A large share of software companies that adopt biometric authentication run into the same issue: multiple Software Development Kits (SDKs) running directly on the customer’s device. This scenario consumes device memory, battery, and processing power. As a result, it creates friction in the user experience and increases the risk of churn.
To address these challenges, the Biometrics as a Service (BaaS) model uses cloud biometrics. This allows companies to add facial recognition and fingerprint authentication in a simpler, faster way with less technical effort.
BioPass ID offers state-of-the-art API technology for software companies. In this guide, we’ll walk through how to implement the Multibiometrics API step by step, including data flow, credential configuration, and production readiness.
Read on!
BioPass ID Multibiometrics API consumption flow
Before planning the integration, the development team needs to understand how biometric data leaves the software company’s system and reaches BioPass ID’s servers. This process happens in stages, and each stage delivers information that will be used in the next one. When the flow is clearly defined, it becomes easier to test, troubleshoot, and improve the integration.
BioPass ID is compatible with multiple programming languages, cameras, sensors, and platforms. Regardless of the technology stack used by the business, the API consumption pattern remains the same. See:
- Biometric capture on the device: the BioPass ID capture component collects biometric data through the camera and/or sensor, already complying with international quality requirements.
- Media preparation in the frontend: the software company’s application frontend prepares the image for submission. At this stage, the image is converted to Base64 format, as required by the Multibiometrics API.
- Submission to the backend: here, the data leaves the frontend and is sent to the software company’s backend. At this point, no request is made directly to BioPass ID.
- Call to the Multibiometrics API: after receiving the data from the software company, the BioPass ID backend builds the JSON payload and sends the request to the Multibiometrics API endpoint with the authentication header. This entire step happens in the backend, preventing credential exposure in the frontend.
- API response: after processing the request, BioPass ID returns a JSON response with the result. In enrollment scenarios, the response includes a biometric identifier. In verification scenarios, it returns the authentication status.
- Response handling: the software company’s backend analyzes the response from BioPass ID and applies business rules. In other words, the company defines how each result should be handled. For example, it’s possible to decide whether an image should be accepted or rejected based on criteria such as glasses, smile, hat, and more.
- User feedback: after completing the analysis, the software company’s backend sends a simpler response to the frontend, ready to be displayed to the user. The response may indicate “enrollment completed,” “invalid attempt,” “new capture required,” among other options, since BioPass ID SDKs are customizable.
The simplified request structure makes it easier for different technologies to consume the service without requiring complex libraries. Now that the flow architecture is clear, let’s move on to implementation.
7 Steps to Integrate the Multibiometrics API into Software Applications
Integrating an API for software companies doesn’t have to be complex. Below, see how to integrate the Multibiometrics API into your application. It’s worth noting that BioPass ID also provides complete documentation, code samples, and technical support.
Step 1: authenticate and configure credentials
Access the BioPass ID dashboard and generate your authentication key. Then include it in every request, always in the request header:
Ocp-Apim-Subscription-Key: {{chave_de_acesso}}
Content-Type: application/json
Without the access key, the API will not process the request. For security reasons, centralize calls in the backend and keep this information restricted to that system layer.
Step 2: plan the integrations
Identify the points in the user journey that require identity verification. For example, app login and/or financial transaction confirmation.
The Multibiometrics API provides four access points to manage the user’s biometric lifecycle:
- /enroll: performs the user’s biometric enrollment and returns the identifiers (CustomID and BioPassID) to the software company’s system.
- /verify: compares the submitted biometric data with the enrolled record and returns the authentication result to the software company’s system, indicating whether there was a match.
- /update: updates the biometric record when the user needs to recapture their biometric data. For example, after changing devices.
- /delete: removes the biometric record from the BioPass ID platform, helping meet the requirements of Brazil’s General Data Protection Law (GDPL).
The advantage of having these standardized access points is that the software company does not need to build enrollment, verification, update, and biometric record deletion logic from scratch. The full lifecycle is already available through the API.
The next step is to detail the integration. For each stage of the journey, define which endpoint will be called, what data will be sent in the request, and how the application should behave when it receives the API response.
Step 3: develop the frontend
Capture the user’s facial image or fingerprint in the frontend. Then convert the file to Base64 and send the data to the backend, which is responsible for calling the API.
Capture can be performed with a standard camera or fingerprint sensor. The API does not require dedicated hardware and only accepts files in BMP, PNG, and JPG formats.
Image quality is extremely important here. Make sure there is proper framing, good lighting, and sufficient sharpness. A low-quality capture compromises both biometric matching and fraud detection.
Another option is to include BioPass ID Liveness Detection to identify more sophisticated fraud attempts.
It is also important to prepare the frontend to handle common API errors, such as:
- Invalid JSON format: the request structure is incorrect. Review the required fields, JSON organization, and biometric submission.
- Failed to extract template: the image did not have sufficient quality for biometric reading. Retake the capture with better framing, lighting, and sharpness.
- Invalid base64 string: the file was converted to Base64 incorrectly or is in an unsupported format. Check the conversion and submit only BMP, PNG, or JPG files.
If the project requires ready-made capture validations, consider using BioPass ID SDKs for web, mobile, and desktop.
Step 4: orchestrate multibiometric calls
Organize the data sent to the API within the Person field. There, you can include face, fingerprints, or both biometric types in the same request, depending on the stage of the process.
The structure below can be used as a reference for the /enroll endpoint, which handles biometric enrollment.
POST https://api.biopassid.com/multibiometrics/enroll
Ocp-Apim-Subscription-Key: {{chave_de_acesso}}
Content-Type: application/json
json
{
"Person": {
"CustomID": "id_do_usuario",
"Face": [
{ "Face-1": "{{base64}}" }
],
"Fingers": [
{
"Finger-1": "{{base64}}",
"Finger-2": "{{base64}}"
}
]
}
}
Next, define the CustomID field as the user identifier in the application. Use this value to link biometric records to the software company’s database.
Apply the same payload structure to the /enroll and /update endpoints. Send only the fields required for each operation, but ensure that at least one valid biometric is included, whether facial or fingerprint.
Step 5: handle responses and apply business logic
When the application sends a request to the /verify endpoint, the API returns a response with information in the Person field. Here’s how to interpret those fields:
{
"Person": {
"CustomID": "user_id",
"Match": true,
"MatchDetails": {
"FaceMatched": true,
"NonMatchedFingers": []
}
}
}
Build your business logic based on these fields:
- Use Match to get the overall verification result. Treat true as approved and false as rejected.
- Use FaceMatched to confirm a facial match.
- Use NonMatchedFingers to identify which fingerprints did not match. Consider the validation complete when the list is empty.
Also implement handling for the main API errors:
- CustomID is mandatory: the request was sent without the user identifier. Fill in the CustomID field before calling the API.
- Person not found: there is no biometric enrollment for the provided identifier. Check whether the user has already been enrolled and whether the CustomID is correct.
- CustomID already exists: the provided identifier is already in use. Avoid duplication and assess whether the case requires an update rather than a new enrollment.
- Failed to extract template: the submitted image did not allow biometric template extraction, usually due to low quality. Request a new capture.
For 1:1 comparison scenarios, use the /match endpoint. The response includes fields such as IsGenuine, which indicates whether the comparison was considered valid, and Score, which shows the degree of similarity between the biometrics. Based on this, define the minimum approval score together with BioPass ID’s technical team, according to the application’s risk level.
Step 6: validate the integration
Before moving the integration into production, run a full testing cycle. Start with functional tests that validate enrollment and verification flows with real users, considering different devices, lighting conditions, and camera positions.
Then use Postman to validate the endpoints: export the collection available in the BioPass ID documentation and repeat the tests until the consistency of the results is confirmed. During validation, also monitor platform availability through the services status page, which allows you to track the environment in real time.
Step 7: roll out gradually
Deploy the solution in stages to reduce risk and improve predictability. First, start with a group of early adopters and monitor the initial results. Then expand usage as the metrics confirm operational stability.
Next, move toward full rollout while keeping a legacy fallback in place as a safety measure. Throughout the process, monitor the solution’s behavior, performance, and stability at each stage. Before releasing it to the entire user base, make any necessary operational adjustments.
At the same time, manage the deployment through the customer portal and monitor the environment via the services status page. Once these steps are completed, the software company will have the technical foundation required to integrate biometrics into the application with security and predictability. In the next section, you’ll see how the BioPass ID platform protects data traffic and handles biometric records.
Security and compliance in BioPass ID API data traffic
At BioPass ID, API communication takes place through Transport Layer Security (TLS). This protocol protects data during transmission between the application and the servers, reducing the risk of third-party interception. In addition, the access key is sent only in the Hypertext Transfer Protocol (HTTP) request header. In practice, this prevents credential exposure in the frontend and strengthens API access control.
Another important point is the handling of biometric data. BioPass ID does not keep raw images stored after processing. When a capture is received, the platform extracts a biometric template that does not allow reconstruction of the original image. The captured image is then discarded. When deletion is required, the /delete endpoint makes it possible to remove biometric records on demand, including to fulfill requests from data subjects.
API for software companies with simple, secure, and scalable integration
In this article, we explored how the BioPass ID Multibiometrics API simplifies biometric integration for software companies. By replacing the execution of multiple SDKs with a cloud-based, scalable, and secure model, the platform reduces the technical complexity of implementation and improves the user experience in applications. We also showed how the API consumption flow works, as well as the main points of attention when configuring credentials, organizing requests, and preparing the environment for production.
Security and compliance are part of the BioPass ID foundation. That’s why choosing the platform goes far beyond a technical benefit, directly impacting data protection and the ability to scale responsibly. With more than 99% accuracy in biometric identification, the solution delivers agility, trust, and scalability for software companies. Start your free trial and get your first endpoint up and running this week.
