Overview

As a Maya Mini App partner, leverage the Maya Mini App’s Profile Sharing feature to access your customers' profiles securely and seamlessly. This functionality allows you to verify the customer's Maya accounts and keep the customer's record up-to-date in your Mini App.

This solution requires complete implementation of the Maya Mini App .

API Sequence

Build your Integration

This solution uses Bearer Authentication which relies on the Client Credentials Token (access_token) to authenticate incoming requests. access_token is generated during OAuth 2.0 Authentication using the client_credentials grant type.

Get Profile

Use Maya Mini App's Get Profile endpoint to retrieve the customer's profile information.

When implementing Maya Mini App, your Mini App shall be able to utilize the Customer Access Token or the accessToken obtained from Maya through your session URL or acquired by refreshing the tokens , whichever is the most recent or valid value.

Once your application has acquired the Customer Access Token (accessToken) from Maya, you may proceed with the following steps.

Any requests using an expired Customer Access Token (accessToken) will result in an error.

Be sure to use a valid accessToken and request a new accessToken as needed. Refer to the Manage Mini App Session: Expired Customer Session for the handling of expired accessToken.

Use the Get Profile via Maya Mini App endpoint to retrieve customer information from Maya. Information you are allowed to access will be defined within the scope of your client token, which is determined during onboarding.

📖

Get Customer Profile in Maya Mini App

Open Recipe

Decrypt Profile Data

Use the JWE and JWK keys to decrypt the profile data acquired during Get Profile via Maya Mini App.

A successful call to the Get Profile via Maya Mini App endpoint will return encrypted profile data. Subsequently, you shall decrypt the data using the JWE and JWK keys provided to you during onboarding.

JWE and JWKare provided by Maya once onboarded; JSON Web Key (JWK) is a JSON object that represents a cryptographic key

Illustrated below is the specification of JWE and JWK keys.

JWE Private JWK:

{
  "kty": "<value>",
  "n": "<value>",
  "e": "<value>",
  "d": "<value>",
  "p": "<value>",
  "q": "<value>",
  "dp": "<value>",
  "dq": "<value>",
  "qi": "<value>"
}

JWS Secret JWK:

{
  "kty": "<value>",
  "k": "<value>"
}

How to use JWE and JWK keys

Import privateJwk using the algorithm RS512.
Import secretJwk using the algorithm HS256.
Decrypt the JWE token (value of data from the response) using privateJwk to get the JWS token.
Verify JWS token from the decrypted JWE token (from #3) using secretJwk to get the raw profile.

Sample Codes:

/**
 * Use node version 14
 * Install npm package jose
 *
 */

const { compactDecrypt, jwtVerify, importJWK } = require("jose");

const JWS_ALG = "HS256";
const JWE_KEY = <jwe_key>;
const JWS_KEY = <jws_key>;

const opToken = "<token>";


async function verifyOpToken(token) {
  try {
    // Import the JWE key
    const privateJwk = await importJWK(JWE_KEY);

    // Decrypt the JWE to get the JWS
    const decryptedJwe = await compactDecrypt(token, privateJwk);
    const decodedJwePayload = new TextDecoder().decode(decryptedJwe.plaintext);

    // Import the JWS key, verify the JWS and get the data
    const jwsSecretKey = await importJWK(JWS_KEY, JWS_ALG);
    const decryptedJws = await jwtVerify(decodedJwePayload, jwsSecretKey);
    console.log(decryptedJws);
  } catch (err) {
    console.log(err);
  }
}

verifyOpToken(opToken);
...

# Install library jwcrypto

#!/usr/bin/env python

import json
import sys
from jose import jwe, jwk, jws

def decrypt_and_verify_response(encrypted, private_jwk_str, secret_jwk_str):
  private_jwk = jwk.construct(json.loads(private_jwk_str), algorithm="RS512")
  secret_jwk = jwk.construct(json.loads(secret_jwk_str), algorithm="HS256")

  # decrypt jwe
  decrypted = jwe.decrypt(encrypted, key=private_jwk.to_dict()).decode('ascii')

  # decode and verify jws
  profile = json.loads(jws.verify(decrypted, key=secret_jwk, algorithms="HS256", verify=True))
  return profile

if __name__ == '__main__':
  args = sys.argv[1:]
  print(decrypt_and_verify_response(args[0], args[1], args[2]))

<?php
/* Install web-token/jwt-framework.
* Samples on how to import keys and load nested tokens.
* See the JWT Framework's official docs for more info.
*/

use Jose\Component\Core\JWK;
use Jose\Component\Core\AlgorithmManager;

use Jose\Component\Encryption\Algorithm\KeyEncryption\RSAOAEP;
use Jose\Component\Encryption\Algorithm\ContentEncryption\A256GCM;
use Jose\Component\Encryption\Compression\CompressionMethodManager;
use Jose\Component\Encryption\Compression\Deflate;
use Jose\Component\Encryption\JWEDecrypter;
use Jose\Component\Encryption\Serializer\JWESerializerManager;
use Jose\Component\Encryption\Serializer\CompactSerializer;

use Jose\Component\Signature\Algorithm\HS256;
use Jose\Component\Signature\JWSVerifier;
use Jose\Component\Signature\Serializer\JWSSerializerManager;
use Jose\Component\Signature\Serializer\CompactSerializer as SigCompactSerializer;


// OP Token
$token  = '<encrypted profile data>';

// Create keys
$jweKey = new JWK([<jwe_key>]);
$jwsKey = new JWK([<jws_key>]);

// Decrypt the JWE
$keyEncryptionAlgManager = new AlgorithmManager([ new RSAOAEP() ]);
$contentEncryptionAlgManager = new AlgorithmManager([ new A256GCM() ]);
$compressionMethodManager = new CompressionMethodManager([ new Deflate() ]);
$serializerManager = new JWESerializerManager([ new CompactSerializer() ]);

$jweDecrypter = new JWEDecrypter(
  $keyEncryptionAlgManager,
  $contentEncryptionAlgManager,
  $compressionMethodManager
);

$jwe = $serializerManager->unserialize($token);

// If error, will throw error
$isDecrypted = $jweDecrypter->decryptUsingKey($jwe, $jweKey, 0);
print_r($jwe->getPayload());


// Decrypt JWS
$jwsAlgManager = new AlgorithmManager([ new HS256() ]);
$jwsVerifier = new JWSVerifier( $jwsAlgManager );
$serializerManager = new JWSSerializerManager([ new SigCompactSerializer() ]);

$jws = $serializerManager->unserialize($jwe->getPayload());

// If error, will throw error
$isVerified = $jwsVerifier->verifyWithKey($jws, $jwsKey, 0);
print_r( $jws->getPayload());  // This is the decrypted profile data

Process the raw Profile Data

Use the raw Profile Data in your own accord. Please note that Maya follows Data Privacy and Security protocols. Discuss the data handling integration requirements with your Maya Relationship Manager.

Sample Raw Profile Data (after decrypt):

{
    "id": "a11938a3bcb675d92d7c1d0e4b71fee3f029",
    "profileId": "778307049099",
    "kycStatus": "KYC1",
    "workDetails": {
      "sourceOfIncome": "EMPLOYMENT",
      "sourceOfIncomeDetails": null,
      "natureOfWork": "OTHERS",
      "natureOfWorkDetails": "Others_Product",
      "verificationStatus": "PASSED"
    },
    "address": [
      {
        "line1": "6F Launchpad Bldg",
        "locality": "Brgy. Highway Hills",
        "city": "Mandaluyong",
        "country": "PH",
        "type": "PRESENT",
        "zipCode": "1234",
        "region": "Metro Manila",
        "verificationStatus": "PASSED"
      },
      {
        "line1": "6F Launchpad Bldg",
        "locality": "Brgy. Highway Hills",
        "city": "Metro Manila",
        "country": "PH",
        "type": "PERMANENT",
        "zipCode": "1234",
        "region": "Metro Manila",
        "verificationStatus": "PASSED"
      }
    ],
    "contact": [
      {
        "type": "MSISDN",
        "subtype": "PRIMARY",
        "value": "+639176712017",
        "verificationStatus": "PASSED"
      },
      {
        "type": "EMAIL",
        "subtype": "RECOVERY",
        "value": "mailto:[email protected]",
        "verificationStatus": null
      }
    ],
    "name": {
      "firstName": "Mose",
      "lastName": "Batz",
      "middleName": null,
      "verificationStatus": "PASSED"
    },
    "birthDetails": {
      "birthDate": "05-01-1980",
      "city": "Mandaluyong",
      "nationality": "PH",
      "country": "PH",
      "verificationStatus": "PASSED"
    }
  }

Refer to the following Maya Mini App features to implement financial transactions:

You can leverage these features depending on your scope and configuration in Maya. To verify and enable any of these features, contact your designated Maya Relationship Manager.

Endpoints

Name	HTTP Method	Key Type	Endpoint	Description
Get Profile via Maya Mini App	GET	Bearer Auth	/profile	Retrieve the customer profile information by providing the valid Customer Access Token (`accessToken`), either obtained through your session URL or acquired by refreshing the tokens , whichever is the most recent or valid value

Business Rules to Code

To supplement your knowledge of the integration, it is essential to know the Business Rules to Code for Maya Mini Apps . This ensures that technology requirements and other development considerations are met.

Supported Scopes

Maya Mini App’s Profile Sharing feature offers essential customer information that can be utilized to automatically fill in customer registration or customer verification details within your system.

Access to the customer profile information is restricted within your scope. The following are the supported scopes in Maya Mini Apps:

openid scope DEFAULT

This includes the unique customer ID of the customer and their KYC status.

Attribute	Type	Description
`id`	string	This ID is unique to the customer
`profileId`	string	An additional identifier of a customer
`kycStatus`	string	KYC status of the customer; KYC0 (unverified account) or KYC1 (verified account)

profile scope BY REQUEST

The customer’s personal information in Maya, such as their name and birth details.

Attribute	Type	Description
`name`	object	An object containing the customer's registered name in Maya
`name.firstName`	string	The customer's registered first name in Maya
`name.middleName` NULLABLE	string	The customer's registered middle name in Maya
`name.lastName`	string	The customer's registered last name in Maya
`name.verificationStatus` NULLABLE	string	Reflects the verification status of the name registered; Expected values: `PASS`, `FAILED`, null
`birthDetails`	object	An object containing the customer's registered birth details in Maya
`birthDetails.birthDate`	string	`MM-dd-YYYY`
`birthDetails.city`	string	The customer's city of birth registered in Maya
`birthDetails.nationality`	string	The customer's nationality registered in Maya
`birthDetails.country`	string	The customer's country of birth registered in Maya
`birthDetails.verificationStatus` NULLABLE	string	Reflects the verification status of the provided birth details; Expected values: `PASS`, `FAILED`, null

contact scope BY REQUEST

The customer’s contact information in Maya; can be an email address or a mobile number.

Type	Attribute	Description
array	`contact`	An array containing the customer’s contact details
string	`contact[].type`	The customer’s type of contact; Expected values: `EMAIL` or `MSISDN`
string	`contact[].subType`	The subtype of the customer’s contact; Expected values: `PRIMARY` or `RECOVERY` Maya recommends using the `PRIMARY` contact details only.
string	`contact[].value`	If the type is `EMAIL`, then the value is an email address; If the type is `MSISDN`, then the value is the mobile number
string	`contact[].verificationStatus` NULLABLE	Reflects the verification status of the name registered; Expected values: `PASS`, `FAILED`, null

address scope BY REQUEST

This includes the customer's address information in Maya.

Attribute	Type	Description
`address`	array	An array containing the customer's address details
`address[].type`	string	The type of address; Expected values: `PRESENT` or `PERMANENT`
`address[].line1`	string	The Address Line 1 of the customer
`address[].line2`	string	The Address Line 2 of the customer
`address[].locality`	string
`address[].city`	string	The city of the customer's address
`address[].province`	string	The province of the customer's address
`address[].region`	string	The region of the customer's address
`address[].country`	string	The country of the customer's address; See list of valid country code
`address[].zipCode`	string	The ZIP Code of the customer's address
`address[].verificationStatus` NULLABLE	string	Reflects the verification status of the customer's address details; Expected values: `PASS`, `FAILED`, null

workDetails scope BY REQUEST

The source of income and nature of work of the customer recorded in Maya.

Attribute	Type	Description
`workDetails`	object	An object containing the customer's work details
`workDetails.natureOfWork`	string	See the list of possible values
`workDetails.natureOfWorkDetails` NULLABLE	string	Additional details on the customer's nature of work
`workDetails.sourceOfIncome`	string	See the list of possible values
`workDetails.sourceOfIncomeDetails` NULLABLE	string	Additional details on the customer's nature of work
`workDetails.verificationStatus` NULLABLE	string	Reflects the verification status of the customer's work details; Expected values: `PASS`, `FAILED`, null

identity_document scope BY REQUEST

This provides access to the image and liveness video of the customer.

Attribute	Type	Description
`identityDocument`	array	An array containing the customer's identity documents
`identityDocument[].type`	enum	Type of identity document; See the list of possible values
`identityDocument[].value` NULLABLE	string	Nullable when: `frontUrl` is present `frontUrl` is not available due to an unsupported format
`identityDocument[].frontUrl` NULLABLE	string	Nullable when: `value` is present `frontUrl` is not available due to an unsupported format `frontUrl` is Maya's S3 pre-signed URL with the expiry of 15 minutes When the URL expires, you may send another API request to the Get Profile endpoint to obtain a new image URL.
`identityDocument[].backUrl` NULLABLE	string	Nullable when `backUrl` is not available due to an unsupported format; `backUrl` is Maya's S3 pre-signed URL with the expiry of 15 minutes When the URL expires, you may send another API request to the Get Profile endpoint to obtain a new image URL.
`identityDocument[].expiryDate`	string	`MM-dd-YYYY`
`identityDocument[].verificationStatus` NULLABLE	string	Reflects the verification status of the customer's identity documents; Expected values: `PASS`, `FAILED`, null

Should specific information be unavailable within the provided scopes, you can incorporate additional steps in your registration process, allowing users to input the required information.

At this point, you have understood the following:

The necessary APIs and their endpoints
The sequence and purpose of each API
The prerequisites for building your integration

Frequently Asked

What to do when customer's accessToken expires?

Answer: Your platform must request to generate a new Customer Access Token (accessToken) from the Maya endpoints. See the Manage Mini App Session: Expired Customer Session for more details.

What if certain customer information not supported or unavailable in the scope?

Answer: Should specific information be unavailable within the provided scopes, you can incorporate additional steps in your registration process, allowing users to input the required information.

How can I keep customer profile up-to-date?

Answer: Maya recommends retrieving the customer profile each time the customer accesses or logs into your Mini App, and updating the customer record in your Mini App accordingly.

Profile Sharing