Skip to main content

eIDs (v2)

Preview

EIDS:v2 is in preview. The Verification data block implementation is not yet finalized and may change before general availability. Use EIDS:v1 for production flows.

Authenticates users using a national electronic identity document

Used when businesses need to authenticate users through government-issued eID schemes. Supports multiple eID providers (e.g. France Identité, German eID) through a unified step, with routing to the appropriate provider managed by IDnow. Results are returned as a unified Verification data block.


Key features

  • Multi-provider support — Routes to the appropriate eID provider backend based on the user's selected method and your organisation's routing configuration.
  • OIDC-based authentication — Authenticates users via OpenID Connect with the eID provider.
  • Flexible method selection — Works with an upstream Verification method selector (v2) step, or can be pre-configured to a fixed method.
  • Unified Verification data block — Produces a structured record describing the eID method used, the authority, cryptographic evidence, and the assurance level achieved.

Method selection modes

The step supports two modes for determining which eID method to use:

ModeWhen to useHow to configure
End-user selectionThe end-user chooses their preferred eID method at runtime (e.g. from a list presented by an upstream selector step).Place a Verification method selector (v2) step before this step. Leave preconfigure unset.
Customer-provided selectionThe customer's backend system determines the eID method and passes it at session creation time, without any end-user selector step in the flow.Inject an eIDMethodSelection datablock via the input field when creating the session. Leave preconfigure unset.
Pre-configured methodThe method is fixed by the flow definition — the end-user has no choice and no runtime input is needed.Set preconfigure.method in this step's configuration. No upstream selector or session input is needed.

These modes are mutually exclusive. preconfigure takes precedence over any eIDMethodSelection input. If neither is configured, flow validation will reject the flow definition — the step requires either preconfigure or an upstream eIDMethodSelection input to be wired.


Configuration

AttributeTypeRequiredDescription
preconfigureobjectNoPre-selects a fixed eID method, bypassing the need for an upstream Verification method selector step. When present, the step uses this method directly instead of reading the user's selection from the flow context.
preconfigure.methodstringYes (if preconfigure set)The eID method to use. Accepted values: franceIdentite, personalausweis, lIdentiteNumeriqueLaPoste, spid, itsme, lithuanianMobileId, mojeIdPl, idin, smartId, mitId, norwegianBankId, estonianIdCard, latvianIdCard, lithuanianIdCard, finnishTrustNetwork, frejaEid, belgiumIdCard, edoApp, eParakstsMobile, portugueseIdCard, finnishHenkilokortti, serbianIdCard, swedishBankId.
preconfigure.assuranceLevelstringNoRequired assurance level for the authentication. Accepted values: low, substantial, high.
preconfigure.trustFrameworkstringNoTrust framework governing the assurance level. Accepted values: eidas.
enableRetrybooleanNoWhen true, adds a retry output route that can be used to handle user cancellations. Defaults to false.

Without preconfigure, the step reads the user's eID method selection produced by an upstream VERIFICATION_METHOD_SELECTOR:v2 step. If neither preconfigure nor an upstream selector is wired, flow validation will reject the flow definition.


Example

With an upstream Verification method selector (recommended for multi-method flows):

{}

With preconfigure (single-method flows, no selector needed):

{
"preconfigure": {
"method": "franceIdentite",
"assuranceLevel": "substantial",
"trustFramework": "eidas"
}
}

Input data blocks

Data blockRequiredDescription
eIDMethodSelectionConditionalProduced by an upstream VERIFICATION_METHOD_SELECTOR:v2 step when the user selects an eID method. Required when preconfigure is not set.

Routes

RouteDescription
verifiedThe user's identity has been successfully authenticated by the eID provider. The OIDC flow completed and the provider returned a valid identity assertion.
not_verifiedThe authentication attempt failed. The identity could not be verified — for example, the user entered an incorrect PIN or the eID provider rejected the authentication request.

Output data blocks

RouteData blocks produced
verifiedBasicIdentity, ExtendedIdentity, Verification
not_verifiedVerification

Verification data block

The Verification data block produced by EIDS:v2 describes the outcome of the eID authentication.

FieldTypeDescription
statusstringVerification status. One of: verified, rejected, aborted, error. The values fraudDetected and canceled exist in the schema but are not emitted by eID flows.
providerstringThe eID provider used. One of: "france-identite", "german-eid", "eideasy".
trustFrameworkstring | nullTrust framework of the assurance level achieved (e.g. "eidas"). Taken from preconfigure or method selection.
assuranceLevelstring | nullAssurance level achieved (e.g. "substantial"). Taken from preconfigure or method selection. null on failure paths.
verifiedAtstringISO 8601 timestamp of the authentication.
verificationProcessIdstring | nullProvider transaction or session reference.
terminationReasonobject | nullPresent when the process was aborted by the user. Contains code (string) and message (string | null).
methodsarrayAlways contains one entry of type eid describing the eID method used.

methods[].eid

FieldTypeDescription
typestringAlways "eid".
sourcestring"governmentRegister" for government-backed providers (France Identité, German eID) or "financialInstitution" for financial institution-backed providers (eIDEasy methods: SPID, Lithuanian Mobile ID, iDIN, etc.).
authoritystringThe issuing authority. "Agence Nationale des Titres Sécurisés" (France Identité) or "Bundesdruckerei" (German eID).
countryCodestringISO 3166-1 alpha-2 country code. "FR" or "DE".
evidencearrayCryptographic evidence. For France Identité on verified: contains the OIDC ID token vault reference. Empty on failure paths or German eID.
sessionBindingobject | nullOIDC session details (France Identité only). Contains protocol, subjectId, sessionId, transactionId. null on failure paths or German eID.