Quality assurance testing

This page outlines the steps you need to complete before launching your integration in production.

End-to-end walkthrough

A smooth launch starts with validating your integration through an end-to-end walkthrough. This step is required before going live to ensure that your implementation meets ID.me’s best practices. Work with your ID.me solution consultant to schedule the session once your integration is complete and ready for review.

Need a dedicated solution consultant? Email us at partnersupport@id.me

What is an end-to-end walkthrough?

The end-to-end walkthrough is the final checkpoint before moving to production. During this session, your team will walk ID.me’s representatives through
the complete user experience in a non-production environment where they will confirm that the integration is both fully functional and adheres to
all ID.me standards.

Prerequisites

Before scheduling the end-to-end walkthrough, please ensure to test your integration thoroughly in a lower (non-production) environment. This not only
validates the authentication flow, but also confirms that your overall application is functioning as expected. Depending on your use case, you
should test to ensure:

The ID.me verification screen loads properly (via full-page redirect or popup)
All test credentials have been used and verified
Your logo and branding appear on the verification screens
Privacy policy and terms of service links are present on the consent screen
The redirect URI functions correctly after verification
The authorization code is successfully generated and captured
If applicable, the refresh token is successfully generated and captured
The payload is decrypted successfully
The user data object is stored correctly in your database
All data is used appropriately (for example, triggering a discount based on user affiliation)

Complete the end-to-end walkthrough

During the session, the ID.me team will review your full integration flow and confirm:

The user experience (UX) is accessible and functional on both desktop and mobile
Redirects route users to the appropriate pages
Application activity is visible to ID.me (user activity, authorization codes, returned user info)
The integration adheres to ID.me brand and UX best practices
No sensitive information is exposed or stored in the DOM
The ID.me button, copy, and optional “What is ID.me?” or FAQ links are visible
Success messaging is properly displayed post-verification
Returned attributes are correctly parsed and populate expected fields
Error handling is implemented (?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request is gracefully handled)
Test credentials produce expected results (both passing and failing cases)
Any subgroup or attribute-specific logic is working (military service end date, occupational criteria)

Use case-specific check (if required)

Promotion or offer is clearly displayed and discoverable (landing page, banner, footer link)
Promotion type is defined (promo code, cart rule)
“Return to partner” UX is functional and clear in failed verification scenarios

Final questions and context

To complete the QA process, your account team may ask for additional context to prepare for go-live:

Did you encounter any challenges during setup?
What could we have done better during the integration process?
Do you have any outstanding questions or support needs?
Are your servers located in the United States?
Are there special considerations related to data handling or infrastructure?

Best practices

The following are some additional best practices to follow before going live.

Validate with ID.me-provided test credentials

ID.me will provide pre-verified test credentials during the credential validation process. Use these credentials to simulate login, grant consent, and complete the full redirect flow back to your application.

Identity verification

Use the ID.me sandbox environment to test identity verification scenarios:

Create unlimited test accounts using the Create an ID.me account option
Use any valid or test email address for account creation
Submit fake but realistic test data to complete verification
After initial verification, reuse the sandbox account for ongoing testing

This allows you to test the entire flow from account creation through verification and consent.

Data expectations

ID.me provides verified user data based on the type of policy and verification method used. Work with your account team to understand:

Which attributes are always returned
Which attributes are conditional based on the verification source

Example

If a user verifies with a driver’s license, ID.me can return a verified address

If a user verifies with a passport, the address field may be null

Best practice

Design your integration to handle missing or null values gracefully to ensure stability across all scenarios

Data minimization

To reduce risk and improve privacy posture, ID.me follows a data minimization philosophy. Your application should only request and receive attributes relevant to your use case.

Work with your ID.me solution consultant to define which data points are necessary. Avoid storing unused or unnecessary information in your system to minimize exposure and liability.

This page outlines the steps you need to complete before launching your integration in production.

End-to-end walkthrough

Need a dedicated solution consultant? Email us at partnersupport@id.me

What is an end-to-end walkthrough?

Prerequisites

The ID.me verification screen loads properly (via full-page redirect or popup)
All test credentials have been used and verified
Your logo and branding appear on the verification screens
Privacy policy and terms of service links are present on the consent screen
The redirect URI functions correctly after verification
The authorization code is successfully generated and captured
If applicable, the refresh token is successfully generated and captured
The payload is decrypted successfully
The user data object is stored correctly in your database
All data is used appropriately (for example, triggering a discount based on user affiliation)

Complete the end-to-end walkthrough

During the session, the ID.me team will review your full integration flow and confirm:

The user experience (UX) is accessible and functional on both desktop and mobile
Redirects route users to the appropriate pages
Application activity is visible to ID.me (user activity, authorization codes, returned user info)
The integration adheres to ID.me brand and UX best practices
No sensitive information is exposed or stored in the DOM
The ID.me button, copy, and optional “What is ID.me?” or FAQ links are visible
Success messaging is properly displayed post-verification
Returned attributes are correctly parsed and populate expected fields
Error handling is implemented (?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request is gracefully handled)
Test credentials produce expected results (both passing and failing cases)
Any subgroup or attribute-specific logic is working (military service end date, occupational criteria)

Use case-specific check (if required)

Promotion or offer is clearly displayed and discoverable (landing page, banner, footer link)
Promotion type is defined (promo code, cart rule)
“Return to partner” UX is functional and clear in failed verification scenarios

Final questions and context

To complete the QA process, your account team may ask for additional context to prepare for go-live:

Did you encounter any challenges during setup?
What could we have done better during the integration process?
Do you have any outstanding questions or support needs?
Are your servers located in the United States?
Are there special considerations related to data handling or infrastructure?

Best practices

The following are some additional best practices to follow before going live.

Validate with ID.me-provided test credentials

Identity verification

Use the ID.me sandbox environment to test identity verification scenarios:

Create unlimited test accounts using the Create an ID.me account option
Use any valid or test email address for account creation
Submit fake but realistic test data to complete verification
After initial verification, reuse the sandbox account for ongoing testing

This allows you to test the entire flow from account creation through verification and consent.

Data expectations

ID.me provides verified user data based on the type of policy and verification method used. Work with your account team to understand:

Which attributes are always returned
Which attributes are conditional based on the verification source

Example

If a user verifies with a driver’s license, ID.me can return a verified address

If a user verifies with a passport, the address field may be null

Best practice

Design your integration to handle missing or null values gracefully to ensure stability across all scenarios

Data minimization

To reduce risk and improve privacy posture, ID.me follows a data minimization philosophy. Your application should only request and receive attributes relevant to your use case.

Work with your ID.me solution consultant to define which data points are necessary. Avoid storing unused or unnecessary information in your system to minimize exposure and liability.