Reusable KYC

Make it simple for your applicants to pass verification โ€” reuse existing verification results.

With Reusable KYC, Sumsub clients can partner up with each other to simplify and speed up verification for their applicants that have already passed it.

Such an approach minimizes onboarding drop-offs and verification cost and enables your applicants to avoid repeat verification when they need to access multiple services.

How it works

Assume an applicant A passed user verification in Service X and is now registering at the partner Service Y. If Service X agrees to share information about A with Service Y, it can be done as follows:

  1. Service X generates a share token and passes it to Service Y.
  2. Service Y calls the API method with the received share token and obtains information on applicant A with all its data and documents.



You can also request to reset a document type if the verification flow is different for the client and partner (e.g. ask for additional selfies or update it).

There are two ways Sumsub processes reusable KYC data:

  • Applicant copying. Sumsub copies the applicant data from one partner dataset to another in case their check flows coincide. As all applicants have unique IDs, you will be able to see the source ID from which your applicant was imported. If the applicant profile has a questionnaire attached, a copy of this questionnaire will be created and attached to the new applicant profile.
  • Applicant copying with rechecks. Sumsub copies the applicant data from the partnerโ€™s dataset and runs all required checks again to ensure compliance. Note that if your flow includes an AML check, you cannot use applicant copying without rechecks.

Get started

To turn on the data sharing functionality:

  1. Contact our support team at [email protected] and sign a tripartite agreement on personal data sharing between you, Sumsub, and your partner service.
  2. Generate a share token and import applicants.
  3. Conduct verification and review verification results.

Generate share token

To generate a share token (should be done by Service X), use the following POST method:

## applicantId and Y's client ID must be provided
 curl -X POST \
applicantIdStringYesApplicant ID in Service X.
forClientIdStringYesClient ID for Service Y. You can find your clientId in the Dashboard in the applicant profile (field Created for) and in the response (field clientId).
ttlInSecsIntegerNoTime to live in seconds. Default 1200.


A share token is returned.

  "token": "eyJhbGciOiJub25lIn0.eyJqdGkiOiJfYWN0LTZmODI2ZTU0LTE2MzctNDViMS05NzMyLWY1MjZiN2YxNWE3YyIsInVybCI6Imh0dHBzOi8vYXBpLnN1bXN1Yi5jb20ifQ.",
  "forClientId": "CoolCoinLtd"



Make sure your integration code does not validate or analyze the access token content, as the format is not fixed and may undergo further changes in the future. The token must be treated as an arbitrary string with the maximum length of 1KB.

Import applicants

To import the applicant data (should be done by Service Y), use the following POST method:

 curl -X POST \
shareTokenStringYesShare token generated by X.
resetIdDocSetTypesStringNoSpecify one or few comma-separated document types if an applicant has to resubmit the documents to be verified. Examples, SELFIE, IDENTITY, etc.
trustReviewBooleanNoIf you trust your partner's check result, use true. If it is false, then the applicant will be rechecked. Default false.
userIdStringNoSets your own externalUserId for the imported applicant. In case of empty value, we'll generate a random one.
levelNameStringNoSets specified levelName to the imported applicant and sets init in case not all required documents are present.


An applicant entity in service Y. A new applicant ID will be returned in the response.

    // Applicant in service Y
    "id": "5d08a63239b79354a2ebaa1d",
    "createdAt": "2019-06-18 10:52:02",
    "clientId": "CoolCoinLtd",



Mind that share tokens are invalidated once used.

Data sharing restrictions

Any organizations that possess the data of those who are located in the EU/UK or to which the EU GDPR/UK GDPR apply must obey the data sharing rules of these acts.

If you operate in the European Economic Area (EEA) or offer goods and services to individuals or monitor the behaviour of individuals there, the EU GDPR may still apply to you.

Before any data sharing between the organizations, these organisations must check whether itโ€™s legitimate to share such data and whether it is necessary to enter into the appropriate legal arrangement.

Sometimes, the organisations must implement appropriate safeguards for international transfers if such occurs.