Skip to main content
Version: v2.0 (latest)

Decoupled Authentication (CIBA)

Client-Initiated Backchannel Authentication (CIBA) lets the device that requests authentication differ from the device where the user verifies. No browser redirect is involved. Use CIBA for call-center identity checks, point-of-sale, app-to-app, and transaction confirmation.

Step 1 — Start the Authentication

Call the backchannel endpoint. The login_hint identifies whose biometric profile to verify against, exactly as in Choosing the Authentication Mode:

curl -s -X POST "$BASE/oidc/v1/authorize_ciba" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d client_id=$CLIENT_ID \
-d scope="openid faceauth_dynamic_only" \
-d login_hint="jane.doe@example.com"

Response:

{ "auth_req_id": "…", "expires_in": 300, "interval": 5 }

Step 2 — Obtain the Tokens

OIDC Web supports poll and ping delivery modes. To poll, call the token endpoint with the CIBA grant:

curl -s -X POST "$BASE/oidc/v1/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d grant_type=urn:openid:params:grant-type:ciba \
-d auth_req_id=<auth_req_id> \
-d client_id=$CLIENT_ID

Until the user finishes verifying, the token endpoint returns authorization_pending. Honor the interval between polls. On success, you receive the same token response as the authorization-code flow. As with all flows, we recommend signing the backchannel request.