Get Certificate

curl --request GET \
  --url https://api.example.com/{base_url}/otk-service/v1/certificates/:journeyToken \
  --header 'Accept: <accept>' \
  --header 'Content-Type: <content-type>' \
  --header 'x-transaction-key: <x-transaction-key>'

{
    "success": true,
    "data": {
        "uaekyc_id": 12345,
        "certificate_base64": "data:image/jpeg;base64,/9j/4AAQ...",
        "certificate_etag": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
        "issued_on": "2025-01-15T10:30:45.123Z",
        "expires_on": "2026-01-15T10:30:45.123Z",
        "active_status": {
            "code": "ACTIVE",             // ACTIVE | REVOKED | EXPIRED
            "messages": ""
        },
        "last_updated": "2025-01-15T14:30:45.123456+04:00"
    },
    "message": "Retrieved certificate details successfully",
    "signature": "abcdef123...",
    "meta": { "timestamp": "2025-05-13T10:15:30.456Z", "filters": {} },
    "errors": []
}

GET

{base_url}

otk-service

certificates

:journeyToken

Get Certificate

curl --request GET \
  --url https://api.example.com/{base_url}/otk-service/v1/certificates/:journeyToken \
  --header 'Accept: <accept>' \
  --header 'Content-Type: <content-type>' \
  --header 'x-transaction-key: <x-transaction-key>'

{
    "success": true,
    "data": {
        "uaekyc_id": 12345,
        "certificate_base64": "data:image/jpeg;base64,/9j/4AAQ...",
        "certificate_etag": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
        "issued_on": "2025-01-15T10:30:45.123Z",
        "expires_on": "2026-01-15T10:30:45.123Z",
        "active_status": {
            "code": "ACTIVE",             // ACTIVE | REVOKED | EXPIRED
            "messages": ""
        },
        "last_updated": "2025-01-15T14:30:45.123456+04:00"
    },
    "message": "Retrieved certificate details successfully",
    "signature": "abcdef123...",
    "meta": { "timestamp": "2025-05-13T10:15:30.456Z", "filters": {} },
    "errors": []
}

Certificates are valid for one year from issuance. When revoked or expired, certificate_base64 and certificate_etag will be null.

Authentication

x-transaction-key

string

required

Your API key. Get your key →

string

required

Must be application/json

Content-Type

string

required

Must be application/json

Path Parameters

journeyToken

string

required

UUID v4 of the journey from the Create Journey API (36 characters).

Code Examples

curl "{base_url}/otk-service/v1/certificates/{journeyToken}" \
  -H "x-transaction-key: your-api-key" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json"

Response Fields

Field	Type	Presence	Description
`success`	boolean	Always	Whether the request was successful.
`message`	string	Always	Human-readable status message.
`data.uaekyc_id`	integer	Always	Unique UAE KYC identifier for this customer (same as `uaeKycId` in the Customer Details API, different casing).
`data.certificate_base64`	string (Base64)	Optional	JPEG, typically 100–800 KB. Base64-encoded certificate image. `null` when the certificate is revoked or expired.
`data.certificate_etag`	string	Optional	ETag hash for client-side caching (32 characters). `null` when revoked or expired.
`data.issued_on`	string (ISO 8601)	Always	Certificate issuance date.
`data.expires_on`	string (ISO 8601)	Always	Certificate expiration date. Certificates are valid for one year from issuance.
`data.active_status.code`	string	Always	Certificate status: `ACTIVE` (valid), `REVOKED` (manually revoked), or `EXPIRED` (past expiry date).
`data.active_status.messages`	string	Always	Additional context about the certificate status (empty when active).
`data.last_updated`	string (ISO 8601)	Always	Timestamp of the last modification to this certificate record.
`signature`	string	Always	Cryptographic signature for response verification.
`meta.timestamp`	string (ISO 8601)	Always	Server-side timestamp of the response.
`errors`	array	Always	List of error objects. Each contains `code`, `type`, and `message`.

Next Steps

Check active_status.code before using the certificate

ACTIVE → The certificate is valid. Display or use it for downstream processes.

REVOKED → Do not display. certificate_base64 will be null.

EXPIRED → Initiate a Re-KYC journey to issue a new one.

Cache the certificate using the ETag

Use certificate_etag for client-side caching. Compare the ETag on subsequent requests to avoid downloading the same image repeatedly.

Monitor certificate expiry

Store expires_on in your system and set up reminders or automated Re-KYC flows before certificates expire. Use the Stale Residents API to identify customers approaching expiry.

Verify the response signature

Use the signature field to verify response integrity before displaying or storing the certificate.

{
    "success": true,
    "data": {
        "uaekyc_id": 12345,
        "certificate_base64": "data:image/jpeg;base64,/9j/4AAQ...",
        "certificate_etag": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
        "issued_on": "2025-01-15T10:30:45.123Z",
        "expires_on": "2026-01-15T10:30:45.123Z",
        "active_status": {
            "code": "ACTIVE",             // ACTIVE | REVOKED | EXPIRED
            "messages": ""
        },
        "last_updated": "2025-01-15T14:30:45.123456+04:00"
    },
    "message": "Retrieved certificate details successfully",
    "signature": "abcdef123...",
    "meta": { "timestamp": "2025-05-13T10:15:30.456Z", "filters": {} },
    "errors": []
}

Get Verification Status API

Revoked Certificates History

Overview

API Key Management

Journey APIs

Remote Verification

Certificate APIs

Validation APIs

Response Integrity

Get Certificate

Authentication

Path Parameters

Code Examples

Response Fields

Next Steps

Overview

API Key Management

Journey APIs

Remote Verification

Certificate APIs

Validation APIs

Response Integrity

​Authentication

​Path Parameters

​Code Examples

​Response Fields

​Next Steps

Authentication

Path Parameters

Code Examples

Response Fields

Next Steps