
Security Architecture

UIP is built on a zero-trust, zero-knowledge architecture. Your biometric data never leaves your device, personal information is encrypted with AES-256, and all communications use end-to-end encryption.

Zero-Knowledge Architecture

UIP verifies identity without storing personal data. Biometrics are processed locally on the user’s device.

AES-256 Encryption

All personally identifiable information is encrypted at rest with AES-256-GCM, an authenticated encryption mode that protects both the confidentiality and the integrity of stored records.

On-Device Biometrics

Biometric templates never leave the user’s device. Authentication happens locally; only a cryptographic proof that it completed is sent to UIP.

End-to-End Encryption

All API communications, webhooks, and messages are encrypted in transit. HTTPS is required for all webhook URLs.

Biometric Security

UIP uses government-grade biometric verification with multiple layers of fraud prevention:

Liveness Detection

The UIP app performs real-time liveness checks during biometric scans to prevent attacks using photos, videos, or masks. Users must demonstrate live presence through interactive prompts.
  • On-device processing: biometric data (fingerprint templates, facial geometry) is processed entirely on the user’s device. Only cryptographic proofs are transmitted, never raw biometric data.
  • Document verification: identity verification is performed through Didit, a government-grade verification provider. Users scan official documents (passport, driver’s license, national ID) with live selfie matching.
  • Multi-factor anti-spoofing: document authenticity checks, biometric liveness detection, and cross-reference validation are combined to prevent identity fraud.

API Security

Authentication

All API requests require Bearer token authentication:
Authorization: Bearer YOUR_API_KEY
API keys are SHA-256 hashed before storage — UIP never stores plaintext keys. Keys support two authentication modes:

Direct API Keys

Standard UUID-format API keys for businesses making direct API calls. Full access to all endpoints.

Delegation Tokens

Platform delegation tokens (uip_at_ prefix) generated via the Authorize API. Scoped access based on granted permissions.

Rate Limiting

UIP enforces rate limits to ensure fair usage and system stability:
Scope               Limit           Window
Global (per IP)     500 requests    1 minute
Per API Key         300 requests    1 minute
Authorize endpoint  100 requests    1 minute
When rate limited, the API returns HTTP 429 with Retry-After and X-RateLimit-Remaining headers.
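A client-side handler for the 429 behaviour described above, as an added example (not UIP client code): it retries a request when the API answers 429, sleeps for the time given in Retry-After (delta-seconds or an HTTP-date), and gives up after a bounded number of attempts instead of hammering the endpoint. The fetch and sleep functions are injected so the logic can run and be tested offline; the response shape assumed (status plus headers.get) is that of the global fetch in Node 18+.

```javascript
// Retry-After is either delta-seconds ("7") or an HTTP-date. Returns a
// delay in milliseconds, or `fallbackMs` when the header is absent or
// unparseable.
function retryAfterMs(value, fallbackMs, now = Date.now()) {
  if (value === undefined || value === null || value === '') return fallbackMs;
  const seconds = Number(value);
  if (Number.isFinite(seconds) && seconds >= 0) return seconds * 1000;
  const at = Date.parse(value);
  if (!Number.isNaN(at)) return Math.max(0, at - now);
  return fallbackMs;
}

function defaultSleep(ms) {
  return new Promise((resolve) => setTimeout(resolve, ms));
}

// doFetch(): Promise<{ status: number, headers: { get(name): string|null } }>
// Returns { response, attempts, delays } on any non-429 status; throws
// once maxRetries retries have been used up, so callers never loop forever.
async function requestWithRetry(doFetch, options = {}) {
  const { maxRetries = 3, fallbackDelayMs = 1000, sleep = defaultSleep } = options;
  const delays = [];
  for (let attempt = 1; ; attempt++) {
    const response = await doFetch();
    if (response.status !== 429) {
      return { response, attempts: attempt, delays };
    }
    if (attempt > maxRetries) {
      const err = new Error(`rate limited after ${attempt} attempts`);
      err.response = response;
      err.attempts = attempt;
      throw err;
    }
    // Honour the server's Retry-After rather than retrying immediately.
    const delayMs = retryAfterMs(response.headers.get('retry-after'), fallbackDelayMs);
    delays.push(delayMs);
    await sleep(delayMs);
  }
}

// Constructed stand-in for fetch (no network): answers 429 with
// Retry-After: 2 for the first `limitedCount` calls, then 200.
function makeFakeFetch(limitedCount) {
  let calls = 0;
  return async () => {
    calls++;
    const limited = calls <= limitedCount;
    const headers = new Map(limited
      ? [['retry-after', '2'], ['x-ratelimit-remaining', '0']]
      : [['x-ratelimit-remaining', '299']]);
    return { status: limited ? 429 : 200, headers };
  };
}
```

X-RateLimit-Remaining is also worth reading on successful responses: when it approaches zero, pacing requests proactively avoids the 429 in the first place.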

SSRF Protection

Webhook URLs are validated to prevent server-side request forgery (SSRF), so a registered webhook cannot be used to make UIP call into internal networks. UIP blocks webhook delivery to:
  • Private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  • Loopback addresses (127.0.0.0/8, ::1)
  • Link-local addresses (169.254.0.0/16)
  • IPv6 unique local addresses (fc00::/7)

Webhook Signature Verification

Every webhook request carries an X-UIP-Signature header containing an HMAC-SHA256 signature of the request body. Verify this signature before acting on the payload:
const crypto = require('crypto');

// payload: preferably the raw request body (string or Buffer) exactly as
// received. Falling back to JSON.stringify of an already-parsed object
// only works when it reproduces the bytes UIP signed byte-for-byte.
function verifyWebhook(payload, signature, secret) {
  const body = (typeof payload === 'string' || Buffer.isBuffer(payload))
    ? payload
    : JSON.stringify(payload);
  const expected = crypto
    .createHmac('sha256', secret)
    .update(body)
    .digest('hex');
  const received = Buffer.from(String(signature || ''), 'utf8');
  const wanted = Buffer.from(expected, 'utf8');
  // timingSafeEqual throws on a length mismatch, so check the length first;
  // a signature of the wrong length is simply invalid, not a server error.
  if (received.length !== wanted.length) return false;
  return crypto.timingSafeEqual(received, wanted);
}
Always verify webhook signatures. Without verification, anyone who learns your endpoint URL can post forged payloads to it and have them processed as if they came from UIP.

Data Protection

Encryption at Rest

All PII (names, dates of birth, countries) is encrypted using AES-256-GCM before storage. Encryption keys are managed separately from encrypted data.

Encryption in Transit

All API communications use TLS 1.2+. Webhook URLs must use HTTPS — HTTP endpoints are rejected.

Data Minimization

UIP applies data minimization and least privilege to the data it handles:
  • Only the identity fields explicitly listed in requested_data are returned
  • Session data expires automatically (5 minutes for identify/sign sessions)
  • Completed session data is returned once via polling and then cleared
  • Audit records store only what is needed for legal compliance

Compliance

GDPR

Zero-knowledge architecture with user-controlled data. No personal data stored without explicit consent.

eIDAS

Electronic signatures meet EU requirements for advanced electronic signatures with identity verification.

ESIGN Act

Signatures comply with US Electronic Signatures in Global and National Commerce Act.

SOX

Audit trails support Sarbanes-Oxley compliance with permanent, tamper-evident records.

Security Best Practices

Store Keys Securely

Use environment variables or secrets management. Never commit API keys to version control.

Verify Webhooks

Always validate the X-UIP-Signature header before processing webhook payloads.

Use HTTPS

All webhook URLs must use HTTPS. The API itself is served over HTTPS only.

Minimize Data Requests

Only request the identity fields you need. Users are more likely to approve minimal data requests.