About Reusable KYC

Reusable KYC allows verified users to share their identity verification results with third parties via secure, time-limited tokens.

What is Reusable KYC?

When a user completes identity verification through TrustGate, you can generate a share token that allows a third party to view the verification results. This enables:

Sharing verification results with partners or other services
Controlling what data is shared through granular permissions
Time-limited access with configurable expiration and usage limits
Full audit trail of who accessed shared data and when

How It Works

┌─────────────────────────────────────────────────────────┐
│                     YOUR APP                             │
│           (User already verified via TrustGate)          │
└─────────────────────────┬───────────────────────────────┘
                          │
                          │ 1. Generate share token
                          │    POST /api/v1/kyc-share/token
                          v
┌─────────────────────────────────────────────────────────┐
│                   TRUSTGATE API                          │
│        Returns token + token_id + expiry info            │
└─────────────────────────┬───────────────────────────────┘
                          │
                          │ 2. Send token to third party
                          v
┌─────────────────────────────────────────────────────────┐
│                   THIRD PARTY                            │
│           Receives token from user or your app           │
└─────────────────────────┬───────────────────────────────┘
                          │
                          │ 3. Verify token (public endpoint)
                          │    POST /api/v1/kyc-share/verify
                          v
┌─────────────────────────────────────────────────────────┐
│                   TRUSTGATE API                          │
│     Returns verification data based on token permissions │
└─────────────────────────────────────────────────────────┘

Benefits

For Your Users

Benefit	Description
Share on demand	Users control when and with whom to share
Privacy control	Choose what data categories to include
Revocable	Tokens can be revoked at any time
Time-limited	All tokens expire automatically

For Your Business

Benefit	Description
Lower friction	Partners can verify users without re-onboarding
Audit trail	Every access is logged with IP, domain, and timestamp
Compliance	Consent recorded at token creation
Granular control	6 permission levels from basic info to full data

Quick Start

curl -X POST https://api.bytrustgate.com/api/v1/kyc-share/token \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "applicant_id": "550e8400-e29b-41d4-a716-446655440000",
    "shared_with": "Partner Company Inc",
    "permissions": {
      "basic_info": true,
      "id_verification": true,
      "screening": false,
      "address": false,
      "documents": false,
      "full": false
    },
    "expires_days": 7,
    "max_uses": 1
  }'

The applicant must have status: "approved" to generate a share token.

Send the token to the third party through your application. The token is shown only once in the generation response — it is not stored (only its SHA-256 hash is kept).

3. Third Party Verifies

The third party calls the public verify endpoint (no authentication required):

curl -X POST https://api.bytrustgate.com/api/v1/kyc-share/verify \
  -H "Content-Type: application/json" \
  -d '{
    "token": "THE_SHARE_TOKEN"
  }'

They receive only the data categories allowed by the token's permissions.

What Can Be Shared

Data sharing is controlled by 6 permission keys set at token creation:

Permission	Data Included
`basic_info`	First name, last name, date of birth
`id_verification`	ID type, ID number, issuing country, verification status
`address`	Verified address
`screening`	AML/sanctions result, PEP status, sanctions matches
`documents`	Document metadata (type, issuing country, verified date)
`full`	All of the above

Always Included

Regardless of permissions, every verification response includes:

applicant_id
verification_status
verified_at
token_permissions (what the token allows)
uses_remaining

Never Shared

These data types are never included in share responses:

Document images / files
Biometric data (selfies, face embeddings)
Device fingerprints
Internal case notes

Token Security

Feature	Details
SHA-256 hashed	Only the hash is stored; token shown once at creation
Time-bound	Max 90 days, default 30 days
Usage limits	Max 10 uses, default 1 (single-use)
Revocable	Can be revoked at any time via API
Audit logged	Every access attempt logged with IP, domain, user agent
Tenant-scoped	Tokens are scoped to the generating tenant

Compliance

Every token records:

consent_given_at — timestamp of token creation (implicit consent)
consent_ip_address — IP address at time of consent

Audit Trail

Every token access (successful or failed) is logged with:

Requester IP address
Requester domain
User agent
Timestamp
Success/failure status
Which permissions were accessed

Next Steps

Generating Tokens - Full API reference for token CRUD
Permissions - Permission details and data scoping
Access Tracking - Monitor who accessed shared data

What is Reusable KYC?​

How It Works​

Benefits​

For Your Users​

For Your Business​

Quick Start​

1. Generate a Share Token​

2. Share the Token​

3. Third Party Verifies​

Data Sharing​

What Can Be Shared​

Always Included​

Never Shared​

Token Security​

Compliance​

Consent Tracking​

Audit Trail​

Next Steps​