Getting started
Introduction
The CAMARA KYC Match API provides a standardized mechanism to customer with the ability to compare the information it (Service Provider, SP) has for a particular user with that on file (and verified) by the user's Operator in their own KYC records, in order for the SP to confirm the accuracy of the information and provide a specific service to the user
API Scope
The current API implementation is applicable to any mass-market Orange France mobile customer, including SOSH customers.
Subscribe to the API
You get the Authorization header credentials when you register your application on the Orange Developer Console.
API Authentication
HTTPS requests to the REST API are protected with CIBA 3-Legged OAuth.
In short, the API Invoker (e.g. Application Backend or Aggregator) before to request SIM swap check, needs to request a Three-Legged Access Token from Orange Authorization Server. The process follows the OpenID Connect Client-Initiated Backchannel Authentication (CIBA) flow.
Step 1: request the OAuth authorization code from the user device
The API Invoker provides in the authorization request (/bc_authorize) a login_hint with a valid User identifier together with the application credentials (client_assertion & client_assertion_type) and indicates the Purpose for processing Personal Data. The Orange implementation follows the CAMARA scope definition. The scope must be set to: opendid dpv:<dpvValue> <technicalParameter>. dpv stands for Data Privacy Vocabulary.
Note on JWT usage via client assertion: client_assertion is a JWT used by a client to authenticate itself to an authorization server, while client_assertion_type specifies the type of assertion being used, typically indicating it is a JWT. Together, they facilitate secure client authentication in OAuth 2.0 and OpenID Connect protocols. API consumer as to define JWK keystore in settings tab of the application in Orange Developer
For current implementation only FraudDetectionAndPrevention dpv value is managed, which means that:
- the scope in the
bc-authorizemust be set toopenid dpv:FraudPreventionAndDetection kyc-match:match
Orange Authorization Server will check if the owner of the phone number did not opted-out to authorize access to this data. If this is not the case a response 200 is sent back with a authorization request identifier (auth_req_id). If the resource owner or OpenID Provider denied the request an error 403 Forbidden is sent back.
Request:
curl -X POST \
'https://api.orange.com/openidconnect/ciba/fr/v1/bc-authorize' \
--header 'Accept: */*' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'login_hint=336666666' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'client_assertion=eyJhbGciOiJSUz...1jjGg' \
--data-urlencode 'scope=openid dpv:FraudPreventionAndDetection kyc-match:match'
Response:
200
Content-Type: application/json
{
"auth_req_id": "y_azuw2HT4fWYPb0-0w2DBhaEq8",
"expires_in": 120,
"interval": 2
}
Step 2: Request the OAuth access token
Once the client application gets the authorization code, the API Invoker polls the token endpoint by making an "HTTP POST" request by sending the grant_type (urn:openid:params:grant-type:ciba), auth_req_id (OperatorAuthReqId) and the the application credentials (client_assertion & client_assertion_type) parameters
If the transaction succeeds, in the POST response, the acccess_token is provided.
Request:
curl -X POST \
'https://api.orange.com/openidconnect/ciba/fr/v1/token' \
--header 'Accept: */*' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'client_assertion=eyJhbGciOi....iuT111jjGg' \
--data-urlencode 'auth_req_id=y_azuw2HT4fWYPb0-0w2DBhaEq8' \
--data-urlencode 'grant_type=urn:openid:params:grant-type:ciba'
Response:
200
Content-Type: application/json
{
"access_token": "OFR_28Fp...Jb60y3KPvcZaOTHJ_sFnjOmyHN5PxXG...osYpKu3gA4utWicDw",
"token_type": "Bearer",
"refresh_token": "4bwc0ESC_IAhflf-ACC_vjD_ltc11ne-8gFPfA2Kx16",
"expires_in": 120,
"id_token": "OFR_28Fp...Jb60y3KPvcZaOTHJ_sFnjOmyHN5PxXG...osYpKu3gA4utWicDw"
}
Step 3: Access protected resources using OAuth access token
In order to call our API, the access_token is mandatory.
Specific documentation about match resource is provided below.
API Description
Summary of resources
This API has one resource match. MatchResult attribute provides in the response information about mobile equipment location check.
Summary of methods and URL
| Use case of operation | URL method |
|---|---|
| I want to confirm (using my application server/backend service) the identity of a customer by comparison to MNO user's information. Information which could be provided are phone number, given name, family name, street address, city, country, region, postal code, birthdate, email address, etc. | POST "https://api.orange.com/camara/ofr/kyc-match/v0.2/match" |
Summary of request body parameters
In bold parameters currently available in Orange France API
| Name | Type | Description | Mandatory |
|---|---|---|---|
| phoneNumber | string | Subscriber number in E.164 format (starting with country code). Optionally prefixed with '+' | No |
| idDocument | string | Id number associated to the official identity document in the country. It may contain alphanumeric characters | No |
| name | string | Complete name of the customer, usually composed of first/given name and last/family/sur- name in a country. Depending on the country, the order of first/give name and last/family/sur- name varies, and middle name could be included. It can use givenName, middleNames, familyName and/or familyNameAtBirth. For example, in ESP, name+familyName; in NLD, it can be name+middleNames+familyName or name+middleNames+familyNameAtBirth, etc | |
| givenName | string | First/given name or compound first/given name of the customer | No |
| familyName | string | Last name, family name, or surname of the customer | No |
| nameKanaHankaku | string | Complete name of the customer in Hankaku-Kana format (reading of name) for Japan | No |
| nameKanaZenkaku | string | Complete name of the customer in Zenkaku-Kana format (reading of name) for Japan | No |
| middleNames | string | Middle name/s of the customer | No |
| familyNameAtBirth | string | Last/family/sur- name at birth of the customer | No |
| address | string | Complete address of the customer. For some countries, it is built following the usual concatenation of parameters in a country, but for other countries, this is not the case. For some countries, it can use streetName, streetNumber and/or houseNumberExtension. For example, in ESP, streetName+streetNumber; in NLD, it can be streetName+streetNumber or streetName+streetNumber+houseNumberExtension | No |
| streetName | string | Name of the street of the customer's address. It should not include the type of the street | No |
| streetNumber | string | The street number of the customer's address. Number identifying a specific property on the 'streetName' | No |
| postalCode | string | Zip code or postal code | No |
| region | string | Region/prefecture of the customer's address | No |
| locality | string | Locality of the customer's address | No |
| country | string | Country of the customer's address. Format ISO 3166-1 alpha-2 - example: FR | No |
| houseNumberExtension | string | Specific identifier of the house needed depending on the property type. For example, number of apartment in an apartment building | No |
| birthdate | string | The birthdate of the customer, in ISO 8601 calendar date format (YYYY-MM-DD) | No |
| string | Email address of the customer in the RFC specified format (local-part@domain) | No | |
| gender | string | Gender of the customer (Male/Female/Other) | No |
Summary of response parameters
In bold parameters currently available in Orange France API
| Name | Type | Description | Mandatory |
|---|---|---|---|
| idDocumentMatch | string | Indicates whether Id number associated to the id_document of the customer matches with the one on the Operator's system | No |
| nameMatch | string | Indicates whether the complete name of the customer matches with the one on the Operator's system | No |
| nameMatchScore | integer | Indicates the similarity score assigned to the input value when it does not exactly match the name stored in the operator's system | No |
| givenNameMatch | string | Indicates whether the complete given name of the customer matches with the one on the Operator's system | No |
| givenNameMatchScore | integer | Indicates the similarity score assigned to the input value when it does not exactly match the given name stored in the operator's system | No |
| familyNameMatch | string | Indicates whether last name/ family name/ surname of the customer matches with the one on the Operator's system | No |
| familyNameMatchScore | integer | Indicates the similarity score assigned to the input value when it does not exactly match the family name stored in the operator's system | No |
| nameKanaHankakuMatch | string | Indicates whether complete name of the customer in Hankaku-Kana format (reading of name) for Japan matches with the one on the Operator's system | No |
| nameKanaHankakuMatchScore | integer | Indicates the similarity score assigned to the input value when it does not exactly match the name in Hankaku-Kana format stored in the operator's system | No |
| nameKanaZenkakuMatch | string | Indicates whether complete name of the customer in Zenkaku-Kana format (reading of name) for Japan matches with the one on the Operator's system | No |
| nameKanaZenkakuMatchScore | integer | Indicat es the similarity score assigned to the input value when it does not exactly match the name in Zenkaku-Kana format stored in the operator's system | No |
| middleNamesMatch | string | Indicates whether the middle names of the customer matches with the one on the Operator's system | No |
| middleNamesScore | integer | Indicates the similarity score assigned to the input value when it does not exactly match the middle names stored in the operator's system | No |
| familyNameAtBirthMatch | string | Indicates whether the Family Name At Birth of the customer matches with the one on the Operator's system | No |
| familyNameAtBirthMatchScore | integer | Indicates the similarity score assigned to the input value when it does not exactly match the family name at birth stored in the operator's system | No |
| addressMatch | string | Indicates whether complete address of the customer matches with the one on the Operator's system | No |
| addressMatchScore | integer | Indicates the similarity score assigned to the input value when it does not exactly match the address stored in the operator's system | No |
| streetNameMatch | string | Indicates whether the street name of the customer matches with the one on the Operator's system | No |
| streetNameMatchScore | integer | Indicates the similarity score assigned to the input value when it does not exactly match the street name stored in the operator's system | No |
| streetNumberMatch | string | Indicates whether the street number of the customer matches with the one on the Operator's system | No |
| streetNumberMatchScore | integer | Indicates the similarity score assigned to the input value when it does not exactly match the street number stored in the operator's system | No |
| postalCodeMatch | string | Indicates whether the postal code / zip code of the customer matches with the one on the Operator's system | No |
| regionMatch | string | Indicates whether the region of the customer's address matches with the one on the Operator's system | No |
| regionMatchScore | integer | Indicates the similarity score assigned to the input value when it does not exactly match the region stored in the operator's system | No |
| localityMatch | string | Indicates whether the locality of the customer's locality matches with the one on the Operator's system | No |
| localityMatchScore | integer | Indicates the similarity score assigned to the input value when it does not exactly match the locality stored in the operator's system | No |
| countryMatch | string | Indicates whether the country of the customer's address matches with the one on the Operator's system | No |
| houseNumberExtensionMatch | string | Indicates whether the house number extension of the customer's address with the one on the Operator's system | No |
| birthdateMatch | string | Indicates whether the birthdate of the customer matches with the one on the Operator's system | No |
| emailMatch | string | Indicates whether the email address of the customer matches with the one on the Operator's system | No |
| emailMatchScore | integer | Indicates the similarity score assigned to the input value when it does not exactly match the email stored in the operator's system | No |
| genderMatch | string | Indicates whether the gender of the customer matches with the one on the Operator's system | No |
Request
curl -X POST "https://api.orange.com/camara/ofr/kyc-match/v0.2/match"
-H "Authorization: Bearer {your access token}"
-H "Cache-Control: no-cache"
-H 'accept: application/json'
-H 'Content-Type: application/json'
-d '{
"phoneNumber": "+33699901040",
"givenName": "Pet er",
"familyName": "Lefebvre",
"address": "14 blevard de Perrier",
"locality": "Gilbert",
"email": "peter.lefebvre@sfr.fr",
"country": "FR",
"postalCode": "44000",
"gender": "FEMALE"
}'
Response
200 Match successful
Content-Type: application/json
{
"givenNameMatch": "false",
"givenNameMatchScore": 96,
"familyNameMatch": "true",
"addressMatch": "false",
"addressMatchScore": 98,
"postalCodeMatch": "true",
"localityMatch": "true",
"countryMatch": "true",
"emailMatch": "true",
"genderMatch": "not_available"
}
Fields description
The response contains
- MatchResult attributes valued to
truewhen user's information matches exactely with information held by the MNO,falsewhen it doesn't match exactly ornot_availablewhen the MNO doesn't hold user's information. - MatchScore, a numerical value that quantifies the similarity between two pieces of text based on the words they contain for some MatchResult attributes in case of value is equal to
false.
Most frequent errors
If invalid input are provided in particular for the device identifier a 400 error is triggered.
HTTP/1.1 400 Invalid input
Content-Type: application/json
{
"code": "INVALID_ARGUMENT",
"status": 400,
"message": "Invalid input"
}
If the network back end is not able to localize the equipment, a 404 error is sent.
HTTP/1.1 404 Not Found
Content-Type: application/json
{
"status": 404,
"code": "NOT_FOUND",
"message": "Unknown Location"
}
If the localisation service is not up and running, a 503 error is sent.
HTTP/1.1 503 Service unavailable
Content-Type: application/json
{
"code": "UNAVAILABLE",
"status": 503,
"message": "Service unavailable"
}
There are some cases where your client application will no longer gain access to API resources, and get an error back.
Please check the following points:
- Here, you attempt to use an expired or revoked access_token and you get an invalid token error. You will have to request a new access_token. As an example:
HTTP/1.1 401 Unauthorized
Content-Type: application/json
{
"code": "UNAUTHENTICATED",
"status": 401,
"message": "Authorization failed: ..."
}
- Here, you removed your subscription to the API so that the capability to generate an access_token is not allowed anymore. As an example:
HTTP/1.1 403 Forbidden
Content-Type: application/json
{
"code": "PERMISSION_DENIED",
"status": 403,
"message": "Operation not allowed: ..."
}
Looking for support ?
Facing technical issue when using this API ? please contact us
History of document
| Version of the document | modification date | description of modifications |
|---|---|---|
| 0.2 | 05/02/2025 | update by Orange CAMARA APIs team |
| 0.1 | 02/12/2024 | initialization by Orange CAMARA APIs team |