General questions:


A: The user alone determines which pieces of information a service provider can obtain from Verimi, via a consent page. The consent page displays the information chosen to be disclosed to that particular service provider. The user selects the pieces of information that are to be shared. They are placed in a "data-basket", which is transferred to the service provider in exchange for the access token. More details about the process can be found here.


A: The Verimi website uses cookies in order to enhance the customer experience. The Verimi service itself does not use cookies.


A: Depending on the specific use case, user data is transmitted by Verimi to the service provider (subject to the user's consent). The maximum data set that can be transmitted is defined by the data scopes.


A: Linkage can be triggered from both sides:
  • a user has a Verimi account, has logged into the Verimi portal, and proceeds to link the account to a service provider via the Verimi "My Verimis / Meine Verimis" section. See: "Link account via Verimi Web"
  • a user is on a service provider's website. The service provider has implemented the "Log in with Verimi / Log-in mit Verimi" button on its own website. See: "Link account via Service provider"

A: Client certificates are issued by Verimi and provisioned to the colleagues directly; please provide the email addresses of the users. Please register here for UAT access.


A: You can reach the UAT environment through the native iOS and Android app.


A: Test users should be registered by each service provider itself. This tutorial will explain ...


A: You will be provided with the PUK number when you activate two-factor authentication. The PUK is used to reset your account if you have forgotten your access PIN for two-factor authentication. It is therefore important to note down this PUK number and keep it in a safe place.

Technical Questions:

You will get a 401 code if:

  • the client_id or the client_secret is missing or wrong.
  • the refresh token is missing.
  • the scope is wrong.
  • the access token is wrong or empty.
  • the EUID is missing in the request.

A: UAT environment.

A: Yes, they are OIDC standard.

A: When using scope=id_card or scope=passport it is mandatory; otherwise the user has the option to turn it on or off.


A: 2FA can be activated in the native mobile apps. It is protected (in addition to the Verimi password) with a fingerprint / PIN. The Seal-One module was used for the implementation.


A: "Login" if you don't use OIDC. "openid" if you use OIDC. You don't get any data with these scopes; you need to add scopes for requesting data (like "name"). "userinfo" if you use OIDC, in order to get the OIDC-conformant claims:

  {
    "sub": "string",
    "name": "string",
    "address": "string",
    "birthdate": "string",
    "email": "string",
    "email_verified": true,
    "phone_number": "string",
    "phone_number_verified": true
  }

A: Name, email, telephone number. They need to be requested, though, by adding the corresponding scopes to the authorisation call.


A: Authorization code flow:
  1. ID and access tokens
  2. Support for the state and nonce parameters

A: The identity owner (end customer) can choose the specific data set (e.g. address, email, telephone number) to be shared with the service provider. Only one data set can be shared within one transaction.


A: Yes.


A: Password recovery is handled via password reset by email. If the user manages verified documents on Verimi, this process is additionally secured by a mandatory 2FA.


A: Yes, it is supported by the native app.


A: Verimi makes data privacy easy. Verimi lets you administer your data quickly and safely, at any time. A single registration will enable you to log into many digital services and applications with the Verimi log-in button easily, conveniently and safely.


A: Just do the normal registration procedure, then go here; there you will find the verification mail for all the accounts on UAT.


A: The operating model of Verimi separates the data from the key storage. Verimi manages the data, while encryption, decryption, and key management are performed by a certified trust center using hardware security modules (HSMs). Each user has an individual, hardware-protected key that Verimi has no access to. When the user account is deleted, the associated key is deleted from the trust center. From this point on, decryption of the user's data, even in system backups, is no longer possible. The security architecture is published as a white paper, listed here.


A: You just need to fill in the registration form and we will send you a welcome email.


A: There is one individual certificate and one client secret per environment. The client ID remains the same.


A: The connection is made via a standard API; this is secured via TLS 1.2 in conjunction with OAuth and OpenID Connect (OIDC).


A: In the event of a business closure, all data will be deleted within 30 days.


A: http is used whenever localhost is the redirect_uri; otherwise https is used.


A: You need to add offline to your scope in the OAuth request.


A: The userinfo is a JSON object with sub, e-mail and address. The ID token is used when OpenID Connect is used; it contains various data such as sub, mail and name. The Readbasket contains more data than the other two.
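The authorization code flow answers above (state and nonce support, the offline scope, http only for a localhost redirect_uri, and the claims carried by the ID token) are easier to get right when the client-side checks are written out. The following is an added example, not Verimi's code or SDK: it builds the authorization request, validates the callback's state, enforces the redirect_uri scheme rule, and checks the ID token claims against the stored nonce. The authorization endpoint URL and the issuer value are placeholders, the scope names are taken from this page, and verifying the ID token's signature against the provider's key set is assumed to have happened before the claims are passed in.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder: the real authorization endpoint is not stated on this page.
AUTHORIZATION_ENDPOINT = "https://idp.example.invalid/oauth2/authorize"


def check_redirect_uri(redirect_uri: str) -> bool:
    """Rule from the FAQ: plain http is accepted only for localhost, https otherwise."""
    parsed = urlparse(redirect_uri)
    if parsed.scheme == "https":
        return True
    return parsed.scheme == "http" and parsed.hostname == "localhost"


def build_authorization_request(client_id, redirect_uri, scopes, want_refresh_token=False):
    """Return (authorization URL, per-login session state to keep server-side)."""
    if not check_redirect_uri(redirect_uri):
        raise ValueError("redirect_uri must use https (http is only allowed for localhost)")
    scope_list = list(scopes)
    if "openid" not in scope_list:          # "openid" selects OIDC; data scopes are added to it
        scope_list.insert(0, "openid")
    if want_refresh_token and "offline" not in scope_list:
        scope_list.append("offline")        # the FAQ's scope for obtaining a refresh token
    # Fresh, unguessable values per login: state binds the callback to this browser session,
    # nonce binds the ID token to this authorization request.
    session = {"state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32)}
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scope_list),
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params), session


def validate_callback(callback_url: str, session: dict) -> str:
    """Return the authorization code if the callback carries the expected state."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, session["state"]):
        raise ValueError("state mismatch: callback does not belong to this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def validate_id_token_claims(claims: dict, client_id: str, issuer: str, session: dict, now=None) -> str:
    """Check a signature-verified ID token's claims; returns the subject identifier (sub)."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("ID token was not issued for this client")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("ID token has expired")
    if not secrets.compare_digest(str(claims.get("nonce", "")), session["nonce"]):
        raise ValueError("nonce mismatch: ID token was not issued for this request")
    return claims["sub"]


if __name__ == "__main__":
    url, sess = build_authorization_request(
        "client-123", "https://sp.example/cb", ["name", "email"], want_refresh_token=True)
    print(url)
    # Constructed callback and claims, standing in for what the provider would return.
    code = validate_callback(f"https://sp.example/cb?code=abc&state={sess['state']}", sess)
    sub = validate_id_token_claims(
        {"iss": "https://idp.example.invalid", "aud": "client-123",
         "exp": time.time() + 300, "nonce": sess["nonce"], "sub": "user-1",
         "name": "Test User", "email": "test@example.invalid"},
        "client-123", "https://idp.example.invalid", sess)
    print("code:", code, "sub:", sub)
```

The state check covers the 401 causes listed above only indirectly: a wrong or missing scope is rejected by the provider at the token endpoint, whereas a state or nonce mismatch is something the service provider must detect itself, since the provider cannot know which browser session started the login.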