Fraud event notifications
Registration overview
ID.me requires two bits of information to create a stream:
- Receiver URL: The public URL to which ID.me should stream events. Example: https://example.com/api/v1/events
- Audience String: What to use as the value of the aud claim for events. Example: http://example.com
ID.me uses a manual onboarding process for stream registration rather than the SSF Stream Management API (POST /ssf/stream) defined in the SSF specification. To register, email your Customer Success Manager (CSM) with your Receiver URL and Audience String. Your CSM will confirm registration and provide the iss value (https://events.id.me) and any additional configuration details needed to begin receiving events.
Transmission overview
The following steps represent the transmission flow.
Transmit supported events
ID.me will begin transmitting supported events to the Receiver URL. Events will be signed by the private key corresponding to the public key published at the ID.me SSF JWKS URL. Events will not be encrypted. Exactly one event will be included in each request.
Receive events
The receiver will receive the events from ID.me as an HTTP request and respond with a 2xx HTTP code to confirm the request was successfully received. If ID.me receives an error code, event transmission will be automatically retried in accordance with preset retry logic (default: 3 retries, then abort).
Verify signature
Parse the iss claim from the unverified token header or payload, then use it to locate and fetch the corresponding public key from the ID.me SSF JWKS URL. Verify the event signature using that public key, then confirm that the iss value matches https://events.id.me exactly. This confirms that the event was transmitted by ID.me.
Key information
A private key will be used to sign all event tokens. A corresponding public key will be published at the following locations.
These JWKS URLs use a custom path structure and do not follow the standard .well-known URI convention (RFC 8615).
Keys will use the RS256 algorithm (RSASSA-PKCS1-v1_5 using SHA-256).
Supported events
ID.me supports six events that are part of the RISC specification.
Expected volume
The volume of the events varies from customer to customer. Please work with your CSM to develop an estimate of the frequency and volume of events.
The table below shows a brief description of the supported events. The next section describes details of ID.me’s implementation of these events.
Event specifications
Default event specifications
All events will have the following:
HTTP request
Standard SET claims
The following will adhere to SET specifications.
Additional information
- Subject will be provided in both the header and the body, for convenience and compatibility
- Subject will always be in the iss_sub format: {"format": "iss_sub", "iss": "https://events.id.me", "sub": "<uuid>"}
  - format will always be "iss_sub"
  - iss will always be "https://events.id.me"
  - sub will always be the UUID for the subject ID.me account
The following is a complete example of the full JWT structure, including the top-level sub_id claim:
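The following added example (not ID.me's code or documentation) builds a SET with the sub_id structure just described and walks a receiver through the signature-verification steps from the transmission overview: read iss from the unverified payload to pick the key set, select the key by kid, check the RS256 signature, then confirm iss exactly and aud. It uses the cryptography library, a throwaway RSA key standing in for ID.me's signing key, a constructed JWKS with the assumed kid example-kid-1, and an in-memory dict in place of fetching the ID.me SSF JWKS URL; it also goes slightly beyond the page by rejecting any alg other than RS256.

```python
import base64, json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

EXPECTED_ISS = "https://events.id.me"   # iss value stated on the page
AUDIENCE = "http://example.com"         # Audience String from the page's registration example
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Transmitter side: a throwaway RSA key standing in for ID.me's signing key (constructed here).
_priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
_pub = _priv.public_key().public_numbers()
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "example-kid-1",
                  "n": b64url(_pub.n.to_bytes(256, "big")), "e": b64url(_pub.e.to_bytes(3, "big"))}]}
JWKS_BY_ISS = {EXPECTED_ISS: JWKS}      # stands in for fetching the ID.me SSF JWKS URL

SAMPLE_SET = {  # constructed payload in the shape the page describes; not a real ID.me event
    "iss": EXPECTED_ISS, "aud": AUDIENCE, "iat": 1700000000, "jti": "example-jti-1",
    "sub_id": {"format": "iss_sub", "iss": EXPECTED_ISS, "sub": "123e4567-e89b-42d3-a456-426614174000"},
    "events": {"https://schemas.openid.net/secevent/risc/event-type/account-purged": {}},
}

def sign_set(payload: dict, kid: str = "example-kid-1") -> str:
    # Compact-serialised SET: header.payload.signature, signed with RS256 (PKCS#1 v1.5 + SHA-256)
    signing_input = (b64url(json.dumps({"typ": "secevent+jwt", "alg": "RS256", "kid": kid}).encode())
                     + "." + b64url(json.dumps(payload).encode()))
    return signing_input + "." + b64url(_priv.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256()))

def verify_set(token: str) -> dict:  # receiver side: returns verified claims or raises ValueError
    h64, p64, s64 = token.split(".")                # ValueError if not exactly three segments
    header, unverified = (json.loads(b64url_decode(seg)) for seg in (h64, p64))
    if header.get("alg") != "RS256":                # page: RS256 only; never honour other algs
        raise ValueError("unexpected alg")
    jwks = JWKS_BY_ISS.get(unverified.get("iss"), {"keys": []})   # unverified iss only picks the key set
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("no trusted key for this iss/kid")
    pub = rsa.RSAPublicNumbers(int.from_bytes(b64url_decode(jwk["e"]), "big"),
                               int.from_bytes(b64url_decode(jwk["n"]), "big")).public_key()
    try:
        pub.verify(b64url_decode(s64), f"{h64}.{p64}".encode(), padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        raise ValueError("bad signature")
    if unverified.get("iss") != EXPECTED_ISS or unverified.get("aud") != AUDIENCE:
        raise ValueError("iss or aud mismatch")     # exact match, checked only after the signature holds
    return unverified
```

A production receiver would cache the fetched JWKS and refresh it on an unknown kid, and should also de-duplicate on jti before acting on the event.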
Individual event specifications
Account disabled
This event is fired when an ID.me account is suspended for any reason.
Properties
Account enabled
This event is fired when an ID.me account is reinstated, for example, as a result of a recovery process or negative fraud investigation.
Properties
Account credential change required
This event is fired when an ID.me authority determines that the account owner must reset their password.
Properties
Account purged
This event is fired when a Member’s ID.me account is permanently deleted.
RISC Spec
Signals that the account identified by the subject has been permanently deleted.
URI: https://schemas.openid.net/secevent/risc/event-type/account-purged
When it’s fired
- User-Requested Erasure via GDPR/CCPA right-to-erasure flows
- PII Retention Expiry (e.g., 3 years after account closure)
- Biometric Retention Expiry (e.g., 35 months post-inactivity)
Properties
The RISC spec defines no normative properties for this event. The following fields are ID.me extensions.
Recovery activated
This event is fired when a user initiates the process to recover their account (examples: password reset, MFA recovery).
RISC Spec
Signals that the account identified by the subject activated a recovery flow.
URI: https://schemas.openid.net/secevent/risc/event-type/recovery-activated
When it’s fired
- Forgot Password flow initiation (user clicks “Forgot password”)
- Forgot MFA flow (lost device / de-registered authenticator)
- Support-Initiated Reset or account unlock by an agent
- Fraud Rule automatically resets an authenticator
Properties
Recovery information changed
This event is fired when a user updates the authenticator(s) on their ID.me account.
RISC Spec
Recovery Information Changed signals that the account identified by the subject has changed some of its recovery information. For example, a recovery email address was added or removed.
URI: https://schemas.openid.net/secevent/risc/event-type/recovery-information-changed
Properties