Verified Token Sharing (Non-Reliance)
Reuses an existing Sumsub verification by ingesting a share token and returning a signed identity payload after Reap completes its compliance review.
Purpose: Onboard an individual already verified in Sumsub by importing a share token, waiting for Reap's verification-completed webhook and retrieving a tamper-evident signed identity payload for downstream card issuance while Reap performs its own independent review.
When to Use This
This guide is intended for clients already using the Sumsub system who want to avoid repeating the KYC process for applicants. Verified token sharing lets Reap reuse an applicant's existing Sumsub verification through a share token, so the applicant does not need to complete the KYC process again.
Use this guide when you need to:
- Reuse an applicant's completed Sumsub verification instead of collecting identity data again
- Ingest a single Sumsub share token synchronously and receive an immediate processing result
- Associate one or more card processor public tokens with the entity at ingestion time
- Wait for Reap's asynchronous verification-completed webhook before continuing
- Retrieve the cryptographically signed identity payload for an entity once verification is complete
- Operate under Reap's non-reliance model where Reap performs its own review and issues the final decision
Overview
Verified Token Sharing allows integrators to share an already-verified applicant with Reap using a Sumsub share token, avoiding the need to resubmit identity details and documents.
Reap imports the shared applicant information, performs its own review under a non-reliance model, and communicates the final outcome asynchronously. The integrator can retrieve a signed identity payload containing the verified identity information once the review is complete,.
The flow is designed to support clear request tracking, consistent error handling, and secure sharing of verified identity data between systems.
Prerequisites
- Compliance approval from Reap to use Verified Token Sharing for the program
- An applicant already verified in Sumsub with a share token generated for that applicant
- Agreement that Reap retains the final approval authority under its non-reliance model
- A valid Reap API key to authenticate every request via the
x-reap-api-keyheader - Use the
externalIdvalue as the correlation reference for the entity.
Please contact the assigned account manager for questions about the Verified Token Sharing approval process.
An ingestion returning
status: "completed"confirms only that the share token was accepted and processed. The final verification decision is delivered separately via webhook, and the signed identity payload can be retrieved only after that decision is complete.
Key Concepts
Share Token
- Short-lived token issued by Sumsub that represents an already-verified applicant
- Supplied as
shareTokenin the ingestion request and consumed on first successful use - A consumed token cannot be reused and a fresh token is required for each new attempt
External ID
- Unique identifier for the applicant within the originating system.
- Supplied as
externalIdand echoed back in every ingestion response - Correlates the Reap entity with the internal record
Entity ID
- Reap's UUID for the entity created or updated by the ingestion
- Used as the
entityIdpath parameter when retrieving the signed identity payload
Request ID
- Returned in every response as
requestId - Links a single request to Reap’s server-side logs for support investigation
Signed Identity Payload
- Portable, tamper-evident representation of the verified identity for an entity
- Retrieved via
GET /entity/entityId/signed-payloadonce verification is complete - Carries the verified identity fields plus a cryptographic
signaturefor integrity verification
Non-Reliance Model
- Reap performs its own independent review of the imported applicant
- Successful ingestion does not mean the applicant is verified as Reap provides the final outcome.
- The signed identity payload becomes available only after Reap completes that review
Flow Overview
- Register a webhook endpoint via
POST /notificationto receiveaccount_status_changeevents - Ingest the Sumsub share token via
POST /entity/kyc/import/sync, supplyingexternalId,shareToken, and optionallycardProcessorPublicToken - Receive Reap’s verification-completed webhook after the independent review is complete
- Retrieve the signed identity payload via
GET /entity/entityId/signed-payloadusing the entity's ReapentityId - Create the card via
POST /cards
API Summary
| Action | Endpoint | Method | Use Case |
|---|---|---|---|
| Register webhook notifications | /notification | POST | Subscribe a webhook endpoint to receive account_status_change events |
| Ingest Sumsub share token | /entity/kyc/import/sync | POST | Synchronously import a single verified Sumsub share token against an entity |
| Retrieve signed identity payload | /entity/entityId/signed-payload | GET | Retrieve the portable, signed identity payload for the entity after verification completes |
| Create card | /cards | POST | Create a card by passing the signed identity payload to the card issuance API |
Verified Token Sharing (Non-Reliance)
Step 1: Set Up Webhooks
Register a webhook endpoint with Reap's Compliance API to receive asynchronous KYC decision updates. Clients must register a webhook before receiving webhook responses.
Call the Notification Endpoint
Use POST /notification to subscribe a webhook endpoint to receive account_status_change events.
Sample Request (cURL)
curl --request POST \
--url https://sandbox-compliance.api.reap.global/notification \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'x-reap-api-key: ********' \
--data '{
"webhookUrl": "https://api.example.com",
"notificationChannel": "WEBHOOK",
"notificationTypes": ["account_status_change"]
}'Key Input
| Parameter Name | Type | Description |
|---|---|---|
notificationTypes | array of string | List of notification event types to subscribe to, for example, account_status_change. |
Sample Response
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"channel": "WEBHOOK",
"types": [
"account_status_change"
],
"config": {
"webhook": {
"url": "https://api.example.com"
}
},
"createdAt": "2024-03-20T10:00:00Z"
}Key Output
| Parameter Name | Type | Description |
|---|---|---|
id | string | Unique identifier for the notification subscription. |
channel | string | Notification delivery channel configured for the subscription, for example, WEBHOOK. |
types | array of string | List of notification event types subscribed to. |
config | object | Configuration details for the notification channel. |
config.webhook.url | string | Webhook endpoint URL where notification events will be delivered. |
createdAt | string | Timestamp indicating when the notification subscription was created. Format: ISO 8601. |
Step 2: Ingest the Sumsub Share Token
Synchronously ingest a single Sumsub share token for an applicant that has already been verified. The record is processed immediately, and the response returns a completed status alongside a requestId for support correlation. The supplied externalId becomes the correlation reference for the entity and is returned back on every response.
Call the Sync Ingestion Endpoint
Use POST /entity/kyc/import/sync to synchronously ingest a single Sumsub share token against the entity identified by the externalId.
Sample Request (cURL)
curl --request POST \
--url https://sandbox-compliance.api.reap.global/entity/kyc/import/sync \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'x-reap-api-key: ********' \
--data '{
"externalId": "ef88fd57-26cf-415d-a112-941732c55350",
"shareToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"cardProcessorPublicToken": "tok_abc123|tok_def456"
}'Key Input
| Parameter Name | Type | Description |
|---|---|---|
externalId | string | Unique identifier for the entity in the integrator’s system returned back in every response |
shareToken | string | Share token generated by Sumsub for the verified applicant consumed on first successful use |
cardProcessorPublicToken | string | Optional card processor public tokens to add to the entity using a |-delimited string |
Sample Response
{
"externalId": "ef88fd57-26cf-415d-a112-941732c55350",
"status": "completed",
"requestId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}Key Output
| Parameter Name | Type | Description |
|---|---|---|
status | string | Processing status; completed when the record was ingested successfully |
requestId | string | Correlation identifier echoed for support and log tracing |
An ingestion returning status: "completed" confirms only that the share token was accepted and processed. The final verification decision is delivered separately via webhook, and the signed identity payload can be retrieved only after that decision is complete.
Step 3: Receive the Verification Webhook
Reap will perform an independent review under the non-reliance model after the share token is ingested and notify the registered webhook endpoint once verification is complete. Continue to Step 4 only after receiving this notification.
Sample Notification Webhook
The KYC decision is communicated via webhook notification.
{
"eventName": "card_issuance_api_access_updated",
"eventType": "account_status_change",
"data": {
"eventId": "938c65f7-2aad-494d-b488-5256c4cfc370",
"message": "Card Issuance KYC API access updated",
"entityId": "6ac28264-c21b-4757-b141-1efce00adce6",
"timestamp": "2026-01-27T13:27:51.027Z",
"status": "APPROVED"
}
}{
"eventName": "card_issuance_api_access_updated",
"eventType": "account_status_change",
"data": {
"eventId": "938c65f7-2aad-494d-b488-5256c4cfc370",
"message": "Card Issuance KYC API access updated",
"entityId": "6ac28264-c21b-4757-b141-1efce00adce6",
"timestamp": "2026-01-27T13:27:51.027Z",
"status": "REJECTED",
"moderationComment": "Sumsub did not approve the applicant.",
"rejectLabels": ["DOCUMENT_QUALITY"],
"reviewRejectType": "FINAL"
}
}Webhook Outcomes
| Webhook Decision | Notes |
|---|---|
APPROVED | Cardholder has passed KYC checks and can proceed to create a card |
REJECTED | Cardholder failed KYC checks and is not eligible to create a card |
Rejection Reasons
The webhook payload includes the rejection reason through the moderationComment, rejectLabels, and reviewRejectType fields when the decision is REJECTED.
| Reason | moderationComment | rejectLabels | reviewRejectType |
|---|---|---|---|
| Applicant not approved | Sumsub did not approve the applicant. | Labels depend on Sumsub’s returned reason. | FINAL |
| Applicant not approved and level mismatch | Sumsub did not approve the applicant and the applicant does not meet the Reap enforced level. | Labels depend on Sumsub’s returned reason. | FINAL |
| Level mismatch | Applicant does not meet the Reap enforced level. | ['LEVEL_ENFORCED_MISMATCH'] | RETRY |
| Review incomplete | Sumsub applicant review is incomplete. | ['INCOMPLETE_SUBMISSION'] | RETRY |
| Review status unknown | Sumsub applicant review status is unknown. | ['INCOMPLETE_SUBMISSION'] | RETRY |
| Approved but validation failed | Applicant is approved and meets the enforced level, but validation failed. | ['INCOMPLETE_SUBMISSION'] | RETRY |
| Sumsub copy applicant API error | Failed to copy the Sumsub applicant. | ['INCOMPLETE_SUBMISSION'] | RETRY |
| Database error | Failed to complete required database calls. | ['INCOMPLETE_SUBMISSION'] | RETRY |
Step 4: Generate the Signed Identity Payload
The signed identity payload is a portable record of the entity’s verified identity that can be checked for tampering. Retrieve it after Reap sends the verification-completed webhook. It includes the verified identity fields and a cryptographic signature that allows its integrity to be verified.
Call the Signed Payload Endpoint
Use GET /entity/entityId/signed-payload to retrieve the signed identity payload for the entity.
Sample Request (cURL)
curl --request GET \
--url https://sandbox-compliance.api.reap.global/entity/entityId/signed-payload \
--header 'Accept: application/json' \
--header 'x-reap-api-key: ********'Key Input
| Parameter Name | Type | Description |
|---|---|---|
featureSlug | string | Optional query parameter that lets Reap verify that the specified feature is enabled for the entity before returning the payload using the slug supplied for this flow. |
Sample Response
{
"firstName": "Jack",
"lastName": "Sam Ong",
"dob": "1994-06-18",
"idDocumentType": "Passport",
"idDocumentNumber": "K1234567",
"residentialAddress": {
"line1": "Flat 1208, 350, TIFF Bell Lightbox, King Street West",
"line2": "Downtown",
"city": "Toronto",
"country": "CAN",
"postalCode": "M5V 3L9"
},
"expiresAt": "2026-03-10T09:18:51.998Z",
"signature": "bd6565bfb621f6321095e7dc574ea52b3829e29a732440170794fabfc8dec..."
}Key Output
| Parameter Name | Type | Description |
|---|---|---|
firstName | string | Verified first name from the approved KYC record |
lastName | string | Verified last name from the approved KYC record |
dob | string | Date of birth (Format: YYYY-MM-DD) |
idDocumentType | string | Type of government-issued ID used for verification |
idDocumentNumber | string | Verified ID document number |
residentialAddress | object | Verified residential address (line1, line2, city, country, postalCode) |
expiresAt | string | Expiry timestamp of the signed payload (Format: ISO 8601) |
signature | string | Cryptographic signature ensuring payload integrity and authenticity |
residentialAddress (object)
residentialAddress (object)| Parameter Name | Type | Description |
|---|---|---|
line1 | string | Primary address line |
line2 | string | Secondary address line |
city | string | City of residence |
country | string | ISO 3166-1 alpha-3 country code |
postalCode | string | Postal or ZIP code |
Step 5: Create Card
The signed payload returned in Step 4 must be passed into the Create Card endpoint when creating a card.
Call the Create Card Endpoint
Use POST /cards to create the card and include the signed payload in the request body.
Sample Request (cURL)
curl --request POST \
--url https://sandbox-compliance.api.reap.global/cards \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Accept-Version: v2.0' \
--header 'x-reap-api-key: ********' \
--data '{
"...": "...",
"kyc": {
"firstName": "Jack",
"lastName": "Sam Ong",
"dob": "1994-06-18",
"idDocumentType": "Passport",
"idDocumentNumber": "K1234567",
"residentialAddress": {
"line1": "Flat 1208, 350, TIFF Bell Lightbox, King Street West",
"line2": "Downtown",
"city": "Toronto",
"country": "CAN",
"postalCode": "M5V 3L9"
},
"expiresAt": "2026-03-10T09:18:51.998Z",
"signature": "bd6565bfb621f6321095e7dc574ea52b3829e29a732440170794fabfc8dec..."
},
"...": "..."
}'Key Input
kyc (object)
kyc (object)| Parameter Name | Type | Description |
|---|---|---|
kyc.signature | string | Signed JWT returned from the signed-payload endpoint ensuring payload integrity and KYC approval |
Sample Response
{
"id": "fa1bcdae-c101-4986-b385-8083fb43a7ab"
}Key Output
| Parameter Name | Type | Description |
|---|---|---|
id | string | Unique identifier of the successfully created card |
Scenarios
Scenario: Standard Verified Token Reuse
- Generate a share token in Sumsub for the already-verified applicant
- Ingest it via
POST /entity/kyc/import/syncwith theexternalIdand theshareToken, receivingstatus: "completed" - Wait for Reap's verification-completed webhook
- Retrieve the signed identity payload via
GET entity/entityId/signed-payload - Create the card via
POST /cards
Scenario: BIN Sponsorship Client
- Generate a share token in Sumsub for the already-verified applicant
- Ingest it via
POST /entity/kyc/import/syncwith theexternalId, theshareToken, and thecardProcessorPublicTokenfor the sponsored BIN - Wait for Reap's verification-completed webhook
- Stop after receiving the verification webhook.
- BIN sponsorship clients do not need to generate signed payloads, so Step 4 and Step 5 do not apply
Common Errors
| Error | Cause | Resolution |
|---|---|---|
| 401 Unauthorized | Missing or invalid API key | Check the x-reap-api-key header |
TL;DR
- Verified Token Sharing reuses an existing Sumsub verification through a single share token under Reap’s non-reliance model
- Register a webhook endpoint with
POST /notificationto receiveaccount_status_changeevents before ingesting any share tokens - Ingest synchronously with
POST /entity/kyc/import/syncby supplyingexternalIdandshareTokenplus the optionalcardProcessorPublicTokenfield where needed, noting that acompletedstatus confirms ingestion rather than the final decision - Reap reviews the applicant independently and sends a completion update by webhook once the contract is pending as described in Step 3
- Retrieve the signed identity payload with
GET /entity/entityId/signed-payloadwhich includes the verified identity fields and a cryptographicsignatureafter receiving the webhook - Create the card via
POST /cardsby following Step 5 of the card creation process once the signed identity payload is retrieved
Updated about 1 hour ago
