Overview
All DIDx:Verify API endpoints require an OAuth2 Bearer token with the sc-citizen scope.
Obtaining a Token
Use the OAuth2 client_credentials grant with your clientId and clientSecret:
curl -X POST "https://citizen.uat.securecitizen.cloud/connect/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials&client_id=your_client_id&client_secret=your_client_secret&scope=sc-citizen"
Response
{
"access_token": "eyJhbGciOiJSUzI1NiIsI...",
"expires_in": 3600,
"token_type": "Bearer",
"scope": "sc-citizen"
}
Using the Token
Include the token as a Bearer token in all API requests:
-H "Authorization: Bearer <access_token>"
Checking System Status
Before making verification calls, you can check whether the Department of Home Affairs (DHA) systems are online:
curl -X GET "https://citizen.uat.securecitizen.cloud/Citizen/Status" \
-H "Authorization: Bearer <access_token>"
Consent Requirement
Every API request that processes personal information requires "ConsentReceived": true in the request body. This documents that you have obtained the subject’s informed consent to process their personal data, as required by POPIA.
{
"ConsentReceived": true,
...
}
Requests with ConsentReceived: false will be rejected. This field is audited and required for regulatory compliance.
HTTP Status Codes
| Code | Meaning |
|---|
200 | Success |
401 | Unauthenticated — token is missing or expired |
403 | Unauthorized — your token doesn’t have access to this resource |
500 | Internal server error |
504 | Backend gateway error — DHA is unavailable |
