FAQ

HTTP standards & headers

Is there any HTTP header standard recommended by Unico?

Unico recommends adherence to current HTTP specifications (originally defined in RFCs 7230 and 7231, now superseded by RFC 9110 and related standards). Non-compliant headers can cause integration failures, such as "415 (Unsupported Media Type)" or "502 (Bad Gateway)" errors, when a proxy rejects the request.

Common violations include invalid Content-Encoding values, header names with spaces, accents, or non-ASCII characters, control characters in values, and prohibited header duplication. Always validate header compliance before sending requests.
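A pre-flight check for the violations listed above, as an added example (not Unico's code). The Content-Encoding allow-list, the set of single-value headers, and the sample headers are assumptions constructed for illustration.

```python
import re

# RFC 9110 field names are "tokens": visible ASCII only, no spaces or accents.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Control characters (C0 range and DEL) are rejected in values; HTAB is allowed.
CTL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")
# Assumption: content codings this client is allowed to send.
CONTENT_CODINGS = {"gzip", "deflate", "br", "compress", "zstd"}
# Assumption: headers that must appear at most once per request.
SINGLETONS = {"content-type", "content-length", "host", "authorization"}

# Constructed sample request headers, one per violation class plus valid ones.
SAMPLE = [
    ("Content-Type", "application/json"),
    ("Content-Type", "text/plain"),
    ("Content-Encoding", "gzip, base64"),
    ("X-Cliente Nome", "acme"),
    ("X-Operação", "cadastro"),
    ("X-Trace", "req-42\r\n"),
    ("Authorization", "Bearer example-token"),
]


def validate_headers(headers):
    """Return (header_name, problem) tuples for a list of (name, value) pairs."""
    problems, seen = [], set()
    for name, value in headers:
        key = name.lower()
        if not TOKEN.fullmatch(name):
            problems.append((name, "invalid characters in header name"))
            continue
        if CTL.search(value):
            problems.append((name, "control character in value"))
        if key in SINGLETONS and key in seen:
            problems.append((name, "duplicated single-value header"))
        seen.add(key)
        if key == "content-encoding":
            for coding in value.split(","):
                if coding.strip().lower() not in CONTENT_CODINGS:
                    problems.append((name, "unknown content coding: %r" % coding.strip()))
    return problems


if __name__ == "__main__":
    for name, problem in validate_headers(SAMPLE):
        print("%s: %s" % (name, problem))
```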

Certificate & security

Does Unico recommend certificate pinning?

No. Certificate pinning can cause service unavailability during routine certificate replacement cycles. It provides minimal security benefits and blocks modern protections (CDN, WAF, attack mitigation). Unico ensures connection security through globally recognized certificate authorities, public auditing via Certificate Transparency, and robust authentication standards such as OAuth + JWT.

Why can't I use the by Unico link in a common iframe without a token?

Direct embedding without authentication tokens is prohibited for security, traceability, and access control. A secure session token, generated per request and tied to the transaction, the user, and the context, is required.

Risks of direct links include social engineering and phishing vulnerabilities, integrity loss, audit trail gaps, and security policy exposure that increases enumeration risks or exceeds header size limits.

Database & processing

Can I import my database to be processed by Unico?

Yes. The process requires notifying your account manager, requesting a service account, obtaining an APIKey configured for base64 images (not encrypted), and executing API calls while storing response data and process IDs — essential for features like 1:1 Validation.

Performance & rate limiting

Does Unico have a TPS/RPM limit?

Yes. The default limit is 10 TPS (transactions per second) per customer to maintain platform stability and security. Limits are contractually adjustable and can be increased temporarily or permanently through your account manager. Requests exceeding limits receive 429 (Too Many Requests) errors.
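Client-side pacing that stays under the default 10 TPS and backs off when a 429 still comes back, as an added example (not Unico's code). The `send` callable, the retry count, and the backoff delays are hypothetical choices for illustration.

```python
import time


class Pacer:
    """Spaces calls evenly so that no more than `tps` start per second."""

    def __init__(self, tps=10, clock=time.monotonic, sleep=time.sleep):
        self.interval = 1.0 / tps
        self.clock, self.sleep = clock, sleep  # injectable for testing
        self.next_slot = 0.0

    def wait(self):
        """Block until the next send slot is free, then reserve it."""
        now = self.clock()
        if now < self.next_slot:
            self.sleep(self.next_slot - now)
            now = self.next_slot
        self.next_slot = now + self.interval


def call_with_backoff(send, pacer, max_attempts=5, base_delay=0.5):
    """Call send() (hypothetical: returns an HTTP status code), retrying on 429.

    Returns (final_status, attempts_used). Delays double after each 429:
    base_delay, 2*base_delay, 4*base_delay, ...
    """
    for attempt in range(max_attempts):
        pacer.wait()
        status = send()
        if status != 429:
            return status, attempt + 1
        if attempt < max_attempts - 1:
            pacer.sleep(base_delay * 2 ** attempt)
    return 429, max_attempts
```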

Integration types

What are the differences between API and Web & Native integrations?

Web & Native: Unico manages the complete user experience with UX and security best practices, automatic SDK updates, and conversion optimization. Deployable via webview, iframe, or asynchronous messaging (WhatsApp, SMS, Email).

API: Companies control the user experience with their own frontend, leveraging Unico's backend capabilities alongside other authentication technologies.

Orchestration

What is orchestration?

During biometric enrollment, when Identity Verification returns "Inconclusive," orchestration automatically executes probabilistic validation using the Risk Score capability to determine facial match with the identity document holder.

Web & Native — deployment & customization

How can I use Web & Native in my operation?

Three deployment methods are available: mobile application webviews, web application iframes, or message flows (WhatsApp, SMS, Email).

What customizations are possible in Web & Native?

Customizable elements include logo, CTA background color, CTA text, and CTA corner rounding (in pixels).

Document technologies

How do document technologies work?

  • Typification: Validates that the document layout matches the specified type (no forensics performed).
  • FaceMatch: Compares the user's selfie against the face photo on the document (true/false return).
  • CPF Match: Compares the provided CPF with the CPF on the document (true/false return).
  • OCR Extraction: Converts document data from images into text format.

Does Unico perform document forensics?

No. Unico provides typification, OCR data extraction, FaceMatch, and CPF Match — but does not currently perform document forensics.

API characteristics

Can I use IDCloud manually?

Yes, manual usage is supported.

Is the IDUnico API synchronous or asynchronous?

Both options are available. Choose your preferred integration method during APIKey configuration.

What is the average response time for identity verification?

Expected latency averages 3 seconds, but this may vary depending on how the product is used (e.g. whether Liveness is used, whether the APIKey is synchronous or asynchronous, among other factors).

API responses & decisions

What are the returns in the IDUnico API for approval decisions?

The most common scenario (Identity Verification + Risk Score) returns:

{
  "id": "abc-123",
  "status": 3,
  "unicoId": {
    "result": "yes"
  },
  "liveness": 1,
  "score": 87.5
}

Additional features & error handling

Do Unico products have Serpro similarity?

Yes. IDCloud offers Serpro similarity functionality via both API and Web & Native, returning the Serpro similarity percentage — commonly used for payroll loan flows. Serpro (Serviço Federal de Processamento de Dados) is Brazil's federal government data processing service, which maintains the national identity registry used for the comparison.

What are the most common error returns?

| Code | Description |
|------|-------------|
| 400 | Request errors |
| 401 | Authentication missing or invalid |
| 403 | Permission errors |
| 404 | Data not found |
| 429 | Rate limit exceeded |
| 500 | Server errors and unexpected failures |

What happens if biometric capture fails?

Web & Native: The managed experience allows user retries with high conversion rates.

API: Errors must be handled as exceptions in your API. Review the documentation for error codes and scenario mapping.