Client integration guide
Use your deployed base URL (e.g. https://your-domain.example). All integration routes are POST or GET with JSON unless noted. Send Content-Type: application/json for JSON bodies.
Health
GET /api/health — service status.
Document & OCR
POST /api/process-document — JSON { "image": "<base64>", "document_type": "optional" } or multipart field image.
Face & identity
POST /api/verify-identity — document + live face (see server for field names).
POST /api/passive-liveness — multipart image.
POST /api/combined-liveness — image + optional frames.
POST /api/liveness-check — JSON { "frames": [ "<base64>", ... ] } (active liveness).
Multi-step eKYC flow
- POST /api/ekyc/step1-selfie-liveness — selfie_image, optional frames
- POST /api/ekyc/step2-document — front_image, optional back_image
- POST /api/ekyc/step3-face-comparison — selfie_image, document_image
- POST /api/ekyc/complete — full journey payload (see API implementation)
Orijin journey (Malay)
Session-based flow with IDs returned from the create step:
- POST /api/orijin/perjalanan/cipta — create journey
- POST /api/orijin/bacakad, semakmuka, sahkandok, keputusan
- GET /api/orijin/perjalanan/<id> — status
Other
POST /api/compare-sample, POST /api/edc-terminal/placeholder
Dashboard & staff (browser session)
Routes under /dashboard, /api/dashboard-data, and /api/admin/* require staff login when enabled. Initial accounts can be created at /setup (writes data/runtime_auth.json) or via environment variables. /api/admin/* may require the superadmin account if SUPERADMIN_* is set.
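One way to confirm that a deployment enforces the staff login described above, as an added example that is not code from this project. It assumes a login wall answers an anonymous GET with 401, 403 or a redirect; the function names are the example's own, and the bare /api/admin/ prefix stands in for admin sub-routes this guide does not list.

```python
import urllib.error
import urllib.request

# Staff-only routes named in this guide. "/api/admin/" is the bare prefix; the
# guide does not list the admin sub-routes, so substitute the ones you use.
STAFF_ROUTES = ["/dashboard", "/api/dashboard-data", "/api/admin/"]
# Assumption: once accounts exist, /setup should not answer 2xx anonymously.
SETUP_ROUTE = "/setup"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface 3xx as HTTPError instead of following it


def http_status(url, timeout=5):
    """Return the status code of an unauthenticated GET (no cookies sent)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status):
    # Assumption: a login wall shows up as 401, 403 or a redirect to login.
    if status in (401, 403) or 300 <= status < 400:
        return "protected"
    if 200 <= status < 300:
        return "exposed"
    return "inconclusive"  # 404, 405, 5xx: route absent or needs another method


def audit(base_url, fetch=http_status):
    """Map each staff route and /setup to protected, exposed or inconclusive."""
    base = base_url.rstrip("/")
    return {p: classify(fetch(base + p)) for p in STAFF_ROUTES + [SETUP_ROUTE]}


def findings(report):
    """Paths that served content to an anonymous client, sorted for review."""
    return sorted(path for path, verdict in report.items() if verdict == "exposed")
```

Run audit() against your own base URL after enabling staff login; any path returned by findings() needs review before the service is reachable from untrusted networks.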
CORS & mobile
The server enables CORS for app clients. For cookie-based dashboard access, use the same origin. The integration APIs listed above are public to the network; optionally restrict them at a reverse proxy or WAF.