KwikID DocumentationImplementation and APIs
Secure APIs for vault integration, data lifecycle, and integration with other systems
Implementation and APIs
Here we cover secure APIs for the vault, data confidentiality, and data lifecycle (retention and disposal) in line with UIDAI.
Overview
You reach the Aadhaar Data Vault only through a dedicated API or microservice. That API:
- Decides who can store, resolve, update, or delete Aadhaar data.
- Enforces authentication and authorization.
- Logs all access for audit and monitoring.
- Keeps Aadhaar confidential; only authorized callers get decrypted data when resolution is allowed.
Your systems and DBs use Reference Keys. They call the vault API only when they need to store a new Aadhaar or resolve a key to Aadhaar for a valid, authorized use.
Secure API Design
- Authentication: Every API call is authenticated (e.g. tokens, IAM, or client credentials per your AWS setup). Unauthenticated requests are rejected and logged.
- Authorization: App-level checks ensure only authorized services and roles can do specific things (e.g. resolve Aadhaar only for certain use cases).
- Confidentiality: Data in transit uses TLS. Data at rest is encrypted (AES 256); keys in HSM. Responses that contain Aadhaar go only to authorized callers and aren’t logged in full.
- Logging: We log access (success and failure) without putting full Aadhaar in logs; Reference Keys and metadata can be logged for audit.
Typical API Operations
| Operation | Purpose | Who can call |
|---|---|---|
| Store | Submit Aadhaar (or eKYC/cKYC data); receive Reference Key | Authorized ingestion systems only |
| Resolve | Get Aadhaar for a Reference Key (for authorized use only) | Authorized services that have a legitimate need |
| Update | Update Aadhaar or connected data for a Reference Key | As per policy; restricted and logged |
| Delete | Secure deletion as per retention policy | Authorized admin or retention process only |
Exact endpoints, request/response shapes, and error codes are in the technical documentation that comes with the vault.
Integration with Other Systems
- Internal only: The vault API is internal to your AWS. It isn’t on the public internet. Only trusted internal systems talk to it.
- Reference Keys everywhere: Your other systems (CRM, core banking, KYC, etc.) store and use Reference Keys. They call the vault only to store a new Aadhaar or resolve a key.
- Data masking: In UIs and reports, show the Reference Key or masked Aadhaar (e.g. last 4 digits where policy allows). Don’t show or log full Aadhaar outside the vault.
Data Retention and Disposal
- Policies: Retention and disposal follow UIDAI and your data retention policy. The vault can securely delete and update Aadhaar and linked data when your policy requires it.
- Lifecycle: Retention periods, when to delete, and how are documented. The vault can do secure deletion and updates as per policy.
Implementation on Your AWS Cloud
- The whole build and deployment happens in your AWS (your account).
- Think360 builds it, has access for maintenance, and provides ongoing support. The vault stays in your control and environment.
Benefits
- One integration point: All access through a single secure API keeps integration and security simple.
- Confidentiality: Encryption, access control, and logging keep Aadhaar data confidential.
- Compliance: Retention and disposal support a UIDAI-aligned data lifecycle.
Next Steps
- Backup and Disaster Recovery: backup and DR
- Maintenance and Support: ongoing maintenance and support
- Security and Compliance: security and UIDAI