Delegated Verification Guide

Issue Cardless ID credentials to your verified users via the trusted issuer API

Overview

Delegated verification allows trusted issuers (banks, government agencies, employers, universities, etc.) to issue Cardless ID credentials to their users without requiring them to go through a full identity verification flow.

This is ideal for organizations that have already verified their users' identities and want to provide them with portable, privacy-preserving digital credentials.

Issuer Registry & Security Audit Required

Cardless ID maintains an Algorand smart contract that serves as a registry of trusted issuers. Only credentials issued by addresses in this on-chain registry will be recognized as valid by verifiers in the Cardless ID ecosystem.

Before production deployment: Your organization must complete a security audit and approval process. We review your verification procedures, security practices, and compliance measures before adding your issuer address to the registry.

How It Works

┌─────────────┐                           ┌──────────────┐
│   Bank/DMV  │                           │  Cardless ID │
│   (Issuer)  │                           │   Platform   │
└─────────────┘                           └──────────────┘
       │                                          │
       │                                          │
       │  1. POST /api/delegated-verification/issue
       │     - API Key                            │
       │     - User's wallet address              │
       │     - Identity data                      │
       │─────────────────────────────────────────>│
       │                                          │
       │                2. Verify API key         │
       │                3. Generate credential    │
       │                4. Store on Algorand      │
       │                                          │
       │  5. Return credential ID                 │
       │<─────────────────────────────────────────│
       │                                          │
       │  6. Notify user                          │
       │     "Your Cardless ID is ready!"         │

Use Cases

1. Banks (KYC Completed)

Banks that have completed Know Your Customer (KYC) verification can issue Cardless ID credentials to their account holders.

Example: Chase Bank issues Cardless ID to verified customers, allowing them to prove age without sharing banking information.

2. Government Agencies (DMV, Social Security)

Government agencies that issue identity documents can directly issue digital credentials.

Example: California DMV issues Cardless ID when renewing a driver's license.

3. Universities (Student Credentials)

Universities can issue credentials to enrolled students for age verification and student discounts.

Example: Stanford issues Cardless ID to all students for campus events and online student discounts.

4. Employers (Employee Verification)

Employers can issue credentials to employees for workplace access and benefits.

Example: Google issues Cardless ID to employees for building access and corporate discounts.

5. Healthcare Providers

Healthcare organizations can issue credentials to patients for age-gated services.

Example: Kaiser Permanente issues Cardless ID to patients for prescription refills requiring age verification.

Getting Started

Step 1: Request API Key

Contact Cardless ID to request an API key for your organization:

Include: Organization name, type, contact email, website, use case, expected volume

Step 2: Receive Credentials

You'll receive:

  • API Key: api_key_example_not_real_xxxxxxxxxxxxxxxx
  • Documentation: This guide
  • Sandbox API Key: For testing

Step 3: Integrate API

Use the API endpoint to issue credentials to your users.

API Reference

Endpoint

POST https://cardlessid.com/api/delegated-verification/issue

Request Body

{
  "apiKey": "your_api_key_here_not_a_real_key_example",
  "walletAddress": "MWCAXBUMUK3I2NTVEHDA6JVQ2W7IMKJUJSGEKQTRMFYYE3W6GJUSHUAGJM",
  "identity": {
    "firstName": "Jane",
    "lastName": "Doe",
    "dateOfBirth": "1990-01-15",
    "documentNumber": "D1234567",
    "documentType": "government_id",
    "issuingCountry": "US",
    "issuingState": "CA"
  }
}

Request Fields

Field                    Type    Required  Description
apiKey                   string  Yes       Your API key from Cardless ID
walletAddress            string  Yes       User's Algorand wallet address (58 characters)
identity.firstName       string  Yes       User's first name
identity.middleName      string  Yes       User's middle name
identity.lastName        string  Yes       User's last name
identity.dateOfBirth     string  Yes       Date of birth (YYYY-MM-DD format)
identity.documentNumber  string  No        ID document number
identity.documentType    string  No        drivers_license, passport, or government_id

Response (Success)

{
  "success": true,
  "credentialId": "cred_1234567890_abc123",
  "walletAddress": "MWCAXBUMUK3I2NTVEHDA6JVQ2W7IMKJUJSGEKQTRMFYYE3W6GJUSHUAGJM",
  "compositeHash": "a1b2c3d4e5f6...",
  "sessionId": "session_1234567890",
  "issuer": {
    "name": "Example Bank",
    "type": "bank"
  }
}

Error Responses

401 Unauthorized

{
  "error": "Invalid API key"
}

400 Bad Request

{
  "error": "Invalid Algorand wallet address. Must be 58 characters."
}

Implementation Examples

Node.js / TypeScript

import fetch from 'node-fetch';

async function issueCardlessId(
  walletAddress: string,
  userData: {
    firstName: string;
    lastName: string;
    dateOfBirth: string;
  }
) {
  const response = await fetch('https://cardlessid.com/api/delegated-verification/issue', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      apiKey: process.env.CARDLESSID_API_KEY,
      walletAddress,
      identity: userData
    })
  });

  if (!response.ok) {
    const error = await response.json();
    throw new Error(`Failed to issue credential: ${error.error}`);
  }

  const result = await response.json();
  console.log('Credential issued:', result.credentialId);

  return result;
}

// Usage
await issueCardlessId(
  'MWCAXBUMUK3I2NTVEHDA6JVQ2W7IMKJUJSGEKQTRMFYYE3W6GJUSHUAGJM',
  {
    firstName: 'Jane',
    lastName: 'Doe',
    dateOfBirth: '1990-01-15'
  }
);

Python

import requests
import os

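def issue_cardless_id(wallet_address, user_data):
    # The API key is read from the environment, never hard-coded
    response = requests.post(
        'https://cardlessid.com/api/delegated-verification/issue',
        json={
            'apiKey': os.environ['CARDLESSID_API_KEY'],
            'walletAddress': wallet_address,
            'identity': user_data
        },
        timeout=10  # requests has no default timeout; fail instead of hanging
    )

    # Raises requests.HTTPError on 4xx/5xx (e.g. 401 invalid key, 400 bad address)
    response.raise_for_status()
    result = response.json()

    print(f"Credential issued: {result['credentialId']}")
    return result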

# Usage
issue_cardless_id(
    'MWCAXBUMUK3I2NTVEHDA6JVQ2W7IMKJUJSGEKQTRMFYYE3W6GJUSHUAGJM',
    {
        'firstName': 'Jane',
        'lastName': 'Doe',
        'dateOfBirth': '1990-01-15'
    }
)

cURL

curl -X POST https://cardlessid.com/api/delegated-verification/issue \
  -H "Content-Type: application/json" \
  -d '{
    "apiKey": "your_api_key_here_not_a_real_key_example",
    "walletAddress": "MWCAXBUMUK3I2NTVEHDA6JVQ2W7IMKJUJSGEKQTRMFYYE3W6GJUSHUAGJM",
    "identity": {
      "firstName": "Jane",
      "lastName": "Doe",
      "dateOfBirth": "1990-01-15",
      "documentNumber": "D1234567",
      "documentType": "government_id",
      "issuingCountry": "US",
      "issuingState": "CA"
    }
  }'

Best Practices

Security

  • Store API keys in environment variables
  • Never commit API keys to version control
  • Rotate regularly (every 90 days)
  • Use separate keys for dev/staging/production

Error Handling

  • Retry failed requests with exponential backoff
  • Log all errors for debugging
  • Provide clear error messages to users
  • Monitor API usage and errors
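
The retry and error-handling practices above, applied to the issue endpoint and its documented 400/401 responses, as an added example (not Cardless ID's own code). It validates input before any identity data is sent, retries only transient failures with exponential backoff, and keeps the request payload out of error messages. Assumptions: the `send` transport hook, the `IssuanceError` name, the `RETRYABLE` status set, and HTTP 200 as the success status are not from the guide.

```python
import re
import time
from datetime import date

ISSUE_URL = "https://cardlessid.com/api/delegated-verification/issue"  # from this guide
ADDRESS_RE = re.compile(r"[A-Z2-7]{58}")    # 58 base32 chars; checksum is not verified here
DOB_RE = re.compile(r"\d{4}-\d{2}-\d{2}")   # YYYY-MM-DD
RETRYABLE = {429, 500, 502, 503, 504}       # assumption: the guide lists no retryable codes


class IssuanceError(Exception):
    """Permanent failure (hypothetical name); resending the same request will not help."""


def validate_request(wallet_address, identity):
    """Reject malformed input locally, before any identity data leaves the issuer."""
    if not ADDRESS_RE.fullmatch(wallet_address):
        raise ValueError("walletAddress must be 58 base32 characters")
    for field in ("firstName", "lastName", "dateOfBirth"):  # sent by every example in the guide
        if not identity.get(field):
            raise ValueError(f"identity.{field} is required")
    if not DOB_RE.fullmatch(identity["dateOfBirth"]):
        raise ValueError("identity.dateOfBirth must be YYYY-MM-DD")
    date.fromisoformat(identity["dateOfBirth"])  # ValueError for dates like 1990-02-30


def issue_with_retry(send, api_key, wallet_address, identity,
                     attempts=4, base_delay=0.5, sleep=time.sleep):
    """send(url, payload) -> (status_code, body_dict) is a hypothetical transport hook,
    e.g. a thin wrapper around requests.post(..., timeout=10)."""
    validate_request(wallet_address, identity)
    payload = {"apiKey": api_key, "walletAddress": wallet_address, "identity": identity}
    status = None
    for attempt in range(attempts):
        status, body = send(ISSUE_URL, payload)
        if status == 200:  # assumption: success is HTTP 200
            return body
        if status not in RETRYABLE:
            # 400/401 are caller errors: retrying only resends the key and identity data.
            # The message carries the status and server error text, never the payload.
            raise IssuanceError(f"HTTP {status}: {body.get('error')}")
        if attempt < attempts - 1:
            sleep(base_delay * 2 ** attempt)  # 0.5 s, 1 s, 2 s, ...
    raise IssuanceError(f"gave up after {attempts} attempts (last HTTP {status})")
```

The guide does not say whether issuance is idempotent, so a retry after a 5xx or timeout may need a check for an already-issued credential first.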

User Experience

  • Explain what Cardless ID is
  • Show benefits to users
  • Help users download wallet app
  • Confirm successful issuance

Compliance

GDPR (European Union)

  • Right to access: Users can request credential data
  • Right to erasure: Users can request credential revocation
  • Data minimization: Only required fields are transmitted
  • Lawful basis: Legitimate interest or consent

CCPA (California)

  • Data disclosure: Users can request information about data collection
  • Right to delete: Users can request credential deletion
  • No sale of data: Credentials are not sold to third parties

HIPAA (Healthcare)

  • Protected Health Information (PHI) is not stored in credentials
  • Only age/identity information is included
  • Credentials are encrypted on blockchain
  • Audit logs track all issuance

Support

  • 📧 Email: me@djscruggs.com
  • 🐛 Issues: GitHub Issues
  • 💬 Community: Discord (coming soon)