
Authentication

Nafsi uses a multi-layer authentication model to secure dashboard access, API usage, SDK integrations, and webhooks.

At a high level:

  • Dashboard users authenticate with email/password (JWT sessions)
  • Server integrations use OAuth 2.0 client credentials
  • SDK flows rely on workflow-scoped refresh tokens (no secret exposure)
  • Webhooks are protected using mTLS

Authentication Layers

Layer                     | Used By                  | Method                       | Purpose
--------------------------|--------------------------|------------------------------|----------------------
User Authentication       | Console users            | JWT session                  | Dashboard access
API Client Authentication | Backend servers          | OAuth 2.0 Client Credentials | Direct API access
Workflow Authentication   | SDKs / low-trust clients | Refresh token (JWT)          | Secretless SDK auth
Webhook Authentication    | Nafsi → customer         | mTLS (+ optional HMAC)       | Secure event delivery

Console Access

Sign Up

  1. Go to https://console.nafsi.ai/signup
  2. Enter your work email and verify OTP
  3. Complete organization details
  4. Complete personal verification

Organization Details

  • Organization legal or trading name
  • Business registration number / PIN (if applicable)
  • Industry / use case
  • Expected monthly verification volume

Personal Verification

  • Upload government ID
  • Capture live selfie
  • Nafsi performs basic founder/admin verification (usually instant)

Sign In

  • Email + password
  • Optional 2FA (strongly recommended for production)

Successful login returns a JWT session token used by the Console.

Token lifetime: 24 hours.


API Client Authentication (Server-to-Server)

Use this for backend integrations.

Step 1 — Create API Client

In the Nafsi Console:

  1. Navigate to API Keys
  2. Click Create Client
  3. Store the client ID and secret securely: ⚠️ the client secret is shown once only.

Step 2 — Obtain Access Token

Nafsi uses OAuth 2.0 Client Credentials.

Request

POST /oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&
client_id=YOUR_CLIENT_ID&
client_secret=YOUR_CLIENT_SECRET

Response

{
"access_token": "...",
"token_type": "Bearer",
"expires_in": 3600
}

Step 3 — Call Nafsi APIs

Authorization: Bearer ACCESS_TOKEN
Content-Type: application/json
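The three steps above, as an added example that is not Nafsi's own SDK or code: a small server-side helper that mints a token with the client-credentials grant, caches it until shortly before `expires_in` runs out, and attaches it as a Bearer header. The base URL, the assumption that the token endpoint is `BASE_URL + /oauth/token`, the `/v1/verify` path and the fake transport and clock used by `demo()` are all assumptions for the sake of a runnable, offline example; the secret itself should come from your server's secret store, never from client-side code.

```python
# Added example, not Nafsi's own SDK or code. Assumed (not on the page): the
# token endpoint is BASE_URL + "/oauth/token", the /v1/verify path, and the
# fake transport/clock used by demo() below.
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# (method, url, headers, body) -> (status, response_body); injectable for tests
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real HTTP transport, used when no fake is injected."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class NafsiClientCredentials:
    """Hold the secret server-side, mint a Bearer token, reuse it until
    shortly before expiry, and attach it to API calls (Steps 1-3)."""

    def __init__(self, base_url: str, client_id: str, client_secret: str,
                 transport: Transport = urllib_transport,
                 clock: Callable[[], float] = time.time, skew_seconds: int = 60):
        if not client_secret:
            raise ValueError("empty client secret: it is shown once, load it from a secret store")
        self._base_url, self._client_id, self._client_secret = base_url.rstrip("/"), client_id, client_secret
        self._transport, self._clock, self._skew = transport, clock, skew_seconds
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def get_access_token(self) -> str:
        now = self._clock()
        if self._token is not None and now < self._expires_at:
            return self._token  # cached token still has more than `skew` seconds left
        form = urllib.parse.urlencode({"grant_type": "client_credentials",
                                       "client_id": self._client_id,
                                       "client_secret": self._client_secret}).encode()
        status, raw = self._transport("POST", self._base_url + "/oauth/token",
                                      {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            raise RuntimeError(f"token endpoint returned HTTP {status}")
        data = json.loads(raw)
        if str(data.get("token_type", "")).lower() != "bearer":
            raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
        self._token = data["access_token"]
        # refresh `skew` seconds early so no request carries a token that expires mid-flight
        self._expires_at = now + int(data["expires_in"]) - self._skew
        return self._token

    def auth_headers(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.get_access_token()}",
                "Content-Type": "application/json"}

    def post_json(self, path: str, payload: dict) -> Tuple[int, dict]:
        status, raw = self._transport("POST", self._base_url + path,
                                      self.auth_headers(), json.dumps(payload).encode())
        return status, (json.loads(raw) if raw else {})


def make_fake_transport(lifetime: int = 3600) -> Tuple[Transport, List[tuple]]:
    """Constructed stand-in for the API (not a real server): serves /oauth/token
    with the response shape shown above and 401s calls without a Bearer header."""
    calls: List[tuple] = []

    def transport(method, url, headers, body):
        calls.append((method, url, headers, body))
        if url.endswith("/oauth/token"):
            fields = urllib.parse.parse_qs((body or b"").decode())
            if fields.get("grant_type") != ["client_credentials"] or "client_secret" not in fields:
                return 400, b'{"error":"invalid_request"}'
            n = sum(1 for c in calls if c[1].endswith("/oauth/token"))
            return 200, json.dumps({"access_token": f"tok-{n}", "token_type": "Bearer",
                                    "expires_in": lifetime}).encode()
        if headers.get("Authorization", "").startswith("Bearer "):
            return 200, b'{"ok":true}'
        return 401, b'{"error":"unauthorized"}'

    return transport, calls


def demo() -> Tuple[str, str, str, int]:
    """Two fetches inside the lifetime share one token; one 3600 s after the first
    (past the 60 s skew) gets a fresh token. Also returns an API call's status."""
    clock = {"t": 1_000_000.0}  # constructed clock so expiry is deterministic
    transport, _calls = make_fake_transport()
    client = NafsiClientCredentials("https://api.example.invalid", "client-id", "client-secret",
                                    transport=transport, clock=lambda: clock["t"])
    first = client.get_access_token()
    clock["t"] += 1800
    second = client.get_access_token()
    clock["t"] += 1800
    third = client.get_access_token()
    status, _body = client.post_json("/v1/verify", {"example": True})
    return first, second, third, status
```

Injecting the transport and clock is what makes the expiry logic testable without the live API; in production, construct the class with the defaults and a secret read from your secret manager. The 60 second skew is a conservative choice: a token that the client believes is valid but the server has just expired produces a confusing 401 on an otherwise correct request.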

Use this pattern for:

  • Direct verification API calls
  • Backend batch processing
  • Server-to-server integrations

SDK & Workflow Authentication (Secretless)

Warning: SDK environments (web/mobile) are low trust and must never expose your client secret.

Nafsi solves this using workflow-scoped refresh tokens.

How It Works

During workflow creation:

  • You select an API client
  • Nafsi validates the client credentials
  • Nafsi generates a refresh token (JWT)
  • Token is securely attached to the workflow
  • SDK calls reference only the workflow_id

Result: SDKs authenticate safely without exposing secrets.