
Identity as a Service: Authentication API

Last Updated: Dec 11, 2025

This document provides a comprehensive guide to the authentication process.

The authentication process consists of four main steps:

  1. Initiate a query to retrieve user information and supported two-factor authentication methods.

  2. Log on or register. A successful logon returns a Token. If a FlowType is returned, proceed to the corresponding child flow. If two-factor authentication is enabled, proceed to step three. Otherwise, proceed to step four.

  3. On the client, select a two-factor authentication method. A successful authentication returns a Token. If a FlowType is returned, proceed to the user information completion step. Different FlowType values correspond to different service flows.

  4. Complete all information steps to conclude the logon as either successful or failed, with appropriate error codes for guidance.

1. Prerequisites

Create an application in the Customer Identity and Access Management (CIAM) console. Grant permissions for the authentication API. Obtain the Client_ID and Client_Secret.

When you connect to the CIAM server, use a BearerToken for authentication.

  1. Check token validity

    API description:

    Ensure the corresponding type of Token is included when calling the detection API.

    API endpoint:

    Request URI: GET /api/bff/v1.2/developer/ciam/oauth/token/check?access_Token=access_Token

    Request Parameters:

    Return Parameters:

    {
        "success": true,
        "code": "Operation.Success",
        "message": "Operation.Success",
        "requestId": "1662364827739$c13370e7-22ae-8697-f475-110da21f174f",
        "data": null
    }
  2. Retrieve logon configuration information

    Developers can use this API to customize logon registration forms and obtain related configuration items.

    API endpoint

    Request URI: GET /api/bff/v1.2/developer/ciam/config/loginpage

    Request Parameters

    | Parameter | Type | Required | Meaning |
    | --- | --- | --- | --- |
    | idaasAppId | String | No | The ID of the application. The server will retrieve it from the Request parameter. If it cannot be retrieved, it will be taken from the request header. If it still cannot be retrieved, the system default application ID will be queried. |
    | userType | String | No | The code of the user type. If the code is not found, the server queries the default user type from the system. |

    Return Parameters

    {
        "success": true,
        "code": "Operation.Success",
        "message": "Operation.Success",
        "requestId": "1672198428377$205f59b4-8a74-8fcb-19f5-b51e8580cf8f",
        "data": {
            "2factorType": [
                "pwd",
                "sms"
            ],
            "smsEmailCaptchaRisk": {
                "enterpriseUuid": "2bcdef58e8ae5cf6f5b18343bc1fbebc2f64xbYa0yx",
                "riskType": "SMS_EMAIL_CAPTCHA",
                "enabled": false,
                "lockTime": 0,
                "riskTimes": 1,
                "riskTimeRange": 5,
                "ipBlackList": null,
                "historyTimes": 0,
                "pwdCycle": 0,
                "pwdWarnEnable": false,
                "pwdWarnBefore": 0,
                "pwdWarnType": null,
                "pwdRules": 0,
                "pwdLength": 0
            },
            "registerRule": {
                "uuid": "83e0c7d57c5111ed97e700155d6496d5",
                "createTime": 0,
                "archived": false,
                "registerRequired": "phoneNumber,email",
                "sceneType": "LOGIN,REGISTER",
                "userTypeCode": "default",
                "enabled": true,
                "enterpriseUuid": "2bcdef58e8ae5cf6f5b18343bc1fbebc2f64xbYa0yx",
                "enableRegister": true,
                "registerRequiredAttrs": [
                    "phoneNumber",
                    "email"
                ]
            },
            "userTypes": [],
            "pwdFailRisk": {
                "enterpriseUuid": "2bcdef58e8ae5cf6f5b18343bc1fbebc2f64xbYa0yx",
                "riskType": "PWD_FAIL_CAPTCHA",
                "enabled": false,
                "lockTime": 0,
                "riskTimes": 20,
                "riskTimeRange": 5,
                "ipBlackList": null,
                "historyTimes": 0,
                "pwdCycle": 0,
                "pwdWarnEnable": false,
                "pwdWarnBefore": 0,
                "pwdWarnType": null,
                "pwdRules": 0,
                "pwdLength": 0
            },
            "pwdRule": {
                "enterpriseUuid": "2bcdef58e8ae5cf6f5b18343bc1fbebc2f64xbYa0yx",
                "riskType": "PWD_RULE",
                "enabled": false,
                "lockTime": 0,
                "riskTimes": 0,
                "riskTimeRange": 0,
                "ipBlackList": null,
                "historyTimes": 0,
                "pwdCycle": 0,
                "pwdWarnEnable": false,
                "pwdWarnBefore": 0,
                "pwdWarnType": null,
                "pwdRules": 0,
                "pwdLength": 8
            },
            "usernameRule": {
                "id": 0,
                "createTime": "2023-03-03 15:22",
                "archived": false,
                "updateTime": null,
                "uppercase": true,
                "lowercase": true,
                "number": true,
                "strike": true,
                "underline": true,
                "point": true,
                "emailChar": false,
                "minLength": 4,
                "maxLength": 32,
                "mobileNumAsAccountId": false,
                "enterpriseUuid": null,
                "usernamePolicyUuid": "1938a8f15d35bdd6814839bc8ebcf070lvk6sLvvBpY"
            }
        }
    }

    | Parameter name | Type | Description |
    | --- | --- | --- |
    | 2factorType | Array | Supported two-factor authentication methods. |
    | PWD | String | Password mode. |
    | SMS | String | Mobile verification code mode. |
    | EMAIL | String | Email verification code mode. |
    | FINGERPRINT | String | Fingerprint mode. |
    | FACE | String | Face mode. |
    | smsEmailCaptchaRisk | Object | Mobile number/email risk control configuration. |
    | pwdFailRisk | Object | Password risk control configuration. |
    | registerRule | Object | Registration-related rules. |
    | enableRegister | Boolean | Whether to enable registration. Important: If this parameter is set to False, users cannot register, the registration button is not displayed, and the registration page is inaccessible. |
    | registerRequiredAttrs | Array | Required attributes for registration, optional for PhoneNumber and Email. |
    | pwdRule | Object | Password policy. |
    | usernameRule | Object | Username policy. |

  3. Retrieve published terms for the application

    Note

    For businesses implementing their own logon pages and requiring IDaaS terms information, IDaaS will return the terms record with the highest version number configured for the application.

    API endpoint

    Request URI: GET /api/bff/v1.2/developer/ciam/consents

    Request Parameters

    None

    Return Parameters

    {
        "success": true,
        "code": "Operation.Success",
        "message": "Operation.Success",
        "requestId": "1656403156044$499ad3d2-0a72-08c0-f849-3b3e4b6d0530",
        "data": {
            "REGISTER": [
                {
                    "versionNumber": "v1.0",
                    "versionTitle": "用户注册协议v1.0",
                    "versionContentType": "TEXT",
                    "publishDate": 1656388386000,
                    "expiredDate": null,
                    "recordUuid": "7839d3cb448c449d105e4c32cd97c06cEsTyC81Re7c",
                    "recordExternalId": "4d05f0fe-7b57-4a9c-a7ad-4624e5d62bb7",
                    "consentType": "REGISTER"
                },
                {
                    "versionNumber": "v1.0",
                    "versionTitle": "用户隐私条款v1.0",
                    "versionContentType": "TEXT",
                    "publishDate": 1656388390000,
                    "expiredDate": null,
                    "recordUuid": "95b1c752e2f69f91c6570699e764982dwsyao0iDg6p",
                    "recordExternalId": "35058f6e-b131-4b7c-b35c-26f188526167",
                    "consentType": "REGISTER"
                },
                {
                    "versionNumber": "v1.0",
                    "versionTitle": "阿里云 IDaaS CIAM 使用协议",
                    "versionContentType": "TEXT",
                    "publishDate": 1656388464000,
                    "expiredDate": null,
                    "recordUuid": "ed61f21663b6079c7622b641fc17fdf3pxkBEJwZqlg",
                    "recordExternalId": "569980f9-91b0-40d8-8813-567ef5df6f54",
                    "consentType": "GENERAL"
                }
            ],
            "LOGIN": [
                {
                    "versionNumber": "v1.0",
                    "versionTitle": "用户协议v1.0",
                    "versionContentType": "TEXT",
                    "publishDate": 1656387390000,
                    "expiredDate": null,
                    "recordUuid": "4871329e10f51f85eb07d17975b8e4acUhuac1RyyDD",
                    "recordExternalId": "58fff533-6887-40cd-a799-1c6d168c5c3a",
                    "consentType": "LOGIN"
                },
                {
                    "versionNumber": "v1.1",
                    "versionTitle": "隐私条款1.0",
                    "versionContentType": "TEXT",
                    "publishDate": 1656387399000,
                    "expiredDate": null,
                    "recordUuid": "1e2e5c0eca5cddfeb14f88b44a03a0c3eukUKSIYxyP",
                    "recordExternalId": "68dd7e08-0db4-4219-a0b2-2f753593dd6e",
                    "consentType": "LOGIN"
                },
                {
                    "versionNumber": "v1.0",
                    "versionTitle": "阿里云 IDaaS CIAM 使用协议",
                    "versionContentType": "TEXT",
                    "publishDate": 1656388464000,
                    "expiredDate": null,
                    "recordUuid": "ed61f21663b6079c7622b641fc17fdf3pxkBEJwZqlg",
                    "recordExternalId": "569980f9-91b0-40d8-8813-567ef5df6f54",
                    "consentType": "GENERAL"
                }
            ]
        }
    }

    | Parameter name | Type | Required | Content description |
    | --- | --- | --- | --- |
    | Outer key | String | Yes | Type of terms. LOGIN: Terms related to logon. REGISTER: Terms related to registration. |
    | versionNumber | String | Yes | Version name. |
    | versionTitle | String | Yes | Title. |
    | versionContentType | String | Yes | Type of content: PDF, IMAGE, WORD, or TEXT. |
    | publishDate | Number | Yes | Publish date. |
    | expiredDate | Number | | Expiration date. |
    | recordUuid | String | Yes | UUID of the associated terms. |
    | recordExternalId | String | Yes | External ID of the associated terms. |

  4. View term details

    Note

    This API returns the terms content in Base64 encoding. Businesses should decode and render it to avoid HTML style conflicts.

    API endpoint

    Request URI: POST /api/bff/v1.2/developer/ciam/consent

    Content-Type: application/json

    Request Parameters

    | Parameter name | Type | Required | Content description |
    | --- | --- | --- | --- |
    | includeContent | Boolean | Yes | Whether to include the details of the terms, fixed as True. |
    | recordExternalId | String | Yes | External ID of the terms. |
    | versionNumber | String | No | Version number of the terms. |

    Return Parameters

    {
      "success": true,
      "code": "Operation.Success",
      "message": "Operation.Success",
      "requestId": "1657079658185$d74c4420-5a3e-d57a-a625-02dba1dcab48",
      "data": {
        "versionTitle": "用户协议v1.0",
        "recordExternalId": "58fff533-6887-40cd-a799-1c6d168c5c3a",
        "contentType": "TEXT",
        "versionNumber": "v1.0",
        "base64EncodeContent": "PHA+55m75b2V55u45YWz5p2h5qy+LeeUqOaIt+WNj+iurnYxLjA8L3A+",
        "status": "PUBLISHED"
      }
    }

    | Parameter name | Type | Required | Content description |
    | --- | --- | --- | --- |
    | versionNumber | String | Yes | Version number of the terms. |
    | versionTitle | String | Yes | Title of the terms. |
    | contentType | String | Yes | Type of content: PDF, IMAGE, WORD, or TEXT. |
    | base64EncodeContent | String | Yes | Content of the terms, Base64 encoding. |
    | recordExternalId | String | Yes | External ID of the terms. |
    | status | String | Yes | Status of the terms, generally PUBLISHED. Reference values: PREPARING (not published), PUBLISHED (published), ARCHIVED (the item has been deactivated). |
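    The decode-and-render step for the term details response, as an added example that is not part of the original documentation or Alibaba Cloud's code. It decodes base64EncodeContent strictly as UTF-8 and wraps the resulting HTML in a sandboxed iframe so that its styles and any script stay isolated from the logon page. The function names are hypothetical, and treating only TEXT content as renderable HTML is an assumption based on the sample above.

```javascript
// Added example, not Alibaba Cloud code. Uses only globals available in
// browsers and Node 16+ (atob, TextDecoder).

// Constructed sample: the "View term details" response shown above.
const SAMPLE_TERMS_RESPONSE = {
  success: true,
  code: "Operation.Success",
  data: {
    versionTitle: "用户协议v1.0",
    recordExternalId: "58fff533-6887-40cd-a799-1c6d168c5c3a",
    contentType: "TEXT",
    versionNumber: "v1.0",
    base64EncodeContent: "PHA+55m75b2V55u45YWz5p2h5qy+LeeUqOaIt+WNj+iurnYxLjA8L3A+",
    status: "PUBLISHED",
  },
};

// Validate the envelope, then decode base64EncodeContent into a string.
function decodeTermsContent(response) {
  if (!response || response.success !== true || !response.data) {
    throw new Error("consent request failed: " + (response && response.code));
  }
  const d = response.data;
  // Only published terms should ever be shown to a user.
  if (d.status !== "PUBLISHED") {
    throw new Error("terms are not published: " + d.status);
  }
  // Assumption: PDF, IMAGE and WORD carry binary data and need their own viewer.
  if (d.contentType !== "TEXT") {
    throw new Error("unsupported contentType: " + d.contentType);
  }
  const b64 = d.base64EncodeContent;
  if (typeof b64 !== "string" || b64.length % 4 !== 0 ||
      !/^[A-Za-z0-9+/]*={0,2}$/.test(b64)) {
    throw new Error("base64EncodeContent is not valid Base64");
  }
  // atob yields one character per byte; rebuild the bytes and decode as UTF-8.
  // fatal:true rejects malformed sequences instead of silently replacing them.
  const bytes = Uint8Array.from(atob(b64), (ch) => ch.charCodeAt(0));
  const html = new TextDecoder("utf-8", { fatal: true }).decode(bytes);
  return { title: d.versionTitle, version: d.versionNumber, html };
}

// Escape a string for use inside a double-quoted HTML attribute.
function escapeAttribute(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build iframe markup for the terms. An empty sandbox attribute disables
// scripts, forms and same-origin access; the iframe boundary keeps the terms'
// CSS from leaking into the host page and vice versa.
function termsFrameMarkup(terms) {
  return '<iframe sandbox="" title="' + escapeAttribute(terms.title) +
    '" srcdoc="' + escapeAttribute(terms.html) + '"></iframe>';
}
```

    The markup returned by termsFrameMarkup can be assigned to a container element; the terms HTML itself is never inserted into the host document's DOM.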

  5. Retrieve supported authentication sources for the application

    Note

    Call this API when your service needs to integrate with IDaaS for social logon. IDaaS returns all authentication methods that are configured for the current application. By default, logon with a password or a text message code is available without additional configuration.

    API endpoint

    Request URI: GET /api/bff/v1.2/developer/ciam/load_enterprise_auths

    Request Parameters

    None

    Return Parameters

    {
        "success": true,
        "code": "Operation.Success",
        "message": "Operation.Success",
        "requestId": "1660644717797$c35da4fa-d354-546c-8729-0e411473af14",
        "data": {
            "auths": [
                {
                    "enterpriseAuthId": null,
                    "authName": "账号密码登录",
                    "authType": "usernamePassword",
                    "clientId": null,
                    "supportOAuth": true
                },
                {
                    "enterpriseAuthId": null,
                    "authName": "验证码登录",
                    "authType": "verifyCode",
                    "clientId": null,
                    "supportOAuth": true
                },
                {
                    "enterpriseAuthId": "dcealipay",
                    "authName": "支付宝小程序登录",
                    "authType": "alipay",
                    "clientId": "asd",
                    "supportOAuth": true
                },
                {
                    "enterpriseAuthId": "dcewechat1",
                    "authName": "移动微信登录",
                    "authType": "wechat",
                    "clientId": "sad",
                    "supportOAuth": true
                },
                {
                    "enterpriseAuthId": "dcewechat",
                    "authName": "网站微信登录",
                    "authType": "wechat",
                    "clientId": "asd",
                    "supportOAuth": true
                }
            ]
        }
    }

    | Parameter name | Type | Required | Content description |
    | --- | --- | --- | --- |
    | enterpriseAuthId | String | Yes | Authentication source ID. |
    | authName | String | Yes | Authentication source name. |
    | authType | String | Yes | Authentication source type. |
    | clientId | String | Yes | AccessKey of the authentication source. |
    | supportOAuth | Boolean | Yes | Specifies whether OAuth is supported. This is a reserved parameter. The default value is True. |

  6. Retrieve information about a social authentication source

    This API retrieves configuration information for individual social platforms to construct the authorization logon link.

    API endpoint

    Request URI: GET /api/bff/v1.2/developer/ciam/get_adapter_info

    Request Parameters

    | Parameter name | Type | Required | Content description |
    | --- | --- | --- | --- |
    | enterpriseAuthId | String | Yes | IDaaS authentication source ID, obtainable from the authentication source list. |
    | idaasAppId | String | No | ID of the IDaaS application. If you want to redirect to a specific application after social logon instead of the default user center, you need to pass this parameter. |

    Return Parameters

    {
    	"success": true,
    	"code": "Operation.Success",
    	"message": "Operation.Success",
    	"requestId": "1665199025342$d73bd194-ea31-0acc-8da7-9be7e5b7363e",
    	"data": {
    		"state": "ID:demoidaasappid",
    		"authenticateJson": "{\"appId\":\"wxexxxxxc8\",\"appSecret\":\"********\",\"authId\":\"wechat\",\"createTime\":\"2022-06-09 20:32\",\"creator\":\"admin\",\"display\":true,\"enabled\":true,\"enterpriseAuthId\":\"xxxx\",\"enterpriseHost\":\"127.0.0.1\",\"enterpriseId\":\"xxxx\",\"frontCallbackUrl\":\"http://xxxx.com/frontend/login/#/adapterCallback\",\"name\":\"微信登录\",\"redirectUrl\":\"\",\"uuid\":\"702e59b9cdf5dd2617b40572bb9b1efaVUMACThx5C4\"}"
    	}
    }

    Where authenticateJson is a JSON string in the following format:

    {
    	"appId": "wxexxxxxc8",
    	"appSecret": "********",
    	"authId": "wechat",
    	"createTime": "2022-06-09 20:32",
    	"creator": "admin",
    	"display": true,
    	"enabled": true,
    	"enterpriseAuthId": "xxxx",
    	"enterpriseHost": "127.0.0.1",
    	"enterpriseId": "xxxx",
    	"frontCallbackUrl": "http://xxxx.com/frontend/login/#/adapterCallback",
    	"name": "微信登录",
    	"redirectUrl": "",
    	"uuid": "702e59b9cdf5dd2617b40572bb9b1efaVUMACThx5C4"
    }

    | Parameter name | Type | Required | Content description |
    | --- | --- | --- | --- |
    | state | String | Yes | When idaasAppId is passed as an input parameter, this value has the format ID:{idaasAppId}; otherwise it is a random string. |
    | authenticateJson | String | Yes | Configuration information of the social authentication source. |
    | appId | String | Yes | AppId of the social authentication source, application ID of the third-party social platform. |
    | appSecret | String | No | Secret key of the social authentication source. Always returned masked with * characters and not used by the business side. |
    | authId | String | Yes | Identity of the authentication source. |
    | creator | String | Yes | Creator of the authentication source. |
    | display | Boolean | Yes | Whether to display, fixed as True. |
    | enabled | Boolean | Yes | Whether to enable, fixed as True. |
    | enterpriseAuthId | String | Yes | Authentication source ID. |
    | enterpriseId | String | Yes | Enterprise ID. |
    | frontCallbackUrl | String | Yes | Frontend callback address, corresponding to the callback address configured by the third-party social platform. |
    | name | String | Yes | Name of the authentication source. |
    | enterpriseHost | String | No | Reserved field, can be ignored. |
    | redirectUrl | String | No | Reserved field, can be ignored. |
    | uuid | String | Yes | UUID of the authentication source. |

    For example, the WeChat open platform authorization address is assembled as follows:

    GET https://open.weixin.qq.com/connect/qrconnect?appid=wxexxxxxc8
    	&redirect_uri=http%3A%2F%2Fxxx.com%2Ffrontend%2Flogin%2F%23%2FadapterCallback
    	&response_type=code
    	&scope=snsapi_login
    	&state=xxxx

    Important

    If your service constructs the authorization URL for the third-party authentication source without using the information from this API, and you need to redirect to an application other than the user center after the social logon, you must generate a state parameter in the ID:{IdaasAppId} format and include it in the authorization URL.
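
    The assembly of the WeChat authorization link from the get_adapter_info response, and the hand-off of the callback to the social logon API, as an added example that is not part of the original documentation or Alibaba Cloud's code. The function names and the shape of the callback query string are assumptions; the endpoint, query parameters and field names are the ones shown on this page.

```javascript
// Added example, not Alibaba Cloud code. Uses only globals available in
// browsers and Node (URL, URLSearchParams, JSON).

// Constructed sample: the get_adapter_info response shown above, reduced to
// the fields this example reads.
const SAMPLE_ADAPTER_RESPONSE = {
  success: true,
  code: "Operation.Success",
  data: {
    state: "ID:demoidaasappid",
    authenticateJson: JSON.stringify({
      appId: "wxexxxxxc8",
      appSecret: "********",
      authId: "wechat",
      display: true,
      enabled: true,
      enterpriseAuthId: "xxxx",
      frontCallbackUrl: "http://xxxx.com/frontend/login/#/adapterCallback",
    }),
  },
};

// Endpoint and fixed parameters taken from the WeChat example on this page.
const WECHAT_QRCONNECT = "https://open.weixin.qq.com/connect/qrconnect";

// authenticateJson is a JSON string nested inside the JSON response, so it
// needs its own JSON.parse and its own validation.
function parseAdapterInfo(response) {
  if (!response || response.success !== true || !response.data) {
    throw new Error("get_adapter_info failed: " + (response && response.code));
  }
  const config = JSON.parse(response.data.authenticateJson);
  if (config.enabled !== true) {
    throw new Error("authentication source is not enabled");
  }
  if (!config.appId || !config.frontCallbackUrl || !config.enterpriseAuthId) {
    throw new Error("adapter configuration is incomplete");
  }
  // appSecret is always masked and unused on the business side: do not keep it.
  delete config.appSecret;
  return { state: response.data.state, config };
}

// Build the authorization link. searchParams.set percent-encodes each value,
// so the '#' in frontCallbackUrl cannot truncate the query string.
function buildWeChatAuthorizeUrl(adapter) {
  const url = new URL(WECHAT_QRCONNECT);
  url.searchParams.set("appid", adapter.config.appId);
  url.searchParams.set("redirect_uri", adapter.config.frontCallbackUrl);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("scope", "snsapi_login");
  url.searchParams.set("state", adapter.state);
  return url.toString();
}

// Build the body for POST /api/bff/v1.2/developer/ciam/login/social from the
// query string delivered to the frontend callback (assumed to look like
// "code=...&state=..."). The returned state must equal the one issued for
// this logon attempt; otherwise the code is not forwarded.
function buildSocialLoginBody(adapter, callbackQuery, agreeConsent) {
  const params = new URLSearchParams(callbackQuery);
  const code = params.get("code");
  if (!code) {
    throw new Error("callback carries no authorization code");
  }
  if (params.get("state") !== adapter.state) {
    throw new Error("state mismatch: callback does not belong to this logon attempt");
  }
  return {
    enterpriseAuthId: adapter.config.enterpriseAuthId,
    code,
    state: adapter.state,
    agreeConsent: agreeConsent === true,
  };
}
```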

  7. Obtain an image verification code

    To effectively prevent automated attacks on text message sending and logon APIs, it is recommended to call this API for an image CAPTCHA before sending text messages or logging on. System risk control logic will also trigger image CAPTCHA verification when enabled.

    API endpoint

    Request URI: GET /api/bff/v1.2/developer/ciam/captcha

    Request Parameters

    None

    Return Parameters

    {
        "success": true,
        "code": "Operation.Success",
        "message": "Operation.Success",
        "requestId": "1660882151242$64308516-92ed-4303-8d3c-47d29c95f2a7",
        "data": {
            "captchaCode": "557c0e18147974608a514a3071110e6bd7W1XxMMVXu",
            "captchaImage": "iVBORw ... ... kSumCC"
        }
    }

    | Field name | Type | Example | Content description |
    | --- | --- | --- | --- |
    | captchaCode | String | 5c4bc75 ... ... XVH9Lqk | Unique identifier of the image CAPTCHA, required for verification. |
    | captchaImage | String | iVBORw ... ... kSumCC | CAPTCHA image, Base64 format data. |

  8. Retrieve a list of user types supported by the system

    This API is used to retrieve all user types supported under the current tenant, allowing for user type selection during logon registration.

    API endpoint

    Request URI: GET /api/bff/v1.2/developer/ciam/config/userTypes

    Request Parameters

    None

    Return Parameters

    {
        "success": true,
        "code": "Operation.Success",
        "message": "Operation.Success",
        "requestId": "1673424642819$110ff5f3-e47a-8404-cc3a-282d754fd32c",
        "data": [
            {
                "userTypeName": "普通用户",
                "userTypeCode": "default",
                "uuid": "3762b69d9f2580c7901441719733271b22zUqxkuQDh"
            },
            {
                "userTypeName": "医生",
                "userTypeCode": "doctor",
                "uuid": "3xxxxxd9f2580c7901441719733271b22zUqxkuQDh"
            }
        ]
    }

    | Field name | Type | Example | Content description |
    | --- | --- | --- | --- |
    | userTypeName | String | 普通用户 | Name of the user type. |
    | userTypeCode | String | default | Code of the user type. |
    | uuid | String | xxxxxxxxx | UUID of the user type. |

  9. Switch account type

    During logon registration, users may switch their current logon user type, generating a new flow ID.

    API endpoint

    Request URI: GET /api/bff/v1.2/developer/ciam/config/change_user_type

    Request Parameters

    | Parameter name | Type | Required | Meaning |
    | --- | --- | --- | --- |
    | fId | String | Yes | The FId before switching the user type. A new FId is generated after the switch. |
    | userType | String | Yes | The code of the new user type. |

    Return Parameters

    {
        "success": true,
        "code": "Operation.Success",
        "message": "Operation.Success",
        "requestId": "1660882151242$64308516-92ed-4303-8d3c-47d29c95f2a7",
        "data": {
          "fId": "xxxxxxxxxxxx"
        }
    }

    | Field name | Type | Example | Content description |
    | --- | --- | --- | --- |
    | fId | String | xxxxxxxxxxx | The new FId generated after switching the user type. Use this new FId for subsequent flows. The old FId is discarded. |

2. Logon and registration

  1. Password logon

    API endpoint

    Request URI: POST /api/bff/v1.2/developer/ciam/login/pwd

    Content-Type: application/json

    Request Parameters

    Note

    If Sms/account Password Anti-brute-force is enabled, verification through an image CAPTCHA is required once the number of authentication failures surpasses the risk control threshold.

    | Parameter name | Type | Required | Content description |
    | --- | --- | --- | --- |
    | fId | String | No | The FId from the previous flow, if any. |
    | username | String | Yes | Username. |
    | userType | String | No | Custom user type, default is regular user. |
    | password | String | Yes | Password. |
    | response_type | String | No | If you pass code, an authorization code is returned. If you pass Token, the user's Token is returned. |
    | agreeConsent | Boolean | No | Whether the user agrees to the terms (when the application is configured with corresponding terms, this parameter must be passed). |
    | captchaCode | String | No | Unique identifier of the image CAPTCHA, returned by the image verification API. |
    | captchaText | String | No | Image CAPTCHA, filled in according to the numbers displayed in the CAPTCHA image on the API. |

    Return Parameters

    {
        "success": true,
        "code": "Operation.Success",
        "message": "Operation.Success",
        "requestId": "1656326070459$be264b8d-a6ca-a75c-f224-ade8531cc4af",
        "data": {
            "userId": null,
            "uuid": "c0d7ebbae869a76781183310768088543DkolDLzrSB",
            "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjkxMGJkMTY4MzFhOTdhZDRhYjdlMGRjMmYzNDY5NTJiaXF6UVdEWWZMbz****.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.c57U7qi46KnVAPnzk2bgHI9sPoUlk93L5mPOq1WRy_s",
            "token_type": "bearer",
            "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjkxMGJkMTY4MzFhOTdhZDRhYjdlMGRjMmYzNDY5NTJiaXF6UVdEWWZMbzUifQ.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.VjrWftgXUmLD_P9ECVYGwBEzpyrvZcy-hdrAciIp-aU",
            "expires_in": 179999,
            "scope": "USER_API",
            "id_token": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJjMGQ3ZWJiYWU4NjlhNzY3ODExODMzMTA3NjgwODg1NDNEa29sREx6clNCIiwic2NvcGUiOiJjMGQ3ZWJiYWU4NjlhNzY3ODExODMzMTA3NjgwODg1NDNEa29sREx6clNCIDEyMzQ2MTExMUAxMy5jb20gMTU4MDExMTExMDAiLCJsb2dpbk5hbWUiOiJ0ZXN0MDI3IiwiY3VzdG9tZXJJZCI6IjQ0MTIxNjU2Mjk4NDE5NTY4MTkiLCJleHAiOjE2NTY1MDYwODAsImp0aSI6InZRN0Uxa0xPTzVpQ3ZuR2JYTUdkZWciLCJpYXQiOjE2NTYzMjYwODEsIm5iZiI6MTY1NjMyNjAyMX0.CW3d41c7oGP23FU5DKGyiX553qLea09oYS4s-dISnse9iE-gGjZxUEqXlHSgfSERES9VeaaVwXEUqPOGKkHEEW0fQKcS82WTepiy1QHB0WeRzqKQQY9t38Rp-v_uMlpKLhnrfK_q_Q1A9ak5kDlpvidp2p5I84NmnisiQmGW7ep3xzs9V7axV9ump207ek5Bl1fs1kZ2gOUTHyWuQ0XoIDF6NHmUjtpA31jc5a13o-UIgX1Bd3ZNjmFiwm4EQ3xyZci72w0rTV7EyRa4KU7KyBjv-QJGv8T2Y4e2GnI-BiqWsaE1wtImhvXRRQ__MT_lRDph87-7zA4cTWEsZJRSXg"
        }
    }
  2. Verification code logon

    1. Send a verification code

      This API is for users to obtain a verification code for SMS verification code logon. CIAM verifies the frequency of SMS sending based on the customer's IP and mobile number. If it exceeds the system risk control threshold, image CAPTCHA verification is enforced. To prevent message flooding, configuring the system risk control policy is strongly recommended.

      API endpoint

      Request URI: POST /api/bff/v1.2/developer/ciam/login/obtain_code

      Content-Type: application/json

      Request Parameters

      Note

      If Sms/email Anti-brute-force is enabled, image CAPTCHA verification is required once the number of sent verification codes surpasses the risk control threshold.

      | Parameter name | Type | Required | Content description |
      | --- | --- | --- | --- |
      | fId | String | No | The FId from the previous flow, if any. |
      | phoneNumber | String | Yes | The phone number. This parameter is required when Type is set to SMS. |
      | phoneRegion | String | No | Mobile area code, default is 86. |
      | type | String | Yes | Verification code type. SMS represents text message, EMAIL represents email. |
      | email | String | No | The email address. This parameter is required when Type is set to EMAIL. |
      | language | String | No | Language type for sending the verification code, default is the preferred language. |
      | engineCode | String | No | Gateway code for sending the verification code, default is the preferred gateway of the preferred service provider. |
      | userType | String | No | Custom user type, default is regular user. |
      | captchaCode | String | No | Unique identifier of the image CAPTCHA, returned by the image verification API. |
      | captchaText | String | No | Image CAPTCHA, filled in according to the numbers displayed in the CAPTCHA image on the API. |

      Return Parameters

      | Parameter name | Type | Example | Content description |
      | --- | --- | --- | --- |
      | fId | String | sfwf2w233fsfdsddf | Return as is when requesting the verification code. |

    2. Verify the verification code

      Important

      By default, the server retains the Fid for 30 minutes. If you do not perform verification within this period, the verification code expires. After a successful verification, the code immediately becomes invalid to prevent replay attacks. If the number of consecutive verification failures exceeds the threshold set in the system's risk control policy, the code becomes invalid and the user is locked to prevent brute-force attacks.

      API endpoint

      Request URI: POST /api/bff/v1.2/developer/ciam/login/verify_code

      Content-Type: application/json

      Request Parameters

      | Parameter name | Type | Required | Content description |
      | --- | --- | --- | --- |
      | phoneNumber | String | No | This parameter is required when Type is set to SMS. The value must be the same as the one used for sending. |
      | email | String | No | The email address. This parameter is required when Type is set to EMAIL. |
      | code | String | Yes | Verification code sent by the SMS verification code registration - send verification code API. |
      | fId | String | Yes | Process ID in the return parameters of the SMS verification code registration - send verification code API. |
      | type | String | Yes | Verification code type. SMS represents text message, EMAIL represents email. |
      | responseType | String | No | If you pass code, an authorization code is returned. If you pass Token, the user's Token is returned. |
      | userType | String | No | Custom user type, default is regular user. |
      | agreeConsent | Boolean | No | Whether the user agrees to the terms (when the application is configured with corresponding terms, this parameter must be passed). |

      Return Parameters

      {
          "success": true,
          "code": "Operation.Success",
          "message": "Operation.Success",
          "requestId": "1656326070459$be264b8d-a6ca-a75c-f224-ade8531cc4af",
          "data": {
              "userId": null,
              "uuid": "c0d7ebbae869a76781183310768088543DkolDLzrSB",
              "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjkxMGJkMTY4MzFhOTdhZDRhYjdlMGRjMmYzNDY5NTJiaXF6UVdEWWZMbz****.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.c57U7qi46KnVAPnzk2bgHI9sPoUlk93L5mPOq1WRy_s",
              "token_type": "bearer",
              "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjkxMGJkMTY4MzFhOTdhZDRhYjdlMGRjMmYzNDY5NTJiaXF6UVdEWWZMbzUifQ.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.VjrWftgXUmLD_P9ECVYGwBEzpyrvZcy-hdrAciIp-aU",
              "expires_in": 179999,
              "scope": "USER_API",
              "id_token": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJjMGQ3ZWJiYWU4NjlhNzY3ODExODMzMTA3NjgwODg1NDNEa29sREx6clNCIiwic2NvcGUiOiJjMGQ3ZWJiYWU4NjlhNzY3ODExODMzMTA3NjgwODg1NDNEa29sREx6clNCIDEyMzQ2MTExMUAxMy5jb20gMTU4MDExMTExMDAiLCJsb2dpbk5hbWUiOiJ0ZXN0MDI3IiwiY3VzdG9tZXJJZCI6IjQ0MTIxNjU2Mjk4NDE5NTY4MTkiLCJleHAiOjE2NTY1MDYwODAsImp0aSI6InZRN0Uxa0xPTzVpQ3ZuR2JYTUdkZWciLCJpYXQiOjE2NTYzMjYwODEsIm5iZiI6MTY1NjMyNjAyMX0.CW3d41c7oGP23FU5DKGyiX553qLea09oYS4s-dISnse9iE-gGjZxUEqXlHSgfSERES9VeaaVwXEUqPOGKkHEEW0fQKcS82WTepiy1QHB0WeRzqKQQY9t38Rp-v_uMlpKLhnrfK_q_Q1A9ak5kDlpvidp2p5I84NmnisiQmGW7ep3xzs9V7axV9ump207ek5Bl1fs1kZ2gOUTHyWuQ0XoIDF6NHmUjtpA31jc5a13o-UIgX1Bd3ZNjmFiwm4EQ3xyZci72w0rTV7EyRa4KU7KyBjv-QJGv8T2Y4e2GnI-BiqWsaE1wtImhvXRRQ__MT_lRDph87-7zA4cTWEsZJRSXg"
          }
      }
  3. Social logon

    API endpoint

    Request URI: POST /api/bff/v1.2/developer/ciam/login/social

    Content-Type: application/json

    Request Parameters

    {
        "enterpriseAuthId": "ciammasterwechat",
        "code": "011RaA1w3Gp0GY234r0w3vhlzU2RaA1P",
        "state": "xxxxx",
        "agreeConsent": true
    }

    | Parameter name | Type | Required | Content description |
    | --- | --- | --- | --- |
    | code | String | Yes | The code returned after a successful authorization logon from a third-party social platform. For the Apple ID platform, you must pass the Identity_Token returned by Apple. |
    | state | String | No | The State returned after the authorization logon from the third-party social platform is complete. |
    | userType | String | No | Custom user type, default is regular user. |
    | enterpriseAuthId | String | Yes | Authentication source ID. |
    | agreeConsent | Boolean | No | Whether the user agrees to the terms (when the application is configured with corresponding terms, this parameter must be passed). |

    Return Parameters

    With Binding Relationship

    {
        "success": true,
        "code": "Operation.Success",
        "message": "Operation.Success",
        "requestId": "1656326070459$be264b8d-a6ca-a75c-f224-ade8531cc4af",
        "data": {
            "userId": null,
            "uuid": "c0d7ebbae869a76781183310768088543DkolDLzrSB",
            "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjkxMGJkMTY4MzFhOTdhZDRhYjdlMGRjMmYzNDY5NTJiaXF6UVdEWWZMbz****.****.c57U7qi46KnVAPnzk2bgHI9sPoUlk93L5mPOq1WRy_s",
            "token_type": "bearer",
            "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjkxMGJkMTY4MzFhOTdhZDRhYjdlMGRjMmYzNDY5NTJiaXF6UVdEWWZMbzUifQ.eyJjaXBoZXJUZXh0IjoiVkh3YXpxZTdVb1owNEs5TTlnN2pqLzUvTEhSc2ZyOG1wVHU0TWdUckYwTGJLZ0ZLaHl0ckRsTktUa2FYUzMxRU1kRE1GWE1iWlZLYXd2SzM2OWk1SGZzZk1rSjcyRHFnbCtUMHZTVzFKRG9mVEFpcm1POWJOQ0pWQ29tamxqbGp4dmRHalNET1BtNlhZeEtqWGFrelh0UjBGQXd3eDdINTRsWldxNzdCdEhmUUd5UHFPZWVhK3pLNWRxeWFTMEdXb0NmRkJ1Q1Q1TEFvTlhTRVFWVlc1ZGp3eGJsRUZrSjhVaXBpYXoxTXI1Z3ZSV3N0NlRNN2xHR09tbEVETjJJbmg5dkluVEpUd0RNeTFOSEo1WDJqaGRwMlNvUlN0QUxONlZpaTVMakh3dHAxQWdqZlZuRlR1aVI3UWVLUTVsTjBkdnVmOEtHYkFoQ2lENngxalg4VERKOE5PRWNYYTYyRHdEQ0UrSDlRQlcxTzlPL1FWUG9TSXVqT1lGU0IyVkNsbGZGemM4RmhLbGZLRlcyZlNYbFRSY05YNDE5djcvNWpxL3RuUU1EMjl4YkoxbTAySmRTb3NacjIvNjR1dEpMOSIsImRhdGFDaXBoZXJBbGciOiJERUZBVUxUIiwidGVuYW50S2V5VXVpZCI6IjdhYjQyN2UxMzQ0ZGRlMDFjOWY5NzQ3Mjc2MDM4NGFicGZ0S01hbkZFRkgifQ.VjrWftgXUmLD_P9ECVYGwBEzpyrvZcy-hdrAciIp-aU",
            "expires_in": 179999,
            "scope": "USER_API",
            "id_token": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJjMGQ3ZWJiYWU4NjlhNzY3ODExODMzMTA3NjgwODg1NDNEa29sREx6clNCIiwic2NvcGUiOiJjMGQ3ZWJiYWU4NjlhNzY3ODExODMzMTA3NjgwODg1NDNEa29sREx6clNCIDEyMzQ2MTExMUAxMy5jb20gMTU4MDExMTExMDAiLCJsb2dpbk5hbWUiOiJ0ZXN0MDI3IiwiY3VzdG9tZXJJZCI6IjQ0MTIxNjU2Mjk4NDE5NTY4MTkiLCJleHAiOjE2NTY1MDYwODAsImp0aSI6InZRN0Uxa0xPTzVpQ3ZuR2JYTUdkZWciLCJpYXQiOjE2NTYzMjYwODEsIm5iZiI6MTY1NjMyNjAyMX0.CW3d41c7oGP23FU5DKGyiX553qLea09oYS4s-dISnse9iE-gGjZxUEqXlHSgfSERES9VeaaVwXEUqPOGKkHEEW0fQKcS82WTepiy1QHB0WeRzqKQQY9t38Rp-v_uMlpKLhnrfK_q_Q1A9ak5kDlpvidp2p5I84NmnisiQmGW7ep3xzs9V7axV9ump207ek5Bl1fs1kZ2gOUTHyWuQ0XoIDF6NHmUjtpA31jc5a13o-UIgX1Bd3ZNjmFiwm4EQ3xyZci72w0rTV7EyRa4KU7KyBjv-QJGv8T2Y4e2GnI-BiqWsaE1wtImhvXRRQ__MT_lRDph87-7zA4cTWEsZJRSXg"
        }
    }

    No Binding Relationship

    {
        "success": true,
        "code": "Operation.Success",
        "message": "Operation.Success",
        "requestId": "1658980728774$5abe2ca5-a666-dc36-e6eb-2b97e2aa2d0e",
        "data": {
            "fId": "202207281158486517671753087716352_X_ABD",
            "flowType": "NEED_LOGIN_OR_REGISTOR",
            "additional": null
        }
    }

    State in ID:xx Format Passed to Business Application

    {
        "success": true,
        "code": "Operation.Success",
        "message": "Operation.Success",
        "requestId": "1658980728774$5abe2ca5-a666-dc36-e6eb-2b97e2aa2d0e",
        "data": {
            "redirectUrl": "http://xxx.com/social/callback?idaasAppId=xx&code=xxx&state=xxx"
        }
    }
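The social logon request carries the `code` and `state` that the third-party platform hands back on the callback. The block below is an added example, not code from the CIAM documentation: it shows one way a backend can issue a single-use `state` per browser session and refuse to build the `/login/social` request body unless the returned `state` matches. `SocialStateStore`, `buildSocialLoginRequest`, the session IDs and the 10-minute lifetime are assumptions made for this illustration; the caller still adds the BearerToken described under Prerequisites.

```javascript
const { randomBytes, timingSafeEqual } = require('node:crypto');

const SOCIAL_LOGIN_PATH = '/api/bff/v1.2/developer/ciam/login/social';

// Hypothetical helper: tracks one outstanding state value per browser session.
// A production deployment would keep this in the server-side session store.
class SocialStateStore {
  constructor({ ttlMs = 10 * 60 * 1000, now = () => Date.now() } = {}) {
    this.ttlMs = ttlMs;
    this.now = now;
    this.pending = new Map(); // sessionId -> { state, expiresAt }
  }

  // Call before redirecting the user to the social platform.
  issue(sessionId) {
    const state = randomBytes(32).toString('hex');
    this.pending.set(sessionId, { state, expiresAt: this.now() + this.ttlMs });
    return state;
  }

  // Call on the callback. A state is accepted at most once, for the session
  // it was issued to, and only before it expires.
  consume(sessionId, returnedState) {
    const entry = this.pending.get(sessionId);
    this.pending.delete(sessionId); // single use, even when the check fails
    if (!entry || typeof returnedState !== 'string') return false;
    if (this.now() > entry.expiresAt) return false;
    const expected = Buffer.from(entry.state, 'utf8');
    const actual = Buffer.from(returnedState, 'utf8');
    return expected.length === actual.length && timingSafeEqual(expected, actual);
  }
}

// Builds the POST /login/social request from the callback query parameters.
// Throws instead of returning a request when the callback cannot be trusted.
function buildSocialLoginRequest(store, sessionId, callbackQuery, options) {
  const { code, state } = callbackQuery;
  if (!store.consume(sessionId, state)) {
    throw new Error('state mismatch: callback rejected');
  }
  if (typeof code !== 'string' || code.length === 0) {
    throw new Error('callback is missing the authorization code');
  }
  const body = { enterpriseAuthId: options.enterpriseAuthId, code, state };
  if (options.agreeConsent !== undefined) {
    body.agreeConsent = options.agreeConsent === true;
  }
  if (options.userType) {
    body.userType = options.userType;
  }
  return {
    method: 'POST',
    path: SOCIAL_LOGIN_PATH,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  };
}
```
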
  4. WeChat mini program logon

    1. Silent logon

      Silent logon works as follows: First, obtain a temporary code using wx.login in the mini program. Then, on the server, the corresponding openid and unionid are queried and checked for a binding relationship. If a binding relationship exists, the user status is verified and the user is logged on. Otherwise, the logon fails. A silent logon failure does not trigger a subsequent flow. Any response that does not return a user Token is considered a silent logon failure. This includes account exceptions and missing binding relationships.

      Note: In CIAM, mini program authorization logon uses the unionid to associate with a unique WeChat user. Therefore, when you integrate mini program logon, make sure the mini program is bound to a WeChat Open Platform account. Otherwise, the CIAM mini program logon does not work.

      API endpoint

      Request URI: POST /api/bff/v1.2/developer/ciam/login/miniprogram/silent

      Content-Type: application/json

      Request Parameters

      | Parameter name | Type | Required | Content description |
      | --- | --- | --- | --- |
      | loginCode | String | Yes | The temporary logon credential code obtained using wx.login in the WeChat mini program. This code cannot be reused. |
      | idaasAppId | String | Yes | Application ID, corresponding to the application ID in the application list under application management in the console. |
      | enterpriseAuthId | String | Yes | Authentication source ID, corresponding to the authentication source ID in the authentication source list in the console. |
      | deviceId | String | No | Optional, mini program end device ID. |
      | userType | String | No | The custom user type. The default value is regular user. |

      {
          "loginCode": "033nOZZv3GFRJY2Iwf3w3RrQdn1nOZZI",
          "idaasAppId": "{{idaasAppId}}",
          "enterpriseAuthId": "{{enterpriseAuthId}}"
      }

      Return Parameters

      Silent Logon Successful

      {
          "success": true,
          "code": "Operation.Success",
          "message": "Operation.Success",
          "requestId": "1656040913922$ca04c8b1-76ea-f3bd-599a-66c3d445259b",
          "data": {
              "userId": null,
              "uuid": "c0d7ebbae869a76781183310768088543DkolDLzrSB",
              "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjkxMGJkMTY4MzFhOTdhZDRhYjdlMGRjMmYzNDY5NTJiaXF6UVdEWWZMbz****.****.5QXEYp6GlgomFF08zFUkwNt-8cwDPSBV0UpAsg3jRtg",
              "token_type": "bearer",
              "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjkxMGJkMTY4MzFhOTdhZDRhYjdlMGRjMmYzNDY5NTJiaXF6UVdEWWZMbzUifQ.****.NkmM3xdRMq2xkI_j1A1E7TYUsPZsJn6J2wmJ2gj7Gg4",
              "expires_in": 179999,
              "scope": "USER_API",
              "id_token": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJjMGQ3ZWJiYWU4NjlhNzY3ODExODMzMTA3NjgwODg1NDNEa29sREx6clNCIiwic2NvcGUiOiJjMGQ3ZWJiYWU4NjlhNzY3ODExODMzMTA3NjgwODg1NDNEa29sREx6clNCIDEyMzQ2MTExMUAxMy5jb20gMTU4MDExMTExMDAiLCJsb2dpbk5hbWUiOiJ0ZXN0MDI3IiwiY3VzdG9tZXJJZCI6IjQ0MTIxNjU2Mjk4NDE5NTY4MTkiLCJleHAiOjE2NTY1MDYwODAsImp0aSI6InZRN0Uxa0xPTzVpQ3ZuR2JYTUdkZWciLCJpYXQiOjE2NTYzMjYwODEsIm5iZiI6MTY1NjMyNjAyMX0.CW3d41c7oGP23FU5DKGyiX553qLea09oYS4s-dISnse9iE-gGjZxUEqXlHSgfSERES9VeaaVwXEUqPOGKkHEEW0fQKcS82WTepiy1QHB0WeRzqKQQY9t38Rp-v_uMlpKLhnrfK_q_Q1A9ak5kDlpvidp2p5I84NmnisiQmGW7ep3xzs9V7axV9ump207ek5Bl1fs1kZ2gOUTHyWuQ0XoIDF6NHmUjtpA31jc5a13o-UIgX1Bd3ZNjmFiwm4EQ3xyZci72w0rTV7EyRa4KU7KyBjv-QJGv8T2Y4e2GnI-BiqWsaE1wtImhvXRRQ__MT_lRDph87-7zA4cTWEsZJRSXg"
          }
      }

      A silent logon fails if a user Token is not returned. This can happen because of an account exception or a missing binding relationship.

      Note

      When silent logon fails, WeChat user information will be returned to the business side for use (not mandatory).

      {
          "success": false,
          "code": "Operation.Failure",
          "message": "Operation.Failure.Mini.Program.Silent.Login",
          "requestId": "1656572265429$49b433a9-219a-910a-0323-2af4f1f1a9ce",
          "data": {
              "unionid": "o89vut2y09r3zcDIhxoU6sMdjmiw",
              "openid": "oVq2f4m1pC1Z8rhxYNzTtsWKTJFI"
          }
      }

      | Parameter name | Type | Example | Description |
      | --- | --- | --- | --- |
      | unionid | String | | The unionid of the WeChat user. |
      | openid | String | | The openid of the WeChat user. |

    2. Authorized logon

      Authorized logon works as follows: First, obtain a temporary code using wx.login in the mini program. Then, obtain the encrypted information of the WeChat user using wx.getUserProfile. On the server, the corresponding openid, unionid, and session_key are queried using the loginCode. Finally, the user information is decoded based on the session_key. After the user information is obtained, the binding relationship is checked. If a binding relationship exists, the logon is successful. Otherwise, proceed to the next step, such as logon or registration.

      API endpoint

      Request URI: POST /api/bff/v1.2/developer/ciam/login/miniprogram/authorized

      Content-Type: application/json

      Request Parameters

      | Parameter name | Type | Required | Content description |
      | --- | --- | --- | --- |
      | loginCode | String | Yes | The temporary logon credential code obtained using wx.login in the WeChat mini program. This code cannot be reused. |
      | idaasAppId | String | Yes | Application ID, corresponding to the application ID in the application list under application management in the console. |
      | enterpriseAuthId | String | Yes | Authentication source ID, corresponding to the authentication source ID in the authentication source list in the console. |
      | encryptedData | String | Yes | Encrypted data containing complete user information, including sensitive data, obtained through the wx.getUserProfile API. Refer to: https://developers.weixin.qq.com/miniprogram/dev/api/open-api/user-info/wx.getUserProfile.html. |
      | iv | String | Yes | Initial vector of the encryption algorithm, obtained through the wx.getUserProfile API. Refer to: https://developers.weixin.qq.com/miniprogram/dev/api/open-api/user-info/wx.getUserProfile.html. |
      | deviceId | String | No | Optional, mini program end device ID. |
      | userType | String | No | Custom user type, default is regular user. |
      | agreeConsent | Boolean | No | Whether the user agrees to the terms (when the application is configured with corresponding terms, this parameter must be passed). |

      {
          "loginCode": "063oewll2JUCH84Idiol2sxzFd0oewl4",
          "idaasAppId": "{{idaasAppId}}",
          "enterpriseAuthId": "{{enterpriseAuthId}}",
          "encryptedData": "Wp85WrAol3Xq8H/gm0xl5ux25ZZ4snh1uF3wjJ1KfzDP6BLqERNLw1f2wOQ/GRPgBnTUgJXuMUYKVGRY099graBknp0dbyfMoIS1NllnlrwVmrikhnSWwwU0X9iFig9u6fSUtUK69L80hALQ3H0GPDmNo64MWfd3e/bUy1Gfr2Mw2N9useithN6nbvFQlRZDotIb7Yr3fNPYpjXc+a1q/VCf/XYYUR+1gBWd/xXbFBYbrm+1iYbJomNEfRLcgSCU/pNYTzAgmRxn+bt/KUCiuDWXxLjJl1vySmgPre6Use4XJY9jwQIf+EB6C2ja2WQK8pk2wKCmhWoSZxDRoSUZ8gQXOqk6Ef0rWiazte5ibIcw/j5ridkqDctYyOMU1J4DNdRxjohTTgx/3t5BTpzQNcKwuA+SXcj8CRv2kPhgVUM=",
          "iv": "Gv3JeogqQ5eWM93vWSKWPQ==",
          "agreeConsent": true
      }

      Return Parameters

      With Binding Relationship

      {
          "success": true,
          "code": "Operation.Success",
          "message": "Operation.Success",
          "requestId": "1656040913922$ca04c8b1-76ea-f3bd-599a-66c3d445259b",
          "data": {
              "userId": null,
              "uuid": "c0d7ebbae869a76781183310768088543DkolDLzrSB",
              "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjkxMGJkMTY4MzFhOTdhZDRhYjdlMGRjMmYzNDY5NTJiaXF6UVdEWWZMbz****.****.5QXEYp6GlgomFF08zFUkwNt-8cwDPSBV0UpAsg3jRtg",
              "token_type": "bearer",
              "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjkxMGJkMTY4MzFhOTdhZDRhYjdlMGRjMmYzNDY5NTJiaXF6UVdEWWZMbzUifQ.eyJjaXBoZXJUZXh0IjoiVkh3YXpxZTdVb1owNEs5TTlnN2pqLzUvTEhSc2ZyOG1wVHU0TWdUckYwTGJLZ0ZLaHl0ckRsTktUa2FYUzMxRU1kRE1GWE1iWlZLYXd2SzM2OWk1SGZzZk1rSjcyRHFnbCtUMHZTVzFKRG9mVEFpcm1POWJOQ0pWQ29tamxqbGp4dmRHalNET1BtNlhZeEtqWGFrelhxYWdsOEdINkJXNEF4eTgrYWpOVXl5T0JCeFB6NGRxNmcwRlNvRTJTVGpmclNSZ2lGS0M3Y25YVGFoVXlJVTE0c1Q5QUgwckVIVko3UnY3RVNQYXdrL0dOZ3d4b2tvd25yczMyUEh3RXFGNXlUT3hDQk9kTG1IWXNWMFRHR2FHaTFWcUpERzh2Ui9JOXBtdmZnZlVHUGFGRUJjTVZmVlRBMU1nVWN0cWNpQnlpQTVrSng5QTVuNG9SVXdnMFZ1MWorcEhZQnFUTkp1SVpUQWttWElhcjQyanhHNFdFMVlscC93SUR3NlFFeHR0a3JrUE8rMGdka0llVGttQ0JybGVOZ3MxaVROckIyNUVvRGJwektxcWZyMUhoQ3VjK0JTTmVKYTdmakNmN0VkOCIsImRhdGFDaXBoZXJBbGciOiJERUZBVUxUIiwidGVuYW50S2V5VXVpZCI6IjdhYjQyN2UxMzQ0ZGRlMDFjOWY5NzQ3Mjc2MDM4NGFicGZ0S01hbkZFRkgifQ.NkmM3xdRMq2xkI_j1A1E7TYUsPZsJn6J2wmJ2gj7Gg4",
              "expires_in": 179999,
              "scope": "USER_API",
              "id_token": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJjMGQ3ZWJiYWU4NjlhNzY3ODExODMzMTA3NjgwODg1NDNEa29sREx6clNCIiwic2NvcGUiOiJjMGQ3ZWJiYWU4NjlhNzY3ODExODMzMTA3NjgwODg1NDNEa29sREx6clNCIDEyMzQ2MTExMUAxMy5jb20gMTU4MDExMTExMDAiLCJsb2dpbk5hbWUiOiJ0ZXN0MDI3IiwiY3VzdG9tZXJJZCI6IjQ0MTIxNjU2Mjk4NDE5NTY4MTkiLCJleHAiOjE2NTY1MDYwODAsImp0aSI6InZRN0Uxa0xPTzVpQ3ZuR2JYTUdkZWciLCJpYXQiOjE2NTYzMjYwODEsIm5iZiI6MTY1NjMyNjAyMX0.CW3d41c7oGP23FU5DKGyiX553qLea09oYS4s-dISnse9iE-gGjZxUEqXlHSgfSERES9VeaaVwXEUqPOGKkHEEW0fQKcS82WTepiy1QHB0WeRzqKQQY9t38Rp-v_uMlpKLhnrfK_q_Q1A9ak5kDlpvidp2p5I84NmnisiQmGW7ep3xzs9V7axV9ump207ek5Bl1fs1kZ2gOUTHyWuQ0XoIDF6NHmUjtpA31jc5a13o-UIgX1Bd3ZNjmFiwm4EQ3xyZci72w0rTV7EyRa4KU7KyBjv-QJGv8T2Y4e2GnI-BiqWsaE1wtImhvXRRQ__MT_lRDph87-7zA4cTWEsZJRSXg"
          }
      }

      No binding relationship (requires logon or registration)

      Important

      The authorization logon for WeChat mini programs is handled in a specific way. If no binding relationship exists, or if a binding relationship exists but the bound user is not found (possibly because of logical deletion or other causes of dirty data), the API does not return FlowType. Instead, it returns an Operation.Failure.User.Not.Exist error code and the FId in the data. This means that when you develop the mini program, you need to check the error message that is returned by the API. If the message is Operation.Failure.User.Not.Exist, it indicates that there is a next step in the current flow, which is one-click logon with a mobile number.

      {
          "success": false,
          "code": "Operation.Failure.Social.Login",
          "message": "Operation.Failure.User.Not.Exist",
          "requestId": "1656572612543$ad6dff47-af68-1296-c65b-28e84cf59579",
          "data": {
              "fId": "202206301503325238257221755438080_X_ABD"
          }
      }

      | Parameter name | Type | Example | Description |
      | --- | --- | --- | --- |
      | fId | String | | Process ID, returned for the next process. |

    3. One-click logon with a phone number

      One-click logon with a phone number works as follows: First, obtain a temporary code using wx.login in the mini program. Then, obtain the encrypted phone number information or the phone number code of the WeChat user using wx.getPhoneNumber. On the server, the corresponding openid, unionid, and session_key are queried using the loginCode. The server then checks whether phoneNumberCode is passed. If it is, this code is used to retrieve the user's real phone number from WeChat. Otherwise, the user's phone number information is decoded based on the session_key. After the user information is obtained, the binding relationship is checked. If a binding relationship exists, the logon is successful. Otherwise, proceed to the next step, such as logon or registration.

      API endpoint

      Request URI: POST /api/bff/v1.2/developer/ciam/login/miniprogram/phone

      Content-Type: application/json

      Request Parameters

      | Parameter name | Type | Required | Content description |
      | --- | --- | --- | --- |
      | fId | String | No | The fId generated by the previous flow, if any. |
      | loginCode | String | Yes | The temporary logon credential code obtained using wx.login in the WeChat mini program. This code cannot be reused. |
      | idaasAppId | String | Yes | Application ID, corresponding to the application ID in the application list under application management in the console. |
      | enterpriseAuthId | String | Yes | Authentication source ID, corresponding to the authentication source ID in the authentication source list in the console. |
      | phoneNumberCode | String | Yes | The code obtained using getPhoneNumber in the WeChat mini program. For more information, see https://developers.weixin.qq.com/miniprogram/dev/framework/open-ability/getPhoneNumber.html. |
      | encryptedData | String | Yes | Encrypted data containing complete user information, including sensitive data, obtained through getPhoneNumber. Refer to: https://developers.weixin.qq.com/miniprogram/dev/framework/open-ability/deprecatedGetPhoneNumber.html. |
      | iv | String | Yes | Initial vector of the encryption algorithm obtained through getPhoneNumber in the WeChat mini program. Refer to: https://developers.weixin.qq.com/miniprogram/dev/framework/open-ability/deprecatedGetPhoneNumber.html. |
      | deviceId | String | No | Optional, mini program end device ID. |
      | userType | String | No | Custom user type, default is regular user. |
      | agreeConsent | Boolean | No | Whether the user agrees to the terms (when the application is configured with corresponding terms, this parameter must be passed). |

      {
          "fId": "{{fId}}",
          "loginCode": "023arx000zEEHiO6N3arx0D",
          "idaasAppId": "{{idaasAppId}}",
          "enterpriseAuthId": "{{enterpriseAuthId}}",
          "phoneNumberCode": "c773d67f9ca3538ae7da881f0df96c2000bdedc4e",
          "encryptedData": "",
          "iv": "",
          "agreeConsent": true
      }

      Return Parameters

      With Binding Relationship

      {
          "success": true,
          "code": "Operation.Success",
          "message": "Operation.Success",
          "requestId": "1656040913922$ca04c8b1-76ea-f3bd-599a-66c3d445259b",
          "data": {
              "userId": null,
              "uuid": "c0d7ebbae869a76781183310768088543DkolDLzrSB",
              "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjkxMGJkMTY4MzFhOTdhZDRhYjdlMGRjMmYzNDY5NTJiaXF6UVdEWWZMbz****.eyJjaXBoZXJUZXh0IjoiVkh3YXpxZTdVb1owNEs5TTlnN2pqLzUvTEhSc2ZyOG1wVHU0TWdUckYwTGJLZ0ZLaHl0ckRsTktUa2FYUzMxRU1kRE1GWE1iWlZLYXd2SzM2OWk1SGZzZk1rSjcyRHFnbCtUMHZTVzFKRG9mVEFpcm1POWJOQ0pWQ29tamxqbGp4dmRHalNET1BtNlhZeEtqWGFrelhnSUJxNlhhNmFrWmN6MDNKT0NUWGxrWHpWWVpYUjg3SEo4SzV2SU5WTW1pUi9xNWgxVVZ4SnFrajIvQmRpNHFDSmt6cEhrN3UybTFUL09RblFIR1pBL3FKazhya1hMTmMxVVE3dHlLYlhTbk9OblA1Wmh2Vlp0RXBwem5Xb3oxYU1lQktqbmxOSnpEWGExQlJ1RDNtTXZpM202ZUFrUXJaNVMzakI4M09haVZ0dUtRQnhvVXhHTXVrNGV0Q0pQK2ZzLzFpWW1xNGpsc2M0NkpXNGdVSGc0bU5RbHBHRGJsWEtCMVowMVMrY3A0IiwiZGF0YUNpcGhlckFsZyI6IkRFRkFVTFQiLCJ0ZW5hbnRLZXlVdWlkIjoiN2FiNDI3ZTEzNDRkZGUwMWM5Zjk3NDcyNzYwMzg0YWJwZnRLTWFuRkVGSCJ9.5QXEYp6GlgomFF08zFUkwNt-8cwDPSBV0UpAsg3jRtg",
              "token_type": "bearer",
              "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjkxMGJkMTY4MzFhOTdhZDRhYjdlMGRjMmYzNDY5NTJiaXF6UVdEWWZMbzUifQ.****.NkmM3xdRMq2xkI_j1A1E7TYUsPZsJn6J2wmJ2gj7Gg4",
              "expires_in": 179999,
              "scope": "USER_API",
              "id_token": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJjMGQ3ZWJiYWU4NjlhNzY3ODExODMzMTA3NjgwODg1NDNEa29sREx6clNCIiwic2NvcGUiOiJjMGQ3ZWJiYWU4NjlhNzY3ODExODMzMTA3NjgwODg1NDNEa29sREx6clNCIDEyMzQ2MTExMUAxMy5jb20gMTU4MDExMTExMDAiLCJsb2dpbk5hbWUiOiJ0ZXN0MDI3IiwiY3VzdG9tZXJJZCI6IjQ0MTIxNjU2Mjk4NDE5NTY4MTkiLCJleHAiOjE2NTY1MDYwODAsImp0aSI6InZRN0Uxa0xPTzVpQ3ZuR2JYTUdkZWciLCJpYXQiOjE2NTYzMjYwODEsIm5iZiI6MTY1NjMyNjAyMX0.CW3d41c7oGP23FU5DKGyiX553qLea09oYS4s-dISnse9iE-gGjZxUEqXlHSgfSERES9VeaaVwXEUqPOGKkHEEW0fQKcS82WTepiy1QHB0WeRzqKQQY9t38Rp-v_uMlpKLhnrfK_q_Q1A9ak5kDlpvidp2p5I84NmnisiQmGW7ep3xzs9V7axV9ump207ek5Bl1fs1kZ2gOUTHyWuQ0XoIDF6NHmUjtpA31jc5a13o-UIgX1Bd3ZNjmFiwm4EQ3xyZci72w0rTV7EyRa4KU7KyBjv-QJGv8T2Y4e2GnI-BiqWsaE1wtImhvXRRQ__MT_lRDph87-7zA4cTWEsZJRSXg"
          }
      }

      No binding relationship (requires logon or registration)

      Important

      The one-click logon with a mobile number for WeChat mini programs has a special behavior. If no binding relationship exists, or if a binding relationship exists but the bound user does not exist (possibly because of logical deletion or dirty data), the API does not return FlowType. Instead, it returns an Operation.Failure.User.Not.Exist exception code and the FId in the `data` field. This means that when you develop the mini program, you must check the error message that is returned by the API. If the message is Operation.Failure.User.Not.Exist, it indicates that the current flow has a next step, and you should direct the user to the H5 logon and registration page.

      {
          "success": false,
          "code": "Operation.Failure.Social.Login",
          "message": "Operation.Failure.User.Not.Exist",
          "requestId": "1656573286977$6584dc2c-78b9-d12c-a6db-21ff9a90dac9",
          "data": {
              "fId": "202206301514226999141257494492160_X_ABD",
              "phoneNumber": "xxxx"
          }
      }

      | Parameter name | Type | Description |
      | --- | --- | --- |
      | fId | String | Process ID, returned for the next process. |
      | phoneNumber | String | The currently identified mobile number, which may need to be displayed by the frontend. |
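The three mini program endpoints signal "continue the flow" differently from the other logon APIs: the decision rests on `message` and `data.fId`, not on `code` or a `flowType`. The block below is an added example, not code from the CIAM documentation, that turns each response into the next client action as the two Important notes above describe. The function names, action labels and sample responses are constructed for this illustration.

```javascript
const USER_NOT_EXIST = 'Operation.Failure.User.Not.Exist';
const STAGES = ['silent', 'authorized', 'phone'];

// True only when the response actually carries a user token.
function hasUserToken(resp) {
  return Boolean(
    resp && resp.success === true && resp.data &&
    typeof resp.data.access_token === 'string' &&
    resp.data.access_token.length > 0
  );
}

// Maps a response from one of the three mini program logon endpoints to the
// next client action. `stage` names the endpoint that produced the response.
function nextStep(stage, resp) {
  if (!STAGES.includes(stage)) {
    throw new TypeError(`unknown stage: ${stage}`);
  }
  if (hasUserToken(resp)) {
    const { access_token, refresh_token, id_token, expires_in } = resp.data;
    return { action: 'LOGGED_IN', tokens: { access_token, refresh_token, id_token, expires_in } };
  }
  const data = (resp && resp.data) || {};
  if (stage === 'silent') {
    // Any response without a token is a silent logon failure and starts no
    // subsequent flow; the WeChat identifiers are optional extras.
    return {
      action: 'SILENT_FAILED',
      wechat: { unionid: data.unionid ?? null, openid: data.openid ?? null },
    };
  }
  // The continuation signal is in `message`; `code` reads
  // Operation.Failure.Social.Login in this case.
  const continues =
    Boolean(resp) && resp.success === false && resp.message === USER_NOT_EXIST &&
    typeof data.fId === 'string' && data.fId.length > 0;
  if (continues && stage === 'authorized') {
    return { action: 'PHONE_LOGIN', fId: data.fId };
  }
  if (continues && stage === 'phone') {
    return { action: 'H5_REGISTER', fId: data.fId, phoneNumber: data.phoneNumber ?? null };
  }
  return {
    action: 'FAILED',
    code: resp?.code ?? null,
    message: resp?.message ?? null,
    requestId: resp?.requestId ?? null,
  };
}

// Builds the /login/miniprogram/phone body for a PHONE_LOGIN step. loginCode
// cannot be reused, so a code already sent to another endpoint is refused.
function buildPhoneLoginBody(step, params, usedLoginCodes) {
  if (step.action !== 'PHONE_LOGIN') {
    throw new Error('phone logon is not the next step of this flow');
  }
  if (usedLoginCodes.has(params.loginCode)) {
    throw new Error('loginCode cannot be reused; call wx.login again');
  }
  usedLoginCodes.add(params.loginCode);
  return {
    fId: step.fId,
    loginCode: params.loginCode,
    idaasAppId: params.idaasAppId,
    enterpriseAuthId: params.enterpriseAuthId,
    phoneNumberCode: params.phoneNumberCode,
    encryptedData: '',
    iv: '',
    agreeConsent: params.agreeConsent === true,
  };
}

// Constructed sample responses, shaped like the ones shown above.
const SAMPLE_NO_BINDING = {
  success: false,
  code: 'Operation.Failure.Social.Login',
  message: USER_NOT_EXIST,
  requestId: 'constructed-request-id',
  data: { fId: 'constructed-fid-001', phoneNumber: 'xxxx' },
};
const SAMPLE_SILENT_FAILURE = {
  success: false,
  code: 'Operation.Failure',
  message: 'Operation.Failure.Mini.Program.Silent.Login',
  requestId: 'constructed-request-id',
  data: { unionid: 'constructed-unionid', openid: 'constructed-openid' },
};
const SAMPLE_SUCCESS = {
  success: true,
  code: 'Operation.Success',
  message: 'Operation.Success',
  requestId: 'constructed-request-id',
  data: { access_token: 'constructed.access.token', refresh_token: 'constructed.refresh.token',
          id_token: 'constructed.id.token', expires_in: 179999, token_type: 'bearer' },
};
```
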

  5. App

    1. Obtain an access token

      When a mobile app needs to use phone number authentication or IFAA authentication, you must grant authorization to the app. The app obtains this Token to interact with the security authentication product.

      API endpoint

      Request URI: POST /api/bff/v1.2/developer/ciam/login/app/safeauth/fetch_accesstoken

      Content-Type: application/json

      Request Parameters

      | Parameter name | Type | Required | Content description |
      | --- | --- | --- | --- |
      | applicationExternalId | String | Yes | Appid created in security authentication. |
      | mobileExtendParamsJson | String | Yes | JSON information of the mobile end. |
      | mobileExtendParamsJsonSign | String | Yes | JSON signature information of the mobile end. |
      | userId | String | No | User information of the mobile end. |

      Return Parameters

      | Parameter name | Type | Example | Content description |
      | --- | --- | --- | --- |
      | access_token | String | eyJhbGciOiJIUzI1N**** ... ... PoKL1O0j0 | The AccessToken information for security authentication. |
      | expires_in | Long | 3600 | The expiration time of the Token, in seconds. |

      Error Exception List

      | errorCode | ErrorMessage | Description |
      | --- | --- | --- |
      | Operation.Success | Operation.Success | Indicates success. |
      | Params.Blank | Params.Blank.ApplicationExternalId | The required parameter ApplicationExternalId is not specified. |
      | Params.Blank | Params.Blank.MobileExtendParamsJson | The required parameter MobileExtendParamsJson is not specified. |
      | Params.Blank | Params.Blank.MobileExtendParamsJsonSign | The required parameter MobileExtendParamsJsonSign is not specified. |
      | Operation.Failure | Operation.Failure.RemoteServerCommonError | Failed to call the security authentication service. |

    2. Obtain an fId

      When the user selects more logon methods, you must first obtain an fId.

      API endpoint

      Request URI: POST /api/bff/v1.2/developer/ciam/login/app/getFid

      Content-Type: application/json

      Request Parameters

      | Parameter name | Type | Example | Content description |
      | --- | --- | --- | --- |
      | deviceId | String | xxxxx | Device ID. |
      | response_type | String | code | The response type. For more information, see the response_type of the OAuth protocol. |
      | userType | String | No | Custom user type, default is regular user. |

      Return Parameters

      | Parameter name | Type | Example | Content description |
      | --- | --- | --- | --- |
      | fId | String | HbGciOiJIUzI1NiIsI ... ... | Process ID required to enter the logon page. |
      | flowType | String | LOGIN_NEED_REGISTER | Next process type. |

      Error Exception List

      | errorCode | ErrorMessage | Description |
      | --- | --- | --- |
      | Operation.Success | Operation.Success | Indicates success. |

    3. Phone number, face, and fingerprint authentication

      When the mobile app uses mobile number authentication or IFAA authentication, an IDToken is generated for the user after the app passes security authentication. After this API verifies the IDToken, IDaaS considers the authentication successful and issues token information.

      API endpoint

      Request URI: POST /api/bff/v1.2/developer/ciam/login/app/safeauth/login

      Content-Type: application/json

      Request Parameters

      | Parameter name | Type | Required | Content description |
      | --- | --- | --- | --- |
      | applicationExternalId | String | Yes | Appid created in security authentication. |
      | idToken | String | Yes | The Token issued to the user during security authentication. |
      | userType | String | No | Custom user type, default is regular user. |

      Return Parameters

      | Parameter name | Type | Example | Content description |
      | --- | --- | --- | --- |
      | id_token | String | HbGciOiJIUzI1NiIsI ... ... PoKL1O0 | User identity information Token. |
      | access_token | String | EyJhbGciOiJIUzI1N**** ... ... PoKL1O0j0 | The user access Token. |
      | refresh_token | String | YJhbGciOiJIUhbGciOiJIUzI1NiIsI ... ... | Used to refresh the user Token. |
      | scope | String | Read | The value. |
      | expires_in | Long | 3600 | The expiration time of the Token, in seconds. |

      Error Exception List

      | errorCode | ErrorMessage | Description |
      | --- | --- | --- |
      | Operation.Success | Operation.Success | Indicates success. |
      | Params.Blank | Params.Blank.IdToken | The IDToken parameter cannot be empty. |
      | Params.Blank | Params.Blank.ApplicationExternalId | The required parameter ApplicationExternalId is not specified. |
      | Operation.Failure | Operation.Failure.RemoteServerCommonError | Failed to call the security authentication service. |
      | Operation.Failure | Operation.Failure.No.User.Bind | No account information has been bound in security authentication. |
      | Operation.Failure | Operation.Failure.IDaaS.NoUser | No account information has been bound in the CIAM system. |
      | Operation.Failure | Operation.Failure.Service.Internal.Error | The error message returned because an internal error occurred on the broker. |

    4. Gesture authentication

      To use gesture authentication on the mobile end, first configure the gesture in the user center. Gesture logon can then be used.

      API endpoint

      Request URI: POST /api/bff/v1.2/developer/ciam/login/app/gesture/login

      Content-Type: application/json

      Request Parameters

      | Parameter name | Type | Required | Content description |
      | --- | --- | --- | --- |
      | gestureSign | String | Yes | The gesture, encrypted using the username. |
      | userName | String | Yes | Username. |
      | userType | String | No | Custom user type, default is regular user. |

      Return Parameters

      | Parameter name | Type | Example | Content description |
      | --- | --- | --- | --- |
      | id_token | String | HbGciOiJIUzI1NiIsI ... ... PoKL1O0 | User identity Token. |
      | access_token | String | EyJhbGciOiJIUzI1N**** ... ... PoKL1O0j0 | The user access Token. |
      | refresh_token | String | YJhbGciOiJIUhbGciOiJIUzI1NiIsI ... ... | Used to refresh the user Token. |
      | scope | String | Read | The value. |
      | expires_in | Long | 3600 | The expiration time of the Token, in seconds. |

      Error Exception List

      | errorCode | ErrorMessage | Description |
      | --- | --- | --- |
      | Operation.Success | Operation.Success | Indicates success. |
      | Params.Blank | Params.Blank.Gesture.Sign | The Sign parameter cannot be empty. |
      | Params.Blank | Params.Blank.User.Username | The Username parameter is missing. |
      | Operation.Failure | Operation.Failure.User.Not.Exist | User does not exist. |
      | Operation.Failure | Operation.Failure.User.Not.Bind.Gesture | User has not bound a gesture. |
      | Operation.Failure | Operation_Failure.Gesture.Error | The gesture entered by the user is incorrect. |
      | Operation.Failure | Operation.Failure.Service.Internal.Error | The error message returned because an internal error occurred on the broker. |

  6. Registration

    1. Registration: Send a verification code

      API endpoint

      Request URI: POST /api/bff/v1.2/developer/ciam/register/obtain_code

      Content-Type: application/json

      Request Parameters

      Note

      If SMS/email anti-brute-force protection is enabled, image CAPTCHA verification is required once the number of sent verification codes exceeds the risk control threshold.

      {
          "fId": "{{fId}}",
          "type": "SMS",
          "phoneNumber": "1510000****",
          "phoneRegion": "",
          "email": "111**@qq.com",
          "userType": "",
          "captchaCode": "",
          "captchaText": ""
      }

      | Parameter name | Type | Required | Content description |
      | --- | --- | --- | --- |
      | fId | String | Yes | The fId from the previous step in the flow. |
      | type | String | Yes | Verification code type. SMS represents text message, EMAIL represents email. |
      | phoneNumber | String | No | Mobile number, required when type is SMS. |
      | phoneRegion | String | No | Mobile area code. |
      | email | String | No | Email, required when type is EMAIL. |
      | captchaCode | String | No | Unique identifier of the image CAPTCHA, returned by the API for obtaining the CAPTCHA. Required if a CAPTCHA is present. |
      | captchaText | String | No | Image CAPTCHA text entered by the user, filled in according to the numbers displayed in the CAPTCHA image. Required when there is an image CAPTCHA. |
      | userType | String | No | User type, default is not passed. |
      | language | String | No | Language type for sending the verification code, default is the preferred language. |
      | engineCode | String | No | Gateway code for sending the verification code, default is the preferred gateway of the preferred service provider. |

      Return Parameters

      {
          "success": true,
          "code": "Operation.Success",
          "message": "Operation.Success",
          "requestId": "1654591263236$eb20f2b1-5afe-72ab-1333-8515f5a68dee",
          "data": {
              "fId": "202206071641032416438565386055680_X_BDE"
          }
      }
    2. Registration: Verify the verification code

      API endpoint

      Request URI: POST /api/bff/v1.2/developer/ciam/register/submit

      Content-Type: application/json

      Request Parameters

      {
          "fId": "{{fId}}",
          "type": "SMS",
          "code": "000000",
          "phoneNumber": "1511111****",
          "phoneRegion": "86",
          "email": "",
          "username": "test001",
          "password": "966966",
          "userType": "",
          "response_type": "token",
          "agreeConsent": true
      }

      | Parameter name | Type | Required | Content description |
      | --- | --- | --- | --- |
      | fId | String | Yes | The FId from the previous step in the flow. |
      | type | String | Yes | Registration type. SMS represents text message, EMAIL represents email. |
      | phoneNumber | String | No | Mobile number. Must be passed in this request if the verification code was sent to a mobile number in the previous step. |
      | phoneRegion | String | No | Mobile area code. |
      | email | String | No | Email. Must be passed in this request if the verification code was sent by email in the previous step. |
      | code | String | No | Verification code for email or mobile number. This attribute was added in the new version and is compatible with the old version's SmsCode and EmailCode. |
      | username | String | No | Registered username (logon username). |
      | password | String | No | User password. |
      | userType | String | No | User type. Not passed by default. |
      | response_type | String | No | If the value is code, an authorization code is returned. If the value is Token, the user's Token is returned. |
      | agreeConsent | Boolean | Yes | Whether the user agrees to the terms (if terms are not configured, this parameter can be ignored). |

      Return Parameters

      {
          "success": true,
          "code": "Operation.Success",
          "message": "Operation.Success",
          "requestId": "1656326070459$be264b8d-a6ca-a75c-f224-ade8531cc4af",
          "data": {
              "userId": null,
              "uuid": "c0d7ebbae869a76781183310768088543DkolDLzrSB",
              "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjkxMGJkMTY4MzFhOTdhZDRhYjdlMGRjMmYzNDY5NTJiaXF6UVdEWWZMbz****.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.c57U7qi46KnVAPnzk2bgHI9sPoUlk93L5mPOq1WRy_s",
              "token_type": "bearer",
              "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjkxMGJkMTY4MzFhOTdhZDRhYjdlMGRjMmYzNDY5NTJiaXF6UVdEWWZMbzUifQ.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.VjrWftgXUmLD_P9ECVYGwBEzpyrvZcy-hdrAciIp-aU",
              "expires_in": 179999,
              "scope": "USER_API",
              "id_token": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJjMGQ3ZWJiYWU4NjlhNzY3ODExODMzMTA3NjgwODg1NDNEa29sREx6clNCIiwic2NvcGUiOiJjMGQ3ZWJiYWU4NjlhNzY3ODExODMzMTA3NjgwODg1NDNEa29sREx6clNCIDEyMzQ2MTExMUAxMy5jb20gMTU4MDExMTExMDAiLCJsb2dpbk5hbWUiOiJ0ZXN0MDI3IiwiY3VzdG9tZXJJZCI6IjQ0MTIxNjU2Mjk4NDE5NTY4MTkiLCJleHAiOjE2NTY1MDYwODAsImp0aSI6InZRN0Uxa0xPTzVpQ3ZuR2JYTUdkZWciLCJpYXQiOjE2NTYzMjYwODEsIm5iZiI6MTY1NjMyNjAyMX0.CW3d41c7oGP23FU5DKGyiX553qLea09oYS4s-dISnse9iE-gGjZxUEqXlHSgfSERES9VeaaVwXEUqPOGKkHEEW0fQKcS82WTepiy1QHB0WeRzqKQQY9t38Rp-v_uMlpKLhnrfK_q_Q1A9ak5kDlpvidp2p5I84NmnisiQmGW7ep3xzs9V7axV9ump207ek5Bl1fs1kZ2gOUTHyWuQ0XoIDF6NHmUjtpA31jc5a13o-UIgX1Bd3ZNjmFiwm4EQ3xyZci72w0rTV7EyRa4KU7KyBjv-QJGv8T2Y4e2GnI-BiqWsaE1wtImhvXRRQ__MT_lRDph87-7zA4cTWEsZJRSXg",
              "idaasCode": null,
              "locked": false,
              "enabled": false,
              "sourceApplicationUuid": null,
              "authId": null,
              "unionId": null,
              "openId": null,
              "phoneRegion": null,
              "createTime": null,
              "uamParams": null
          }
      }

3. Two-factor authentication

  1. Verification code method: Send a verification code

    Note

    When FlowType=NEED_TWO_FACTOR is returned, the flow enters two-factor authentication. This API applies only to two-factor authentication that uses a mobile number or email verification code.

    API endpoint

    Request URI: POST /api/bff/v1.2/developer/ciam/prepare_second_factor

    Content-Type: application/json

    Request Parameters

    Note

    If SMS/email anti-brute-force protection is enabled, image CAPTCHA verification is required once the number of verification codes sent exceeds the risk control threshold.

    {
        "fId": "{{fId}}",
        "type": "SMS",
        "captchaCode": "",
        "captchaText": ""
    }

    | Parameter name | Type | Required | Content description |
    | --- | --- | --- | --- |
    | fId | String | Yes | The FId from the previous step in the flow. |
    | type | String | Yes | Two-factor authentication method. Currently supported values: SMS, EMAIL. Pass the value that matches the selected two-factor authentication method. |
    | userType | String | No | Custom user type. Defaults to regular user. |
    | language | String | No | Language in which the verification code is sent. Defaults to the preferred language. |
    | engineCode | String | No | Gateway code for sending the verification code. Defaults to the preferred gateway of the preferred service provider. |
    | captchaCode | String | No | Unique identifier of the image CAPTCHA, returned by the image verification API. |
    | captchaText | String | No | Image CAPTCHA text. Enter the numbers displayed in the CAPTCHA image returned by the API. |

    Return Parameters

    Unsupported two-factor authentication method

    {
        "success": false,
        "code": "Params.Illegal",
        "message": "Operation.Failure.Unsupport.2fa.Type",
        "requestId": "1654681888509$40033cb3-9d4f-4a52-e3a3-447c52c80fb1",
        "data": null
    }

    Normal

    {
        "success": true,
        "code": "Operation.Success",
        "message": "Operation.Success",
        "requestId": "1654681964158$6b18049f-68ee-0fbc-7128-d5627b387fad",
        "data": {
            "fId": "202206081747411329041361342880768_X_BCD"
        }
    }
  2. Verification code method: Authenticate the verification code

    API endpoint

    Request URI: POST /api/bff/v1.2/developer/ciam/verify_second_factor

    Content-Type: application/json

    Request Parameters

    {
        "code": "000000",
        "type": "SMS",
        "fId": "{{fId}}"
    }

    | Parameter name | Type | Required | Content description |
    | --- | --- | --- | --- |
    | fId | String | Yes | The FId of the previous flow. |
    | type | String | Yes | Two-factor authentication method. Currently supported values: SMS, EMAIL, PWD. Pass the value that matches the selected two-factor authentication method. |
    | code | String | Yes | Verification code for mobile or email. |

    Return Parameters

    {
        "success": true,
        "code": "Operation.Success",
        "message": "Operation.Success",
        "requestId": "1656326070459$be264b8d-a6ca-a75c-f224-ade8531cc4af",
        "data": {
            "userId": null,
            "uuid": "c0d7ebbae869a76781183310768088543DkolDLzrSB",
            "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjkxMGJkMTY4MzFhOTdhZDRhYjdlMGRjMmYzNDY5NTJiaXF6UVdEWWZMbz****.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.c57U7qi46KnVAPnzk2bgHI9sPoUlk93L5mPOq1WRy_s",
            "token_type": "bearer",
            "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjkxMGJkMTY4MzFhOTdhZDRhYjdlMGRjMmYzNDY5NTJiaXF6UVdEWWZMbzUifQ.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.VjrWftgXUmLD_P9ECVYGwBEzpyrvZcy-hdrAciIp-aU",
            "expires_in": 179999,
            "scope": "USER_API",
            "id_token": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJjMGQ3ZWJiYWU4NjlhNzY3ODExODMzMTA3NjgwODg1NDNEa29sREx6clNCIiwic2NvcGUiOiJjMGQ3ZWJiYWU4NjlhNzY3ODExODMzMTA3NjgwODg1NDNEa29sREx6clNCIDEyMzQ2MTExMUAxMy5jb20gMTU4MDExMTExMDAiLCJsb2dpbk5hbWUiOiJ0ZXN0MDI3IiwiY3VzdG9tZXJJZCI6IjQ0MTIxNjU2Mjk4NDE5NTY4MTkiLCJleHAiOjE2NTY1MDYwODAsImp0aSI6InZRN0Uxa0xPTzVpQ3ZuR2JYTUdkZWciLCJpYXQiOjE2NTYzMjYwODEsIm5iZiI6MTY1NjMyNjAyMX0.CW3d41c7oGP23FU5DKGyiX553qLea09oYS4s-dISnse9iE-gGjZxUEqXlHSgfSERES9VeaaVwXEUqPOGKkHEEW0fQKcS82WTepiy1QHB0WeRzqKQQY9t38Rp-v_uMlpKLhnrfK_q_Q1A9ak5kDlpvidp2p5I84NmnisiQmGW7ep3xzs9V7axV9ump207ek5Bl1fs1kZ2gOUTHyWuQ0XoIDF6NHmUjtpA31jc5a13o-UIgX1Bd3ZNjmFiwm4EQ3xyZci72w0rTV7EyRa4KU7KyBjv-QJGv8T2Y4e2GnI-BiqWsaE1wtImhvXRRQ__MT_lRDph87-7zA4cTWEsZJRSXg",
            "idaasCode": null,
            "locked": false,
            "enabled": false,
            "sourceApplicationUuid": null,
            "authId": null,
            "unionId": null,
            "openId": null,
            "phoneRegion": null,
            "createTime": null,
            "uamParams": null
        }
    }
  3. Password method: Authenticate the password

    API endpoint

    Request URI: POST /api/bff/v1.2/developer/ciam/verify_second_factor

    Content-Type: application/json

    Request Parameters

    {
        "password": "966966",
        "type": "PWD",
        "fId": "{{fId}}"
    }

    | Parameter name | Type | Required | Content description |
    | --- | --- | --- | --- |
    | fId | String | Yes | The FId of the previous step in the flow. |
    | type | String | Yes | The method of two-factor authentication, fixed as PWD. |
    | password | String | Yes | Password entered by the user. |

    Return Parameters

    Two-factor authentication failed

    {
        "success": false,
        "code": "Operation.Failure",
        "message": "Operation.Failure.User.Password.Error",
        "requestId": "1654747792211$750c5b3e-5dd2-efa1-60a5-1acc88ca1f85",
        "data": null
    }

    Two-factor authentication successful

    {
        "success": true,
        "code": "Operation.Success",
        "message": "Operation.Success",
        "requestId": "1656326070459$be264b8d-a6ca-a75c-f224-ade8531cc4af",
        "data": {
            "userId": null,
            "uuid": "c0d7ebbae869a76781183310768088543DkolDLzrSB",
            "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjkxMGJkMTY4MzFhOTdhZDRhYjdlMGRjMmYzNDY5NTJiaXF6UVdEWWZMbz****.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.c57U7qi46KnVAPnzk2bgHI9sPoUlk93L5mPOq1WRy_s",
            "token_type": "bearer",
            "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjkxMGJkMTY4MzFhOTdhZDRhYjdlMGRjMmYzNDY5NTJiaXF6UVdEWWZMbzUifQ.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.VjrWftgXUmLD_P9ECVYGwBEzpyrvZcy-hdrAciIp-aU",
            "expires_in": 179999,
            "scope": "USER_API",
            "id_token": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJjMGQ3ZWJiYWU4NjlhNzY3ODExODMzMTA3NjgwODg1NDNEa29sREx6clNCIiwic2NvcGUiOiJjMGQ3ZWJiYWU4NjlhNzY3ODExODMzMTA3NjgwODg1NDNEa29sREx6clNCIDEyMzQ2MTExMUAxMy5jb20gMTU4MDExMTExMDAiLCJsb2dpbk5hbWUiOiJ0ZXN0MDI3IiwiY3VzdG9tZXJJZCI6IjQ0MTIxNjU2Mjk4NDE5NTY4MTkiLCJleHAiOjE2NTY1MDYwODAsImp0aSI6InZRN0Uxa0xPTzVpQ3ZuR2JYTUdkZWciLCJpYXQiOjE2NTYzMjYwODEsIm5iZiI6MTY1NjMyNjAyMX0.CW3d41c7oGP23FU5DKGyiX553qLea09oYS4s-dISnse9iE-gGjZxUEqXlHSgfSERES9VeaaVwXEUqPOGKkHEEW0fQKcS82WTepiy1QHB0WeRzqKQQY9t38Rp-v_uMlpKLhnrfK_q_Q1A9ak5kDlpvidp2p5I84NmnisiQmGW7ep3xzs9V7axV9ump207ek5Bl1fs1kZ2gOUTHyWuQ0XoIDF6NHmUjtpA31jc5a13o-UIgX1Bd3ZNjmFiwm4EQ3xyZci72w0rTV7EyRa4KU7KyBjv-QJGv8T2Y4e2GnI-BiqWsaE1wtImhvXRRQ__MT_lRDph87-7zA4cTWEsZJRSXg",
            "idaasCode": null,
            "locked": false,
            "enabled": false,
            "sourceApplicationUuid": null,
            "authId": null,
            "unionId": null,
            "openId": null,
            "phoneRegion": null,
            "createTime": null,
            "uamParams": null
        }
    }
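    The two-factor exchange above, as an added example that is not part of the original documentation or any Alibaba Cloud SDK: it builds the prepare_second_factor and verify_second_factor bodies, classifies the response envelope, and produces log-safe copies of requests and responses. The function names, the `[redacted]` marker and the sample responses are constructed for illustration; omitting the optional CAPTCHA fields when they are empty is an assumption.

```python
import copy

# URIs, type values and field names come from the samples on this page.
PREPARE_URI = "/api/bff/v1.2/developer/ciam/prepare_second_factor"
VERIFY_URI = "/api/bff/v1.2/developer/ciam/verify_second_factor"
SEND_TYPES = {"SMS", "EMAIL"}            # types listed for prepare_second_factor
VERIFY_TYPES = {"SMS", "EMAIL", "PWD"}   # types listed for verify_second_factor
TOKEN_FIELDS = ("access_token", "refresh_token", "id_token")
REQUEST_SECRETS = ("code", "password")   # OTP or password typed by the user


def build_prepare(f_id, method, captcha_code="", captcha_text=""):
    """Body for prepare_second_factor (asks the server to send a code)."""
    if not f_id:
        raise ValueError("fId from the previous step is required")
    if method not in SEND_TYPES:
        raise ValueError(f"no verification code is sent for type {method!r}")
    body = {"fId": f_id, "type": method}
    # Assumption: the CAPTCHA pair is only included once it is needed.
    if captcha_code or captcha_text:
        if not (captcha_code and captcha_text):
            raise ValueError("captchaCode and captchaText must be sent together")
        body.update(captchaCode=captcha_code, captchaText=captcha_text)
    return body


def build_verify(f_id, method, secret):
    """Body for verify_second_factor: 'password' for PWD, 'code' otherwise."""
    if not f_id:
        raise ValueError("fId from the previous step is required")
    if method not in VERIFY_TYPES:
        raise ValueError(f"unsupported two-factor type {method!r}")
    if not secret:
        raise ValueError("empty verification code or password")
    field = "password" if method == "PWD" else "code"
    return {"fId": f_id, "type": method, field: secret}


def interpret(response):
    """Classify a response envelope as (kind, value, detail)."""
    if not isinstance(response, dict) or response.get("success") is not True:
        envelope = response if isinstance(response, dict) else {}
        return ("error", envelope.get("code"), envelope.get("message"))
    data = response.get("data") or {}
    if data.get("flowType"):            # another child flow must run first
        return ("flow", data["flowType"], data.get("fId"))
    if data.get("access_token"):        # logon finished, token issued
        return ("token", data["access_token"], data.get("expires_in"))
    if data.get("fId"):                 # code sent, verify it next
        return ("continue", data["fId"], None)
    return ("error", None, "success without token, flowType or fId")


def redact_request(body):
    """Copy of a request body that is safe to write to a log."""
    return {k: "[redacted]" if k in REQUEST_SECRETS else v
            for k, v in body.items()}


def redact_response(response):
    """Copy of a response that is safe to write to a log.

    The envelope's own "code" is a status string, not an OTP, so it is kept.
    """
    safe = copy.deepcopy(response)
    data = safe.get("data")
    if isinstance(data, dict):
        for name in TOKEN_FIELDS:
            if data.get(name):
                data[name] = "[redacted]"
    return safe


# Constructed responses in the shape shown above; token values are placeholders.
UNSUPPORTED = {"success": False, "code": "Params.Illegal",
               "message": "Operation.Failure.Unsupport.2fa.Type", "data": None}
CODE_SENT = {"success": True, "code": "Operation.Success",
             "message": "Operation.Success", "data": {"fId": "FID-STEP-2"}}
LOGGED_ON = {"success": True, "code": "Operation.Success",
             "message": "Operation.Success",
             "data": {"access_token": "EXAMPLE-ACCESS", "token_type": "bearer",
                      "refresh_token": "EXAMPLE-REFRESH", "expires_in": 179999,
                      "id_token": "EXAMPLE-ID"}}

if __name__ == "__main__":
    kind, next_f_id, _ = interpret(CODE_SENT)
    request = build_verify(next_f_id, "SMS", "000000")
    print(VERIFY_URI, redact_request(request))
    print(redact_response(LOGGED_ON))
```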

4. Complete your personal information

  1. Send a verification code

    When account information is supplemented with a mobile number or email, you must verify that the mobile number or email belongs to the current user, so a verification code check is required. This API sends the verification code to the mobile number or email.

    API endpoint

    Request URI: POST /api/bff/v1.2/developer/ciam/complete/obtain_code

    Content-Type: application/json

    Request Parameters

    Note

    If you enable Text Message/Email Brute-force Protection, a Captcha is required for authentication when the number of sent verification codes exceeds the risk control threshold.

    {
        "fId": "{{fId}}",
        "type": "EMAIL",
        "email": "te**@test.com",
        "phoneNumber": "1510000****",
        "phoneRegion": "",
        "userType": "",
        "captchaCode": "",
        "captchaText": ""
    }

    | Parameter name | Type | Required | Content description |
    | --- | --- | --- | --- |
    | fId | String | Yes | The FId from the previous step. |
    | type | String | Yes | Type of bound attribute. SMS represents mobile number, EMAIL represents email. |
    | phoneNumber | String | No | The phone number. This parameter is required when you set Type to SMS. |
    | phoneRegion | String | No | Mobile area code. |
    | email | String | No | The email address. This parameter is required when you set Type to EMAIL. |
    | language | String | No | Language in which the verification code is sent. Defaults to the preferred language. |
    | engineCode | String | No | Gateway code for sending the verification code. Defaults to the preferred gateway of the preferred service provider. |
    | userType | String | No | Custom user type. Defaults to regular user. |
    | captchaCode | String | No | Unique identifier of the image CAPTCHA, returned by the image verification API. |
    | captchaText | String | No | Image CAPTCHA text. Enter the numbers displayed in the CAPTCHA image returned by the API. |

    Return Parameters

    {
        "success": true,
        "code": "Operation.Success",
        "message": "Operation.Success",
        "requestId": "1654591001075$3b675da5-5564-8ac5-f5cb-278f22c2908a",
        "data": {
            "fId": "20220607163529468654192924672_X_BDE"
        }
    }

    | Parameter name | Type | Example | Description |
    | --- | --- | --- | --- |
    | fId | String | | Process ID, returned for the next process. |

  2. Add account properties

    During user authentication, if you require account properties to be completed, the system returns FlowType=NEED_COMPLETE_ACCOUNT_ATTR after authentication is complete. If the response includes the following content, you must complete the account information:

    {
        "success": true,
        "code": "Operation.Success",
        "message": "Operation.Success",
        "requestId": "1673335017357$4eec4dea-e833-365b-9076-4744fa49ae84",
        "data": {
            "fId": "202301101516523678255186083334144_X_BCDEF",
            "flowType": "NEED_COMPLETE_ACCOUNT_ATTR",
            "additional": {
                "accountAttrs": [
                    "username",
                    "email",
                    "password"
                ],
                "baseAttrs": [
                    {
                        "fieldName": "姓名",
                        "dataDictionaryFieldType": "TEXT",
                        "dataDictionaryType": "USER_BASE",
                        "dictionaryValueUuid": "xxxxxxx",
                        "selectFieldOptions": [],
                        "fieldValue": "fullName",
                        "uuid": "46b13e088966a93daa01d42ccacc0e88zk8mIRyXO0J",
                        "customAttributes": []
                    }
                ]
            }
        }
    }

    This API is used to supplement account attributes (mobile number, email, username, password, etc.) and basic user attributes (profile picture, nickname, name, gender, birthday, etc.).

    Note

    This API may also return pending user extension attributes in some scenarios, and the frontend needs to adapt accordingly.

    API endpoint

    Request URI: POST /api/bff/v1.2/developer/ciam/complete/account_attr

    Content-Type: application/json

    Request Parameters

    {
        "fId": "xxxxxx",
        "email": "te**@test.com",
        "emailCode": "000000",
        "phoneNumber": "1510000****",
        "phoneRegion": "86",
        "smsCode": "000000",
        "username": "test"
    }

    | Parameter name | Type | Required | Content description |
    | --- | --- | --- | --- |
    | fId | String | Yes | The FId from the previous step. |
    | username | String | No | Username. Whether this value is required depends on whether the login or registration API returns FlowType=NEED_COMPLETE_ACCOUNT_ATTR and whether data.additional.accountAttrs in the returned data contains the Username attribute. |
    | password | String | No | Password. Whether this value is required depends on whether the login or registration API returns FlowType=NEED_COMPLETE_ACCOUNT_ATTR and whether data.additional.accountAttrs in the returned data contains the Password attribute. |
    | email | String | No | Email. Whether this value is required depends on whether the login or registration API returns FlowType=NEED_COMPLETE_ACCOUNT_ATTR and whether data.additional.accountAttrs in the returned data contains the Email attribute. |
    | phoneNumber | String | No | Mobile number. Whether this value is required depends on whether the login or registration API returns FlowType=NEED_COMPLETE_ACCOUNT_ATTR and whether data.additional.accountAttrs in the returned data contains the PhoneNumber attribute. |
    | phoneRegion | String | No | Mobile area code. Whether this value is required depends on whether the login or registration API returns FlowType=NEED_COMPLETE_ACCOUNT_ATTR and whether data.additional.accountAttrs in the returned data contains the PhoneNumber attribute. |
    | smsCode | String | No | Mobile verification code. Required when the pending attributes include a mobile number. |
    | emailCode | String | No | Email verification code. Required when the pending attributes include an email. |
    | displayName | String | No | Display name. Whether this value is required depends on whether the login or registration API returns FlowType=NEED_COMPLETE_ACCOUNT_ATTR and whether data.additional.baseAttrs in the returned data contains the DisplayName attribute. |
    | enDisplayName | String | No | English display name. Whether this value is required depends on whether the login or registration API returns FlowType=NEED_COMPLETE_ACCOUNT_ATTR and whether data.additional.baseAttrs in the returned data contains the EnDisplayName attribute. |
    | fullName | String | No | Full name. Whether this value is required depends on whether the login or registration API returns FlowType=NEED_COMPLETE_ACCOUNT_ATTR and whether data.additional.baseAttrs in the returned data contains the FullName attribute. |
    | gender | String | No | Gender. Whether this value is required depends on whether the login or registration API returns FlowType=NEED_COMPLETE_ACCOUNT_ATTR and whether data.additional.baseAttrs in the returned data contains the Gender attribute. |
    | birthday | String | No | Birthday. Whether this value is required depends on whether the login or registration API returns FlowType=NEED_COMPLETE_ACCOUNT_ATTR and whether data.additional.baseAttrs in the returned data contains the Birthday attribute. |
    | country | String | No | Country. Whether this value is required depends on whether the login or registration API returns FlowType=NEED_COMPLETE_ACCOUNT_ATTR and whether data.additional.baseAttrs in the returned data contains the Country attribute. |
    | region | String | No | Region. Whether this value is required depends on whether the login or registration API returns FlowType=NEED_COMPLETE_ACCOUNT_ATTR and whether data.additional.baseAttrs in the returned data contains the Region attribute. |
    | province | String | No | Province. Whether this value is required depends on whether the login or registration API returns FlowType=NEED_COMPLETE_ACCOUNT_ATTR and whether data.additional.baseAttrs in the returned data contains the Province attribute. |
    | city | String | No | City. Whether this value is required depends on whether the login or registration API returns FlowType=NEED_COMPLETE_ACCOUNT_ATTR and whether data.additional.baseAttrs in the returned data contains the City attribute. |
    | street | String | No | Street. Whether this value is required depends on whether the login or registration API returns FlowType=NEED_COMPLETE_ACCOUNT_ATTR and whether data.additional.baseAttrs in the returned data contains the Street attribute. |
    | address | String | No | Detailed address. Whether this value is required depends on whether the login or registration API returns FlowType=NEED_COMPLETE_ACCOUNT_ATTR and whether data.additional.baseAttrs in the returned data contains the Address attribute. |
    | description | String | No | Personal description. Whether this value is required depends on whether the login or registration API returns FlowType=NEED_COMPLETE_ACCOUNT_ATTR and whether data.additional.baseAttrs in the returned data contains the Description attribute. |
    | avatarUuid | String | No | User profile picture. Whether this value is required depends on whether the login or registration API returns FlowType=NEED_COMPLETE_ACCOUNT_ATTR and whether data.additional.baseAttrs in the returned data contains the AvatarUuid attribute. |

    Return Parameters

    {
        "success": true,
        "code": "Operation.Success",
        "message": "Operation.Success",
        "requestId": "1671451557868$5296056b-782c-38e6-aaf4-e2a9580055a9",
        "data": {
            "userId": null,
            "uuid": "9c9f2eb104b1dd8ffc21a8c53cf168fc6LJFouMQJNH",
            "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImUyZTE0MTNmNGRiMzgwOTA4YjRlZDNlYjZmOGJmMDhhMURvZjZDblc0V0QifQ.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.5T7iDRsl8FXZN1A-tFPepPS_huDSw8CRHuaCefBSyLs",
            "token_type": "bearer",
            "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImUyZTE0MTNmNGRiMzgwOTA4YjRlZDNlYjZmOGJmMDhhMURvZjZDblc0V0QifQ.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.ZfQ4O1u1lHDIynAg63FpUfBS6BJslza6S33NvzdqMxs",
            "expires_in": 719999,
            "scope": "USER_API,openid,profile",
            "id_token": "eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODEiLCJzdWIiOiI5YzlmMmViMTA0YjFkZDhmZmMyMWE4YzUzY2YxNjhmYzZMSkZvdU1RSk5IIiwiYXVkIjoiZTJlMTQxM2Y0ZGIzODA5MDhiNGVkM2ViNmY4YmYwOGExRG9mNkNuVzRXRCIsImV4cCI6MTY3MjE3MTU2OCwiaWF0IjoxNjcxNDUxNTY5LCJqdGkiOiJrQ050MEpmbkVJZWZWbUdla0Z3QkpBIiwibmJmIjoxNjcxNDUxNTA5LCJ1c2VybmFtZSI6ImQxMjM0NTYiLCJleHRlcm5hbElkIjpudWxsLCJuaWNrbmFtZSI6IlIyMDIyMTEyODE2MTQxMDE2MjE5MDA1OTUiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJSMjAyMjExMjgxNjE0MTAxNjIxOTAwNTk1In0.NXAqFDXtnqIYc08LzEmvCLkuRtiG9UIYpT-v3gka4eHUmWdxb0sAg3WuOWP_VXqWb2EkzFN1Jeo4x--WywBnpkwJ8OXR6GTnLu9eaxxktM7zrrQ-brriCeTm8Oi8UZrRm3ronY_7VvTXgKVNY1hiqbQyQGDp6zo5QdiBRbSyqXvHXkIrz2-R8716TxeGSmPV2PQMGjaFFNCQWgXXDOEX_8TK6TOtRy-nYIe39NeYGWT6X5-IrslsKKTKW3yjc6227EHQtCZjIxK51Ys7hQh-ahoQUbyPFJUQeFbbkRiXokOBIloWfoWWBCsXTfILWJm3wrq9lHyvlavUT64291k8RA"
        }
    }
  3. Add extension properties

    During user authentication, if you require account extension properties to be completed, the system returns FlowType=NEED_COMPLETE_EXTENSION_ATTR after authentication is complete. If the response includes the following content, you must complete the account information:

    {
        "success": true,
        "code": "Operation.Success",
        "message": "Operation.Success",
        "requestId": "1672307673561$a48a5b6a-baa8-dd7f-a805-d070a5f856b1",
        "data": {
            "fId": "202212291754332256045602524457984_X_BCDF",
            "flowType": "NEED_COMPLETE_EXTENSION_ATTR",
            "additional": {
                "dataDictionaries": [
                    {
                        "needRelation": false,
                        "fieldName": "性别",
                        "dataDictionaryFieldType": "SELECT",
                        "dataDictionaryType": "UD_ACCOUNT",
                        "enterpriseUuid": "2bcdef58e8ae5cf6f5b18343bc1fbebc2f64xbYa0yx",
                        "needShow": true,
                        "fieldValue": "sex",
                        "uuid": "cc4d7cbfda2ebc0437921ab3fe900f7fylI7pPzLC9C",
                        "enabled": true,
                        "required": false,
                        "readonly": false,
                        "unique": false,
                        "dictionaryValueUuid": "0646c123295b07b93570b43c2e0b057ebEIKJZzEvWG",
                        "selectFieldOptions": [
                            {
                                "optionLabel": "男",
                                "optionValue": "男",
                                "optionId": "2fe9693edc921a4ae0bdd2e7653aafd4GW1e6uZFSgS",
                                "uuid": "077d6c18b9168aad2451ad063f5e4588O3zhBpn50y3"
                            },
                            {
                                "optionLabel": "女",
                                "optionValue": "女",
                                "optionId": "a547a2535e1aae7d2631e9e613e6824fmP9dg8SNfkr",
                                "uuid": "52f2a4b11b168696a64ee144f7b2729akjuANhofvcG"
                            }
                        ],
                        "modifiable": true,
                        "needSensitive": false,
                        "customAttributes": []
                    }
                ]
            },
            "userList": null
        }
    }

    This API is used to supplement the extension attributes of the account.

    Note

    This API may also return pending user account attributes in some scenarios, and the frontend needs to adapt accordingly. Refer to 2.4.4 for account attribute content.

    API endpoint

    Request URI: POST /api/bff/v1.2/developer/ciam/complete/extension_attr

    Content-Type: application/json

    Request Parameters

    {
      "fId":"xxxxxxxxx",
      "dataDictionaryValues": [
        {
          "uuid": "0646c123295b07b93570b43c2e0b057ebEIKJZzEvWG",
          "dictionaryUuid": "cc4d7cbfda2ebc0437921ab3fe900f7fylI7pPzLC9C",
          "dictionaryValue": "男"
        },
        {
          "uuid": "880490b6d30c8c0f2612d3df8b2aae0bSUfpHl5rVsq",
          "dictionaryUuid": "0fe64d5bf628a7*******3573de77f238x5hv7TROSWB",
          "dictionaryValue": "Value of the extension attribute"
        }
      ]
    }

    | Parameter name | Type | Required | Content description |
    | --- | --- | --- | --- |
    | fId | String | Yes | Process ID, generated by the previous process. |
    | dataDictionaryValues | Array | Yes | Values of the extension attributes, array type. |
    | uuid | String | No | UUID of the extension attribute value. When the login or registration API returns FlowType=NEED_COMPLETE_EXTENSION_ATTR, this value corresponds to data.additional.dataDictionaries[0].dictionaryValueUuid in the returned data. |
    | dictionaryUuid | String | Yes | UUID of the extension attribute. When the login or registration API returns FlowType=NEED_COMPLETE_EXTENSION_ATTR, this value corresponds to data.additional.dataDictionaries[0].uuid in the returned data. |
    | dictionaryValue | String | Yes | Value of the extension attribute, entered by the user. |

    Return Parameters

    {
        "success": true,
        "code": "Operation.Success",
        "message": "Operation.Success",
        "requestId": "1671451557868$5296056b-782c-38e6-aaf4-e2a9580055a9",
        "data": {
            "userId": null,
            "uuid": "9c9f2eb104b1dd8ffc21a8c53cf168fc6LJFouMQJNH",
            "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImUyZTE0MTNmNGRiMzgwOTA4YjRlZDNlYjZmOGJmMDhhMURvZjZDblc0V0QifQ.eyJjaXBoZXJUZXh0IjoiVkh3YXpxZTdVb1owNEs5TTlnN2pqLzUvTEhSc2ZyOG1wVHU0TWdUckYwTGJLZ0ZLaHl0ckRsTktUa2FYUzMxRU1kRE1GWE1iWlZLYXd2SzM2OWk1SGZzZk1rSjcyRHFnbCtUMHZTVzFKRHB3Z1ozS3IyQU01T21FQmx5MDJlNzJ4dmRHalNET1BtNlhZeEtqWGFrelhzR2wwVVRtWEdxNm9mK2FLUzJJNllWOG9rZkRlQlIzb2JTbSt2Y0c3TTRPTm9KTDR6cG11ajZXNENwQTNkeTJQRHBOV0dkRktOeks1cmF2eERJcmJTZUtnMmp4bmFGN2R6SXlBS2xzcnc2eGJzODJuNU5INk5uSnZPZ2NHVW5LRlBqOG4xZHhVTHlLOHlIUk4rRUtMeWJIczcxbmVIeFFzM2pNbi9UaERzdDBuSStmVTI4LzFhMVV6RGd4MXRLUDBkbmNwS3owSGVwbWV5WnF1ZGppWXlZbjN1eVBibWg2SVBuNG1FWGdVbzNQeGp5dDNXRTlkQS9HSmJqR2t2N1NKRzJ4TlRlZnk0ejNhRXZ2UHNmemJpbm5kaG9jVFRrb2ZnbVdyLyt4Ky8yQWx3NFZMZHV5enZHR01jcUpLK3ZNNFE9PSIsImRhdGFDaXBoZXJBbGciOiJERUZBVUxUIiwidGVuYW50S2V5VXVpZCI6IjdhYjQyN2UxMzQ0ZGRlMDFjOWY5NzQ3Mjc2MDM4NGFicGZ0S01hbkZFRkgifQ.5T7iDRsl8FXZN1A-tFPepPS_huDSw8CRHuaCefBSyLs",
            "token_type": "bearer",
            "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImUyZTE0MTNmNGRiMzgwOTA4YjRlZDNlYjZmOGJmMDhhMURvZjZDblc0V0QifQ.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.ZfQ4O1u1lHDIynAg63FpUfBS6BJslza6S33NvzdqMxs",
            "expires_in": 719999,
            "scope": "USER_API,openid,profile",
            "id_token": "eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODEiLCJzdWIiOiI5YzlmMmViMTA0YjFkZDhmZmMyMWE4YzUzY2YxNjhmYzZMSkZvdU1RSk5IIiwiYXVkIjoiZTJlMTQxM2Y0ZGIzODA5MDhiNGVkM2ViNmY4YmYwOGExRG9mNkNuVzRXRCIsImV4cCI6MTY3MjE3MTU2OCwiaWF0IjoxNjcxNDUxNTY5LCJqdGkiOiJrQ050MEpmbkVJZWZWbUdla0Z3QkpBIiwibmJmIjoxNjcxNDUxNTA5LCJ1c2VybmFtZSI6ImQxMjM0NTYiLCJleHRlcm5hbElkIjpudWxsLCJuaWNrbmFtZSI6IlIyMDIyMTEyODE2MTQxMDE2MjE5MDA1OTUiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJSMjAyMjExMjgxNjE0MTAxNjIxOTAwNTk1In0.NXAqFDXtnqIYc08LzEmvCLkuRtiG9UIYpT-v3gka4eHUmWdxb0sAg3WuOWP_VXqWb2EkzFN1Jeo4x--WywBnpkwJ8OXR6GTnLu9eaxxktM7zrrQ-brriCeTm8Oi8UZrRm3ronY_7VvTXgKVNY1hiqbQyQGDp6zo5QdiBRbSyqXvHXkIrz2-R8716TxeGSmPV2PQMGjaFFNCQWgXXDOEX_8TK6TOtRy-nYIe39NeYGWT6X5-IrslsKKTKW3yjc6227EHQtCZjIxK51Ys7hQh-ahoQUbyPFJUQeFbbkRiXokOBIloWfoWWBCsXTfILWJm3wrq9lHyvlavUT64291k8RA",
            "uamParams": null
        }
    }
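    One way to turn a NEED_COMPLETE_ACCOUNT_ATTR or NEED_COMPLETE_EXTENSION_ATTR response into the matching request, as an added example that is not part of the original documentation. It dispatches on flowType because either API may hand back the other kind of pending attributes. Assumptions: form values are keyed by each attribute's fieldValue, accountAttrs entries use the request field names, a dictionary's `required` flag marks a mandatory answer, and the sample responses and UUID placeholders are constructed.

```python
COMPLETE = "/api/bff/v1.2/developer/ciam/complete/"
# Request fields of complete/account_attr, from its parameter table.
ACCOUNT_ATTR_FIELDS = {
    "username", "password", "email", "phoneNumber", "displayName",
    "enDisplayName", "fullName", "gender", "birthday", "country", "region",
    "province", "city", "street", "address", "description", "avatarUuid",
}
# A phone number or email being bound needs the code sent by complete/obtain_code.
PROOF_FIELD = {"phoneNumber": "smsCode", "email": "emailCode"}


def account_body(data, form):
    """Send exactly the attributes the server listed as pending, nothing more."""
    extra = data.get("additional") or {}
    pending = list(extra.get("accountAttrs") or [])
    pending += [attr["fieldValue"] for attr in extra.get("baseAttrs") or []]
    body = {"fId": data["fId"]}
    for name in pending:
        if name not in ACCOUNT_ATTR_FIELDS:
            raise ValueError(f"server asked for unknown attribute {name!r}")
        if not form.get(name):
            raise ValueError(f"{name} is pending and must be supplied")
        body[name] = form[name]
        proof = PROOF_FIELD.get(name)
        if proof:
            if not form.get(proof):
                raise ValueError(f"{proof} is required to bind {name}")
            body[proof] = form[proof]
    if "phoneNumber" in body and form.get("phoneRegion"):
        body["phoneRegion"] = form["phoneRegion"]
    return body


def extension_body(data, form):
    """Map answers onto dataDictionaryValues using the UUIDs from the response."""
    values = []
    for entry in (data.get("additional") or {}).get("dataDictionaries") or []:
        answer = form.get(entry["fieldValue"])
        if answer in (None, ""):
            if entry.get("required"):   # assumption: flag means mandatory
                raise ValueError(f"{entry['fieldValue']} is required")
            continue
        if entry.get("dataDictionaryFieldType") == "SELECT":
            options = entry.get("selectFieldOptions") or []
            if answer not in {opt["optionValue"] for opt in options}:
                raise ValueError(f"{answer!r} is not an offered option")
        value = {"dictionaryUuid": entry["uuid"], "dictionaryValue": answer}
        if entry.get("dictionaryValueUuid"):        # optional "uuid" field
            value["uuid"] = entry["dictionaryValueUuid"]
        values.append(value)
    return {"fId": data["fId"], "dataDictionaryValues": values}


BUILDERS = {
    "NEED_COMPLETE_ACCOUNT_ATTR": ("account_attr", account_body),
    "NEED_COMPLETE_EXTENSION_ATTR": ("extension_attr", extension_body),
}


def build_completion_request(response, form):
    """Return (uri, body) for the completion step the response asks for."""
    data = response.get("data") or {}
    flow = data.get("flowType")
    if flow not in BUILDERS:
        raise ValueError(f"{flow!r} is not a completion flow")
    if not data.get("fId"):
        raise ValueError("response carries no fId to continue the flow")
    endpoint, builder = BUILDERS[flow]
    return COMPLETE + endpoint, builder(data, form)


# Constructed responses in the shape shown above; identifiers are placeholders.
ACCOUNT_FLOW = {"success": True, "data": {
    "fId": "FID-ACCOUNT", "flowType": "NEED_COMPLETE_ACCOUNT_ATTR",
    "additional": {"accountAttrs": ["username", "email"],
                   "baseAttrs": [{"fieldValue": "fullName",
                                  "dataDictionaryFieldType": "TEXT"}]}}}
EXTENSION_FLOW = {"success": True, "data": {
    "fId": "FID-EXT", "flowType": "NEED_COMPLETE_EXTENSION_ATTR",
    "additional": {"dataDictionaries": [
        {"fieldValue": "sex", "uuid": "DICT-UUID-1", "required": False,
         "dataDictionaryFieldType": "SELECT",
         "dictionaryValueUuid": "VALUE-UUID-1",
         "selectFieldOptions": [{"optionValue": "M"}, {"optionValue": "F"}]},
        {"fieldValue": "company", "uuid": "DICT-UUID-2", "required": True,
         "dataDictionaryFieldType": "TEXT", "dictionaryValueUuid": None,
         "selectFieldOptions": []}]}}}

if __name__ == "__main__":
    print(build_completion_request(EXTENSION_FLOW, {"sex": "F", "company": "Acme"}))
```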
  4. Skip adding account information

    During user authentication, if you require account properties to be completed, the system returns FlowType=NEED_COMPLETE_ACCOUNT_ATTR or FlowType=NEED_COMPLETE_EXTENSION_ATTR after authentication is complete. Users can choose to skip adding this information during registration. You can use this API operation to skip adding account information, which includes both account properties and extension properties.

    API endpoint

    Request URI: POST /api/bff/v1.2/developer/ciam/complete/ignore

    Content-Type: application/json

    Request Parameters

    {
        "fId": "xxxxx"
    }

    | Parameter name | Type | Required | Content description |
    | --- | --- | --- | --- |
    | fId | String | Yes | Process ID, generated by the previous process. |

    Return Parameters

    {
        "success": true,
        "code": "Operation.Success",
        "message": "Operation.Success",
        "requestId": "1671451557868$5296056b-782c-38e6-aaf4-e2a9580055a9",
        "data": {
            "userId": null,
            "uuid": "9c9f2eb104b1dd8ffc21a8c53cf168fc6LJFouMQJNH",
            "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImUyZTE0MTNmNGRiMzgwOTA4YjRlZDNlYjZmOGJmMDhhMURvZjZDblc0V0QifQ.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.5T7iDRsl8FXZN1A-tFPepPS_huDSw8CRHuaCefBSyLs",
            "token_type": "bearer",
            "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImUyZTE0MTNmNGRiMzgwOTA4YjRlZDNlYjZmOGJmMDhhMURvZjZDblc0V0QifQ.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.ZfQ4O1u1lHDIynAg63FpUfBS6BJslza6S33NvzdqMxs",
            "expires_in": 719999,
            "scope": "USER_API,openid,profile",
            "id_token": "eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODEiLCJzdWIiOiI5YzlmMmViMTA0YjFkZDhmZmMyMWE4YzUzY2YxNjhmYzZMSkZvdU1RSk5IIiwiYXVkIjoiZTJlMTQxM2Y0ZGIzODA5MDhiNGVkM2ViNmY4YmYwOGExRG9mNkNuVzRXRCIsImV4cCI6MTY3MjE3MTU2OCwiaWF0IjoxNjcxNDUxNTY5LCJqdGkiOiJrQ050MEpmbkVJZWZWbUdla0Z3QkpBIiwibmJmIjoxNjcxNDUxNTA5LCJ1c2VybmFtZSI6ImQxMjM0NTYiLCJleHRlcm5hbElkIjpudWxsLCJuaWNrbmFtZSI6IlIyMDIyMTEyODE2MTQxMDE2MjE5MDA1OTUiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJSMjAyMjExMjgxNjE0MTAxNjIxOTAwNTk1In0.NXAqFDXtnqIYc08LzEmvCLkuRtiG9UIYpT-v3gka4eHUmWdxb0sAg3WuOWP_VXqWb2EkzFN1Jeo4x--WywBnpkwJ8OXR6GTnLu9eaxxktM7zrrQ-brriCeTm8Oi8UZrRm3ronY_7VvTXgKVNY1hiqbQyQGDp6zo5QdiBRbSyqXvHXkIrz2-R8716TxeGSmPV2PQMGjaFFNCQWgXXDOEX_8TK6TOtRy-nYIe39NeYGWT6X5-IrslsKKTKW3yjc6227EHQtCZjIxK51Ys7hQh-ahoQUbyPFJUQeFbbkRiXokOBIloWfoWWBCsXTfILWJm3wrq9lHyvlavUT64291k8RA"
        }
    }

5. Other APIs

  1. Forgot password

    The user enters a mobile number or email address to begin password recovery. If the provided unique identifier is valid, IDaaS issues an OTP verification code, valid for 15 minutes, to the mobile phone.

  2. Send a verification code

    API endpoint

    Request URI: POST /api/bff/v1.2/developer/ciam/forgot_password/send

    Content-Type: application/json

    Request Parameters

    | Parameter name | Type | Required | Content description |
    | --- | --- | --- | --- |
    | fId | String | No | The FId from the previous step in the flow, such as switching the user type. |
    | phoneNumber | String | Yes | Mobile number, required when Type=SMS. |
    | phoneRegion | String | No | Mobile area code, default is 86. |
    | type | String | Yes | Type of password recovery. SMS represents mobile number, EMAIL represents email. |
    | email | String | Yes | Email, required when Type=EMAIL. |
    | language | String | No | Language type for sending the verification code, default is the preferred language. |
    | engineCode | String | No | Gateway code for sending the verification code, default is the preferred gateway of the preferred service provider. |
    | userType | String | No | Custom user type, default is Default. |

    Return Parameters

    | Parameter name | Type | Content description |
    | --- | --- | --- |
    | fId | String | Process ID, required for the next process request API. |

    {
      "success": true,
      "code": "Operation.Success",
      "message": "Operation.Success",
      "requestId": "1672232351358$83cbe428-a81c-039e-3d14-04614f31b52c",
      "data": {
        "fId": "d587561e6b8dad2ab2b90715d5f74372ysYHVUMy2AR"
      }
    }
  3. Verify the verification code

    Use this API to check whether the OTP verification code is accepted. Once the code is verified, you can set a new password.

    API endpoint

    Request URI: POST /api/bff/v1.2/developer/ciam/forgot_password/verify

    Content-Type: application/json

    Request Parameters

    Note: If SMS/email Anti-brute-force is enabled, image CAPTCHA verification is required once the number of verification code send attempts exceeds the risk control threshold.

    | Parameter name | Type | Required | Content description |
    | --- | --- | --- | --- |
    | fId | String | Yes | The FId from the previous step in the flow. |
    | type | String | Yes | The type of attached property. SMS represents a phone number, and EMAIL represents an email address. |
    | code | String | Yes | Verification code entered by the user. |
    | phoneNumber | String | No | Mobile number, required when Type is SMS. |
    | phoneRegion | String | No | Mobile area code. |
    | email | String | No | Email address, required when Type is EMAIL. |
    | captchaCode | String | No | Unique identifier of the image CAPTCHA, returned by the image verification API. |
    | captchaText | String | No | Image CAPTCHA text, entered as the numbers displayed in the CAPTCHA image. |

    Return Parameters

    | Parameter name | Type | Content description |
    | --- | --- | --- |
    | fId | String | Process ID. Return it as is in the request for the next process. |

    {
      "success": true,
      "code": "Operation.Success",
      "message": "Operation.Success",
      "requestId": "1662014149034$463a0625-928e-3951-d004-2bd553d9da51",
      "data": {
        "fId": "64075566080ea2757ada330861adc94a7HjhIK08J25"
      }
    }
  4. Submit a new password

    Once the user has been verified and has retrieved the ForgotPasswordId, they can use this API to set a new password.

    API endpoint

    Request URI: POST /api/bff/v1.2/developer/ciam/forgot_password/update_pwd

    Content-Type: application/json

    Request Parameters

    | Parameter name | Type | Required | Content description |
    | --- | --- | --- | --- |
    | newPassword | String | Yes | New password entered by the user. |
    | fId | String | Yes | Process ID, returned by the previous API. |

    Return Parameters

    {
      "success": true,
      "code": "Operation.Success",
      "message": "Operation.Success",
      "requestId": "1662014236325$ffee369b-f927-abdf-0585-48c2a5c69506",
      "data": null
    }
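
The three forgot-password calls above chained into one client, as an added example that is not part of the IDaaS documentation: the fId from each response feeds the next request, and the flow stops at the first step that does not report success. The function names, the injectable `post` transport and the `Authorization: Bearer` header form are assumptions of this example.

```python
import json
import urllib.request

BASE = "/api/bff/v1.2/developer/ciam/forgot_password"

class FlowError(Exception):
    """A step of the forgot-password flow did not return success."""

def http_post(base_url, token):
    """Build a transport that POSTs JSON; the bearer header form is an assumption."""
    def post(path, body):
        req = urllib.request.Request(
            base_url + path, data=json.dumps(body).encode(), method="POST",
            headers={"Content-Type": "application/json",
                     "Authorization": "Bearer " + token})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return post

def call_step(post, step, body):
    reply = post(f"{BASE}/{step}", body)
    if not reply.get("success"):
        # Surface only the service's code; never echo the OTP or the password.
        raise FlowError(f"{step} failed: {reply.get('code')}")
    return reply.get("data") or {}

def target_fields(kind, phone, email):
    # phoneNumber is required for SMS and email for EMAIL, per the tables above.
    if kind == "SMS" and phone:
        return {"type": "SMS", "phoneNumber": phone}
    if kind == "EMAIL" and email:
        return {"type": "EMAIL", "email": email}
    raise ValueError("type must be SMS with phoneNumber or EMAIL with email")

def send_code(post, kind, phone=None, email=None):
    return call_step(post, "send", target_fields(kind, phone, email))["fId"]

def verify_code(post, fid, code, kind, phone=None, email=None):
    body = {"fId": fid, "code": code, **target_fields(kind, phone, email)}
    return call_step(post, "verify", body)["fId"]

def update_password(post, fid, new_password):
    call_step(post, "update_pwd", {"fId": fid, "newPassword": new_password})
    return True

def reset_password(post, kind, read_code, new_password, phone=None, email=None):
    # Each fId is opaque and single-purpose: pass it on unchanged, never reuse an older one.
    fid = send_code(post, kind, phone, email)
    fid = verify_code(post, fid, read_code(), kind, phone, email)
    return update_password(post, fid, new_password)
```

For a live call, pass `http_post(base_url, token)` as `post`; `read_code` is any callable that returns the code the user typed.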