Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.uip.digital/llms.txt

Use this file to discover all available pages before exploring further.

Security architecture

Biometrics stay on the user’s device, personal data is encrypted with AES-256 at rest, and every critical user action is signed on-device with a private key the server never sees.

On-device biometrics

Biometric templates never leave the user’s device. Authentication happens locally; only a cryptographic signature is sent to the server.

AES-256-GCM at rest

All personally identifiable fields are encrypted at rest with authenticated AES-256-GCM.

ECDSA P-256 signatures

Every identify, sign, and message action is signed on-device with the user’s ECDSA P-256 private key. The public key is registered during enrollment and used for server-side verification.

TLS everywhere

All API traffic and webhook deliveries are HTTPS-only. Webhook endpoints with HTTP URLs are rejected.

Biometric security

UIP uses government-grade biometric verification with multiple layers of fraud prevention:

Liveness detection

The UIP app performs real-time liveness checks during biometric scans to prevent attacks using photos, videos, or masks. Users must demonstrate live presence through interactive prompts.
Biometric data (fingerprint templates, facial geometry) is processed entirely on the user’s device. Only cryptographic proofs are transmitted — never raw biometric data.
Identity verification is performed through a government-grade verification provider. Users scan official documents (passport, driver’s license, national ID) with live selfie matching.
Multi-layer anti-spoofing combines document authenticity checks, biometric liveness detection, and cross-reference validation to prevent identity fraud.

API security

Authentication

All API requests require Bearer token authentication: 
Authorization: Bearer YOUR_API_KEY
API keys have the uip_sk_ prefix. Keys are SHA-256 hashed before storage — UIP never stores plaintext keys. You can rotate or revoke any key at any time from the dashboard.

Rate limiting

UIP enforces rate limits to ensure fair usage and system stability:
ScopeLimitWindow
Global (per IP)500 requests1 minute
Per API Key300 requests1 minute
When rate limited, the API returns HTTP 429 with Retry-After and X-RateLimit-Remaining headers.

SSRF protection

Webhook URLs are validated against SSRF attacks. UIP blocks webhook delivery to:
  • Private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  • Loopback addresses (127.0.0.0/8, ::1)
  • Link-local addresses (169.254.0.0/16)
  • IPv6 unique local addresses (fc00::/7)

Webhook signature verification

All webhook payloads include an X-UIP-Signature header containing an HMAC-SHA256 signature. Verify this signature to ensure webhook authenticity: 
const crypto = require('crypto');

function verifyWebhook(payload, signature, secret) {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(JSON.stringify(payload))
    .digest('hex');
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}
Always verify webhook signatures. Without verification, attackers could send fake webhook payloads to your endpoint.

Data protection

Encryption at rest

All PII (names, dates of birth, document numbers, addresses) is encrypted using AES-256-GCM before storage. Encryption keys are managed separately from the encrypted data.

Encryption in transit

All API communications use TLS 1.2+. Webhook URLs must use HTTPS — HTTP endpoints are rejected.

Data minimization

UIP follows the principle of least privilege for data:
  • Only return identity fields explicitly requested in requested_data
  • Session data expires automatically (about 5 minutes for identify and sign sessions)
  • Completed session data is returned once via polling and then cleared
  • Audit records are append-only and store only what’s needed for legal compliance

Compliance

GDPR

User-controlled data. No personal data stored without explicit consent.

eIDAS

Electronic signatures align with EU requirements for advanced electronic signatures with identity verification.

ESIGN Act

Signatures comply with the US Electronic Signatures in Global and National Commerce Act.

SOX

Audit trails support Sarbanes-Oxley compliance with permanent, tamper-evident records.

Security best practices

Store keys securely

Use environment variables or secrets management. Never commit API keys to version control.

Verify webhooks

Always validate the X-UIP-Signature header before processing webhook payloads.

Use HTTPS

All webhook URLs must use HTTPS. API calls are HTTPS-only by default.

Minimize data requests

Only request the identity fields you need. Users are more likely to approve minimal data requests.