Generate access token

To initialize the SDK, you must generate a temporary access token which you will pass during initialization. This action must be performed on the server side. You also have to provide a unique and meaningful userId query parameter, which can be an external user ID in your system or an email address.

Note

  • Make sure to authenticate all API requests as described in this section. For testing purposes, make sure to use an app token and secret key pair created in Sandbox for request authorization headers.
  • If you reuse access tokens, make sure to set up an access token expiration handler.

To generate an access token, use the following POST method of our API:

curl -X POST \
  'https://api.sumsub.com/resources/accessTokens?userId=JamesBond007&levelName=basic-kyc-level&ttlInSecs=600' \
  -H 'Accept: application/json'

| Name | Type | Required | Description |
|---|---|---|---|
| ttlInSecs | Integer | No | Lifespan of a token in seconds. Default value is equal to 10 minutes. |
| userId | String | Yes | An external user ID which will be bound to the token. It correlates to externalUserId of an applicant. |
| levelName | String | Yes | A name of the verification level configured in the dashboard. |
| externalActionId | String | No | An external action ID which will be bound to the token. For more information about applicant actions, see this article. |

Note

If your userId or levelName contains reserved characters (e.g., "@", "+", or white spaces), it should be URL-encoded (a white space becomes %20); otherwise you may get a signature mismatch or an invalid parameter value.
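
The encoding rule above, as an added Python example (not Sumsub's own code): it percent-encodes each query value and signs the exact encoded path that is sent, so the signature and the request line cannot diverge. The header names and the HMAC-SHA256 signing scheme are assumptions, since this page refers to the authentication section without reproducing it; the app token, secret key and user ID are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import quote, urlencode

API_HOST = "https://api.sumsub.com"     # host from the curl example on this page
TOKEN_PATH = "/resources/accessTokens"  # path from the curl example on this page


def build_token_path(user_id, level_name, ttl_in_secs=600):
    """Return path + query with every parameter value percent-encoded."""
    params = {"userId": user_id, "levelName": level_name, "ttlInSecs": ttl_in_secs}
    # quote_via=quote with safe="" gives %20 for spaces (not "+"), %40 for "@"
    # and %2B for "+", so a literal "+" is never mistaken for an encoded space.
    return TOKEN_PATH + "?" + urlencode(params, quote_via=quote, safe="")


def sign_request(secret_key, ts, method, path_with_query, body=b""):
    """Assumed scheme: hex HMAC-SHA256 over ts + METHOD + path-with-query + body."""
    message = f"{ts}{method.upper()}{path_with_query}".encode() + body
    return hmac.new(secret_key.encode(), message, hashlib.sha256).hexdigest()


def build_request(app_token, secret_key, user_id, level_name, ts, ttl_in_secs=600):
    """Build URL and headers; the signed path is byte-for-byte the one sent."""
    path = build_token_path(user_id, level_name, ttl_in_secs)
    headers = {
        "Accept": "application/json",
        "X-App-Token": app_token,    # assumed header name
        "X-App-Access-Ts": str(ts),  # assumed header name
        "X-App-Access-Sig": sign_request(secret_key, ts, "POST", path),  # assumed
    }
    return API_HOST + path, headers


if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real applicant.
    url, headers = build_request(
        "sbx:constructed-app-token", "constructed-secret-key",
        "james bond+007@example.com", "basic-kyc-level", ts=1700000000,
    )
    print(url)
    print(headers)
```

Run this on the server only; the secret key must never reach the client that later receives the access token.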

Response

{
  "token": "eyJhbGciOiJub25lIn0.eyJqdGkiOiJfYWN0LTZmODI2ZTU0LTE2MzctNDViMS05NzMyLWY1MjZiN2YxNWE3YyIsInVybCI6Imh0dHBzOi8vYXBpLnN1bXN1Yi5jb20ifQ.",
  "userId": "JamesBond007"
}

| Name | Type | Description |
|---|---|---|
| token | String | A newly generated access token for the applicant. |
| userId | String | An external user ID which will be bound to the token. It correlates to externalUserId of the applicant. |

Note

  • Make sure your integration code does not validate or analyze the access token content, as the format is not fixed and may undergo further changes in the future. The token must be treated as an arbitrary string with the maximum length of 1KB.
  • An access token for the applicant has limited access to the API, e.g., it is only valid for 1 applicant and cannot access other applicants.