API Reference
Overview
The Nametag API contains several parts:
- Request - get people’s consent to share data with you, to log in to your site, or to execute a transaction. (based on OAuth 2.0)
- People - fetch and manage the data that people have shared with you.
- Configuration - manage the configuration of your organization.
Scopes
Scopes are used to describe the information you want people to share with you. In order to request a scope you must first define it in your environment and provide additional parameters, such as what type of data and how long you need the data. This is done separately for each environment you manage in the developer console.
The following scopes are defined:
Scope enum | |
---|---|
nt:name | The person's preferred name |
nt:first_name | The person's preferred given (first) name |
nt:last_name | The person's preferred family (last) name |
nt:phone | Phone number, in E.164 format, e.g |
nt:email | Verified email address |
nt:address | Verified postal address |
nt:legal_name | The person's name from their identity document |
nt:legal_first_name | The given name (first name) from their identity document |
nt:legal_last_name | The family name (last name) from their identity document |
nt:birth_date | The person's date of birth (an RFC 3339 full-date) |
nt:govtid_details | Details about the person's identity document, a JSON-encoded GovtidDetailsValue |
nt:age_over_21 |
|
nt:age_over_18 |
|
nt:profile_picture | A URL to the person's preferred profile picture. Nametag checks that the image provided is the same person as pictured on their identity document. |
Subject
A subject uniquely identifies a person. We recommend that you store this field in your database when identifying a person. (In fact, this may be the only thing you need to store in your database.)
Subjects are stable within an environment. This means that even if someone revokes access to your environment and then re-grants it, or if they delete and re-install the Nametag app, the subject will remain unchanged.
Because each environment is its own privacy domain, different environments will be issued with different subjects for the same person.
Environments
Each user of the Nametag API creates one or more environments which are the basic unit of privacy separation. This means that anything a person shares with an environment is kept private from another. My default you will have one environment called “Live” for your production use and another called “Sandbox” for development, but you can have as many or as few environments as you like.
Organizations
Organizations are the unit of access control for you and your colleagues. Each Organization contains one or more Environments. Each organization has members (your colleagues) and can be assigned to roles (administrator, or read-only access).
Basics
The Nametag API is located at https://nametag.co. All requests must be made via HTTPS. Unless otherwise noted, all
requests and responses are JSON-encoded and use the application/json
content type.
Authentication
How you authenticate to the Nametag API varies based on the context. The following authentication methods are available:
API Key
API keys are used to manage organizations and environments. Get an API key from the developer console. Each API key is scoped to either work for some or all of your environments, depending on your needs.
To use an API key provide set the Authorization
header:
# list all my environments
$ curl -H "Authorization: Bearer API_KEY" https://nametag.co/api/envs
You can also use HTTP basic authentication with an empty username and the API_KEY as the password:
$ curl -u ":API_KEY" https://nametag.co/api/envs
In come circumstances, you may need to use the token
query parameter in lieu of
the Authorization
header or basic authentication:
$ curl https://nametag.co/api/envs?token=API_KEY
ID Token
An ID token authenticates a particular person, rather than your entire environment. This is returned from the token endpoint. You can use ID tokens to fetch information about a single user only, and you must use the URL /people/me/...
. To use an ID token, use HTTP basic authentication with an
empty username and the ID_TOKEN as the password.
# get the current user's name
$ curl -u ":ID_TOKEN" https://nametag.co/people/me/nt:name
Response Codes
When a call succeeds the Nametag API responds with HTTP a 2xx status code:
- 200 Ok - when data is being returned.
- 204 No Content - when there is no response data.
In the case of errors, the server responds with the following status codes:
- 400 Bad Request - The request is malformed.
- 401 Unauthorized - The request lacks the required authentication credentials.
- 403 Forbidden - The credentials provided do not permit the requested action.
- 429 Too Many Requests - A rate limit has been exceeded.
- 500 Internal Server Error - Something went wrong on our end.
Rate limits
Responses from the API contain several headers to provide feedback on our rate limiters. The rate limiter defines a maximum number of requests allowed in a particular time window. The number of requests and the time window may vary according to the particular route and access pattern. Each request will include the following response headers:
X-RateLimit-Limit
- the total number of requests allowed in the current time window.X-RateLimit-Remaining
- the number of requests remaining in the current time window.X-RateLimit-Reset
- the time when the current time window will reset, in RFC 3339 full-date format.
If the rate limit is exceeded the Nametag API responds with status code 429 Too Many Requests and the standard Retry-After
header which is the number of seconds to wait before retrying the request.
Request API
The request API is how you request proof of identity or personal information from people. This API implements and extends OAuth 2.0, so many standard OAuth 2.0 libraries will work with this interface.
Request authorization
If your user has an active web session, or is active in your mobile app, direct their browser to the /authorize
endpoint. (If you do not have a web session or active mobile app at the time you are making a request, use the create request endpoint instead.)
Method: GET
URL: https://nametag.co/authorize
Authentication: none
Query parameters:
Parameter | Description |
---|---|
client_id |
Your environment’s ID, from the developer console. |
redirect_uri |
A URL that you control where the user will be directed when the authorization completes. This must be one of the values listed in the callback_urls list. |
scope |
A space-separated list of the scopes you are requesting |
template |
The name of a pre-configured template to specify additional parameters for this request. (Specify this or scope , but not both) |
state (recommended) |
Arbitrary data that you provide which will be passed back to the REDIRECT-URI. |
response_mode (optional) |
Determines how authorization is passed back to your app. Either query (the default) or fragment . When you pass query to response_mode the code is passed in the URL query string, e.g. https://example.com/callback?code=CODE&state=STATE . With fragment the response is passed after a hash, e.g. https://example.com/callback#code=CODE&state=STATE . |
email_hint (optional) |
The user’s email address, if you already know it. |
label (optional) |
An arbitrary label that will be attached to the Request |
Example: (whitespace added for clarity)
https://nametag.co/authorize?
client_id=obo0jukwhhlbo8&
scope=nt%3Aemail+nt%3Aname+nt%3Alegal_name&
state=83f4e159-5cab-4002-ac5a-809f21925a67&
redirect_uri=https%3A%2F%2Fexample.com%2Fcallback
Authorization requests are valid for 168 hours (7 days) from their creation.
Completing authorization
When the user completes authorization, they will be redirected to your REDIRECT-URI. This URL is invoked with the following query parameters:
Parameter | Description |
---|---|
state |
The arbitrary data you provided to /authorize . |
code |
A code which you can use with the /token endpoint to exchange for information about the person. |
error |
A text description of an error that occurred during the process. Present only if code is not present. |
Example: (whitespace added for clarity)
https://example.com/callack?
state=83f4e159-5cab-4002-ac5a-809f21925a67&
code=09965885d2d8559d61b520935da550f7
Token endpoint
This endpoint is defined by the OAuth 2.0 specification. It allows you to exchange the code you received at your redirect_uri for an id token and a subject which uniquely identifies the person that has accepted your sharing request.
Method: POST
URL: https://nametag.co/token
Authentication: Either specify ENV-ID and API-KEY in the body of the message, or specify the API key as the password for HTTP basic authentication.
Request: An HTML form with the following parameters
Parameter | Description |
---|---|
grant_type |
must be authorization_code |
client_id |
Your environment’s ENV-ID. (optional if basic authentication is used) |
client_secret |
A global or environment-scoped API-KEY. (optional if basic authentication is used) |
redirect_uri |
The redirect URI passed to /authorize . |
code |
The code you received from the user’s request to your redirect_uri. |
Response: A JSON object with the following fields:
Field | Meaning |
---|---|
id_token |
This token identifies the user. It is suitable for use as e.g. a session cookie. Use it to authenticate to the /people/me API to gather information about the specific user indentified in id_token . It is safe to deliver to the user’s browser. |
scope |
A space-separated list of the scopes returned. |
expires_in |
The number of seconds that the authorization is valid for. |
subject |
This value uniquely identifies the person in your environment. This is a good candidate for storing in a database to track a particular user. A subject issued to one environment has no meaning to any other environment. |
Example:
$ curl https://nametag.co/token \
-d grant_type=authorization_code \
-d client_id=obo0jukwhhlbo8 \
-d client_secret=ef5f848e265eb423ee358cf12c5aef924c20d19356f7ad5aa07ad1614cfc4411 \
-d code=09965885d2d8559d61b520935da550f7 \
-d redirect_uri="https://example.com/callback"
{
"access_token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJvYXQiLCJleHAiOjE2MzcyMzg3MjUsImlhdCI6MTYzNzIzNTEyNSwiaXNzIjoibmFtZXRhZy5jbyIsIm5iZiI6MTYzNzIzNTEyNSwic3ViIjoidmtsamlwa2FpbzJhcDY2M2RvNTRyNWZwMmFANWxzcWZnMWx1cXpiOXMubmFtZXRhZy5jbyJ9.U2YAAc0TMnSJD_zKcCs_9Nayhrm5OdlcsjOQwbDSjOrBlAKI5uRCqXOoBB_oGjQjmWNYZhCYMUJShBPzSZfZZQ",
"refresh_token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJvcnQiLCJleHAiOjIxNDc0ODM2NDcsImlhdCI6MTYzNzIzNTEyNSwiaXNzIjoibmFtZXRhZy5jbyIsIm5iZiI6MTYzNzIzNTEyNSwic3ViIjoidmtsamlwa2FpbzJhcDY2M2RvNTRyNWZwMmFANWxzcWZnMWx1cXpiOXMubmFtZXRhZy5jbyJ9.5D8lexomXYJoGZNDUFmxNB3TnQIhSDleb7kTL89VLHX30bilq95PDyJ5vE3W1IdmWGxziK9IE4puIkXxBEj7LA",
"id_token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJvaXQiLCJleHAiOjIxNDc0ODM2NDcsImlhdCI6MTYzNzIzNTEyNSwiaXNzIjoibmFtZXRhZy5jbyIsIm5iZiI6MTYzNzIzNTEyNSwic3ViIjoidmtsamlwa2FpbzJhcDY2M2RvNTRyNWZwMmFANWxzcWZnMWx1cXpiOXMubmFtZXRhZy5jbyJ9.P-elo7PUVC9dIBSV_UgoFbaHc2yATNOj8jumVTF_3izs9QqZ4lslvUsfCnogc1l7oEpowCR9d2j42J6J-5LWjw",
"scope": "nt:email nt:name nt:legal_name",
"expires_in": 3600,
"token_type": "Bearer",
"subject": "vkljipkaio2ap663do54r5fp2a@5lsqfg1luqzb9s.nametag.co"
}
Create a request
Creates a new request for information from a person.
This is useful when requesting information from people over the phone, in-person, or via email. If you are integrating Nametag with a web or mobile app, you may wish to use the OAuth 2.0 authorize endpoint instead.
This API returns an identifier that can be used to track the request. It also returns a link suitable for passing to a user. Clicking this link opens the Nametag app (or app clip on iOS, or instant app on Android) and allow the user to complete the request.
If you include the optional phone parameter, then this link is sent to the user via SMS.
Requests are valid for 168 hours (7 days) from their creation.
Method: POST
URL: https://nametag.co/api/requests
Authentication: API key
Request: A JSON object with the following fields:
CreateRequestRequest struct | |
---|---|
env string | The ID of the environment associated with the request. |
scopes List of Scope
(optional) | A list of the information (scopes) that the request is asking for. |
template string (optional) | The name of a template that customizes how the request is presented to the user. Because a template contains it's own scope definitions, you must not specify |
expires_at RFC 3339 date-time string (optional) | The last time this request will be valid. After this time, the request is expired and the user will no longer be able to complete it. This cannot be used with |
phone ITU E.184 phone number string (optional) | The phone number to which the request link should be sent. |
whatsapp ITU E.184 phone number string (optional) | The Whatsapp phone number to which the request link should be sent. |
label string (optional) | An internal label for this request. You can use this field to help you track the request in your own systems. Nametag stores this field, but does not process it at |
Response: A JSON object with the following fields:
CreateRequestResponse struct | |
---|---|
id string | A unique identifier for the request |
status NumericRequestStatus
| The status code for the request. Always |
env string | The ID of the environment associated with the request. |
scopes List of Scope
| A list of the information (scopes) that the request is asking for. |
template string (optional) | The name of a template that customizes how the request is presented to the user. |
link string | An authorization link. Passing this link to the user will prompt them to complete the request. |
phone string (optional) | The phone number to which the request link was sent, in E.184 format. |
label string (optional) | An internal label for this request. You can use this field to help you track the |
expires_at RFC 3339 date-time string (optional) | The last time this request will be valid. After this time, the request is expired |
Example:
$ curl -u :$APIKEY \
-X POST \
https://nametag.co/api/requests \
-d '{
"env": "tp7975e07n8sjl",
"scopes": ["nt:phone", "nt:legal_name"],
"expires_at": "2024-04-14T06:34:00-07:00"
"label": "Ref Customer #41471"
}'
{
"id": "32478070-6fc9-4b26-8f2c-5269f1222c6f",
"status": 100,
"scopes": ["nt:phone", "nt:legal_name"],
"label": "Ref Customer #41471",
"link": "https://nametag.co/i/utl2ffahuw7lqf"
}
Get a request
Fetch the status of a request.
You can also configure a webhook to receive notification when a request completes.
Method: GET
URL: https://nametag.co/api/requests/REQUEST-ID
Authentication: API key
Response: A JSON object with the following fields:
Request struct | |
---|---|
id string | A unique identifier for this request |
created_at RFC 3339 date-time string | Timestamp of when this request was created |
updated_at RFC 3339 date-time string | Timestamp of the last time this request was updated |
expires_at RFC 3339 date-time string | Timestamp of when this request expires |
ticket string | The request ticket (used to construct the link) |
link URL string | The URL which should be send to the user. This link launches the mobile app and prompts the user to verify their identity. |
phone string (optional) | The phone number that will receive an authorization link via SMS |
env string | The ID of the environment associated with the request |
template string | |
label string | The label for the request; can be empty |
scopes List of Scope
| |
status RequestStatus
| The status of the request, e.g. |
progress RequestProgress
| Indicates the user's progress through the scanning process, e.g. |
subject string (optional) | The subject of the request. Present only when |
subject_text string (optional) | A description of the subject (e.g. their name or email address) suitable for presentation in a user interface. |
requester string (optional) | The member ID of the user that created this request. This field is absent for requests created via the API. |
requester_text string (optional) | A description of the requester suitable for presentation in a user interface (e.g. their name or email address) |
properties RequestProperties
| The properties that were shared with you. |
mobile RequestMobileDevice
(optional) | Details of the end-user's mobile device |
browser RequestBrowser
(optional) | Details of the browser used to pivot to the mobile app (present for only some flows). |
is_known_user boolean (optional) | If the user is known as an account |
marked_for_deletion_after RFC 3339 date-time string (optional) | Indicates whether the person associated with this request has asked for their data to be deleted and the earliest time that will occur at. |
photo string (optional) | The photo associate with this person |
external_ids List of string (optional) | External IDs for accounts if the user is known |
RequestStatus
The enumeration RequestStatus
can have the following values:
RequestStatus enum | |
---|---|
pending | The request has been issued but the user has not yet opened the link. |
in_progress | The user has opened the link but has not yet completed the request. |
shared | The user has completed the request and authorized the data to be shared with you. |
revoked | The user has authorized data sharing but then revoked the authorization. |
cancelled | Either you or the user has cancelled the request |
person_deleted | The user has deleted their Nametag |
expired | The request has expired without the user having completed it |
expired_scopes | The user has completed the request and authorized the data to be shared with you, but the sharing authorization has expired |
rejected_appealed | The user has attempted to provide data, but the data was rejected and the user has appealed the decision. It is awaiting review by Nametag. |
rejected_unusable | The user has attempted to provide data, but the data was rejected because the evidence submitted cannot be used. |
rejected_fraud | The user has attempted to provide data, but the data was rejected because the data provided are fraudulent. |
RequestProgress
The enumeration RequestProgress
can have the following values:
RequestProgress enum | |
---|---|
created | The link has been created but not yet opened. |
link_opened | The link has been opened in a browser but the app has not yet been launched. |
app_opened | The app has been launched. |
id_scanned | The user has scanned their ID. |
face_scanned | The user has scanned their face. |
consent_given | The user has consented to sharing their data with you. |
RequestProperties
The type RequestProperties
has the following fields:
RequestProperties struct | |
---|---|
phone ITU E.184 phone number string (optional) | The person's phone number |
legal_name string (optional) | The person's name from their identity document |
legal_first_name string (optional) | The given name (first name) from their identity document |
legal_last_name string (optional) | The family name (last name) from their identity document |
name string (optional) | The person's preferred name |
first_name string (optional) | The person's preferred given (first) name |
last_name string (optional) | The person's preferred family (last) name |
birth_date RFC 3339 date string (optional) | The person's date of birth |
email RFC 822 email address string (optional) | Verified email address |
unverified_email RFC 822 email address string (optional) | The email address provided by a user but not verified |
age_over_18 boolean (optional) |
|
age_over_21 boolean (optional) |
|
profile_picture URL string (optional) | A URL to the person's preferred profile picture. Nametag checks that the image provided is the same person as pictured on their identity document. |
address string (optional) | Verified postal address |
govtid_details GovtidDetailsValue
(optional) | Additional information about the identity document presented by the user |
GovtidDetailsValue
The type GovtidDetailsValue
has the following fields:
GovtidDetailsValue struct | |
---|---|
type GovtidType
| The type of the identity document. Possible values are |
issuer string (optional) | The issuer of the identity document, an ISO 3166-1 alpha 3 country code optionally followed by a jurisdiction code, e.g. |
number string (optional) | The unique number of the identity document |
expiration RFC 3339 date string (optional) | The date when the identity document expires |
GovtidType
The enumeration GovtidType
can have the following values:
GovtidType enum | |
---|---|
passport | The user presented a passport. |
driver_license | The user presented a driver license or similar card-based ID document. |
RequestMobileDevice
The type RequestMobileDevice
has the following fields:
RequestMobileDevice struct | |
---|---|
os string | The full operating system name and version of the mobile device |
version string | The version of the Nametag app |
ios boolean |
|
android boolean |
|
full_app boolean |
|
app_clip boolean |
|
instant_app boolean |
|
remote_address string (optional) | The IP address of the mobile device (This field is |
remote_address_location Location
(optional) | The location of the mobile device based on its IP address (This field is |
Location
The type Location
has the following fields:
Location struct | |
---|---|
business boolean (optional) | Whether the location is a business. |
city string (optional) | The city of the location. |
country string (optional) | The country of the location. |
latitude floating-point number | The latitude of the location. |
longitude floating-point number | The longitude of the location. |
po_box boolean (optional) | Whether the location is a PO box. |
residential boolean (optional) | Whether the location is residential. |
subdivision string (optional) | The subdivision of the location (e.g. the state or province). |
RequestBrowser
The type RequestBrowser
has the following fields:
RequestBrowser struct | |
---|---|
user_agent string | The browser's user agent |
remote_address string (optional) | The IP address of the browser (This field is |
remote_address_location Location
(optional) | The location of the browser based on its IP address (This field is |
RequestDetails
The documentation for this type is available to customers with an NDA in place. Please contact help@nametag.co for more information.
Example: When the request is complete
$ curl -u :$APIKEY \
-X GET \
https://nametag.co/api/requests/32478070-6fc9-4b26-8f2c-5269f1222c6f
{
"id": "32478070-6fc9-4b26-8f2c-5269f1222c6f",
"status": "shared",
"scopes": ["nt:phone", "nt:legal_name"],
"label": "Ref Customer #41471",
"link": "https://nametag.co/i/utl2ffahuw7lqf"
"subject": "ewyzkwmoor5xg5ead2zjswudjq@5lsqfg1luqzb9s.nametag.co"
}
Update a request
Method: PATCH
URL: https://nametag.co/api/requests/REQUEST-ID
Authentication: API key
Request: A JSON object with the following fields:
UpdateRequestRequest struct | |
---|---|
label string (optional) | An internal label for this request. You can use this field to help you track the request in your own systems. Nametag stores this field, but does not process it. |
Response: none
Example:
$ curl -u :$APIKEY \
-X PATCH \
https://nametag.co/api/requests \
-d '{
"label": "updated label text"
}'
Cancel a request
Abort a request, invalidating the link for this request that was returned or sent via SMS when it was created. If the user has opened the request on their mobile device, it will close with a message that the request was canceled. A request is valid for 168 hours (7 days) from its creation unless it is canceled.
Method: DELETE
URL: https://nametag.co/api/requests/REQUEST-ID
Authentication: API key
Example:
When the request is complete:
$ curl -u :$APIKEY \
-X DELETE \
https://nametag.co/api/requests/32478070-6fc9-4b26-8f2c-5269f1222c6f
Response:
On success the response will be the HTTP code 204
(No content
) with an empty body.
People API
The People API allows you to fetch and manage the data that people have shared with you.
Get properties
Method: GET
URL: https://nametag.co/people/SUBJECT/properties/SCOPES
Authentication: API key for any subject, or an ID token is if SUBJECT is special value me
.
Parameters:
-
SUBJECT - The subject you got back from the token endpoint which uniquely identifies the person. You can use the special value
me
with ID token authentication to fetch information about the person for whom the ID token was issued. -
SCOPES - A comma-separated list of the scopes you want to fetch.
Response:
{
"subject": "SUBJECT",
"properties": [ PROPERTY, ... ]
"requests": [ REQUEST, ... ]
}
The response contains the following fields:
PropertiesResponse struct | |
---|---|
subject string | The subject of the request. This is the person whose properties are being requested. |
requests List of PropertyResponseRequest
| The requests that were made to get the properties. |
properties List of PropertyResponse
| Properties of the person. |
The response contains a list of properties that you requested. Each PROPERTY has the following fields:
PropertyResponse struct | |
---|---|
expires RFC 3339 date-time string (optional) | When your access to this data expires |
scope Scope
| The Scope you requested. |
value string (optional) | The value of the property. The type of this field varies depending on the scope. See this table. |
status integer | A value that tells you the disposition of the property. The value |
Each request describes a single request for information. The REQUEST has the following fields:
PropertyResponseRequest struct | |
---|---|
id string | A unique identifier for the request. |
created_at RFC 3339 date-time string | The time that the request was initiated |
status integer | The status of the request, 200 means accepted, 403 means rejected or canceled. |
scopes List of Scope
| The scopes requested |
Errors:
- 400 Bad Request - The one or more of the scopes provided are invalid or not registered.
Example:
$ SUBJECT="vkljipkaio2ap663do54r5fp2a@5lsqfg1luqzb9s.nametag.co"
$ curl -u ":$API_KEY" \
"https://nametag.co/people/$SUBJECT/properties/nt:email,nt:legal_name"
{
"subject": "vkljipkaio2ap663do54r5fp2a@5lsqfg1luqzb9s.nametag.co",
"properties": [
{
"expires": 1637321520,
"scope": "nt:email",
"value": "ross@nametag.co",
"status": 200
},
{
"expires": 1637321520,
"scope": "nt:legal_name",
"value": "Ross Kinder",
"status": 200
}
],
"requests": [
{
"created_at": "2022-12-18T19:15:42.315853Z",
"id": "f5cb153e-b96a-42c6-a1c0-f5a27d065fea",
"scopes": [
"nt:email",
"nt:legal_name"
],
"status": 200
}
]
}
Example: using the ID token
$ ID_TOKEN="eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJvaXQiLCJleHAiOjIxNDc0ODM2NDcsImlhdCI6MTYzNzIzNTEyNSwiaXNzIjoibmFtZXRhZy5jbyIsIm5iZiI6MTYzNzIzNTEyNSwic3ViIjoidmtsamlwa2FpbzJhcDY2M2RvNTRyNWZwMmFANWxzcWZnMWx1cXpiOXMubmFtZXRhZy5jbyJ9.P-elo7PUVC9dIBSV_UgoFbaHc2yATNOj8jumVTF_3izs9QqZ4lslvUsfCnogc1l7oEpowCR9d2j42J6J-5LWjw"
$ curl -u ":$ID_TOKEN" \
"https://nametag.co/people/$SUBJECT/properties/nt:email,nt:legal_name"
{
"subject": "vkljipkaio2ap663do54r5fp2a@5lsqfg1luqzb9s.nametag.co",
"properties": [
{
"expires": 1637321520,
"scope": "nt:email",
"value": "ross@nametag.co",
"status": 200
},
{
"expires": 1637321520,
"scope": "nt:legal_name",
"value": "Ross Kinder",
"status": 200
}
]
}
Delete properties
A person may revoke your access to a scope at any time. Less commonly, you can also remove a user’s access, for example if a user deletes their account or requests that their data be unshared via your app.
Method: DELETE
URL: https://nametag.co/people/SUBJECT/properties/SCOPES
Authentication: API key for any subject. ID token is if the subject is special value me
.
Parameters:
- SUBJECT - The subject you got back from the /token endpoint which uniquely
identifies the person. You can use the special value
me
with ID token authentication to revoke a scope on behalf of a person to whom the ID token was issued. - SCOPES - A comma-separated list of the scopes you want to revoke.
Request: none
Response: none
Example:
CLIENT_ID=obo0jukwhhlbo8
CLIENT_SECRET=ed1227ffbd35ff2b83bc8bd2c6af6473e596be875f094ef08da6a3c041d584f0
SUBJECT=vkljipkaio2ap663do54r5fp2a@5lsqfg1luqzb9s.nametag.co
curl -u "$CLIENT_ID:$CLIENT_SECRET" \
-X DELETE \
"https://nametag.co/people/$SUBJECT/properties/nt:email,nt:legal_name"
Get properties in bulk
This endpoint returns properties for multiple people at a time. For each person, specify the subject and the scopes you are requesting. The response will contain an object for each of the subjects you provided.
Note: We recommend a batch size of around 512 people per request. The Nametag API does not strictly limit the number of items that you request, but the requests that are too large may fail due to timeouts or size restrictions on the response.
Method: POST
URL: https://nametag.co/people/bulk
Authentication: API key
Request:
BulkRequest struct | |
---|---|
requests List of BulkRequestItem
| A list of property requests, one for each person about whom you are requesting information. |
Each item in requests
is an object consisting of the following fields:
BulkRequestItem struct | |
---|---|
subject string | The subject of the request. This is the person whose properties are being requested. |
scopes List of Scope
| Which scopes you are requesting for this person. |
Response:
The response will contain one entry corresponding to item in the requests
list.
BulkResponse struct | |
---|---|
data List of PropertiesResponse
| A list of responses for each person requested. |
Example:
$ curl -u ":$API_KEY" https://nametag.co/people/bulk \
-d '{
"requests": [
{
"subject": "vkljipkaio2ap663do54r5fp2a@5lsqfg1luqzb9s.nametag.co",
"scopes": [
"nt:email",
"nt:legal_name"
]
}
]
}'
{
"data": [
{
"subject": "vkljipkaio2ap663do54r5fp2a@5lsqfg1luqzb9s.nametag.co",
"properties": [
{
"expires": 1637321520,
"scope": "nt:email",
"value": "alice@example.com",
"status": 200
},
{
"expires": 1637321520,
"scope": "nt:legal_name",
"value": "Alice Smith",
"status": 200
}
]
}
]
}
Compare values
This endpoint compares a set of expected values of a scope for a subject and returns a confidence score that tells you if the subject matches what you expect.
This is useful if your user already has an account with your service and you need to connect them to a Nametag subject.
Note: For now, the only supported scope is
nt:legal_name
.
Method: POST
URL: https://nametag.co/people/:subject/compare
Authentication: API key
Request body:
SubjectComparisonRequest struct | |
---|---|
expectations List of Expectation
| A list of expectations to compare against the person's properties. |
Expectation struct | |
---|---|
scope Scope
| The scope you are comparing against. |
value string | The value you expect the person to have for this scope. |
Response:
The response will contain one entry corresponding to each item in the
expectations
array. The scope and value from the request will be echoed
back as scope and expected, respectively. The value is the actual value of the scope (as would be returned from the get properties endpoint. The confidence that the expected data matches the actual value of the scope is returned as a float in the range 0.0-1.0 as match_confidence.
ComparisonResult struct | |
---|---|
confidence floating-point number | A number between 0 and 1 that represents Nametag's confidence that the value matches the expected value. A value of 1 means Nametag is very confident that the values match, while 0 means that the values do not match at all. |
comparisons List of Comparison
| A list of comparisons between the expected and actual values. |
Comparison struct | |
---|---|
scope Scope
| The scope being compared. |
expected string | The expected value for this scope. |
actual string | The actual value for this scope. |
match boolean | True if the |
match_confidence floating-point number | A number between 0 and 1 that represents Nametag's confidence that the values match. A value of 1 means Nametag is very confident that the values match, while 0 means that the values do not match at all. |
Example:
$ curl -u :$APIKEY \
-X POST \
https://nametag.co/people/$SUBJECT/compare \
-d '{
"expectations": [
{
"scope": "nt:legal_name",
"value": "Alice Smith",
}
]
}'
{
"confidence": 0.9,
"comparisons": [
{
"scope": "nt:legal_name",
"expected": "Alice Smith",
"value": "Alice Catherine Smith",
"match_confidence": 0.96,
"match": true
}
]
}
Compare selfie
This is useful if your want to tell if a photo of a user matches the photo on their government ID.
This endpoint compares a photo you upload to the subject’s validated selfie photo provided as
part of scanning their government ID. The user must have successfully validated at least one
selfie photo against their government ID for this endpoint to return a result. The user must
have authorized the nt:profile_picture
scope.
For the best results, please upload a photo that is within these parameters:
- the photo has only one face in it
- the overall scene in the photo is not too dark or too bright
- the image file size should not exceed 5MB
- the image file dimensions should be at least 100x100 pixels per side on the image but no larger than 10,000 pixels per side
- for images that are larger than 100 by 100 pixels, the face should occupy at least 100x100 pixels
Note: Although the
nt:profile_picture
scope is required, this endpoint does not compare the uploaded photo against the profile picture. Instead, it compares the actual selfie(s) provided by the subject.
Method: POST
URL: https://nametag.co/people/:subject/compare/selfie
Authentication: API key
Request body: JPEG image data (Content-Type: image/jpeg
)
Response:
CompareSelfieResult struct | |
---|---|
match boolean | True if the |
confidence floating-point number | A number between 0 and 1 that represents Nametag's confidence that the values match. A value of 1 means Nametag is very confident that the values match, while 0 means that the values do not match at all. |
Webhooks
Webhooks allow you to handle events initiated by Nametag. When events of interest occur, our service will make an HTTPS request to your service. Webhooks are configured on a per-environment basis in the developer console.
Authentication: Your service should verify that the requests to your webhook endpoint actually originate from Nametag. Each request to your service includes a header X-Nametag-Signature
whose value is the hex-encoded HMAC-SHA256 of the body of the request using the webhook’s SHARED-SECRET as the key. The shared secret can be found in the developer console.
Note: You must validate the raw bytes of the request body before you parse the JSON content. Any minor changes to whitespace, field order, or new fields will cause the signature validation to fail.
Example: Verifying the signature on the command line.
WEBHOOK_SHARED_SECRET="webhook-683fb6598c7faa4f05e4e693d3686f5faa6b9cd7bb646c5254edd3cb880f4225"
X_NAMETAG_SIGNATURE="e51e995e66aabc85f5f15f3c9dcdf859757aa117fd7ab13ccb61c54057d744f3"
ACTUAL_SIGNATURE=$(echo -n '{"event_type":"share",'\
'"subject":"vkljipkaio2ap663do54r5fp2a@5lsqfg1luqzb9s.nametag.co",'\
'"request":"f9cbc40a-5da2-4f1c-84a6-f8e097fca03c",'\
'"scopes":["nt:email","nt:name","nt:legal_name"]}' |\
openssl dgst -sha256 -hmac "$WEBHOOK_SHARED_SECRET" |\
awk '{print $2}')
if [ "$ACTUAL_SIGNATURE" = "$X_NAMETAG_SIGNATURE" ]; then
echo "Signature matched, process request"
else
echo "Signature did not match, reject request"
fi
Retries: If your service returns an error status code (>= 400), or if we cannot connect due to a network or certificate error, then Nametag will retry the request up to five times at 30 second intervals. You can see a history of our attempts to deliver webhooks in the developer console.
Note: Your service must present a valid, publicly trusted SSL/TLS certificate. For development, we recommend ngrok. For production use we recommend Let’s Encrypt
Share event
This event is emitted whenever a person shares information with you, or when they update information they have previously shared.
Event type: share
Request body:
WebhookPayloadShare struct | |
---|---|
event_type string | Always |
subject string | The subject that shared the data |
request string (optional) | The ID of the most recent request which was returned by the create a request API, if used. This field may be omitted when the user changes shared data outside the context of a pending request, such as by using the "Vault" tab in the Nametag app. |
org_name string (optional) | The currently configured name of the environment that generated the webhook |
env_name string (optional) | The currently configured name of the organization in which the environment is configured |
scopes List of Scope
| The list of currently shared scopes |
Example: (whitespace has been added to the response for clarity)
POST https://example.com/webhook HTTP/1.1
Date: Thu, 18 Nov 2021 11:55:09 GMT
Content-type: application/json
User-agent: Nametag-Webhooks/20211116T214921.7e635fd.ci
X-Nametag-ID: 925dfd28-5213-42d9-9320-f1f6d0c8de09
X-Nametag-Signature: c47c087cef9d7816fd625a4383c73ee67de833cbf4376f45aa8a9ef1277c7c81
{
"event_type": "share",
"subject": "vkljipkaio2ap663do54r5fp2a@5lsqfg1luqzb9s.nametag.co",
"request": "f9cbc40a-5da2-4f1c-84a6-f8e097fca03c",
"env_name": "Live",
"org_name": "My Company",
"scopes": [
"nt:email",
"nt:legal_name",
"nt:name"
]
}
Revoke event
This event is emitted when a person revokes access to information they’ve previously shared with you.
Event type: revoke
Request body:
WebhookPayloadReject struct | |
---|---|
event_type string | Always |
subject string | The Subject that initially shared the data |
request string (optional) | The ID of the most recent request which was returned by the create a request API, if used. This field may be omitted when the user changes shared data outside the context of a pending request, such as by using the "Vault" tab in the Nametag app. |
org_name string (optional) | The currently configured name of the organization in which the environment is configured |
env_name string (optional) | The currently configured name of the environment that generated the webhook |
scopes List of Scope
| The list of revoked scopes |
Example: (whitespace has been added to the response for clarity)
POST https://trynametag.com/webhook HTTP/1.1
Date: Thu, 18 Nov 2021 11:55:23 GMT
Content-type: application/json
User-agent: Nametag-Webhooks/20211116T214921.7e635fd.ci
X-Nametag-ID: 4f94f7a0-5bdf-409b-ae84-2aff8c95eab0
X-Nametag-Signature: b7aad74f36f50e7b15112bea178b25001c45726715cf19a4328e5b22f89a9b7f
{
"event_type": "reject",
"subject": "vkljipkaio2ap663do54r5fp2a@5lsqfg1luqzb9s.nametag.co",
"env_name": "Live",
"org_name": "My Company",
"scopes": [
"nt:email",
"nt:legal_name",
"nt:name"
]
}
Recover event
This event is emitted just before a person recovers an account using a connected directory service such as Entra ID or Okta.
Event type: recover
Request body:
WebhookPayloadRecover struct | |
---|---|
event_type string | Always |
subject string | The Nametag identifier of the person who recovered an account |
language string | The language preferences of the user, as reported by their browser's |
directory string | The ID of the directory service that was used to recover the account |
external_id string | The ID of the user in the directory. |
action RecoveryKind
| The type of recovery that occurred, either |
org_name string | The currently configured name of the organization in which the environment is configured |
env_name string | The currently configured name of the environment that generated the webhook |
date RFC 3339 date-time string | The time when the recovery completed. |
Response body: (optional)
WebhookResponseRecover struct | |
---|---|
deny_user_message string (optional) | Specified then the recovery operation is not allowed and the user is presented with the specified message. Use |
Example: (whitespace has been added to the response for clarity)
POST https://example.com/webhook HTTP/1.1
Date: Thu, 18 Nov 2021 11:55:09 GMT
Content-type: application/json
User-agent: Nametag-Webhooks/20211116T214921.7e635fd.ci
X-Nametag-ID: 2744d75e-0eb9-448d-8b70-cd59ee5a8471
X-Nametag-Signature: a83e8857e70bcbd923d7180582b5877123e732d25fefc4af170f83a94c250c09
{
"event_type": "recover",
"subject": "vkljipkaio2ap663do54r5fp2a@5lsqfg1luqzb9s.nametag.co",
"language": "en-US,en;q=0.9",
"directory": "132bf0fb-55dd-4b19-ad54-e43a85c8bd50",
"external_id": "alice@example.com",
"action": "reset-password",
"env_name": "My Environment",
"org_name": "My Company"
}
Rejecting a recovery operation
Unlike the other webhooks, Nametag can optionally process the response your server sends to from the webhook. This allows you implement logic to prevent us from performing a recovery operation. This process looks like this:
To reject the recovery operation your webhook handler must:
- Respond with an HTTP status code of 200
- Set the
Content-type
response header toapplication/json
- The response body must contain a valid JSON document like:
The deny_user_message
field is a user-facing message that will be displayed to the user. If this
field is absent or null, then Nametag assumes that you want to allow the recovery to continue.
If you serve users in multiple languages, use the language
field of the request to determine
how deny_user_message
should be translated.
Request event (beta)
This event is emitted whenever a request changes status. It contains the same information as the get request endpoint.
Event type: request
Request body:
WebhookPayloadRequest struct | |
---|---|
event_type string | Always |
event RequestEventType
| The reason this event was emitted. |
request Request
| Information about the request |
The event_type
field will have one of the following values:
RequestEventType enum | |
---|---|
request_created | A new request has been initiated and recorded in the system. |
request_accepted | The request was completed. |
request_rejected | The request was rejected because the evidence presented was insufficient or invalid. |
request_canceled | The request has been canceled by the user or system before completion. |
request_app_opened | The user opened the Nametag app. |
request_email_selected | The user selected which email address they will share. |
request_link_opened | The request link was opened in the browser. |
request_selfie_verified | The user's selfie has been successfully verified against their ID and the selfie chain. |
request_label_changed | The request label was updated. |
request_data_deletion_status_changed | An OAuth authorization code has been issued as part of the request. |
request_oauth_code_issued | An OAuth access token has been issued following successful authentication. |
request_oauth_token_issued | The request has exceeded the allowed time limit and is no longer valid. |
request_expired | The user started scanning their ID. |
scan_started | The user uploaded an image of the front of their ID. |
scan_front_image_added | The user uploaded an image of the back of their ID. |
scan_back_image_added | The user uploaded an image of their selfie. |
scan_selfie_image_added | The user uploaded an image of their second selfie (in PAD mode only) |
scan_selfie_smile_added | Aadhaar details have been added to the scan request. |
scan_aadhaar_added | The user finished scanning their ID. |
scan_aadhaar_otp_added | The user canceled the ID scan before they finished. |
scan_finished | Nametag rejected the user's ID and the user has appealed. |
scan_aborted | A Nametag reviewer has reviewed the user's appeal and accepted it. |
scan_appealed | A Nametag reviewer has reviewed the user's appeal and rejected it. |
scan_appeal_accepted | The user's scanned ID is valid. |
scan_appeal_rejected | The user's scanned ID is invalid. |
scan_accepted | The end user has provided consent for biometric data collection. |
scan_rejected | The end user has revoked consent or authorization for the request. |
biometric_consent | You (the requestor) have revoked authorization for the request. |
end_user_revoke | A phone number has been added to the user's vault. |
vendor_revoke | The added phone number has been successfully verified. |
vault_phone_added | A verification request for the phone number has been resent. |
vault_phone_verified | The phone number has been removed from the user's vault. |
vault_phone_resent | An email address has been added to the user's vault. |
vault_phone_deleted | The added email address has been successfully verified. |
vault_email_added | A verification request for the email address has been resent. |
vault_email_verified | The email address has been removed from the user's vault. |
vault_email_resent | A profile picture has been added to the user's vault. |
vault_email_deleted | The profile picture has been removed from the user's vault. |
vault_profile_picture_added | The user's preferred name has been set in the vault. |
vault_profile_picture_removed | The profile picture has been reviewed and accepted. |
vault_preferred_name_set | The profile picture has been reviewed and rejected. |
profile_picture_accepted | The user's vault and all associated data have been deleted. |
profile_picture_rejected | |
vault_deleted |
Accounts API
An account represents a user entry in a directory. Accounts are created from the directory synchronization process, which runs automatically every hour, or when you press the “Sync Now” button in the console.
List Accounts
Method: GET
URL: https://nametag.co/api/accounts
Authentication: API key
Response:
AccountsList struct | |
---|---|
accounts List of Account
| The list of accounts |
Each item in accounts
is an object consisting of:
Account struct | |
---|---|
id string | The Nametag identifier for the account. |
directory_identifiers List of string | The identifiers for the account used by the directory (typically an email address, username) |
directory_immutable_identifier string | The unchanging identifier for the account used by the directory. Most directories have an UUID or other opaque identifier that doesn't change even when |
name string | The person's name, according to the directory |
subject string (optional) | The Nametag Subject for this person, if the account has been bound to a |
have_birth_date boolean (optional) | true if the person's expected birth date has been set for the directory. |
photo AccountPhoto
(optional) | A verified photo of the person that you provide. If this field is set prior to being bound to a |
An AccountPhoto
is an object with the following fields:
AccountPhoto struct | |
---|---|
sha256 string | The SHA256 hash of the uploaded image. |
created_at RFC 3339 date-time string | The time when the image was added. |
Get an account
Fetches a single account. The ACCOUNT-ID can be either the id
, one of the directory_identifiers
or directory_immutable_identifier
for the account.
Method: GET
URL: https://nametag.co/api/accounts/ACCOUNT-ID
Authentication: API key
Response: Account
{
"id": "f3a579f8-bf03-4d1d-a582-b9ff801d0ab5",
"directory_identifiers": ["alice@example.com"],
"directory_immutable_identifier": "1904df08-b3b2-41b3-80d9-52cea873f62a",
"name": "Alice Smith",
"subject": "vkljipkaio2ap663do54r5fp2a@5lsqfg1luqzb9s.nametag.co",
"birth_date": "1989-12-13",
"photo": {
"sha256": "324a68d4a6185dd91a77c13950eb93853c9b00752ad072c248f96643b1289f4e",
"created_at": "2023-07-10T14:03:13Z"
}
}
Update an account
Updates an account. The ACCOUNT-ID can be either the id
, one of the directory_identifiers
or directory_immutable_identifier
for the account.
Method: PATCH
URL: https://nametag.co/api/accounts/ACCOUNT-ID
Authentication: API key
Request:
All fields of the request are optional. If you omit a field, it will not be changed. The request may contain the following fields:
AccountUpdateRequest struct | |
---|---|
birth_date string (optional) | The subject's date of birth. If this is set prior to the account being bound to a |
subject string (optional) | The subject for this person. Set this to an empty string to remove the binding for this person. |
Response: none
Add a photo
Adds a photo to an account. The ACCOUNT-ID can be either the id
, one of the directory_identifiers
or directory_immutable_identifier
for the account.
Method: PUT
URL: https://nametag.co/api/accounts/ACCOUNT-ID/photo
Authentication: API key
Request: JPEG image
This request will fail if the account is already bound to a subject
and that person’s
provided selfie does not match the photo you upload. It will also fail if the photo is
not a valid JPEG image, or does not contain exactly one legible face.
Note: Photos must not be larger than 7MB
Bulk update accounts
Method: PATCH
URL: https://nametag.co/api/accounts
Authentication: API key
Request:
AccountBulkUpdateRequest struct | |
---|---|
accounts List of AccountBulkUpdateRequestItem
| A list of account update operations |
An AccountBulkUpdateRequestItem
is an object with the following fields:
AccountBulkUpdateRequestItem struct | |
---|---|
birth_date string (optional) | The subject's date of birth. If this is set prior to the account being bound to a |
id string | The unique identifier of the account. This can be the Nametag ID |
subject string (optional) | The subject for this person. Set this to an empty string to remove the binding for this person. |
Response:
AccountBulkUpdateResponse struct | |
---|---|
results List of AccountBulkUpdateResponseItem
|
An AccountBulkUpdateResponseItem
is an object with the following fields:
AccountBulkUpdateResponseItem struct | |
---|---|
status AccountBulkUpdateStatus
| |
id string | The account identifier provided in the request |
error string (optional) | A description of the error that occurred. |
A AccountBulkUpdateStatus
is one of the following values:
AccountBulkUpdateStatus enum | |
---|---|
204 | The account was updated |
400 | One of the fields to be updated is malformed, e.g. the subject is not valid or not for the environment of the account. |
404 | An account matching the specified ID could not be found |
409 | Multiple accounts with the specified identifier were found |
Bulk photo upload
Adds multiple photo to an account.
Method: POST
URL: https://nametag.co/api/account/photos
Authentication: API key
Query parameters:
Parameter | Description |
---|---|
directory |
Required The ID of the directory to associate photos with. |
Request: Zip archive containing JPEG or PNG images
You must provide a zip archive. Each file in the zip archive should be named as ACCOUNT-ID.jpeg
or ACCOUNT-ID.png
. The ACCOUNT-ID can be either the id
, one of the directory_identifiers
or directory_immutable_identifier
for the account. Each image will be associated with an existing account in the same manner as the Add photo endpoint above.
Note: The uploaded file may not be larger than 500MB. Split your bulk imports into parts and call this API repeatedly if you need to upload more than 500MB worth of images.
Response:
BulkUploadAccountPhotosResponse struct | |
---|---|
files List of BulkUploadAccountPhotosResponseItem
| A list of responses, each corresponding to a file in the uploaded archive. |
BulkUploadAccountPhotosResponseItem struct | |
---|---|
filename string | The name of the file |
account_id string (optional) | The Nametag identifier for the account that matched this file. If this field is absent, then the file was not matched to an existing account. |
directory_identifiers List of string (optional) | The identifiers for the account used by the directory (typically an email address, username) |
directory_immutable_identifier string (optional) | The unchanging identifier for the account used by the directory. Most directories have an UUID or other opaque identifier that doesn't change even when |
status integer | This field is 200 if adding the photo was successful, 404 if an account could not be found, 400 if the image is invalid, or 422 if the image contains multiple faces, doesn't match the existing selfie, or no face at all. |
error string (optional) | A human readable error message describing the reason a file could not be processed. |
Example:
$ ls bulk
alice@example.com.jpg
bob@example.com.jpg
charlotte@example.com.jpg
danielle@example.com.jpg
ed@example.com.jpg
$ zip -r bulk.zip bulk
$ curl -u :$APIKEY \
https://nametag.co/api/account/photos?directory=b8e62529-a26f-4f2e-b4c4-b78ef85e75d6 \
--upload-file bulk.zip
{
"files": [
{
"filename": "bulk/alice@example.com.jpg",
"account_id": "6572dcdd-c3e4-4e7b-b59a-a4ef25a613cb",
"directory_identifiers": [
"alice@example.com"
],
"directory_immutable_identifier": "ffbb4ab9-c5ae-47c2-916b-35212115285b",
"status": 200
},
{
"filename": "bulk/bob@example.com.jpg",
"account_id": "48b6f6fa-1ad8-4d53-861a-cdfd5c0e3376",
"directory_identifiers": [
"bob@example.com"
],
"directory_immutable_identifier": "8eca86c8-cee7-4eda-98e2-c89cbef25f6c",
"status": 200
},
{
"filename": "bulk/charlotte@example.com.jpg",
"account_id": "086b62c8-05cc-4895-a58b-caada9d10074",
"directory_identifiers": [
"charlotte@example.com",
"charlotte@example.net",
],
"directory_immutable_identifier": "27c97d75-01ce-4fd0-ad66-743c87574725",
"status": 200
},
{
"filename": "bulk/danielle@example.com.jpg",
"status": 404,
"error": "account not found"
},
{
"filename": "bulk/ed@example.com.jpg",
"account_id": "ef5deae7-1f2c-48a7-b1f1-70d8ddda75c7",
"directory_identifiers": [
"ed@example.com"
],
"directory_immutable_identifier": "17937a5a-484f-488d-935b-67b919b8cc29",
"status": 200
}
]
}
Configuration API
Use the configuration API to manage the configuration of your organizations and environments. All requests to the configuration API are authenticated with API keys.
Organization
An organization is a singleton that represents global state about your relationship to Nametag.
Get
Get the organization.
Method: GET
URL: https://nametag.co/api/org
Authentication: API key
Response:
Org struct | |
---|---|
name string | The name of the organization, typically the name of your company |
role Role
| Your role in the organization. |
envs List of string | A list of the environment IDs that you have access to. |
Example:
$ curl -u :$APIKEY https://nametag.co/api/org
{
"name": "Acme Corp",
"role": "admin",
"envs": [
"cfln7ldhawwlen",
"nwixcd2qkbth7h"
]
}
List members
Returns a list of the members of your organization
Method: GET
URL: https://nametag.co/api/org/members
Authentication: API key
Request: none
Response:
ListOrgMembersResponse struct | |
---|---|
members List of OrgMember
| A list of each member of the organization |
Each ORG-MEMBER is an object consisting of:
OrgMember struct | |
---|---|
member_id string | A unique identifier of the member. |
role Role
| The person's role on the organization. One of |
envs List of string | The list of environments the member has access to. If the list contains |
name string | The name of the member. |
email string | The email address of the member. |
profile_picture URL string | The URL of the profile picture of the member. |
invite_pending boolean | True if the member has been invited to the organization but has not yet signed in. |
requests_count integer (optional) | The number of request the member has sent. |
The Role enumeration has one of the following values:
Role enum | |
---|---|
limited | A limited user can make requests and see responses to their request, but they cannot see responses to other people's requests. |
limited_plus | Like |
user | A normal member of the organization. Can manage requests but not environments or members. |
admin | An administrator of the organization. Admins can invite new members, update member roles, and remove members. |
owner | The owner of the organization. The owner has full control over the organization, including the ability to delete it. |
Invite a person to your organization
Invites a new person to join your organization. This API sends an email to the address specified. When the person accepts the invitation, they will have joined the organization. The person must use the Nametag app to authenticate prior to joining the organization.
Method: POST
URL: https://nametag.co/api/org/members
Authentication: API key
Request:
InviteOrgMemberRequest struct | |
---|---|
email RFC 822 email address string | The email address of the person you want to invite. |
envs List of string | The list of environments the member will have access to. If the list contains |
role Role
| The role to be assigned to the new member. |
Response: none
Remove an organization member
Removes a person from an organization.
Method: DELETE
URL: https://nametag.co/api/org/members/MEMBER-ID
Authentication: API key
Request: none
Response: none
Set a member’s role
Assign a role to a member
Method: PATCH
URL: https://nametag.co/api/org/members/MEMBER-ID
Request:
UpdateOrgMemberRequest struct | |
---|---|
envs List of string (optional) | The list of environments the member will have access to. If the list contains |
role Role
(optional) | The role to be assigned to the member. |
The role must be one of reader
, or admin
. You must have at least one active member marked as admin
.
Response: none
Environment
An environment is the unit of privacy isolation in Nametag. The Environment object contains the following fields:
Env struct | |
---|---|
id string | The identifier for this environment |
name string | The internal name for this environment |
public_name string | The name of the environment that is shared with people |
logo_url URL string | A URL to your logo, which is displayed in the Nametag mobile app. |
terms_of_service_url URL string | The URL of the terms of service. Formerly, this URL was provided to end-users in the Nametag mobile app, but it |
callback_urls List of URL string | A list of valid URLs for use as OAuth 2.0 callback URLs. |
webhooks List of WebhookDefinition
| A list of webhooks. |
templates List of Template
| A list of request templates. |
storage EnvStorage
(optional) |
The type WebhookDefinition
defines a webhook. It contains the following fields:
WebhookDefinition struct | |
---|---|
id string | A unique identifier for the webhook definition. |
url string | The URL in your service that should be called, e.g. |
enabled boolean | If true, then calls to this webhook should be made. |
events List of WebhookEventType
| The names of the events that should be sent. |
WebhookEventType enum | |
---|---|
share | Send Share events to this webhook |
reject | Send Reject events to this webhook |
recover | Send Recover events to this webhook |
request | Send Request events to this webhook |
The type EnvStorage
defines the configuration of enterprise data custody.
It contains the following fields:
EnvStorage struct | |
---|---|
s3_bucket_us string (optional) | The S3 bucket for data stored in the United States. Must be in the us-east-2 AWS region. |
s3_bucket_eu string (optional) | The S3 bucket for data stored in Europe. Must be in the eu-west-1 AWS region. |
s3_bucket_in string (optional) | The S3 bucket for data stored in India. Must be in the ap-south-1 AWS region. |
aws_role_arn string (optional) | The role Nametag should use to access the S3 buckets. |
azure_blob_us string (optional) | Azure Blob Storage presigned (SAS) URL. Should be in the eastus region. |
azure_blob_eu string (optional) | Azure Blob Storage presigned (SAS) URL. Should be in the northeurope region. |
azure_blob_in string (optional) | Azure Blob Storage presigned (SAS) URL. Should be in the centralindia region. |
Template
The type Template
defines a request template. A request template provides greater control over
your request than is possible with the create a request endpoint.
It contains the following fields:
Template struct | |
---|---|
id string | A unique identifier for the template |
created_at RFC 3339 date-time string | When the template was created |
name string | A descriptive name of the template |
headline string | The text that appears at the top of the mobile app when showing the request |
qr_headline string | The text that appears above the QR code when directing the user from desktop to mobile. |
expiration_text string | The text that describes when the request expires. This should include |
accept_text string | The text on the accept button in the mobile app. |
accepted_text string | The text that appears on the confirmation view after a request has been accepted. |
install_message_sms string | The contents of the SMS message sent to users to direct them to the mobile app. This must contain the |
is_default boolean | If true then this is the default template used when a template is not explicitly specified. There must be exactly one default template. |
scope_definitions List of TemplateScopeDefinition
| A list of scopes that are requested when requests are created with this template. |
scopes_expire_in integer | How long the data sharing authorization should last, in seconds. |
enabled boolean | If true, then this template is enabled for requests. The default template must be enabled. |
require_selfie_reverification boolean | If true, existing users must provide a new selfie to validate their identity. |
TemplateScopeDefinition
The type TemplateScopeDefinition
defines a scope that is requested when a request is created with a template. It contains the following fields:
TemplateScopeDefinition struct | |
---|---|
scope Scope
| The name of the scope that is requested |
restrict_email_domains List of string (optional) | If the scope definition is for nt:email or similar, require that the email domain match one of the provided values. If the scope definition is not for email, or if the list is empty, then emails from any domain are allowed. |
List environments
Returns a list of all environments that you have access to.
Method: GET
URL: https://nametag.co/api/envs
Authentication: API key
Response:
ListEnvsResponse struct | |
---|---|
envs List of Env
| A list of all your environments. |
Example:
$ curl -u :$APIKEY https://nametag.co/api/envs
{
"envs": [
{
"id": "5lsqfg1luqzb9s",
"name": "Sidecar Production",
"public_name": "Sidecar",
"description": "Like Uber, but for rides in motorcycle sidecars.",
"logo_url": "https://nametagusercontent.com/app-icons/fa21/f7d7/fa21f7d7e4d2eacec7331de48df71e29cfe5fca2d8c629634e9e69a2042c26b9",
"terms_of_service_url": "https://example.nametag.co/terms",
"callback_urls": [
"https://trynametag.com/callback"
],
"webhook_shared_secret": "webhook-683fb6598c7faa4f05e4e693d3686f5faa6b9cd7bb646c5254edd3cb880f4225",
"webhooks": [
{
"url": "https://trynametag.com/webhook",
"enabled": true,
"events": [
"share",
"reject"
]
}
]
}
]
}
Create
Creates a new environment
Method: POST
URL: https://nametag.co/api/envs
Authentication: API key
Request: empty
Response:
CreateEnvResponse struct | |
---|---|
id string | The unique identifier of the environment |
Example:
$ curl -u :$APIKEY \
-X POST \
https://nametag.co/api/envs
{
"id": "x0n8vfkfcmh3ks"
}
Get
Fetch the settings for an environment.
Method: GET
URL: https://nametag.co/api/envs/ENV-ID
Authentication: API key
Response: an Env object
Example:
$ curl -u :$APIKEY https://nametag.co/api/envs/x0n8vfkfcmh3ks
{
"id": "5lsqfg1luqzb9s",
"name": "Sidecar Production",
"public_name": "Sidecar",
"description": "Like Uber, but for rides in motorcycle sidecars.",
"logo_url": "https://nametagusercontent.com/app-icons/fa21/f7d7/fa21f7d7e4d2eacec7331de48df71e29cfe5fca2d8c629634e9e69a2042c26b9",
"terms_of_service_url": "https://example.nametag.co/terms",
"callback_urls": [
"https://trynametag.com/callback"
],
"webhook_shared_secret": "webhook-683fb6598c7faa4f05e4e693d3686f5faa6b9cd7bb646c5254edd3cb880f4225",
"webhooks": [
{
"url": "https://example.com/webhook",
"enabled": true,
"events": [
"share",
"reject"
]
}
]
}
Update
Change settings for an environment. All the request fields are optional, and only fields that are provided will be changed.
Method: PATCH
URL: https://nametag.co/api/envs/ENV-ID
Authentication: API key
Request:
Each field of the request is optional. Refer to the Environment object for descriptions of each field.
EnvUpdateRequest struct | |
---|---|
name string (optional) | Update the name of the environment, for internal use. |
public_name string (optional) | Update the public-facing name for your environment, typically your company or brand name. |
callback_urls List of URL string (optional) | Set the list of allowed OAuth 2.0 callback URLs |
terms_of_service_url string (optional) | Update the terms of service URL. |
remove_webhooks List of string (optional) | Remove webhooks from the environment (IDs of the webhooks to remove) |
add_webhooks List of WebhookDefinition
(optional) | Add webhooks to the environment |
update_webhook WebhookDefinitionUpdate
(optional) | |
storage EnvStorage
(optional) |
To modify a webhook, include both the remove_*
and add_*
in the same request. For example, to replace an
webhook, include both remove_webhooks
and add_webhooks
in your request.
Example:
$ curl -u :$APIKEY https://nametag.co/api/envs/x0n8vfkfcmh3ks -X PATCH -d '{
"name": "Example app",
"remove_webhook": ["https://example.com/webhook"],
"add_webhook": [
{
"url": "https://example.com/webhook2",
"enabled": true,
"events": ["share", "reject"]
}
]
}'
Update the logo
Method: POST
URL: https://nametag.co/api/envs/ENV-ID/logo
Authentication: API key
Request: A PNG, SVG, or JPEG of your service’s logo. Set the Content-type
request header to one of image/png
, or image/svg+xml
, or image/jpeg
.
Response: none
Example:
$ curl -u :$APIKEY \
-X POST \
-H "Content-type: image/png" \
-T "logo512.png" \
https://nametag.co/api/envs/x0n8vfkfcmh3ks/logo
# check the environment
$ curl -u :$APIKEY https://nametag.co/api/envs/x0n8vfkfcmh3ks | jq -r .logo_url
https://nametagusercontent.com/app-icons/fa21/f7d7/fa21f7d7e4d2eacec7331de48df71e29cfe5fca2d8c629634e9e69a2042c26b9
Remove
Remove an environment.
Method: DELETE
URL: https://nametag.co/api/envs/ENV-ID
Request: none
Response: none
$ curl -u :$APIKEY \
-X DELETE \
https://nametag.co/api/envs/x0n8vfkfcmh3ks
Templates
A template defines certain parameters for a request. A request can be created with
the template
query parameter to /authorize to pre-fill the request with the parameters
defined in the template.
Note: there are no APIs for listing or fetching templates. Instead, they are returned as part of the
GET /env/:env
API.
You must always have exactly one template that is the default. The default template is used when a request is created without specifying a template.
Create a template
Creates a new template.
All fields in the request body are optional, if not provided they will have their default values.
Method: POST
URL: https://nametag.co/api/envs/ENV-ID/templates
Request:
CreateTemplateRequest struct | |
---|---|
name string | A descriptive name of the template |
headline string (optional) | The text that appears at the top of the mobile app when showing the request |
qr_headline string (optional) | The text that appears above the QR code when directing the user from desktop to mobile. |
expiration_text string (optional) | The text that describes when the request expires. This should include |
accept_text string (optional) | The text on the accept button in the mobile app. |
accepted_text string (optional) | The text that appears on the confirmation view after a request has been accepted. |
install_message_sms string (optional) | The contents of the SMS message sent to users to direct them to the mobile app. This must contain the |
is_default boolean (optional) | If true then this is the default template used when a template is not explicitly specified. There must be exactly one default template. |
scope_definitions List of TemplateScopeDefinition
(optional) | A list of scopes that are requested when requests are created with this template. |
scopes_expire_in integer (optional) | How long the data sharing authorization should last, in seconds. |
enabled boolean (optional) | If true, then this template is enabled for requests. The default template must be enabled. |
require_selfie_reverification boolean (optional) | If true, existing users must provide a new selfie to validate their identity. |
Response:
CreateTemplateResponse struct | |
---|---|
id string | The unique identifier of the template |
Example:
$ curl -u :$APIKEY \
-X POST \
https://nametag.co/api/envs/x0n8vfkfcmh3ks/templates \
-d '{"name": "Transaction Authorization"}'
{"id": "a7da6fc2-ba44-44df-a863-3ac9f58b5ba6"}
Modify a template
Updates a template. The request body may contain any of the fields from the Template object. Fields that are omitted remain unchanged.
Method: PATCH
URL: https://nametag.co/api/envs/ENV-ID/templates/TEMPLATE-ID
Request:
UpdateTemplateRequest struct | |
---|---|
name string (optional) | A descriptive name of the template |
headline string (optional) | The text that appears at the top of the mobile app when showing the request |
qr_headline string (optional) | The text that appears above the QR code when directing the user from desktop to mobile. |
expiration_text string (optional) | The text that describes when the request expires. This should include |
accept_text string (optional) | The text on the accept button in the mobile app. |
accepted_text string (optional) | The text that appears on the confirmation view after a request has been accepted. |
install_message_sms string (optional) | The contents of the SMS message sent to users to direct them to the mobile app. This must contain the |
is_default boolean (optional) | If true then this is the default template used when a template is not explicitly specified. There must be exactly one default template. |
scope_definitions List of TemplateScopeDefinition
(optional) | A list of scopes that are requested when requests are created with this template. |
scopes_expire_in integer (optional) | How long the data sharing authorization should last, in seconds. |
enabled boolean (optional) | If true, then this template is enabled for requests. The default template must be enabled. |
require_selfie_reverification boolean (optional) | If true, existing users must provide a new selfie to validate their identity. |
Response: none
Example:
Update the headline for a template:
$ curl -u :$APIKEY \
-X PATCH \
https://nametag.co/api/envs/x0n8vfkfcmh3ks/templates/a7da6fc2-ba44-44df-a863-3ac9f58b5ba6
{
"headline": "ACME needs to know who you are"
}
Delete a template
Removes a template.
Method: DELETE
URL: https://nametag.co/api/envs/ENV-ID/templates/TEMPLATE-ID
Request: none
Response: none
Example:
Update the headline for a template:
$ curl -u :$APIKEY \
-X DELETE \
https://nametag.co/api/envs/x0n8vfkfcmh3ks/templates/a7da6fc2-ba44-44df-a863-3ac9f58b5ba6
Directories
A directory represents a connection to an external directory, which enables self-service account recovery and/or validating the identity of users in the directory.
Create
Create a directory.
Method: POST
URL: https://nametag.co/api/directories
Request:
CreateDirectoryRequest struct | |
---|---|
env string | The ID of the environment to create this directory for |
kind DirectoryKind
| The type of directory to create |
credentials Credentials
(optional) | Credentials to access the directory. Provide credentials for directories that require it |
DirectoryKind enum | |
---|---|
azure-ad | An Entra ID (formerly Azure Active Directory) directory |
okta | An Okta directory |
duo | An Duo Security directory |
onelogin | An OneLogin directory |
Credentials struct | |
---|---|
account string (optional) |
|
partition string |
|
secret string |
|
Response:
CreateDirectoryResponse struct | |
---|---|
id string | The unique identifier for the directory. |
redirect_url string (optional) | The OAuth 2.0 redirect URL to authorize the directory. If the directory uses OAuth 2.0 for authorization (e.g. |
List
Fetches information about each directory
Method: GET
URL: https://nametag.co/api/directories
Response:
- The count field is the number of entries in the directory, as of the most recent synchronization.
GetDirectoriesResponse struct | |
---|---|
directories List of Directory
| A list of all directories. |
Directory struct | |
---|---|
id string | The unique identifier for the directory. |
env string | The environment this directory belongs to. |
kind DirectoryKind
| The kind of directory this is |
name string | The internal name of the directory. |
mfa_policy RecoveryPolicyRules
| The policy governing MFA reset |
password_policy RecoveryPolicyRules
| The policy governing password reset |
unlock_policy RecoveryPolicyRules
| The policy governing account unlock |
temporary_access_pass_policy RecoveryPolicyRules
| The policy governing generating a temporary access pass. |
temporary_access_pass_lifetime_minutes integer (optional) | The validity period of a temporary access pass in minutes. |
temporary_access_pass_reusable boolean (optional) | True if temporary access passes can be used more than once. If unspecified, temporary access passes are usable only once. |
credentials PartialCredentials
(optional) | The directory credentials used, not including any secret values. |
last_sync_started_at RFC 3339 date-time string (optional) | When the last sync started. |
last_sync_completed_at RFC 3339 date-time string (optional) | When the last sync completed |
last_sync_error string (optional) | An error describing the failure of the last sync, or null if the last sync was successful. |
count integer (optional) | The number of accounts in the directory. |
needs_reconnect boolean (optional) | If the directory needs to reconnect. |
sync_running boolean | true if the directory sync is currently running |
birth_date_hmac_secret_exists boolean | true if a shared secret for birth date HMACs has been set |
PartialCredentials struct | |
---|---|
account string |
|
partition string |
|
RecoveryPolicyRules struct | |
---|---|
groups List of GroupRecoveryPolicy
| A list of policies to apply based on an Account's group membership. |
default RecoveryPolicy
| The default policy when the account is not a member of any of the groups in the |
GroupRecoveryPolicy struct | |
---|---|
group DirectoryGroup
| The group to which this policy applies. |
policy RecoveryPolicy
| The policy to apply when the account is a member of the group. |
DirectoryGroup struct | |
---|---|
directory_immutable_identifier string | The unique identifier for the group. |
name string | The display name of the group. |
RecoveryPolicy enum | |
---|---|
name_match | The operation can proceed if the name on the account matches the person's legal name. If the Account is augmented with a birth date, then the birth date must match. If the account is augmented with a photo, then only the photo must match. |
name_and_birth_date | The operation can proceed if both the name and birth date match between the Account and the person's ID. If the account is augmented with a photo, then only the photo must match. |
photo | The operation can only proceed if the account is augmented with a photo and the photo matches the person's ID. |
disabled | The operation is disabled. |
Delete
Deletes a directory
Method: DELETE
URL: https://nametag.co/api/directories/DIRECTORY-ID
Request: none
Response: none
Synchronize
Trigger synchronization of the directory.
Note: Synchronization happens automatically once per hour.
Method: POST
URL: https://nametag.co/api/directories/DIRECTORY-ID/sync
Request: none
Response: none
Authorize
Return a URL, which when visited in a browser, will initiate or refresh the connection between Nametag and the directory. Completing this flow will replace any existing authorization, if present.
Method: GET
URL: https://nametag.co/api/directories/DIRECTORY-ID/authorize
Request: none
Response:
OAuth2AuthorizeResponse struct | |
---|---|
redirect_url string | The URL to redirect the user to authorize the directory. |
API Keys
As mentioned in Authentication above, API keys are used to authenticate request to the Nametag API. An API key may be global (meaning it applies to all Environments), or it may be local (it applies only to one environment).
List
List the API Keys that you have access to.
Method: GET
URL: https://nametag.co/api/apikeys
Authentication: API key
Response:
ListAPIKeysResponse struct | |
---|---|
apikeys List of APIKey
| A list of API keys |
Each item of apikeys
is an object that contains the following fields:
APIKey struct | |
---|---|
id string | The unique identifier for the API key |
name string | A descriptive name for the API key |
created_at RFC 3339 date-time string | When the API key was created |
enabled boolean | |
envs List of string | The unique identifier for the environments this API key belongs to, or |
role Role
| The role assigned to the API key. The role determines what actions the API key can perform. |
Example:
$ curl -u :$APIKEY https://nametag.co/api/apikeys
{
"apikeys": [
{
"id": "06c6a11a-c78e-488f-9b58-f73362309ea0",
"envs": ["*"],
"name": "Staging API Key",
"created_at": "2022-03-15T22:39:59Z",
"role": "admin",
"enabled": true
}
]
}
Create
Create a new API key. This request takes an optional name for the API key to create and returns the newly created API key secret string that must be stored for future usage.
Note: The full API key secret is not stored by Nametag, so be sure to copy the response somewhere safe.
Method: POST
URL: https://nametag.co/api/apikeys
Authentication: API key
Request:
CreateAPIKeyRequest struct | |
---|---|
name string (optional) | A descriptive name for the API key |
enabled boolean (optional) |
|
envs List of string | The unique identifier for the environments this API key belongs to, or |
role Role
(optional) | The role to be associated with the API key. The role determines what actions the API key can perform. |
Response:
CreateAPIKeyResponse struct | |
---|---|
id string | The unique identifier for the API key |
key string | The full secret API key |
Example: Creating a global API key
curl -u :$APIKEY \
-X POST \
https://nametag.co/api/apikeys \
-d '{
"name": "Staging API Key",
"role": "admin",
"enabled": true
}'
{
"id": "3p0wjj3b7vyia5",
"key": "3p0wjj3b7vyia5V2JCNoO3TqHpjT"
}
Example: Creating an environment-scoped API key
curl -u :$APIKEY \
-X POST \
https://nametag.co/api/apikeys \
-d '{
"name": "Staging API Key",
"envs": ["obo0jukwhhlbo8"],
"role": "user",
"enabled": true
}'
{
"id": "3p0wjj3b7vyia5",
"key": "3p0wjj3b7vyia5V2JCNoO3TqHpjT"
}
Get
Fetch information about an API key
Method: GET
URL: https://nametag.co/api/apikeys/API-KEY-ID
Authentication: API key
Request: none
Response: an APIKey object
curl -u :$APIKEY \
https://nametag.co/api/apikeys/3p0wjj3b7vyia5
{
"id": "3p0wjj3b7vyia5",
"envs": ["obo0jukwhhlbo8"],
"name": "Staging API Key",
"created_at": "2022-03-15T22:39:59Z",
"role": "user",
"enabled": true
}