
Get Aadhaar XML Data

Fetch Aadhaar XML from DigiLocker after the user completes OAuth. Requires your API Bearer token and the DigiLocker AccessToken from the completed flow.

API reference

Authorization: Bearer <token>

JWT Bearer token authentication. Obtain a token from the KwikID dashboard.

In: header

Header Parameters

AccessToken (string)

DigiLocker access token for this user after the OAuth flow completed. Not the same value as the Verification API Bearer token. Obtained from the completed DigiLocker journey server-side as documented for follow-up calls after Init.

Format: string

Empty Object

Response Body

curl -X POST "https://__mock__/verification/v2/digilocker/get_aadhaar_xml" \
  -H "Authorization: Bearer <token>" \
  -H "AccessToken: string" \
  -H "Content-Type: application/json" \
  -d '{}'

{
  "aadhaar_xml": "string"
}
{
  "detail": {},
  "message": "string"
}
{
  "detail": {},
  "message": "string"
}
{
  "error": "string"
}

Overview

Call POST /verification/v2/digilocker/get_aadhaar_xml from your backend after the user has finished the DigiLocker Init journey and KwikID has completed the OAuth exchange. You send:

  1. Authorization: Bearer <token> - your KwikID Verification API credential (same model as Init).
  2. AccessToken header - the DigiLocker session token produced for this user after the hosted flow completes (see Init follow-up in the OpenAPI description for that operation).

On success, the JSON body includes aadhaar_xml (XML string). If the resident data is not available in the expected form (for example expired or renewal required), the API may still respond with 200 and a body that tells you what to do next rather than full XML. Treat every response as sensitive and store or transmit it only under your Aadhaar data handling and vault policies.

Key features

  • Two headers: API Bearer plus DigiLocker AccessToken (not interchangeable; both required for this call as documented in OpenAPI).
  • Server-side only: Do not put your API Bearer token in a browser or mobile client.
  • Structured XML: Parse aadhaar_xml with your XML stack; field-level notes for the Aadhaar certificate shape live in DigiLocker API.

Implementation

Prerequisites

  1. Completed DigiLocker flow for this user (after Init and user consent).
  2. Valid AccessToken for that DigiLocker session (from the flow your integration obtains server-side; do not guess or fabricate).

Step 1: Call from your backend

Header         Required  Purpose
Authorization  Yes       Bearer <token> for the Verification API.
AccessToken    Yes       DigiLocker access token for this user session after OAuth.

POST /verification/v2/digilocker/get_aadhaar_xml HTTP/1.1
Host: <verification-api-base-url>
Authorization: Bearer <token>
AccessToken: <digilocker-access-token>
Content-Type: application/json

{}

Use your real base URL (production or sandbox from KwikID). Send an empty JSON object {} if you have no extra fields (matches typical POST usage for this route).

Step 2: Use the response

On 200 OK, read aadhaar_xml (string). If the payload instead describes renewal or next steps, follow that guidance in your product and do not treat it as valid KYC XML until your compliance team agrees.

Do: Log correlation IDs only; do not log full XML or tokens in plain text.

Do not: Expose AccessToken or aadhaar_xml to the public internet or third-party analytics.
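
An added example, not KwikID's own code: a Python sketch of Steps 1 and 2 that builds the request with both headers, classifies the response (including a 200 that carries no usable XML) and produces a log record free of tokens and XML. The function names, the outcome labels and the DOCTYPE rejection are assumptions of this example; the sample bodies used with it are constructed.

```python
import json
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PATH = "/verification/v2/digilocker/get_aadhaar_xml"  # route from this page
ERRORS = {400: "bad_request", 401: "auth_error", 500: "retry_with_backoff"}

def build_request(base_url, bearer, access_token):
    """POST with both required headers; refuse a non-HTTPS base URL."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("base URL must use https")
    headers = {"Authorization": f"Bearer {bearer}",
               "AccessToken": access_token,
               "Content-Type": "application/json"}
    return urllib.request.Request(base_url.rstrip("/") + PATH, data=b"{}",
                                  method="POST", headers=headers)

def classify(status, body):
    """Map (HTTP status, raw body bytes) to (outcome, xml or None)."""
    if status != 200:
        return ERRORS.get(status, "unexpected"), None
    try:
        xml = json.loads(body).get("aadhaar_xml")
    except (ValueError, AttributeError):
        return "unexpected", None
    if not isinstance(xml, str) or not xml.strip():
        return "follow_up", None  # 200 without XML: renewal or next steps
    # Assumption: a genuine document carries no DTD, so DOCTYPE/ENTITY is
    # rejected before parsing to keep entity tricks away from the XML stack.
    if "<!DOCTYPE" in xml or "<!ENTITY" in xml:
        return "rejected_xml", None
    try:
        ET.fromstring(xml)
    except ET.ParseError:
        return "rejected_xml", None
    return "xml", xml

def log_record(correlation_id, status, outcome):
    """Fields safe to log: no tokens, no XML, no response body."""
    return {"correlation_id": correlation_id, "status": status,
            "outcome": outcome}
```

Pass the request to `urllib.request.urlopen` (or rebuild it in your own HTTP client) and hand only the `"xml"` outcome to the code that writes to your vault.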

End-to-end placement

Error handling

HTTP status  When
400          Bad or missing headers, malformed request, or validation failure. See OpenAPI ValidationError.
401          Invalid or expired Bearer token. See AuthenticationError.
500          Server error on KwikID side. Retry with backoff; verify tokens and DigiLocker session with support if it persists.

Security notes

Warning: aadhaar_xml is Aadhaar-related data. Store it only in systems approved under UIDAI rules (for example your Aadhaar Data Vault). Never send it to untrusted clients or logs.

  • Keep Bearer and AccessToken on servers you control.
  • Use HTTPS for all calls.

Benefits

  • Pulls Aadhaar XML in one step after OAuth without embedding internal DigiLocker protocol details in your app.
  • Aligns with the same Init then follow-up pattern as Get Issued Files and Get XML (PAN, Aadhaar, etc.).
