API Reference

AutoKYC offers REST and GraphQL APIs to orchestrate onboarding, KYB, sanctions screening, liveness checks, and risk decisioning. This overview summarizes authentication, endpoints, and payload conventions before you dive into the detailed schemas.

Base URLs & environments

Production

https://api.autokyc.com/v1/

Global edge with region pinning via X-AutoKYC-Region.

Sandbox

https://sandbox.api.autokyc.com/v1/

Deterministic test data and seeded watchlist scenarios for QA.

GraphQL endpoint: /graphql • REST base path: /v1/*

Authentication & authorization

APIs use bearer tokens scoped to environments and capabilities. Console-generated keys can be rotated via API or Terraform. For client-side integrations, use publishable keys with short-lived session tokens.

  • Server-to-server requests: Authorization: Bearer <AUTOKYC_API_KEY>.
  • GraphQL operations support @requiresScope directives to enforce fine-grained permissions.
  • Webhook signatures are validated with HMAC-SHA256 against environment secrets.
  • Audit trails capture IP, service account, and workflow context for every call.

REST resources

REST endpoints follow predictable resource naming aligned to KYC/KYB lifecycle stages. Responses include idempotency metadata and links to related GraphQL nodes.

/kyc/onboard

Create individual onboarding requests, attach documents, and request liveness challenges.

/kyb/entities

Submit business onboarding with UBO declarations, registry lookups, and document packets.

/aml/screenings

Trigger sanctions, PEP, and adverse media screening with dual-provider deduplication.

/risk/cases

Manage escalations, analyst assignments, voting outcomes, and audit notes.

All POST endpoints support Idempotency-Key headers. Error payloads follow RFC 7807 with localized messages.

GraphQL schema highlights

The GraphQL API exposes the same resources with richer filtering, nested relations, and subscription hooks for real-time updates.

  • applicant(id: ID!): Applicant — retrieve status, risk scores, and document metadata.
  • case(id: ID!): Case — includes escalation path, assigned analyst, and webhook delivery state.
  • decisionFeed subscription — stream final decisions, ideal for orchestrating downstream workflows.
  • sdkConfigurations — fetch environment-specific SDK feature flags for web/mobile embeds.

Webhooks & eventing

Webhooks keep your systems in sync with AutoKYC decisions. All events include immutable references to evidence, analyst votes, and rules engine context.

  • kyc.decision.finalised — triggered when an applicant clears KYC or requires escalation.
  • kyb.entity.refresh_due — schedule ongoing due diligence runs and request updated documents.
  • risk.case.escalated — send high-risk cases to your case management system for joint review.
  • Webhooks are retried for 72 hours with exponential backoff; all payloads are signed via the X-AutoKYC-Signature header.

Verify signatures using the helper functions in the official SDKs or the @autokyc/webhook npm package.
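
A receiver-side check for the X-AutoKYC-Signature header, added here as an illustration; it is not taken from the AutoKYC SDKs or the @autokyc/webhook package. It assumes the header carries the hex-encoded HMAC-SHA256 of the raw request body, and the function names, sample secret and payload fields are constructed for the example.

```javascript
// Added example, not AutoKYC SDK code. Assumptions: the signature is the
// hex-encoded HMAC-SHA256 of the raw request body, keyed with the
// environment secret. Confirm the exact format in the webhook schema docs.
const crypto = require('node:crypto');

// Returns true only if signatureHeader is the hex HMAC-SHA256 of rawBody.
function verifyWebhook(rawBody, signatureHeader, secret) {
  if (typeof signatureHeader !== 'string') return false;       // header missing
  if (!/^[0-9a-f]{64}$/i.test(signatureHeader)) return false;  // not 32 bytes of hex
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  const received = Buffer.from(signatureHeader, 'hex');
  // Both buffers are exactly 32 bytes here, so timingSafeEqual cannot throw,
  // and the comparison time does not depend on where the bytes differ.
  return crypto.timingSafeEqual(expected, received);
}

// Reject before parsing: untrusted JSON is only decoded after the MAC checks out.
function handleDelivery(rawBody, headers, secret) {
  if (!verifyWebhook(rawBody, headers['x-autokyc-signature'], secret)) {
    return { status: 401, event: null };
  }
  return { status: 200, event: JSON.parse(rawBody.toString('utf8')) };
}

// Constructed sample delivery (secret and payload fields are made up).
const SAMPLE_SECRET = 'example-environment-secret';
const SAMPLE_BODY = Buffer.from('{"type":"kyc.decision.finalised", "applicant":"app_123"}');
const SAMPLE_SIG = crypto.createHmac('sha256', SAMPLE_SECRET)
  .update(SAMPLE_BODY).digest('hex');

// A correctly signed delivery is accepted and parsed.
console.log(handleDelivery(SAMPLE_BODY, { 'x-autokyc-signature': SAMPLE_SIG }, SAMPLE_SECRET));

// Common integration bug: verifying a re-serialised body. JSON.stringify drops
// the space after the comma, so the bytes differ and verification fails.
const reencoded = Buffer.from(JSON.stringify(JSON.parse(SAMPLE_BODY.toString('utf8'))));
console.log(verifyWebhook(reencoded, SAMPLE_SIG, SAMPLE_SECRET));
```

In a web framework, capture the request body as bytes before any JSON middleware runs and pass those bytes to the check.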

Rate limits & performance

AutoKYC enforces fair use policies per key and per endpoint. Limits scale with your contracted tier and can be adjusted for planned campaigns.

  • Default 500 requests/min per key for onboarding endpoints; bursting to 2,000 with token bucket.
  • Batch endpoints (/kyc/bulk) support up to 500 applicants per request with async polling.
  • GraphQL queries capped at 5,000 points; introspection requires admin scope.

Get started

  1. Create API credentials in the AutoKYC console and scope them to your environments.
  2. Copy one of the quickstart flows from the Docs home page.
  3. Subscribe to webhook events to receive decision outcomes and escalation notices.
  4. Promote to production after passing integration review with the AutoKYC developer success team.

Need help with schema design or migrating from another provider? Talk to developer success.