Skip to main content
Version: v2.0 (latest)

Registering Your Application (iPortal)

Before you can call OIDC Web, register your application as an OIDC client. You do this in iPortal, iProov's centralized, secure customer engagement platform. iPortal gives you a single interface to:

  • register and configure your applications (OIDC clients) and the service providers they run against,
  • invite team members and manage their access,
  • raise support tickets, and
  • access detailed usage reports and look up individual transactions.

If you do not yet have access to iPortal, contact your organization's primary iPortal administrator or your iProov Customer Success representative.

Create an Application

In iPortal, an application is your OIDC client. Open Applications in the left-hand navigation and click Create application. The form has two halves: Application settings (the OIDC client itself) and Service provider settings (the iProov service the client runs against — see below).

Fill in Application settings:

FieldWhat it is
Application NameYour own name for the application; appears in the iPortal applications list.
Client NameThe client name shown to the end user on the verification page.
GDPR ReasonThe reason shown to the user for the request — e.g. "Creating an account" or "Identification".
Policy URIA link to your privacy/usage policy, shown to the user. Must resolve to a valid web page.
Logo ImageYour logo, displayed on the hosted verification page.
Login redirect URI(s)The exact redirect URIs your client uses; add every one.
Logout redirect URI(s)Where the user is sent after the session ends.
Frontchannel / Backchannel logoutLogout-notification URIs for your client.
Token Endpoint AuthenticationYour client-authentication method (see Client Authentication).
Pre-loaded QueryPre-configured authorization parameters; leave blank unless your iProov contact advises otherwise.
Extra scopesScopes added to every authorization request from this client — use it to pre-configure a faceauth_*_only scope (see Scopes).
Server key typeThe algorithm OIDC Web uses to sign ID tokens. RSA RS256 is widely supported; RSA PS256 or ECDSA is required for FAPI.
Use Private Key JWT auth / Use MTLS authAsymmetric client authentication and certificate-bound tokens.
Enable CIBATurn on decoupled authentication (see CIBA).

The form also exposes advanced switches — Developer use only, Allow Demo User, Return transaction-id in id_token, Return userinfo claims in id_token, and Do not hash login_hint. Leave these at their defaults unless your iProov contact advises otherwise. (Do not hash login_hint changes how login_hint maps to biometric profiles and requires the value to be a valid UUID; see Choosing the Authentication Mode.)

Service Provider Settings

Every application belongs to a service provider (SP) — the iProov service your usage is reported and billed against. You set this up in the Service provider settings panel of the same Create application form:

  • Service Location — the iProov region that performs the verification (for example, Europe Multitenant). Pick the location closest to your users for the lowest latency.
  • Environment — the SP environment type (see the table below).
  • Service Provider — choose Create new service provider to provision a new one, or select an existing SP to reuse it for this application.
  • Service Provider Name — when creating a new SP, give it a meaningful, descriptive name.

Recommended naming conventions for a new service provider

  • Direct customers: <customer name>.<product or use case>.<country or region>.<environment> — for example, WaterlooBank.banking.uk.prod.
  • Partners: <partner name>.<end customer name>.<product or use case>.<country or region>.<environment> — for example, Microsoft.WaterlooBank.banking.uk.prod.

Environment types:

TypeDescriptionRestrictionsIntended use
Development (dev)Some biometric and security tests are disabled by default, so development tooling can be used.Fair-use transaction and TPS/TPM policy applies. The SP is suspended after 12 months with no traffic.Development; functional and integration testing.
Test (test)All biometric and security tests are enabled. Suitable for demos and for testing against threat methods (consult iProov's rules of engagement first). The Secured by iProov logo is shown.Development tooling may cause transactions to be rejected. Fair-use transaction and TPS/TPM policy applies. The SP is suspended after 12 months with no traffic.User-acceptance testing, pre-production, threat-method testing, demos.
Production (prod)All biometric and security tests are enabled. For production traffic only.TPS/TPM limits follow your contract. All transactions are billable per your contract.Production only.

Click Create. iPortal provisions the application and issues your client_id (and a client secret, where your authentication method uses one). Keep these safe — you'll use them in every flow in Part B. To edit an application or its settings later, open it from the Applications list.

Invite Your Team

Invite colleagues so they can manage service providers, read reports, and raise support tickets:

  1. Log in to iPortal.
  2. Go to Users › Invite New Users.
  3. Assign roles — select Admin for users who need to manage (and remove) other users.
  4. See Help & Support in iPortal for the full list of access rights.

Reports and Transaction Lookup

iPortal also gives you self-service insight into your iProov usage:

  • Reporting — detailed dashboards and reports with daily, hourly, and monthly usage data, plus historical trends to help you understand performance and user behavior.
  • Transaction lookup / username search — drill into an individual transaction. When a verification fails, iPortal surfaces diagnostic information that helps you understand the user's journey.

A note on the registration API. OIDC Web also exposes a standards-based OpenID Connect Dynamic Client Registration endpoint. We recommend managing clients through iPortal, the supported path that keeps your configuration consistent. If you need to register clients programmatically via the API, contact iProov first. We will advise on whether the API fits your use case and how to enable it.