UIDAI Stub

Complete ASA/CDAC Onboarding-Ready UIDAI Virtual Endpoint for Auth v2.5 and e-KYC.

Explore API

Overview

The UIDAI Stub provides a simulated environment for testing Aadhaar-based authentication and e-KYC workflows. It enforces strict v2.5 shape checks and follows the official UIDAI specification for request/response payloads.

Auth v2.5 Ready

Enforces mandatory elements: <Uses>, <Meta>, <Skey>, <Data>, <Hmac>, and <Signature>.

e-KYC via Rad

Correctly derives e-KYC from the <Rad> element, which must contain the Base64-encoded Auth XML.

Audit Logging

Built-in audit trails with automatic redaction of sensitive fields (PID, Skey, Hmac) to ensure security compliance.

Onboarding Ready

Designed specifically to pass ASA/CDAC onboarding reviews with deterministic response toggles.

Aadhaar Vault (SQLite)

Simulates the mandatory Vault service that replaces Aadhaar numbers with Reference Keys for secure storage.

Implementation Roadmap

Moving from a local application to a UIDAI-integrated system involves a multi-step workflow. Here is the complete lifecycle of a transaction:

1. Preparation & Hardware

  • Install a UIDAI-certified RD Service (Mantra, Morpho, etc.) on the client machine.
  • Ensure the device reachability via http://localhost:11100 (standard RD port).
  • Cryptography: This stub uses real RSA/AES encryption. Keys are located in /keys.
  • Rotate Keys: To generate new keys, run php generate_keys.php.

2. Frontend Workflow (Capture PID)

The frontend must call the RD Service to capture biometric data. This results in an encrypted PID block.

// Example JS to call RD Service
fetch('http://localhost:11100/rd/capture', {
    method: 'CAPTURE',
    body: '<PidOptions ver="1.0">...</PidOptions>'
}).then(res => res.text()).then(xml => {
    // Send this PID XML to your backend
});

3. Backend Workflow (Build Auth XML)

Construct the official Auth v2.5 XML. This is the core document that identifies the resident.

Required Blocks:

  • <Uses>: Defines what you are matching (pi, pa, bio, otp).
  • <Meta>: Device and environment metadata.
  • <Skey>: Encrypted session key used for PID.
  • <Data>: The actual encrypted PID block.
  • <Hmac>: Hash of the PID for integrity.

4. e-KYC Transformation (The "Rad" Step)

To request e-KYC data, you do not call the Auth endpoint directly. Instead, you wrap the Auth XML inside a Kyc request.

// PHP Example
$fullAuthXml = "<Auth...>...</Auth>"; 
$base64Rad = base64_encode($fullAuthXml);

$kycRequest = '<Kyc ver="2.5" ra="F" rc="Y" lr="N" de="N" pfr="Y">
  <Rad>' . $base64Rad . '</Rad>
</Kyc>';

5. Handling the Response

The stub returns a <Resp> block. Inside the textContent is the Base64-encoded KycRes.

// 1. Decode the outer Resp payload
$kycResXml = base64_decode($respContent);

// 2. Parse KycRes to get User Data
// Payload contains: <Poi> (Name/DOB), <Poa> (Address), <Pht> (Photo)

6. Aadhaar Vault (Tokenization)

UIDAI mandates that you do not store Aadhaar numbers in your own DB. Instead, you send the Aadhaar to the Vault and get a Reference Key.

// Call the Vault Endpoint
$payload = json_encode(["aadhaar" => "999988887777"]);
$response = curl_post("/uidai/vault", $payload);
// Output: {"reference_key": "4e1a-8b2c-..."}

Quick Testing with cURL

You can test the stub instantly using your terminal. Use these commands to verify the endpoints on the live server.

1. Health Check

Verify the stub is alive and responding.

curl -X GET https://agribid.auction/index.php/health

2. Aadhaar Vault (Tokenize)

Exchange a raw Aadhaar number for a secure Reference Key.

curl -X POST https://agribid.auction/index.php/uidai/vault \
-H "Content-Type: application/json" \
-d '{"aadhaar": "999988887777"}'

3. Aadhaar Vault (Retrieve)

Retrieve the original Aadhaar number using a Reference Key.

curl -X POST https://agribid.auction/index.php/uidai/vault/retrieve \
-H "Content-Type: application/json" \
-d '{"reference_key": "YOUR_REFERENCE_KEY"}'

4. Biometric Auth (v2.5)

Test the core authentication logic with a sample XML payload.

curl -X POST https://agribid.auction/index.php/uidai/auth \
-H "Content-Type: text/xml" \
-d '<?xml version="1.0" encoding="UTF-8"?><Auth uid="999988887777" tid="registered" ac="public" sa="public" ver="2.5" txn="STUB_TXN_001" lk="STUB_LK"><Uses pi="y" pa="y" pfa="n" bio="y" bt="FMR" otp="n" pin="n"/><Meta udc="device123" pip="127.0.0.1" lot="P" lov="18.52,73.85"/><Skey ci="20251222">BASE64_SKEY</Skey><Data type="X">BASE64_PID</Data><Hmac>BASE64_HMAC</Hmac><Signature>EXISTENCE_CHECK_ONLY</Signature></Auth>'

Interactive API Reference

Use the interactive Swagger UI below to test the endpoints directly from your browser. Note that for Auth/KYC endpoints, you should provide valid XML payloads.

Moving to Production

Once you pass the onboarding review with this stub, transitioning to the official ASA/CDAC production environment requires minimal changes:

1. Update CryptoProvider

Replace StubCryptoProvider with a real implementation that uses openssl for RSA/AES and XMLDSig (C14N).

2. Swap Keys

Replace dummy files in /keys with official Certificates and Private Keys issued by your ASA.

3. Update Endpoint

Point your backend to the ASA Gateway URL (e.g., https://production-gateway.asa.in/kyc).

Security & Compliance

To pass the UIDAI audit, your application must adhere to the following security standards. This stub already implements the following:

The "Layman's" Implementation Guide

If you're not a cryptography expert, don't worry! Here is how you connect your website/app to this stub in plain English.

🚀 Step 1: Hide your Keys (ENV Setup)

Think of keys as your ATM PIN. You don't write them in your code; you put them in a "Secret Folder" called .env.

# Your .env file
UIDAI_PRIVATE_KEY_PATH="/var/www/keys/stub_private.pem"
UIDAI_CERT_PATH="/var/www/keys/stub_public.crt"
REDIS_URL="redis://127.0.0.1:6379"

🔄 Step 2: The "Translator" (JSON to XML)

Apps speak JSON (Simple), but UIDAI speaks XML (Complex). Your backend acts as the translator.

JSON Request
XML Formatter
UIDAI Stub

🧠 Step 3: The "Short-term Memory" (Redis)

Getting data from UIDAI is slow/expensive. Once you get the XML response, decrypt it and save it in Redis for 10-15 minutes.

  • Why? If the user refreshes the page, you don't have to ask UIDAI again!
  • How? Store it with a key like kyc_999988887777.

🏁 Step 4: Back to Simple (Final JSON)

Finally, take that complex XML result, turn it back into a simple JSON list (Name, Gender, Photo URL), and send it to your Mobile App.

💡 The Complete Flow Summary:

App (JSON)Backend (Convert to XML)EncryptUIDAI Stub (Process)Receive XMLDecryptSave to RedisReturn JSON to App

Error Code Reference

This stub simulates standard UIDAI error codes. Below are the most common ones you'll encounter during testing.

Auth API Errors (<Info err="">)

Code Meaning Condition (Stub Logic)
0 Success Auth processed successfully
100 Invalid Aadhaar UID not 12 digits
101 Invalid XML Malformed tags or missing blocks
102 Invalid Version ver attribute is not 2.5
105 Invalid Signature Missing or invalid XMLDSig block
122 Biometric Mismatch Returned when force_auth_success is false

e-KYC Response Errors (<Resp err="">)

Code Meaning Trigger
540 Missing Rad The <Rad> element is empty or missing
541 Invalid Version Kyc ver is not 2.5
542 No Consent Resident consent rc is not 'Y'
546 Auth in Rad Failed The Auth XML inside Rad failed basic validation
547 KYC Not Requested Uses pi or pa are not set to 'y'

Configuration Reference

The stub behavior is driven by config.php. You can customize the response data here.

// Example config.php
"force_auth_success" => true,
"force_kyc_success"  => true,
"sample_kyc" => [
    "uid" => "999988887777",
    "name" => "STUB USER",
    "dob" => "1999-01-01",
    "address" => [...]
]