This topic describes how to integrate ID Verification - Know Your Customer (KYC) with an application.
Prerequisites
ID Verification - KYC is activated. For more information, see Activate ID Verification - KYC.
Procedure
Log on to the Resource Access Management (RAM) console and obtain an AccessKey pair. For more information, see Obtain an AccessKey pair.
You can perform business development and management by using an Alibaba Cloud account or as a RAM user. For more information about how to create a RAM user and perform related operations as the RAM user, see Authorize a RAM user to access ID Verification - KYC.
Warning: An Alibaba Cloud account has access and control permissions on all Alibaba Cloud resources within the account. If your Alibaba Cloud account is disclosed, security risks may occur. We recommend that you create a RAM user and grant the required permissions to the RAM user to use ID Verification - KYC based on the principle of least privilege.
Understand integration methods.
ID Verification - KYC provides operating system-specific SDKs for integration. If you want to call a client-side or server-side operation, you can use a client-side SDK or server-side SDK, which is secure and convenient. For more information about SDKs, see the description of the integration process for a specific solution.
Note: If you cannot call ID Verification - KYC operations by using existing SDKs, you can call ID Verification - KYC operations over HTTP or HTTPS. When you construct requests to call Alibaba Cloud API operations, you must sign the requests. Alibaba Cloud SDKs provide the algorithm for signing API requests. For more information, see API signature methods.
Integrate ID Verification - KYC based on your business requirements. For more information, see Developer Guide.
API signature methods
Alibaba Cloud verifies the identity of the sender of each HTTP or HTTPS request based on the request signature. The verification is implemented based on the symmetric encryption of an AccessKey pair. An AccessKey pair consists of an AccessKey ID and an AccessKey secret.
Create a canonicalized query string. The structure of the canonicalized query string must comply with the requirements of the request structure.
Sort the request parameters. Sort all common request parameters in alphabetical order.
Note: If you use the GET method to send a request, the request parameters are included as part of the request URL. The parameters follow the question mark (?) and are connected by ampersands (&) in the URL.
Encode the parameters. Encode request parameters and their values in UTF-8 based on the RFC 3986 rule.
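import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

private static final String ENCODING = "UTF-8";

// Percent-encode a value per RFC 3986 on top of URLEncoder's form encoding.
private static String percentEncode(String value) throws UnsupportedEncodingException {
    return value != null
            ? URLEncoder.encode(value, ENCODING).replace("+", "%20").replace("*", "%2A").replace("%7E", "~")
            : null;
}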
Note: Letters, digits, hyphens (-), underscores (_), periods (.), and tildes (~) are not encoded.
Other characters must be percent-encoded in the %XY format. XY represents the ASCII code of the characters in hexadecimal notation. For example, double quotation marks (") are encoded as %22.
Extended UTF-8 characters are encoded in the %XY%ZA… format.
Spaces must be encoded as %20. Do not encode spaces as plus signs (+). The preceding encoding method is slightly different from the application/x-www-form-urlencoded MIME encoding algorithm. If you use java.net.URLEncoder in the Java standard library, use percentEncode to encode request parameters and their values. In the encoded query string, replace the plus sign (+) with %20, the asterisk (*) with %2A, and %7E with a tilde (~). This way, you can obtain an encoded string that matches the encoding rules.
Use equal signs (=) to connect the encoded parameter names and values.
Use ampersands (&) to concatenate different request parameters. Take note that the order of the parameters must be the same as the order used in Step a.
Generate a signature string.
Create a string-to-sign. You can also use percentEncode to encode the canonicalized query string that is constructed in Step 1 based on the following rules.
StringToSign=
    HTTPMethod + "&" +                       // HTTPMethod: The HTTP method that is used to send a request, such as GET.
    percentEncode("/") + "&" +               // percentEncode("/"): Encode the forward slashes (/) in UTF-8 as %2F.
    percentEncode(CanonicalizedQueryString)  // Encode the canonicalized query string that is created in Step 1.
Calculate the hash-based message authentication code (HMAC) value of the string-to-sign based on the RFC 2104 rule. Use the Secure Hash Algorithm 1 (SHA-1) algorithm to calculate the HMAC value. In this example, the Java Base64 encoding method is used.
Signature = Base64( HMAC-SHA1( AccessSecret, UTF-8-Encoding-Of(StringToSign) ) )
Note: When you calculate the signature, the key value that is specified based on the RFC 2104 rule is your AccessKey secret with an ampersand (&) appended to it. The ASCII value of an ampersand (&) is 38. For more information, see Obtain an AccessKey pair.
Encode the Signature parameter based on the RFC 3986 rule and add it to the canonicalized query string.
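The signing steps above, carried through end to end as an added example; this is not code from the Alibaba Cloud SDKs. The class name, the parameter names and values, and the EXAMPLE_ACCESS_KEY_SECRET environment variable are constructed for illustration, and sorting with TreeMap (case-sensitive String order) is an assumption about what "alphabetical order" means.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SignatureExample {
    // RFC 3986 encoding built on URLEncoder, with the three replacements described above.
    static String percentEncode(String value) throws Exception {
        return URLEncoder.encode(value, "UTF-8")
                .replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }

    // Step 1: sort parameters by name, encode names and values, join with = and &.
    // Assumption: TreeMap's case-sensitive String ordering is the required sort order.
    static String canonicalize(Map<String, String> params) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : new TreeMap<>(params).entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(percentEncode(e.getKey())).append('=').append(percentEncode(e.getValue()));
        }
        return sb.toString();
    }

    // Step 2: build the string-to-sign, then Base64(HMAC-SHA1(secret + "&", stringToSign)).
    static String sign(String method, Map<String, String> params, String accessKeySecret) throws Exception {
        String stringToSign = method + "&" + percentEncode("/") + "&" + percentEncode(canonicalize(params));
        Mac mac = Mac.getInstance("HmacSHA1");
        // The HMAC key is the AccessKey secret with "&" appended, not the bare secret.
        mac.init(new SecretKeySpec((accessKeySecret + "&").getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(stringToSign.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input; these are not the service's actual request parameters.
        Map<String, String> params = new TreeMap<>();
        params.put("ExampleParam", "value with space*~");
        params.put("AccessKeyId", "EXAMPLE_ACCESS_KEY_ID");
        // Read the secret from the environment rather than hard-coding it in source.
        String secret = System.getenv().getOrDefault("EXAMPLE_ACCESS_KEY_SECRET", "constructed-secret");
        String signature = sign("GET", params, secret);
        // Final step: encode the signature and append it to the canonicalized query string.
        String query = canonicalize(params) + "&Signature=" + percentEncode(signature);
        System.out.println(query);
    }
}
```

The Base64 signature can contain +, / and =, which is why it is percent-encoded before it is appended to the query string.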