Token Web API

GET /token?id={app-id}&bcid={BCID}

Requests a BWS token to be used for authorization with most of the other BWS Web APIs. The issued token will be assigned to the specified user and has a very short lifetime, i.e. it expires after about ten minutes as it is typically only used for one biometric task like verification or enrollment (including retries).

Request Information


idRequired. The App-ID of the registered BWS Client App calling the API.

Required. The Biometric Class ID (BCID) of the person for whom the token shall be issued, i.e. the user that is going to perform a biometric task using this token.

Not required for livenessdetection!

taskOptional, defaults to verify. A string that specifies the task the issued token shall be used for: Currently the tasks verify (default), identify, enroll and livenessdetection are defined. Tokens created for the task verify are intended to be used together with the Verify Web API, identify-tokens are used with the Identify Web API, enroll-tokens with the Enroll Web API and livenessdetection-tokens with the LivenessDetection Web API. With all kind of tokens access to the Upload Web API is allowed of course.
maxtriesOptional, defaults to 3. An non-zero integer value up to 15 that specifies the maximum number of tries an application or a user is allowed to perform with the issued token. The default is 3 attempts.
livedetectionOptional, defaults to true. A boolean parameter to switch off live data detection. When set to true (the default), liveness detection is required and the intended task shall fail, as soon as it cannot undoubtedly determine that the given data is live data. When set to false, live data detection is not required (except for the livenessdetection task that always performs a liveness detection of course).

Optional, defaults to false. A boolean parameter only interpreted if liveness detection is switched on: if set to true, the challenge-response mechanism is activated, i.e. additionally to the standard liveness detection the user has to respond according to the challenges provided by the system.


You don't need to enable this option if you are only interested in using liveness detection.

challengesOptional, defaults to 3. An integer value between 2 and 7 that specifies the number of challenges that shall be embedded in the token in case that liveness detection with challenge response is enabled.
autoenrollOptional, defaults to false. A boolean parameter used in conjunction with the verify task that if set to true and the verification succeeded it allows to automatically enroll the uploaded samples. This ensures, that the biometric template of the person is automatically adapted and always assembled from current samples. When set to false (the default), no automatic enrollment will be performed.
traitsOptional, defaults to Face,Periocular. The traits that shall be used for the biometric operation.


This API call requires Basic Authentication, i.e. you have to provide an HTTP authorization header using the authorization method Basic and the base64 encoded string App-ID:App-Secret (therefore the transport is secured using TLS/SSL). To receive the necessary BWS Web API access data (App-ID and App-Secret) you have to register your application on the BWS Portal first. This requires a valid BWS subscription.

Response Information

The Token Web API returns a string containing the issued BWS token.The BWS uses a JSON Web Token (JWT) to represent the issued claims as a JSON object. The object is encoded as JSON Web Signature (JWS) which means that the claims are digitally signed (HMACed), base64url encoded and finally joined with a period.

Response Body Format

Sample Token:


Decoded sample token:


{"tokenid":"3c6f82c7-712b-4ed9-9736-6fd61e222552", "clnt":"BWS-Test on Multitenant", "app":"", "bcid":"bws/112/12345", "traits":3, "task":259, "iss":"BWS", "aud":"", "exp":1515062356, "nbf":1515061756}


Claims encoded in a BWS token:

tokenidA unique identifier for the issued token.
issThe issuer of the token (typically BWS).
audThe audience for this token, i.e. the URL of the BWS instance that accepts this token.
nbfThe token is not accepted before this timestamp.
expThe expiration time on after which the token is not accepted any more.
bcidThe Biomatric Class ID of the user the token belongs to.
clntThe BWS client that requested the token.
appThe application that requested the token.
taskThe task this token is issued for. This is the logical combination of various flags that describe the task this token is intended to be used for.
challengeAn optional array (max tries) of string arrays that shall be used to challenge the user during the recording of face images.
traitsThe traits that shall be used with the specified task.

Possible values encoded into the 'task'-claim:

Verify (0)The token is intended to be used for verification.
Identify (0x10)The token is intended to be used for identification.
Enroll (0x20)The token is intended to be used for enrollment.
LiveOnly (0x80)The token is intended to be used for liveness detection only.
MaxTriesMask (0x0F)These four bits are used to encode the number of maximum tries a user is allowed to perform.
LiveDetection (0x100)Liveness detection is required.
ChallengeResponse (0x200)Challenge-response is required (the 'challenge'-claim is available).
AutoEnroll (0x1000)Automatic enrollment is switched on.

Response HTTP Status Codes

Return values of API calls are standard HTTP status codes. With the success code (200) you receive the issued BWS token in the body text. With error codes a Message field within the body text describing the error is returned. The most commonly return codes are:

200 OKThe response body contains the issued BWS token string.
400 Bad RequestAn invalid BCID has been specified.
401 UnauthorizedNo or an invalid authentication header has been specified, Basic Authentication is required.
403 ForbiddenAccess has been denied (typically due to a wrong or invalid app-id or BCID).
500 Internal Server ErrorA server side exception occurred.

Sample Code

const string APP_IDENTIFIER = "";
const string APP_SECRET = "";
const string ENDPOINT = "";

const string STORAGE = "";
const int PARTITION = 0;
const int CLASSID = 0;

static string bcid = STORAGE + "." + PARTITION + "." + CLASSID;

public enum TokenFor { verify, identify, enroll, livenessdetection }
private static async Task<string> TokenAsync(string bcid, TokenFor forTask = TokenFor.verify)
    using (var client = new HttpClient())
        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic",
		Console.Write("Get BWS token: ");
 		using (var response = await client.GetAsync(ENDPOINT + $"token?id={APP_IDENTIFIER}&bcid={bcid}&task={forTask}"))
            if (response.StatusCode == HttpStatusCode.OK)
                return await response.Content.ReadAsStringAsync();
            	return "";
// using OkHttpClient from the OkHttp library
HttpUrl url = HttpUrl.parse("").newBuilder()
        .addQueryParameter("id", APP_IDENTIFIER)
        .addQueryParameter("bcid", STORAGE + "." + PARTITION + "." + CLASS_ID)
Request request = new Request.Builder()
        .addHeader("Authorization", Credentials.basic(APP_IDENTIFIER, APP_SECRET))
OkHttpClient client = new OkHttpClient();
Response response = client.newCall(request).execute();
String token = response.body().string();
if (response.code() == 200) {
    System.out.println("token=" + token);
return token;