could contain a compressed or uncompressed image, of type PNG, WSQ, or Jpeg2000. o IIR – The biometric data is of type Iris Image Record. The data is an iris image packaged in ISO 19794-6 format, which could contain a compressed (or uncompressed) image, which could be of type PNG, or Jpeg2000.
Element value contains base-64 encoded biometric record.
Element: Pv (optional)
This element (“Pin Value”) is used to support additional secret “pin” or “otp” or both for supporting multi-factor authentication.
pin – (optional) Actual value of PIN as set by resident. This attribute contains a 6 digit numeric value.
otp – (optional) Most recently activated challenge-response OTP value for resident. Resident can send an SMS/Email to a specified short code or to specified email address to obtain an OTP and then use the last active OTP as part of authentication. This attribute contains a 6 digit numeric value. Unlike PIN, OTP is a one-time usage token.
Output Data Format
Authentication API does not provide any identity data as part of the response. All it does is to match given input and respond with a “yes/no”. Response XML is as follows:
<AuthResp ret=”y|n” code=”" txn=”" err=”"/>
Element: AuthResp Attributes:
ret – this is the main authentication response. It is either “y” or “n”.
code – unique alphanumeric authentication response code having maximum length 40. AUA is expected to store this for future reference for handling any disputes. AADHAAR authentication server will retain authentication trail only for a short period of time as per UIDAI policy. After that period, older authentication trails will be deleted and this code will become unusable.
txn – Authenticator specific transaction identifier. This is exactly the same value that is sent within the request.
err – Failure error code. If authentication fails (“ret” attribute value is “n”), this attribute provides any of the following codes:
“100″ – “Pi” (basic) attributes of demographic data did not match.
“200″ – - “Pa” (address) attributes of demographic data did not match
“300″ – Biometric data did not match
“500″ – - Invalid encryption
“510″ – Invalid XML format
“520″ – Invalid device
“530″ – Invalid authenticator code
“540″ – - Invalid version
“550″ – Invalid “Uses” element attributes
“700″ – Invalid demographic data
“710″ – Missing “Pi” data as specified in “Uses”
“720″ – Missing “Pa” data as specified in “Uses”
“730″ – Missing PIN data as specified in “Uses”
“740″ – Missing OTP data as specified in “Uses”
“800″ – - Invalid biometric data
“810″ – Missing biometric data as specified in “Uses”
“999″ – - Unknown error