Aadhaar Authentication Basics
https://developer.uidai.gov.in/site/book/export/html/18

This book walks you through Aadhaar authentication basics and helps you test using the sample authentication client, as well as set up a development environment using the source code provided.

Introduction

Aadhaar authentication is the process wherein the Aadhaar Number, along with other attributes, including biometrics, is submitted online to the CIDR for verification on the basis of the information, data or documents available with it.

Aadhaar authentication provides several ways in which a resident can authenticate themselves using the system. At a high level, authentication can be 'Demographic Authentication' and/or 'Biometric Authentication'. During the authentication transaction, the resident's record is first selected using the Aadhaar Number and then the demographic/biometric inputs are matched against the stored data which was provided by the resident during the enrolment/update process. Fingerprints in the input are matched against all stored 10 fingerprints.

Note: In all forms of authentication the Aadhaar Number needs to be submitted so that authentication is reduced to a 1:1 match. In addition, the Aadhaar authentication service only responds with a "yes/no" and no Personal Identity Information (PII) is returned as part of the response.

Aadhaar authentication enables agencies to verify the identity of residents using online and electronic means, where the agency collects the required information from the resident along with the resident's Aadhaar Number and passes the same to UIDAI systems for verification. The Aadhaar authentication service instantly verifies the identity of the resident against the available data in CIDR. Based on the needs of the service, different identifiers could be used along with the Aadhaar Number.
These identifiers could be a combination of biometrics (such as fingerprints, iris impressions) and/or demographic information (such as Name, Date of birth, Address) and/or a secret PIN or OTP number known only to the resident.

Authentication API

The Aadhaar authentication service is exposed as a stateless service over HTTPS. Usage of an open data format in XML and a widely used protocol such as HTTP allows easy adoption and deployment of Aadhaar authentication. To support strong end-to-end security and avoid request tampering and man-in-the-middle attacks, it is essential that encryption of data happens at the time of capture on the capture device.

If you have not read the Aadhaar Authentication Specification (version 1.5 Rev 1) document, it's important that you do now before proceeding!

1 of 26 6/12/2012 10:24 AM

The next few chapters take you through details on running the sample application code, setting up the source code within Eclipse, and usage of test codes and data.

Running Sample Application

UIDAI has created a fully working sample Java client application to help the community rapidly develop applications that use Aadhaar authentication. This application is written in Java and demonstrates various features of Aadhaar authentication. This application is provided on an "AS-IS" basis and should not be considered as supported, production strength software. This chapter covers details about downloading, installing, and running the sample and setting up a development environment with the source code.

Sample Java application (both binary and source code zip files) to test Aadhaar authentication can be downloaded from here.

Running Sample from Distribution

When you download the binary distribution using the download link above, you get "auth-client-bin-1.5.zip". Follow the steps below to install and run the client. These directions are for Windows OS.
If you are using Linux or other OS, you may make appropriate modification to build and run the client.

1. You need Java 1.6 or above installed on your computer and an Internet connection to run this sample.
2. Unzip "auth-client-bin-1.5.zip" into a directory. You will see the following contents.
3. Run "runclient.bat" to run the sample application.
4. In order to use Indian name matching, it is required that the Java apps run in UTF-8 character encoding mode. For that, in Java, the following VM argument has to be passed: "-Dfile.encoding=UTF8". This is already added to the "runclient.bat" file.
5. This opens a command prompt asking for OS type; enter 1 or 2 (based on your OS) and press ENTER.
6. This opens the sample authentication client. See screenshot below.
7. Click "Edit->Preferences" menu to make sure you see the following screen with values. Ensure license key, AUA code, Sub AUA code are as listed under "Testing Data" page.
8. Now you are ready to test!! See "Testing Data" page for details on test data for testing various combinations.
9. Enter "999999990019" in "Aadhaar Number" field and "Shivshankar Choudhury" in the "Name" field. See the following screen.
10. Click "Authenticate" button at the bottom right.
11. You should see a green tick mark within the "Authentication Status" field.
12. If you have issues, first ensure you have followed all steps correctly. If you face network or connection errors, please make sure your Internet connection is working well. If test server (auth.uidai.gov.in) is down or not reachable, try after some time.
13. If nothing works (!), please write to the discussion group.

Developing using Sample

As explained in the previous chapter, a sample Java client with source code is provided to help the community rapidly develop applications that use Aadhaar authentication. This application is written in Java and demonstrates various features of Aadhaar authentication. This application is provided on an "AS-IS" basis and should not be considered as supported, production strength software. This chapter covers details about downloading and setting up a development environment. You can use the source code and set up the environment if you want it in other IDEs and build environments.

Sample Java application (both binary and source code zip files) to test Aadhaar authentication can be downloaded from here.

Setting up Development Environment

When you download the source distribution using the download link above, you get "auth-client-source-1.5.zip". Follow the steps below to set up the client as a development environment. These directions are for Windows OS. If you are using Linux or other OS, you may make appropriate modification to the instructions below.

1. You need Java 1.6.20 or above, Apache Maven 2.2.1 or above, and Eclipse Java IDE installed on your computer to set up the environment based on this page.
2. Unzip "auth-client-source-1.5.zip" into a directory. You should now see a directory named "auth-client-source-1.5" there.
3. Navigate to "auth-client-source-1.5" directory. You should see the following listing.
4. Within "Command Prompt", change directory ("cd") to "auth-client-source-1.5".
5. Run "mvn eclipse:eclipse" command. If "Maven\bin" is not in path, please add it. Otherwise the "mvn" command will not run.
6. You should see a "Build Successful" message like below.
7. Launch Eclipse and create a new workspace (or use the current workspace if you prefer).
8. Choose "File->Import" menu. This launches an import dialog.
9. Choose "Existing Projects into Workspace" option and click "Next".
10. Click "Browse" button next to "Select Root Directory".
11. Navigate to "auth-client-source-1.5" and select the directory.
12. This will list 4 projects - "uidai-auth-client", "uidai-auth-xsd-model", "uidai-biometric-integration-api", and "uidai-samplegui-app".
13. Make sure all projects are selected. See screen below.
14. Click "Finish" to import all 4 projects into the workspace.
15. If you have a project that provides a biometric integration API implementation, you will have to add it to the class path of the "uidai-sample-gui-app" project. Also, in SampleClientMainFrame.java, update the value of the field biometricAPIImplementationClass to the value of the class that implements the API.
16. Select "SampleClientMainFrame.java" under project "uidai-sample-gui-app" (src/main/java/in/gov/uidai/auth/sampleapp folder) and choose "Run->Run Configurations" menu or click "Run" icon on toolbar and choose "Run Configurations".
17. Within the "Run Configurations" dialog, click "New Launch Configuration" icon on the left top corner within the dialog. This creates a new default run configuration for the sample application.
18. In order to use Indian name matching, it is required that the Java apps run in UTF-8 character encoding mode. For that, in Java, the following VM argument has to be passed: "-Dfile.encoding=UTF8". Add this to VM arguments.
19. Click "Run" button on the bottom right within the "Run Configuration" dialog to run the application. You should see the sample application GUI window.
20. Choose "Edit->Preferences" menu option and ensure you choose the appropriate path for the public key file and keystore file (they are available under "auth-client-source-1.5\uidai-auth-client\src\main\resources" folder). Ensure license key, AUA code, Sub AUA code are as listed under "Testing Data" page.
21. Enter "999999990019" in "Aadhaar Number" field and "Shivshankar Choudhury" in the "Name" field. Additional data is available on "Testing Data" page. See the following screen.
22. Click "Authenticate" button at the bottom right.
23. You should see a green tick mark within the "Authentication Status" field.
24. If you have issues, first ensure you have followed all steps correctly. If you face network or connection errors, please make sure your Internet connection is working well. If test server (auth.uidai.gov.in) is down or not reachable, try after some time.
25. If nothing works (!), please write to the discussion group.

Testing Data

Test Codes

Test URLs: (remember to append AUA code and first two digits of Aadhaar number)

Auth URL - http://auth.uidai.gov.in/auth/1.6/<aua-code>/<1st-digit-of-uid>/<2nd-digit-of-uid>/
BFD URL - http://auth.uidai.gov.in/bfd/1.6/<aua-code>/<1st-digit-of-uid>/<2nd-digit-of-uid>/
OTP URL - http://auth.uidai.gov.in/otp/1.6/<aua-code>/<1st-digit-of-uid>/<2nd-digit-of-uid>/

Test Codes:

AUA Code ("ac" attribute) : "public"
Sub-AUA Code ("sa" attribute) - "public"
License Key ("lk" attribute) : You can use any of the following license keys given below. Binary distribution of sample client is shipped with the first one below.
    "MKg8njN6O+QRUmYF+TrbBUCqlrCnbN/Ns6hYbnnaOk99e5UGNhhE/xQ=" - allows usage of PI, PA, PFA, BIO-FMR, BIO-FIR, BIO-IIR, OTP, PIN, Indian Language
ASA License key for testing - MMZS5K8bEkGWFQe6y_ruBu9tFR2yQFQkqmECCpp9veRawhue1oGpa4s
Public key certificate - See chapter on certificates (remember to use Staging/Test certificate for testing and production certificate for production)
Keystore for digital signature for "public" AUA - Keystore in p12 file format (keystore Password: "public", Alias: "public")

Test Data

Note: Following data are purely for testing and are not of real residents. Any resemblance to real people is purely coincidental! Neither Aadhaar numbers nor demographic/biometric data are real and are ONLY available in test system. If you have your own Aadhaar number (real one) then you can use that to test too.

Sample biometric data given below is "base 64" encoded. Just add the encoded string to "bio" element (remove the newline when you are cutting the data). ALL TEST RECORDS HAVE SAME BIOMETRIC.

bio=Rk1SACAyMAAAAADkAAgAyQFnAMUAxQEAAAARIQBqAGsgPgCIAG0fRwC2AG2dSQBVAIUjPABuALShMgCxAL0jMAByAM6lPgCmAN2
kQQBwAN8qNAB1AN8mPADJAOcgOQA8AOorNABoAOomOQC+AO2fMQDFAPqlSgCvAP8lRQB8AQuhPABwAQ4fMgB7ASqcRADAAS4iNwCkAT
MeMwCFATYeNwBLATYwMQBWATcoMQCkATecMQBEATwyMgBJAUciQQCkAU8cNQB9AVQWNgCEAVUVRACoAVgYOgBBAV69NgCsAWeYNwAA

Following are the test UIDs and their demographic data. All of them have same bio record as given above.

uid=999999990019
name=Shivshankar Choudhury
dob=13-05-1968
dobt=V
gender=M
phone=2810806979
email=sschoudhury@dummyemail.com
street=12 Maulana Azad Marg
vtc=New Delhi
subdist=New Delhi
district=New Delhi
state=New delhi
pincode=110002

uid=999999990026
name=Kumar Agarwal
dob=04-05-1978
dobt=A
gender=M
phone=2314475929
email=[email protected]
building=IPP, IAP
landmark=Opp RSEB Window
street=5A Madhuban
locality=Veera Desai Road
vtc=Udaipur
district=Udaipur
state=Rajasthan
pincode=313001

uid=999999990042
name=Fatima Bedi
dob=30-07-1943
dobt=A
gender=F
phone=2837032088
email=bedi2020@mailserver.com
building=K-3A Rampur Garden
vtc=Bareilly
district=Bareilly
state=Uttar Pradesh
pincode=243001

uid=999999990057
name=Rohit Pandey
dob=08-07-1985
dobt=A
gender=M
phone=2821096353
email=[email protected]
building=603/4 Vindyachal
street=7TH Road Raja Wadi
locality=Neelkanth Valley
poname=Ghatkopar (EAST)
vtc=Mumbai
district=Mumbai
state=Maharastra
pincode=243001

uid=999922220032
name=Anisha Jay Kapoor
gender=F
dob=01-01-1982
dobt=V
building=2B 203
street=14 Main Road
locality=Jayanagar
district=Bangalore
state=Karnataka
pincode=560036

uid=999922220013
name=Nitin Kumar Dixit
gender=M
dob=02-03-1972
dobt=V
building=1190/4
street=5th Cross, 26th Main
locality=JP Nagar, phase 1
district=Bangalore
state=Karnataka
pincode=560078

uid=999922220021
name=Swamynathan Srini
gender=M
dob=23-01-1947
dobt=V
building=34-2
street=K G Lane
locality=Sarjapur Area
district=Bangalore
state=Karnataka
pincode=560035

uid=999922220045
name=John Alex Doe
gender=M
dob=12-09-1973
dobt=V
building=78 Block D
street=Sarjapura Road
locality=Sarjapura
district=Bangalore
state=Karnataka
pincode=560081

uid=999922220050
name=Ali Akbar
gender=M
dob=14-10-1962
dobt=V
building=34
street=Raj Main Street
locality=K R puram
district=Bangalore
state=Karnataka
pincode=560078

uid=999922220066
name=Amy John
gender=F
dob=11-07-1987
dobt=V
building=A303
street=14th Cross
locality=BTM II Layout
district=Bangalore
state=Karnataka
pincode=560035

uid=999922220078
name=Kishore Shah
gender=M
dob=21-05-1987
dobt=V
building=23 Level 1
street=Church Street
locality=Central Area
district=Bangalore
state=Karnataka
pincode=560076

Certificate Details

Aadhaar authentication requires the identity data of the resident within the XML (PID block) to be encrypted. The AES-256 session key is encrypted using UIDAI's 2048-bit public key. This page contains all certificates available for the ecosystem.

Production Public Key Certificates

Note: Latest production public key certificate will always be available under link https://developer.uidai.gov.in/site/sites/default/files/uidai_auth_prod.cer

Following table lists out all production public key certificates issued so far with their expiry date.

Certificate Detail              Expiry Date
uidai_auth_prod.cer (latest)    22 Sept 2015

Staging/Testing Public Key Certificates

Note: Latest staging/testing public key certificate will always be available under link https://developer.uidai.gov.in/site/sites/default/files/uidai_auth_stage.cer

Following table lists out all staging/testing public key certificates issued so far with their expiry date.

Certificate Detail              Expiry Date
uidai_auth_stage.cer (latest)   3 Oct 2013

Developing in C/C++

NOTE: This code is contributed by Geodesic team and is available on as-is basis.

A sample C client with source code is provided to help the community rapidly develop applications that use Aadhaar authentication. This sample application is written in C for the GeoAmida device and it demonstrates various features of Aadhaar authentication. This application is provided on an "AS-IS" basis and should not be considered as supported, production strength software. This chapter covers details about downloading and setting up a development environment.

Sample C application to test Aadhaar authentication can be downloaded from here.

Setting up Development Environment

When you download the source distribution from the link above, you get "c-auth-client-source-1.5.zip". Please follow the steps below to set up the client as a development environment. These directions are for Linux OS and ARM devices. If you are using Windows or other OS, you may make appropriate modification to the instructions below.

1. Unzip "c-auth-client-source-1.5.zip" into a directory. You should now see a directory named "c-auth-client-source-1.5" there.
2. Navigate to "c-auth-client-source-1.5" directory. You should see the following listing.
3. Dependency Libraries: libxml >= 2.7.6, openssl >= 0.9.8. Digital Signature Generation requires additional libraries: libXslt >= 1.1.24, libxmlsec1 >= 1.2.9.
4. The below DEFINES values need to be modified before compiling:
    LICENCE_KEY
    UIDAI_PUBLIC_CERITIFICATE
    AUA_PRIVATE_CERTIFICATE - Required for Digital Signature
5. Auth Xml API documentation is available under the doc folder.
6. You may use any editor tool (Eclipse, emacs or vim) installed on your development machine and set up the environment variable LD_LIBRARY_PATH in order to find libraries.
7. Within "Command Prompt", change directory ("cd") to "c-auth-client-source-1.5".
8. A sample Makefile is included in the build for Geoamida and gcc version. During compilation, if the "-D XML_SECURITY" flag is set, then the Digital Signature will be created along with the Auth Xml.

    CC = arm-xscale-linux-gnueabi-gcc
    CFLAGS = -D__XMLSEC_FUNCTION__=__FUNCTION__ -DXMLSEC_NO_XSLT=1 -DXMLSEC_NO_XKMS=1 -DXMLSEC_CRYPTO_DYNAMIC_LOADING=1 -DXMLSEC_CRYPTO=\"openssl\" -DUNIX_SOCKETS -D XML_SECURITY
    LDFLAGS = -lwebcam -lbiometric -lautils -lxml2 -lcurl -lcrypto -lanet -lxmlsec1 -g

9. On a successful make, you should see the executable file AuthClient.
10. Run AuthClient. It will generate Auth-XML.

API Error Handling

This page provides guidelines for handling API errors within the application. While developing applications, AUAs need to decide how to handle the errors gracefully and provide resident/operator friendly messages. Simply showing the error on screen is not helpful. This document is an attempt to provide guidelines for doing better error handling.

Following table describes API error codes, suggestion for how to handle it, possible message to user, and probable reasons for the error. Each entry below gives: API Error Code and Description, Provision Required in the Application, Suggested Message to the User, Suggested instructions to the user, Probable Reasons.

100 - “Pi” (basic) attributes of demographic data did not match
    Provision required in the application: User should be allowed to re-enter his/her personal information attributes like name, lname, gender, dob, dobt, age, phone, email, whichever is used for authentication in application.
    Suggested message to the user: Please re-enter your <name, lname, gender, dob, dobt, age, phone, email>.
    Suggested instructions to the user: Operator should re-enter correct details personal information as per the Aadhaar letter. Ensure correct Aadhaar Information is entered.
    Probable reasons: One or more personal information attributes not matching.

200 - “Pa” (address) attributes of demographic data did not match
    Provision required in the application: User should be allowed to re-enter his/her personal address attribute like co (care of), house, street, lm (land mark), loc (locality), vtc, subdist, dist, state, pc (postal pin code), po (post office), whichever is used for authentication in application.
    Suggested message to the user: Please re-enter your <co (care of), house, street, lm (land mark), loc (locality), vtc, subdist, dist, state, pc (postal pin code), po (post office)>.
    Suggested instructions to the user: Operator should re-enter correct details personal information as per the Aadhaar letter. Ensure correct Aadhaar Information is entered.
    Probable reasons: One or more personal address attributes not matching.

300 - Biometric data did not match
    Provision required in the application: User should be allowed to give his finger prints “n” number of times. N should be configurable and should be set as per application requirement. (E.g. For Banking Applications it can be set at a maximum of 5 times)
    Suggested message to the user: Please give your finger prints again.
    Suggested instructions to the user: Ensure correct Aadhaar number is entered and try authenticating again with another finger; ensure finger is placed correctly; ensure fingers are clean; ensure finger is not very dry; ensure fingerprint scanner is clean. After repeated failure, if the resident is genuine, exception handling provision would need to be followed to provide service. Please contact UIDAI helpdesk to inform about the issue and to understand the steps for the updation of the biometric information in CIDR.
    Probable reasons: Finger print is not given properly, scanner has some dust accumulated, fingers were wet, position of finger not appropriate, scanned finger NFIQ not good.

310 - Duplicate fingers used
    Provision required in the application: Application should prompt user to try again with distinct fingers.
    Suggested message to the user: Please try again with distinct fingers.
    Suggested instructions to the user: Operator should ensure that the resident is providing distinct fingers (two different fingers) for “two finger” authentication.
    Probable reasons: Error occurs when same finger is sent as two or more separate records within same request. For two-finger auth, if resident puts same finger again, then this happens.

311 - Duplicate Irises used
    Provision required in the application: Application should prompt user to try again with distinct irises.
    Suggested message to the user: Please try again with distinct irises.
    Suggested instructions to the user: Operator should ensure that the resident is providing distinct irises (two different irises) for authentication.
    Probable reasons: Error occurs when same iris is sent as two or more separate records within same request.

312 - FMR and FIR cannot be used in same transaction
    Provision required in the application: Application should ensure that authentication request does not mix FMR and FIR in the same transaction, e.g. in case of two finger authentication, data for two distinct fingers should either be sent in FMR format or in FIR format.
    Suggested message to the user: Technical Exception <No>
    Suggested instructions to the user: Contact technical helpdesk.
    Probable reasons: Auth packet cannot mix fingerprint "image" records (FIR) and fingerprint "minutiae" records (FMR). AUA app should choose either one or another. FMR is recommended.

313 - Single FIR record contains more than one finger
    Provision required in the application: Application should prompt user to try again by placing single finger.
    Suggested message to the user: Please try again by placing Single finger on the authentication device.
    Suggested instructions to the user: Operator should ensure that the resident is providing single finger for authentication.
    Probable reasons: As per ISO spec, one FIR can contain one or more finger images within itself (like slap, etc). UIDAI currently supports single finger record only. If there is a requirement to send 2 fingers, 2 different biometric records should be sent.

314 - Number of FMR/FIR should not exceed 10
    Provision required in the application: Application should ensure that one auth request should not contain more than 10 FMR/FIR records.
    Probable reasons: Auth Request has more than 10 finger records.

315 - Number of IIR should not exceed 2
    Provision required in the application: Application should ensure that one auth request should not contain more than 2 IIR records.
    Probable reasons: Auth Request has more than 2 iris records.

400 - "Tkn" validation failed
    Provision required in the application: Application should derive the value of tkn (currently only mobile number) from network. This element is meant for self-service transactions on mobile (SMS/USSD, etc) where AUA derives the mobile number from the network provider and passes it on as part of API to use it as a factor.
    Probable reasons: Provided "Tkn” details are not matching with registered values in CIDR.

401 - "OTP" validation failed
    Provision required in the application: Application should have provision for allowing user to provide OTP value again and after some retries (configurable) option to generate OTP again.
    Suggested message to the user: Please provide correct OTP value.
    Suggested instructions to the user: If there are repeated failures user is advised to generate new OTP and send the authentication request using the new OTP.
    Probable reasons: Incorrect OTP value is entered. Input not matching with the value in CIDR.

500 - Invalid Skey encryption
    Provision required in the application: Application should not have hard coded digital certificate information. It should be configurable.
    Suggested message to the user: Technical Exception <No>. Note: Application can throw Auth API error code number on screen. So that contact centre or application support helpline can understand the reason.
    Suggested instructions to the user: Contact technical helpdesk.
    Probable reasons: Use of wrong digital certificate for encryption of AES-256 Key (session key).

501 - Invalid value for “ci” attribute in “Skey” element
    Provision required in the application: Application should not have hard coded “ci” attribute value. It should be configurable.
    Suggested message to the user: Technical Exception <>
    Suggested instructions to the user: Ensure that expiry date of UIDAI certificate used for encryption of Skey is specified as “ci” value.

502 - Invalid Pid Encryption
    Provision required in the application: Application should do extensive testing using UIDAI Test Auth Service to ensure compliance with auth API.
    Suggested message to the user: Technical Exception <No>
    Suggested instructions to the user: Ensure that correct AES encryption has been used. Ensure that AES key used for encryption of “Pid” XML was encrypted and specified as value for Skey.

503 - Invalid HMac encryption
    Provision required in the application: Application should do extensive testing using UIDAI Test Auth Service to ensure compliance with auth API.
    Suggested message to the user: Technical Exception <No>
    Suggested instructions to the user: Ensure that correct AES encryption has been used. Ensure that AES key used for encryption of “Hmac” was encrypted and specified as value for Skey. Ensure that same AES key is used for encryption of Pid and Hmac.

504 - Session key re-initiation required due to expiry or key out of sync
    Provision required in the application: Application should have a provision to send full session key and initiate a new session in case of such failure.
    Suggested message to the user: Technical Exception <No>
    Suggested instructions to the user: Please try again.
    Probable reasons: When Synchronized Session Key scheme is used, this can happen if either session is expired (currently configured to max 4 hrs) or if the key goes out of sync.

505 - Synchronized Skey usage is not allowed
    Provision required in the application: Application should use full skey.
    Suggested message to the user: Technical Exception <No>
    Suggested instructions to the user: Switch to full skey scheme.
    Probable reasons: This happens when AUA does not have privilege to use SSK scheme.

510 - Invalid Auth XML format
    Provision required in the application: Application Authentication request should comply to Authentication API latest version and application should validate its structure before sending it to CIDR for authentication.
    Suggested message to the user: Technical Exception <No>
    Suggested instructions to the user: Please ensure that the latest recommended API is used for application development. Refer UIDAI website for the latest version of API. If this does not resolve the issue then please contact technical helpdesk.
    Probable reasons: Non compliance with supported Authentication API version structure in CIDR.

511 - Invalid PID XML format
    Provision required in the application: Application Authentication request should comply to PID XML format defined in Authentication API latest version and structural validation should be done before encryption of PID XML.
    Suggested message to the user: Technical Exception <No>
    Suggested instructions to the user: Please ensure that the latest recommended API is used for application development. Refer UIDAI website for the latest version of API. If this does not resolve the issue then please contact technical helpdesk.
    Probable reasons: Non compliance with supported Authentication API version structure in CIDR.

520 - Invalid device
    Provision required in the application: Application should ensure that “tid” attribute in Auth XML has value “public”.
    Suggested message to the user: Technical Exception <No>
    Probable reasons: Using any other value other than “public” (all lower case, no spaces or special char) will result in this error.

521 - Invalid Finger device (fdc in Meta element)
    Provision required in the application: Application should obtain proper code from fingerprint sensor vendor and use it.
    Suggested message to the user: Technical Exception <No>
    Probable reasons: FDC codes are assigned as part of certification and application developer should use proper fdc code given by the fingerprint sensor/extractor vendor.

522 - Invalid Iris device (idc in Meta element)
    Provision required in the application: Application should obtain proper code from iris sensor vendor and use it.
    Suggested message to the user: Technical Exception <No>
    Probable reasons: IDC codes are assigned as part of certification and application developer should use proper idc code given by the iris sensor/extractor vendor.

530 - Invalid authenticator code
    Provision required in the application: Application should pass valid AUA code in authentication request which is registered with UIDAI. Value of this code should be configurable.
    Suggested message to the user: Technical Exception <No>
    Probable reasons: AUA code used in Authentication request is not valid, or AUA code used in the Auth URL is not same as the AUA code used in the Auth XML.

540 - Invalid Auth XML version
    Provision required in the application: Application should pass supported valid API version in authentication request. Value of this should be configurable.
    Suggested message to the user: Technical Exception <No>
    Probable reasons: API version used in Auth XML (Authentication request) is either not supported or invalid.

541 - Invalid PID XML version
    Provision required in the application: Application should pass supported valid API PID XML version in authentication request. Value of this should be configurable.
    Suggested message to the user: Technical Exception <No>
    Probable reasons: Version of the “Pid” element used in the PID XML (Authentication request) is either not supported or invalid.

542 - AUA not authorized for ASA
    Provision required in the application: Application should ensure link is in place between AUA-ASA before sending request to CIDR.
    Suggested instructions to the user: Ensure the authentication request is being sent through the authorized ASA as per the records of UIDAI, or please contact UIDAI helpdesk to report the issue and to understand further steps for the updation of ASA-AUA linkage.
    Probable reasons: This error will be returned if AUA and ASA do not have linking in the portal.

543 - Sub-AUA not associated with “AUA”
    Provision required in the application: Application should ensure Sub-AUA is added and associated with correct AUA before sending request to CIDR.
    Suggested instructions to the user: Ensure the authentication request is being sent through the associated AUA as per the records of UIDAI, or please contact UIDAI helpdesk to report the issue and to understand further steps for the updation of ASA-AUA linkage.
    Probable reasons: This error will be returned if Sub-AUA specified in “sa” attribute is not added as “Sub-AUA” in portal.

550 - Invalid “Uses” element attributes
    Provision required in the application: Application should use valid attributes defined in API for <Uses> tag and validation on Auth request should be done before sending request to CIDR.
    Suggested message to the user: Technical Exception <No>
    Probable reasons: Invalid attributes used in Uses tag. This error is typically reported if “bt” attribute has been specified but bio=”n” in Uses element. “bt” attribute is required only if bio=”y” in Uses element.

561 - Request expired (“Pid->ts” value is older than N hours where N is a configured threshold in authentication server)
    Provision required in the application: AUA application should not store Pid block and in case of application which are using thick client there should be a provision to sync up date with server at start.
    Suggested message to the user: 1. In case of Device/Client based Application: a. Either device date/time is behind current date/time or request is old. Please try again. 2. In case of web based Application: a. Technical Exception <No>
    Suggested instructions to the user: Please verify that the device/client date/time is synchronised with Indian Standard Time (IST) and resend the authentication request.
    Probable reasons: Either Device/Client/Server date/time is behind current one or old stored pid is getting sent.

562 - Timestamp value is future time (value specified “Pid->ts” is ahead of authentication server time beyond acceptable threshold)
    Provision required in the application: AUA application should not store Pid block and in case of application which are using thick client there should be a provision to sync up date with server at start.
    Suggested message to the user: 1. In case of Device/Client based Application: a. Either device date/time is ahead current date/time or request is old. Please try again. 2. In case of web based Application: a. Technical Exception <No>
    Suggested instructions to the user: Please verify that the device/client date/time is synchronised with Indian Standard Time (IST) and resend the authentication request.
    Probable reasons: Device/Client/server date/time is ahead than current date/time.

563 - Duplicate request (this error occurs when exactly same authentication request was re-sent by AUA)
    Provision required in the application: Application should ask user to try again.
    Suggested message to the user: Please submit your request again.
    Suggested instructions to the user: User is required to send the authentication request once again.
    Probable reasons: If same “Auth XML” is sent more than once to server, then, 2nd and subsequent requests will fail with this error.

564 - HMAC Validation failed
    Provision required in the application: Application should create HMAC using SHA-256.
    Suggested message to the user: Technical Exception <No>
    Probable reasons: HMAC is not calculated using API defined algorithm.

565 - License key has expired
    Provision required in the application: Application should have a configurable License key management feature through which one can manage Key without changing application.
    Suggested message to the user: Technical Exception <No>
    Probable reasons: Current License has expired.

566 - Invalid license key
    Provision required in the application: Application should have a License key management feature through which one can manage Key without changing application.
    Suggested message to the user: Technical Exception <No>
    Probable reasons: License key used in application is invalid.

567 - Invalid input (this error occurs when some unsupported characters were found in Indian language values, “lname” or “lav”)
    Provision required in the application: Application should have client/server level checks to stop users to input unsupported characters.
    Suggested message to the user: Technical Exception <No>
    Probable reasons: Some unsupported characters were found in Indian language values, “lname” or “lav” in Auth request XML.

568 - Unsupported Language
    Provision required in the application: Application should have client/server level checks to restrict users to only select language from API supported local Language.
    Suggested message to the user: Technical Exception <No>
    Probable reasons: Value of “lang” attribute is not from the list supported by authapi.

569 - Digital signature verification failed (this means that authentication request XML was modified after it was signed)
    Provision required in the application: Application should ensure security of data end to end, i.e. from client/device to CIDR server, by using appropriate communication protocol.
    Suggested message to the user: Technical Exception <No>
    Probable reasons: Authentication request XML was modified after it was signed.

570 - Invalid key info in digital signature (this means that certificate used for signing the authentication request is not valid – it is either expired, or does not belong to the AUA or is not created by a well-known Certification Authority)
    Provision required in the application: Application should have an independent module for signing Auth XML and certificate should be stored and managed outside of the application.
    Suggested message to the user: Technical Exception <No>
    Probable reasons: Certificate used for signing the authentication request is not valid – it is either expired, or does not belong to the AUA or is not created by a well-known Certification Authority.

571 - PIN Requires reset (this error will be returned if resident is using the default PIN which needs to be reset before usage)
    Suggested message to the user: Please reset your PIN in UIDAI updation application and use new PIN in this application.
    Suggested instructions to the user: Please change your default PIN through UIDAI updation client and resend your authentication request.
    Probable reasons: This error will be returned if resident is using the default PIN which needs to be reset before usage.

572 - Invalid biometric position (This error is returned if biometric position value - “pos” attribute in “Bio” element - is not applicable for a given biometric type - “type” attribute in “Bio” element.)
    Provision required in the application: Application should have client level validation to check “type” and corresponding valid “pos” values before creating PID block.
    Suggested message to the user: Technical Exception <no>
    Probable reasons: This error is returned if biometric position value - “pos” attribute in “Bio” element - is not applicable for a given biometric type - “type” attribute in “Bio” element.

Technical Exception <No> FMR usage not allowed as per license

577 - FIR usage not allowed as per license
    Provision required in the application: Application can have a client level check to restrict/allow entry of “FIR” attribute as per license of AUA.
Technical Exception <No> Pa usage not allowed as per license 575 Pfa usage not allowed Application can have a as per license client level check to restrict/allow entry of “pfa” attribute as per license of AUA. Technical Exception <No> PIN usage not allowed as per license 22 of 26 6/12/2012 10:24 AM .gov. Technical Exception <No> IIR usage not allowed as per license 579 OTP usage not Application can have a allowed as per license client level check to restrict/allow entry of “OTP” attribute as per license of AUA. Pi usage not allowed as per license 574 Pa usage not allowed as per license Application can have a client level check to restrict/allow entry of “pa” attribute as per license of AUA. Technical Exception <No> OTP usage not allowed as per license 580 PIN usage not Application can have a allowed as per license client level check to restrict/allow entry of “PIN” attribute as per license of AUA.Aadhaar Authentication Basics https://developer. Technical Exception <No> FIR usage not allowed as per license 578 IIR usage not allowed Application can have a as per license client level check to restrict/allow entry of “IIR” attribute as per license of AUA.uidai. Technical Exception <No> Pfa usage not allowed as per license 576 FMR usage not Application can have a allowed as per license client level check to restrict/allow entry of “FMR” attribute as per license of AUA.in/site/book/export/html/18 573 Pi usage not allowed as per license Application should have Technical a configurable business Exception <No> rule which can restrict the usage of Pi attribute based on AUA license authorization. gov.Aadhaar Authentication Basics https://developer. Technical Exception <No> 720 Missing “Pa” data as specified in “Uses” Same as 710 Technical Exception <No> Missing “Pa” data as specified in “Uses” 721 Missing “Pfa” data as Same as 710 specified in “Uses” Technical Exception <No> Missing “Pfa” data as specified in “Uses” 23 of 26 6/12/2012 10:24 AM . 
this error occurs Missing “Pi” data as specified in “Uses” 585 Invalid Geo code in Meta element Geo code value must be a valid lat. pa and pfa element as per license of AUA.uidai. pa and pfa element as per license of AUA. Technical Exception <No> Local language usage not allowed as per license 584 Invalid Pin code in Meta element Pincode should have a valid value (in lov attribute) Technical Exception <No> If pincode value is not one of the valid values in UIDAI system. Technical Exception <No> Fuzzy matching usage not allowed as per license 582 Local language usage not allowed as per license Application can have a client level check to restrict/allow entry of local language attribute in pi.long value in Technical Exception <No> decimal format as per spec (in lov attribute) 710 Missing “Pi” data as specified in “Uses” Application should validate pid block before encrypting data with API specified PID block structure and “Uses” element attributes values to ensure PID block have all the elements and attributes.in/site/book/export/html/18 581 Fuzzy matching usage Application can have a not allowed as per client level check to license restrict/allow entry of “ms” attribute in pi. this error occurs If geo code does not have proper format as per spec (decimal representation with porecision upto 4 decimal values for lat and long). Client level validation should also be put to check all mandatory and conditional fields of API XML. Please contact UIDAI helpdesk to inform about the issue and to understand the steps for the updation of biometric information in CIDR. entered and try authenticating again. exception handling provision would need to be followed to provide service. 
if the resident is genuine.in/site/book/export/html/18 730 Missing PIN data as specified in “Uses” Same as 710 Technical Exception <No> Missing PIN data as specified in “Uses” 740 Missing OTP data as specified in “Uses” Same as 710 Technical Exception <No> Missing OTP data as specified in “Uses” 800 Invalid biometric data AUA to review biometric device being used and whether templates are ISO compliant. Technical Exception <No> FMR value is not ISO compliant – bad header or other issue with templates. or templates could not be extracted for the given FIR/IIR for matching purposes. initiate BFD application detection so kindly specifications for Resident has not done “Best Finger Detection”. FIR/IIR value is not compliant. 812 Resident has not done Application should You have not done Refer Aadhaar Best “Best Finger make provison to best finger Detection API Detection”.uidai. 810 Missing biometric data as specified in “Uses” Same as 710 Technical Exception <No> Missing biometric data as specified in “Uses” 811 Missing biometric data in CIDR for the given Aadhaar number Your Biometric Ensure correct data is not Aadhaar number is available in CIDR. 24 of 26 6/12/2012 10:24 AM .gov. After repeated failure.Aadhaar Authentication Basics https://developer. Pa. Pfa.in/site/book/export/html/18 Application should initiate BFD application to help resident identify their best fingers. then. 910 Invalid “mv” value in the “Pi” element Same as 710 Technical Exception <No> 911 Invalid “mv” value in the “Pfa” element Same as 710 Technical Exception <No> 912 Invalid “ms” value Same as 710 Technical Exception <No> 25 of 26 6/12/2012 10:24 AM . Hence. or the age of resident is not in valid range) Application should have a client level check to check dob date format and age business rules specified (Current Rule is that age should not be less than 0 and greater than 150 years) Please enter dob in specified date format or enter age in specified range.uidai. 
proceed with the BFD process for successful authentication. “dob” attribute is not of the format “YYYY” or “YYYY-MM-DD”. 902 Invalid “dob” value in the “Pi” element (this corresponds to a scenarios wherein “dob” attribute is not of the format “YYYY” or “YYYYMM-DD”. or Bios – is present) Technical Application should Exception <No> validate that User giveatleast one auth factor before encryption of PID block. 820 Missing or empty value for “bt” attribute in “Uses” element Same as 710 Technical Exception <No> Missing or empty value for “bt” attribute in “Uses” element 821 Invalid value in the “bt” attribute of “Uses” element Same as 710 Technical Exception <No> Invalid value in the “bt” attribute of “Uses” element 901 No authentication data found in the request (this corresponds to a scenario wherein none of the auth data – Demo. Re-enter the date of birth or age and resend a new authentication request. See Aadhaar Best Finger Detection API specification. details on the BFD process. All factors of Auth are optional. or the age of resident is not in valid range. based on the error code to help resident identify their best fingers.gov. Pv. it is possible to attempt an auth without specify any values for any of the factors – Pi. If none of these elements have any value that can be used for authentication purposes.Aadhaar Authentication Basics https://developer. Bio or Pv. this error will be reported. uidai.gov. Can be used in future.in/site/book/export/html/18 913 Both “Pa” and “Pfa” Same as 710 are present in the authentication request (Pa and Pfa are mutually exclusive) Attempt to use Pa and Pfa both in the same request can result in this error. 26 of 26 6/12/2012 10:24 AM . 930-939 Technical error that are internal to authentication server AUA/ASA should call UIDAI tech support. OTP did not match. Exception <No> UID number is wrong or if OTP was used. 
Technical Exception <No> 980 Unsupported option AUA to review the auth Technical client to check whether Exception <No> any dev feature is being used in prod Currently this error is not reported. 999 Unknown error User to ensure that UID Technical number is correct. Technical Exception <No> UIDAI server side issues. 940 Unauthorized ASA channel AUA should consult ASA. Technical Exception <No> 941 Unspecified ASA channel AUA should consult ASA. UIDAI tech support to review the scenario and take appropriate action.Aadhaar Authentication Basics https://developer.
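
Several rows of the error table above ask for client-level validation before the PID block is encrypted (codes 550, 820, 901, 902, 913) and for a clock check against stale or future “Pid->ts” values (561, 562). The following is an added example of such a pre-flight check and is not part of UIDAI's sample client; the class, record and field names are hypothetical, the two time thresholds are assumed values (the page only says they are configured on the authentication server), and it needs Java 16 or later for records.

```java
import java.time.*;
import java.time.format.DateTimeParseException;
import java.util.*;

public class AuthPreflight {
    // Assumed thresholds: the page only says "N hours" and "acceptable threshold".
    static final Duration MAX_AGE = Duration.ofHours(24);
    static final Duration MAX_SKEW = Duration.ofMinutes(5);

    /** Hypothetical, simplified view of one request before the PID block is encrypted. */
    record Req(String bio, String bt, Set<String> factors, String dob, Integer age, Instant pidTs) {}

    /** Returns the error codes from the table that this request would trigger. */
    static List<Integer> check(Req r, Instant now) {
        List<Integer> codes = new ArrayList<>();
        boolean hasBt = r.bt() != null && !r.bt().isEmpty();
        if ("y".equals(r.bio()) && !hasBt) codes.add(820);   // bt is required when bio="y"
        if (!"y".equals(r.bio()) && hasBt) codes.add(550);   // bt specified although bio="n"
        if (r.factors().isEmpty()) codes.add(901);           // none of Pi, Pa, Pfa, Bio, Pv
        if (r.factors().contains("Pa") && r.factors().contains("Pfa")) codes.add(913);
        boolean ageBad = r.age() != null && (r.age() < 0 || r.age() > 150);
        if (!dobOk(r.dob()) || ageBad) codes.add(902);
        if (r.pidTs().isBefore(now.minus(MAX_AGE))) codes.add(561);  // stored or replayed Pid block
        if (r.pidTs().isAfter(now.plus(MAX_SKEW))) codes.add(562);   // client clock ahead of server
        return codes;
    }

    /** Accepts only "YYYY" or a real calendar date in "YYYY-MM-DD". */
    static boolean dobOk(String dob) {
        if (dob == null) return true;                 // dob is optional
        if (dob.matches("\\d{4}")) return true;
        try { LocalDate.parse(dob); return true; }    // ISO parser is strict: rejects 1981-02-29
        catch (DateTimeParseException e) { return false; }
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2012-06-12T04:54:00Z");   // constructed sample clock
        // Constructed sample requests, not real data.
        Req good = new Req("y", "FMR", Set.of("Bio"), "1980-02-29", null, now.minusSeconds(60));
        Req bad = new Req("n", "FMR", Set.of("Pa", "Pfa"), "1981-02-29", 151,
                          now.minus(Duration.ofHours(30)));
        System.out.println("good: " + check(good, now));
        System.out.println("bad:  " + check(bad, now));
    }
}
```

Rejecting a stale “Pid->ts” on the client does not replace the server-side checks for 561 and 563; it only stops a stored Pid block from being resent by mistake.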