Get XML (PAN/Aadhaar/etc)

API reference

curl -X POST "https://__mock__/verification/v2/digilocker/get_document_xml" \  -H "AccessToken: string" \  -H "DocumentURI: string" \  -H "Content-Type: application/json" \  -d '{}'

{
  "document_xml": "string"
}

{
  "detail": {},
  "message": "string"
}

{
  "detail": {},
  "message": "string"
}

{
  "error": "string"
}

Overview

Call POST /verification/v2/digilocker/get_document_xml from your backend after DigiLocker OAuth has completed and you know which document you need. You send:

1. Authorization: Bearer <token> - your KwikID Verification API credential (same model as Init).
2. AccessToken header - the DigiLocker session token for this user after the hosted flow completes (same value as Get issued files).
3. DocumentURI header - the uri from the row you chose in issued_files.items from Get issued files.

On success, the JSON body includes document_xml: an XML string for many issuers (PAN, Aadhaar, and others). Parse it with your XML stack; certificate-level field notes are in DigiLocker API. Treat the body as sensitive.

Key features

• Three headers: API Bearer, DigiLocker AccessToken, and DocumentURI (the issued-file uri). All are required for this route as documented in OpenAPI.
• Server-side only: Do not put your API Bearer token in a browser or mobile client.
• Per-document fetch: Unlike Get Aadhaar XML, this call targets one URI you select from the issued list.

Implementation

Prerequisites

1. Completed DigiLocker flow for this user (after Init and user consent).
2. Valid AccessToken for that DigiLocker session.
3. A uri from issued_files.items for the document you want.

Step 1: Call from your backend

POST /verification/v2/digilocker/get_document_xml HTTP/1.1
Host: <verification-api-base-url>
Authorization: Bearer <token>
AccessToken: <digilocker-access-token>
DocumentURI: <uri-from-issued-files-item>
Content-Type: application/json

{}

Use your real base URL (production or sandbox from KwikID). Send {} in the body when you have no extra fields.

Step 2: Use the response

On 200 OK, read document_xml (string). Map certificate paths for PAN or other types using DigiLocker API.

Do: Log correlation IDs only; do not log full XML or tokens in plain text.

Do not: Expose AccessToken, DocumentURI, or document_xml to untrusted clients or analytics.

End-to-end placement

Error handling

Security notes

Warning: document_xml can contain strong identifiers and personal data. Store and transmit it only under your compliance and vault policies. Use HTTPS for all calls.

• Keep Bearer, AccessToken, and DocumentURI on servers you control.

Benefits

• Fetches one issued document by URI without embedding DigiLocker protocol details in your client app.
• Reuses the same Init then issued files then XML pattern as the rest of the DigiLocker suite.

Next steps

• DigiLocker Init
• Get issued files
• Get Aadhaar XML Data
• DigiLocker response field reference
• Verification API index