Skip to main content

Onfido

Community-contributed integration

This integration is community-maintained. Reference: ory/integrates/identity-verification/onfido.

Onfido is a global identity verification platform that composes document, biometric, motion, and database checks through configurable workflows. This integration creates an Onfido applicant and workflow run from Ory Actions during registration, consumes Onfido's HMAC-signed callback when the workflow finishes, and gates sign-in on the stored verification status.

Endpoints

PathTriggerAuthPurpose
POST /onfido/initiatesync registration.afterX-Webhook-SecretCreates an Onfido applicant + workflow run with custom_data.kratos_identity_id; returns the SDK token to the client; writes the Onfido IDs to metadata_public.
POST /onfido/callbackasync, FROM OnfidoX-SHA2-Signature (HMAC-SHA256 of raw body)Resolves the Kratos identity via custom_data.kratos_identity_id; PATCHes status (approved / review / declined) onto the identity.
POST /onfido/validatesync login.after, can_interrupt: trueX-Webhook-SecretBlocks login when metadata_public.onfido.status == "declined".

Required env vars

ORY_WEBHOOK_SECRET        Bearer / X-Webhook-Secret value Ory sends
KRATOS_ADMIN_URL          Ory Network admin URL (or self-hosted Kratos admin)
ORY_API_KEY               Ory admin API token (identities:write)
ONFIDO_API_TOKEN          Onfido API token
ONFIDO_REGION             EU | US | CA  (selects API base host)
ONFIDO_WORKFLOW_ID        Workflow id (defines what checks run)
ONFIDO_WEBHOOK_TOKEN      HMAC secret for /onfido/callback
PORT                      default: 3000

Run

cd webhook/
cp .env.example .env
npm install
npm start              # runs `tsx server.ts`

Configure Ory

  1. Use ory-actions.yaml as the snippet for selfservice.flows.{registration,login}.after.hooks.
  2. The body templates are in jsonnet/.
  3. The /onfido/callback URL must be publicly reachable; configure it under Onfido Dashboard → Webhooks with the matching ONFIDO_WEBHOOK_TOKEN.
  4. The Onfido SDK token returned by /onfido/initiate is short-lived — use it to render the verification UI immediately.

Resources

Ory Network

The largest Identity and Access Management network in the world. So you can get back to building your business.

Sign up for free