HomeGuidesAPI ReferenceChangelog
Home
Guides

Verified Token Sharing (Non-Reliance)

Reuses an existing Sumsub verification by ingesting a share token and returning a signed identity payload after Reap completes its compliance review.

Purpose: Onboard an individual already verified in Sumsub by importing a share token, waiting for Reap's verification-completed webhook and retrieving a tamper-evident signed identity payload for downstream card issuance while Reap performs its own independent review.


When to Use This

This guide is intended for clients already using the Sumsub system who want to avoid repeating the KYC process for applicants. Verified token sharing lets Reap reuse an applicant's existing Sumsub verification through a share token, so the applicant does not need to complete the KYC process again.


Use this guide when you need to:

  • Reuse an applicant's completed Sumsub verification instead of collecting identity data again
  • Ingest a single Sumsub share token synchronously and receive an immediate processing result
  • Associate one or more card processor public tokens with the entity at ingestion time
  • Wait for Reap's asynchronous verification-completed webhook before continuing
  • Retrieve the cryptographically signed identity payload for an entity once verification is complete
  • Operate under Reap's non-reliance model where Reap performs its own review and issues the final decision

Overview

Verified Token Sharing allows integrators to share an already-verified applicant with Reap using a Sumsub share token, avoiding the need to resubmit identity details and documents.

Reap imports the shared applicant information, performs its own review under a non-reliance model, and communicates the final outcome asynchronously. The integrator can retrieve a signed identity payload containing the verified identity information once the review is complete,.

The flow is designed to support clear request tracking, consistent error handling, and secure sharing of verified identity data between systems.


Prerequisites

  1. Compliance approval from Reap to use Verified Token Sharing for the program
  2. An applicant already verified in Sumsub with a share token generated for that applicant
  3. Agreement that Reap retains the final approval authority under its non-reliance model
  4. A valid Reap API key to authenticate every request via the x-reap-api-key header
  5. Use the externalId value as the correlation reference for the entity.
ℹ️

Please contact the assigned account manager for questions about the Verified Token Sharing approval process.

⚠️

An ingestion returning status: "completed" confirms only that the share token was accepted and processed. The final verification decision is delivered separately via webhook, and the signed identity payload can be retrieved only after that decision is complete.


Key Concepts

Share Token

  • Short-lived token issued by Sumsub that represents an already-verified applicant
  • Supplied as shareToken in the ingestion request and consumed on first successful use
  • A consumed token cannot be reused and a fresh token is required for each new attempt

External ID

  • Unique identifier for the applicant within the originating system.
  • Supplied as externalId and echoed back in every ingestion response
  • Correlates the Reap entity with the internal record

Entity ID

  • Reap's UUID for the entity created or updated by the ingestion
  • Used as the entityId path parameter when retrieving the signed identity payload

Request ID

  • Returned in every response as requestId
  • Links a single request to Reap’s server-side logs for support investigation

Signed Identity Payload

  • Portable, tamper-evident representation of the verified identity for an entity
  • Retrieved via GET /entity/entityId/signed-payload once verification is complete
  • Carries the verified identity fields plus a cryptographic signature for integrity verification

Non-Reliance Model

  • Reap performs its own independent review of the imported applicant
  • Successful ingestion does not mean the applicant is verified as Reap provides the final outcome.
  • The signed identity payload becomes available only after Reap completes that review

Flow Overview

  1. Register a webhook endpoint via POST /notification to receive account_status_change events
  2. Ingest the Sumsub share token via POST /entity/kyc/import/sync, supplying externalId, shareToken, and optionally cardProcessorPublicToken
  3. Receive Reap’s verification-completed webhook after the independent review is complete
  4. Retrieve the signed identity payload via GET /entity/entityId/signed-payload using the entity's Reap entityId
  5. Create the card via POST /cards

API Summary

ActionEndpointMethodUse Case
Register webhook notifications/notificationPOSTSubscribe a webhook endpoint to receive account_status_change events
Ingest Sumsub share token/entity/kyc/import/syncPOSTSynchronously import a single verified Sumsub share token against an entity
Retrieve signed identity payload/entity/entityId/signed-payloadGETRetrieve the portable, signed identity payload for the entity after verification completes
Create card/cardsPOSTCreate a card by passing the signed identity payload to the card issuance API

Verified Token Sharing (Non-Reliance)

Step 1: Set Up Webhooks

Register a webhook endpoint with Reap's Compliance API to receive asynchronous KYC decision updates. Clients must register a webhook before receiving webhook responses.


Call the Notification Endpoint

Use POST /notification to subscribe a webhook endpoint to receive account_status_change events.


Sample Request (cURL)

curl --request POST \
  --url https://sandbox-compliance.api.reap.global/notification \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'x-reap-api-key: ********' \
  --data '{
    "webhookUrl": "https://api.example.com",
    "notificationChannel": "WEBHOOK",
    "notificationTypes": ["account_status_change"]
  }'

Key Input

Parameter NameTypeDescription
notificationTypesarray of stringList of notification event types to subscribe to, for example, account_status_change.

Sample Response

{
  "id": "123e4567-e89b-12d3-a456-426614174000",
  "channel": "WEBHOOK",
  "types": [
    "account_status_change"
  ],
  "config": {
    "webhook": {
      "url": "https://api.example.com"
    }
  },
  "createdAt": "2024-03-20T10:00:00Z"
}

Key Output

Parameter NameTypeDescription
idstringUnique identifier for the notification subscription.
channelstringNotification delivery channel configured for the subscription, for example, WEBHOOK.
typesarray of stringList of notification event types subscribed to.
configobjectConfiguration details for the notification channel.
config.webhook.urlstringWebhook endpoint URL where notification events will be delivered.
createdAtstringTimestamp indicating when the notification subscription was created. Format: ISO 8601.

Step 2: Ingest the Sumsub Share Token

Synchronously ingest a single Sumsub share token for an applicant that has already been verified. The record is processed immediately, and the response returns a completed status alongside a requestId for support correlation. The supplied externalId becomes the correlation reference for the entity and is returned back on every response.


Call the Sync Ingestion Endpoint

Use POST /entity/kyc/import/sync to synchronously ingest a single Sumsub share token against the entity identified by the externalId.


Sample Request (cURL)

curl --request POST \
  --url https://sandbox-compliance.api.reap.global/entity/kyc/import/sync \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'x-reap-api-key: ********' \
  --data '{
    "externalId": "ef88fd57-26cf-415d-a112-941732c55350",
    "shareToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "cardProcessorPublicToken": "tok_abc123|tok_def456"
  }'

Key Input

Parameter NameTypeDescription
externalIdstringUnique identifier for the entity in the integrator’s system returned back in every response
shareTokenstringShare token generated by Sumsub for the verified applicant consumed on first successful use
cardProcessorPublicTokenstringOptional card processor public tokens to add to the entity using a |-delimited string

Sample Response

{
  "externalId": "ef88fd57-26cf-415d-a112-941732c55350",
  "status": "completed",
  "requestId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}

Key Output

Parameter NameTypeDescription
statusstringProcessing status; completed when the record was ingested successfully
requestIdstringCorrelation identifier echoed for support and log tracing
⚠️

An ingestion returning status: "completed" confirms only that the share token was accepted and processed. The final verification decision is delivered separately via webhook, and the signed identity payload can be retrieved only after that decision is complete.

Step 3: Receive the Verification Webhook

Reap will perform an independent review under the non-reliance model after the share token is ingested and notify the registered webhook endpoint once verification is complete. Continue to Step 4 only after receiving this notification.


Sample Notification Webhook

The KYC decision is communicated via webhook notification.

{
  "eventName": "card_issuance_api_access_updated",
  "eventType": "account_status_change",
  "data": {
    "eventId": "938c65f7-2aad-494d-b488-5256c4cfc370",
    "message": "Card Issuance KYC API access updated",
    "entityId": "6ac28264-c21b-4757-b141-1efce00adce6",
    "timestamp": "2026-01-27T13:27:51.027Z",
    "status": "APPROVED"
  }
}
{
  "eventName": "card_issuance_api_access_updated",
  "eventType": "account_status_change",
  "data": {
    "eventId": "938c65f7-2aad-494d-b488-5256c4cfc370",
    "message": "Card Issuance KYC API access updated",
    "entityId": "6ac28264-c21b-4757-b141-1efce00adce6",
    "timestamp": "2026-01-27T13:27:51.027Z",
    "status": "REJECTED",
    "moderationComment": "Sumsub did not approve the applicant.",
    "rejectLabels": ["DOCUMENT_QUALITY"],
    "reviewRejectType": "FINAL"
  }
}

Webhook Outcomes

Webhook DecisionNotes
APPROVEDCardholder has passed KYC checks and can proceed to create a card
REJECTEDCardholder failed KYC checks and is not eligible to create a card

Rejection Reasons

The webhook payload includes the rejection reason through the moderationComment, rejectLabels, and reviewRejectType fields when the decision is REJECTED.

ReasonmoderationCommentrejectLabelsreviewRejectType
Applicant not approvedSumsub did not approve the applicant.Labels depend on Sumsub’s returned reason.FINAL
Applicant not approved and level mismatchSumsub did not approve the applicant and the applicant does not meet the Reap enforced level.Labels depend on Sumsub’s returned reason.FINAL
Level mismatchApplicant does not meet the Reap enforced level.['LEVEL_ENFORCED_MISMATCH']RETRY
Review incompleteSumsub applicant review is incomplete.['INCOMPLETE_SUBMISSION']RETRY
Review status unknownSumsub applicant review status is unknown.['INCOMPLETE_SUBMISSION']RETRY
Approved but validation failedApplicant is approved and meets the enforced level, but validation failed.['INCOMPLETE_SUBMISSION']RETRY
Sumsub copy applicant API errorFailed to copy the Sumsub applicant.['INCOMPLETE_SUBMISSION']RETRY
Database errorFailed to complete required database calls.['INCOMPLETE_SUBMISSION']RETRY

Step 4: Generate the Signed Identity Payload

The signed identity payload is a portable record of the entity’s verified identity that can be checked for tampering. Retrieve it after Reap sends the verification-completed webhook. It includes the verified identity fields and a cryptographic signature that allows its integrity to be verified.


Call the Signed Payload Endpoint

Use GET /entity/entityId/signed-payload to retrieve the signed identity payload for the entity.


Sample Request (cURL)

curl --request GET \
  --url https://sandbox-compliance.api.reap.global/entity/entityId/signed-payload \
  --header 'Accept: application/json' \
  --header 'x-reap-api-key: ********'

Key Input

Parameter NameTypeDescription
featureSlugstringOptional query parameter that lets Reap verify that the specified feature is enabled for the entity before returning the payload using the slug supplied for this flow.

Sample Response

{
  "firstName": "Jack",
  "lastName": "Sam Ong",
  "dob": "1994-06-18",
  "idDocumentType": "Passport",
  "idDocumentNumber": "K1234567",
  "residentialAddress": {
    "line1": "Flat 1208, 350, TIFF Bell Lightbox, King Street West",
    "line2": "Downtown",
    "city": "Toronto",
    "country": "CAN",
    "postalCode": "M5V 3L9"
  },
  "expiresAt": "2026-03-10T09:18:51.998Z",
  "signature": "bd6565bfb621f6321095e7dc574ea52b3829e29a732440170794fabfc8dec..."
}

Key Output

Parameter NameTypeDescription
firstNamestringVerified first name from the approved KYC record
lastNamestringVerified last name from the approved KYC record
dobstringDate of birth (Format: YYYY-MM-DD)
idDocumentTypestringType of government-issued ID used for verification
idDocumentNumberstringVerified ID document number
residentialAddressobjectVerified residential address (line1, line2, city, country, postalCode)
expiresAtstringExpiry timestamp of the signed payload (Format: ISO 8601)
signaturestringCryptographic signature ensuring payload integrity and authenticity

residentialAddress (object)

Parameter NameTypeDescription
line1stringPrimary address line
line2stringSecondary address line
citystringCity of residence
countrystringISO 3166-1 alpha-3 country code
postalCodestringPostal or ZIP code

Step 5: Create Card

The signed payload returned in Step 4 must be passed into the Create Card endpoint when creating a card.


Call the Create Card Endpoint

Use POST /cards to create the card and include the signed payload in the request body.


Sample Request (cURL)

curl --request POST \
  --url https://sandbox-compliance.api.reap.global/cards \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'Accept-Version: v2.0' \
  --header 'x-reap-api-key: ********' \
  --data '{
    "...": "...",
    "kyc": {
      "firstName": "Jack",
      "lastName": "Sam Ong",
      "dob": "1994-06-18",
      "idDocumentType": "Passport",
      "idDocumentNumber": "K1234567",
      "residentialAddress": {
        "line1": "Flat 1208, 350, TIFF Bell Lightbox, King Street West",
        "line2": "Downtown",
        "city": "Toronto",
        "country": "CAN",
        "postalCode": "M5V 3L9"
      },
      "expiresAt": "2026-03-10T09:18:51.998Z",
      "signature": "bd6565bfb621f6321095e7dc574ea52b3829e29a732440170794fabfc8dec..."
    },
    "...": "..."
  }'

Key Input

kyc (object)

Parameter NameTypeDescription
kyc.signaturestringSigned JWT returned from the signed-payload endpoint ensuring payload integrity and KYC approval

Sample Response

{
  "id": "fa1bcdae-c101-4986-b385-8083fb43a7ab"
}

Key Output

Parameter NameTypeDescription
idstringUnique identifier of the successfully created card

Scenarios

Scenario: Standard Verified Token Reuse

  • Generate a share token in Sumsub for the already-verified applicant
  • Ingest it via POST /entity/kyc/import/sync with the externalId and the shareToken, receiving status: "completed"
  • Wait for Reap's verification-completed webhook
  • Retrieve the signed identity payload via GET entity/entityId/signed-payload
  • Create the card via POST /cards

Scenario: BIN Sponsorship Client

  • Generate a share token in Sumsub for the already-verified applicant
  • Ingest it via POST /entity/kyc/import/sync with the externalId, the shareToken, and the cardProcessorPublicToken for the sponsored BIN
  • Wait for Reap's verification-completed webhook
  • Stop after receiving the verification webhook.
  • BIN sponsorship clients do not need to generate signed payloads, so Step 4 and Step 5 do not apply

Common Errors

ErrorCauseResolution
401 UnauthorizedMissing or invalid API keyCheck the x-reap-api-key header

TL;DR

  • Verified Token Sharing reuses an existing Sumsub verification through a single share token under Reap’s non-reliance model
  • Register a webhook endpoint with POST /notification to receive account_status_change events before ingesting any share tokens
  • Ingest synchronously with POST /entity/kyc/import/sync by supplying externalId and shareToken plus the optional cardProcessorPublicToken field where needed, noting that a completed status confirms ingestion rather than the final decision
  • Reap reviews the applicant independently and sends a completion update by webhook once the contract is pending as described in Step 3
  • Retrieve the signed identity payload with GET /entity/entityId/signed-payload which includes the verified identity fields and a cryptographic signature after receiving the webhook
  • Create the card via POST /cardsby following Step 5 of the card creation process once the signed identity payload is retrieved


Did this page help you?