API Reference

Complete reference for the MID REST API. All endpoints require authentication via the X-Mobid-Key header.

Consent Sessions

Create and manage user consent flows for identity verification and data sharing.

POST
/v1/service/consents/search

Create a new consent session

GET
/v1/service/consents/:id

Retrieve consent session details

PUT
/v1/service/consents/:id

Update an existing consent

DELETE
/v1/service/consents/:id

Revoke a consent session

Create consent session
curl -X POST 'https://api.mobid.io/v1/service/consents/search' \
  -H 'Content-Type: application/json' \
  -H 'X-Mobid-Key: qk_your_api_key' \
  -d '{
    "recipient": "+1234567890",
    "purpose": "identity_verification",
    "scope": ["name", "email", "phone"],
    "callbackUrl": "https://yourapp.com/callback"
  }'
Response
{
  "code": 200,
  "message": "Consent session created",
  "data": {
    "id": "cs_abc123",
    "status": "pending",
    "recipient": "+1234567890",
    "purpose": "identity_verification",
    "scope": ["name", "email", "phone"],
    "expiresAt": "2025-01-15T12:00:00Z",
    "qrCode": "https://api.mobid.io/qr/cs_abc123"
  }
}

FIDO / WebAuthn

Passwordless authentication using FIDO2 and WebAuthn standards.

POST
/v1/auth/fido/register/begin

Begin FIDO2 registration

POST
/v1/auth/fido/register/complete

Complete FIDO2 registration

POST
/v1/auth/fido/authenticate/begin

Begin FIDO2 authentication

POST
/v1/auth/fido/authenticate/complete

Complete FIDO2 authentication

FIDO2 Flow

FIDO2 operations follow a two-step pattern: begin (server generates a challenge) and complete (client signs the challenge with a biometric authenticator).

Device Management

Manage registered devices and their authentication capabilities.

GET
/v1/devices

List all registered devices

GET
/v1/devices/:id

Get device details

DELETE
/v1/devices/:id

Deregister a device

POST
/v1/devices/:id/block

Block a device

Client Management

Manage API clients, credentials, and access permissions.

GET
/v1/clients

List all clients

POST
/v1/clients

Create a new client

GET
/v1/clients/:id

Get client details

PUT
/v1/clients/:id

Update client configuration

DELETE
/v1/clients/:id

Delete a client

POST
/v1/clients/:id/regenerate-key

Regenerate client API key

Enrollments

User enrollment and identity provisioning endpoints.

POST
/v1/enrollments

Create a new enrollment

GET
/v1/enrollments/:id

Get enrollment status

POST
/v1/enrollments/:id/verify

Verify enrollment with biometrics

QR Code Operations

Generate and manage QR codes for authentication and consent flows.

POST
/v1/qr/generate

Generate a new QR code

GET
/v1/qr/:id

Get QR code status

GET
/v1/qr/:id/image

Get QR code image (PNG/SVG)

Rate Limits

| Plan | Requests/min | Daily Limit | Concurrent |
| --- | --- | --- | --- |
| Free | 60 | 1,000 | 5 |
| Basic ($79/mo) | 300 | 50,000 | 25 |
| Growth ($149/mo) | 1,000 | 500,000 | 50 |
| Enterprise ($499/mo) | Custom | Unlimited | Custom |

Error Responses

| Code | Type | Description |
| --- | --- | --- |
| 400 | bad_request | The request was malformed or missing required fields |
| 401 | unauthorized | Invalid or missing API key |
| 403 | forbidden | API key lacks required permissions |
| 404 | not_found | The requested resource does not exist |
| 409 | conflict | The request conflicts with an existing resource |
| 422 | validation_error | Request body failed validation |
| 429 | rate_limited | Too many requests; retry after cooldown |
| 500 | server_error | Internal server error (rare) |

Webhooks

Configure webhook endpoints to receive real-time event notifications.

| Event | Trigger |
| --- | --- |
| consent.created | New consent session initiated |
| consent.approved | Recipient approved the consent |
| consent.rejected | Recipient rejected the consent |
| consent.expired | Consent session timed out |
| auth.success | Successful authentication event |
| auth.failed | Failed authentication attempt |
| device.registered | New device registered |
| device.deregistered | Device was removed |
| enrollment.completed | User enrollment finished |
| mandate.signed | Digital mandate was signed |

Webhook Security

Always verify webhook signatures using your webhook secret. Respond with a 200 status within 5 seconds to avoid retries.
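
One way to implement the signature check and fast acknowledgement described above, as an added example that is not MID's own code. The page does not document the signing scheme, so the header names (`X-Example-Signature`, `X-Example-Timestamp`), the hex HMAC-SHA256 over `<timestamp>.<raw body>` construction and the 300-second replay window are assumptions to replace with the values from your webhook settings.

```python
import hashlib
import hmac
import json
import time
from typing import Callable, Mapping, Optional

# ASSUMPTIONS, not documented on this page: hex HMAC-SHA256 over
# b"<timestamp>." + raw body, and these two placeholder header names.
SIG_HEADER = "X-Example-Signature"
TS_HEADER = "X-Example-Timestamp"
TOLERANCE_SECONDS = 300  # assumed replay window


def sign(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    """Expected signature for one delivery under the assumed scheme."""
    msg = timestamp.encode() + b"." + raw_body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret: bytes, timestamp: Optional[str], signature: Optional[str],
           raw_body: bytes, now: Optional[float] = None) -> bool:
    """True only for a fresh delivery whose signature matches the raw bytes."""
    if not timestamp or not signature:
        return False
    if not (timestamp.isascii() and timestamp.isdigit() and signature.isascii()):
        return False
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        return False  # stale or future-dated delivery: treat as a replay
    expected = sign(secret, timestamp, raw_body)
    # Constant-time compare; == would leak how much of the value matched.
    return hmac.compare_digest(expected.encode(), signature.encode())


def handle(secret: bytes, headers: Mapping[str, str], raw_body: bytes,
           seen: set, enqueue: Callable[[dict], None],
           now: Optional[float] = None) -> int:
    """Return the HTTP status for one delivery; real work goes to enqueue()."""
    ok = verify(secret, headers.get(TS_HEADER), headers.get(SIG_HEADER), raw_body, now)
    if not ok:
        return 401  # reject before parsing any unauthenticated JSON
    digest = hashlib.sha256(raw_body).hexdigest()
    if digest not in seen:  # retries re-deliver: process each body once
        event = json.loads(raw_body)
        seen.add(digest)
        enqueue(event)  # defer the work so the 200 goes out quickly
    return 200
```

Verify against the exact bytes received, before any JSON parsing or re-serialisation, and pass a case-insensitive header mapping from your web framework. In a multi-process deployment the `seen` set would be a shared store with an expiry rather than in-process memory.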