Going live for the first time
We recommend you read this guide to help us make your initial integration and testing experience as smooth as possible.
Live checks cannot be requested without valid billing information, so please add billing information to your account in your Onfido Dashboard.
You can generate live API tokens on the ‘Tokens’ page of your Onfido Dashboard.
Make sure to update your production system to use the live token.
You must never use API tokens in the frontend of your application, or malicious users could discover them in your source code. You should only use them on your server.
We highly recommend that you rotate live API tokens when staff members with access to those tokens leave your organisation. You could consider creating a leaver’s process which covers this.
Read more about token security and rotation in the API documentation.
We've marked in our API documentation the points where you'll either send personal data to Onfido or process biometric personal data yourself, for example if you're integrating to use one of our Facial Similarity reports.
Always make sure you inform your users about this, obtain any necessary permissions, and take steps to ensure that you are meeting your other obligations under applicable data privacy laws.
Unless contractually agreed otherwise, the maximum rate in production is 400 requests per minute.
Sandbox requests are rate limited to 30 per minute.
To lower the possibility you'll be rate-limited, we recommend:
- running non-essential or routine batch API jobs outside your peak hours
- throttling batch jobs
- implementing an exponential back-off approach for requests essential to your verification process, with an initial delay of 30 seconds
- prioritising requests that are essential to verify an active user
- setting up monitors and alerts for error responses on our API
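One way to implement the exponential back-off recommended above, as an added example that is not Onfido's own code. It assumes rate limiting is signalled with HTTP 429; `send` is a hypothetical callable wrapping your server-side API request, and the delay cap and retry budget are values chosen for this example.

```python
import random
import time

INITIAL_DELAY_S = 30.0   # initial delay recommended by the guide
MAX_DELAY_S = 600.0      # assumption: cap chosen for this example
MAX_ATTEMPTS = 5         # assumption: retry budget chosen for this example
RETRYABLE = {429}        # assumption: rate limiting is signalled with HTTP 429


def backoff_delays(initial=INITIAL_DELAY_S, cap=MAX_DELAY_S, attempts=MAX_ATTEMPTS):
    """Yield the base wait before each retry: 30, 60, 120, ... up to the cap."""
    delay = initial
    for _ in range(attempts - 1):
        yield min(delay, cap)
        delay *= 2


def call_with_backoff(send, sleep=time.sleep, jitter=random.random):
    """Call send() until it returns a non-retryable status or the budget is spent.

    send() is a hypothetical callable returning (status_code, body).
    Returns (status_code, body, total_seconds_waited).
    """
    waited = 0.0
    status, body = send()
    for base in backoff_delays():
        if status not in RETRYABLE:
            break
        # Add up to 10% jitter so parallel workers do not retry in lockstep.
        pause = base * (1 + 0.1 * jitter())
        sleep(pause)
        waited += pause
        status, body = send()
    return status, body, waited


def demo():
    # Constructed responses: two rate-limited replies, then success.
    replies = iter([(429, "rate limited"), (429, "rate limited"), (201, "created")])
    slept = []
    result = call_with_backoff(lambda: next(replies), sleep=slept.append,
                               jitter=lambda: 0.0)
    return result, slept


if __name__ == "__main__":
    print(demo())
```

Errors other than the retryable status are returned immediately, so authentication or validation failures surface to your monitoring instead of being retried.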
We manage a status page to keep our customers updated on any ongoing incidents affecting our service.
We recommend you subscribe to updates as you first integrate with Onfido. If you have any questions, please email our Client Support team.
You can select the option to "subscribe to updates" to get real-time updates via:
- text message (SMS)
- Atom or RSS feed
Read more about webhooks in the API documentation.
Upon receiving a webhook notification, you should acknowledge success by responding with an HTTP 20x response within 10 seconds. Otherwise, we will attempt to resend the notification 5 times according to the following schedule:
- 30 seconds after the first attempt
- 2 minutes after the first attempt
- 15 minutes after the first attempt
- 2 hours after the first attempt
- 10 hours after the first attempt
We also use circuit breaking for webhooks: if any 5 requests to the same webhook fail in a row, then that webhook will be disabled for one minute.
Make sure to update webhook endpoints to handle live check/report status update events.