

1. Tokens

Alice Onboarding uses JSON Web Tokens (JWT) to manage its authentication.

There are four different types of tokens:

  1. LOGIN_TOKEN: basic access token.
  2. BACKEND_TOKEN: for global operations only available in the backend (e.g. creating/deleting a user)
  3. USER_TOKEN: for user-related operations available in the frontend (e.g. upload a selfie, upload a document, …)
  4. BACKEND_TOKEN_WITH_USER_ID: for backend operations related to users (e.g. delete user, get user's report, …)

The LOGIN_TOKEN is required for obtaining the rest of the tokens. Both USER_TOKEN and BACKEND_TOKEN_WITH_USER_ID also require a user_id, which is obtained when creating a new user in Alice Onboarding.

All four tokens last for 60 minutes. For security reasons, never use a BACKEND_TOKEN or a BACKEND_TOKEN_WITH_USER_ID in the frontend of your application, where malicious users could discover them in your source code. Use them server-side only.

2. How to implement the authentication flow

Here you will learn how to integrate Alice Onboarding in your backend to automate the onboarding of your clients. Your backend will be in charge of managing authentications and all kinds of user-related operations.

The following diagram explains the authentication flow.

[Diagram: Alice Onboarding Backend Authentication Process]

  1. Get the API_KEY provided with your credentials.

  2. Your backend gets a LOGIN_TOKEN from the Alice Onboarding service using your API_KEY.

    curl --request GET --url --header 'apikey: <YOUR-API-KEY>'

    With the Python SDK, go directly to the next step.

  3. Your backend asks for a BACKEND_TOKEN using the LOGIN_TOKEN.

    curl --request GET --url --header 'Authorization: Bearer <LOGIN_TOKEN>'

    With the Python SDK:

    from alice import Auth, Config, Onboarding

    # Configure the SDK with your API key (keep it server-side)
    config = Config(api_key="<YOUR-API-KEY>")
    auth = Auth.from_config(config)
    # Request a BACKEND_TOKEN; unwrap_or_throw() raises if the request failed
    backend_token = auth.create_backend_token().unwrap_or_throw()

  4. Using the BACKEND_TOKEN, your backend creates a new user on the onboarding service. This is required before starting the onboarding flow.

    curl --request POST --url --header 'Authorization: Bearer <BACKEND_TOKEN>' --header 'Content-Type: multipart/form-data' --form

    With the Python SDK:

    onboarding = Onboarding.from_config(config)
    # Create the user and keep the returned user_id for the next step
    user_id = onboarding.create_user().unwrap_or_throw()

  5. Using both the user_id and LOGIN_TOKEN, your backend asks for a USER_TOKEN.

    curl --request GET --url<user_id> --header 'Authorization: Bearer <LOGIN_TOKEN>'

    With the Python SDK:

    # Request a USER_TOKEN scoped to this user_id
    user_token = auth.create_user_token(user_id=user_id).unwrap_or_throw()

  6. Your app receives the USER_TOKEN from your backend and injects the token into our client SDK. Now the client-side SDK is ready to operate against the Alice Onboarding API.

  7. The client SDK uses the USER_TOKEN to upload selfies, documents, and other user operations.
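
One way a backend can enforce the two rules above (tokens last 60 minutes; only the USER_TOKEN may reach the frontend), shown as an added example that is not part of the Alice SDK or the original page. `TokenBroker`, its `fetchers` mapping and the five-minute refresh margin are hypothetical names and assumptions.

```python
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_LIFETIME_S = 60 * 60      # the page: all four tokens last 60 minutes
REFRESH_MARGIN_S = 5 * 60       # assumption: renew five minutes before expiry
FRONTEND_SAFE = {"USER_TOKEN"}  # step 6 hands only the USER_TOKEN to the app
NEEDS_USER_ID = {"USER_TOKEN", "BACKEND_TOKEN_WITH_USER_ID"}

Fetcher = Callable[[Optional[str]], str]  # takes a user_id (or None), returns a token


class TokenBroker:
    """Hypothetical server-side token cache; not part of the Alice SDK."""

    def __init__(self, fetchers: Dict[str, Fetcher],
                 clock: Callable[[], float] = time.monotonic):
        # In a real backend a fetcher would wrap an SDK call from the steps above,
        # e.g. lambda uid: auth.create_user_token(user_id=uid).unwrap_or_throw()
        self._fetchers = fetchers
        self._clock = clock
        self._cache: Dict[Tuple[str, Optional[str]], Tuple[str, float]] = {}

    def get(self, token_type: str, user_id: Optional[str] = None) -> str:
        """Return a cached token, requesting a new one when it nears expiry."""
        if token_type in NEEDS_USER_ID and not user_id:
            raise ValueError(f"{token_type} requires a user_id")
        key = (token_type, user_id)
        now = self._clock()  # taken before the fetch, so expiry is underestimated
        cached = self._cache.get(key)
        if cached and now < cached[1] - REFRESH_MARGIN_S:
            return cached[0]
        token = self._fetchers[token_type](user_id)
        self._cache[key] = (token, now + TOKEN_LIFETIME_S)
        return token

    def for_frontend(self, token_type: str, user_id: str) -> str:
        """The only method whose return value may be sent to the client."""
        if token_type not in FRONTEND_SAFE:
            raise PermissionError(f"{token_type} must stay server-side")
        return self.get(token_type, user_id)
```

Route every response that carries a token to the client through `for_frontend`, so a BACKEND_TOKEN or BACKEND_TOKEN_WITH_USER_ID cannot be returned by mistake.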