scope, then have the user’s browser hand it to /auth/launch with the flow’s target.
The launch mechanism is identical for every flow and is documented once in JWT User Authentication. Only the scope and target change between flows; the full list is below.
Scopes
Thescope claim is required on every partner JWT and names what the user may do. It is strictly enforced: the claim cannot be omitted, and any value other than a scope listed below is rejected with invalid_scope. Ask only for the scope a user needs.
Targets
Thetarget is the app path the launch lands the user on. It must be one of the paths listed below, optionally with a query string (for example ?org=<org_id>, used by Business KYB). Any other path, or an absolute URL, is rejected with invalid_target, so a launch can’t be redirected off-site.
Flows
| Flow | scope | target | What the user does |
|---|---|---|---|
| Sign agreements | agreements | /agreements | Reviews and signs the three required agreements (electronic signature, terms and conditions, customer agreement). |
| Identity verification | verification | /idv?bank_account_id=<uuid> | Per-bank verification for a non-compliant bank — a liveness face scan matched against the ID already on file. Append &lang=es for Spanish. |
| Business KYB | kyb | /kyb | Completes Know Your Business verification for a business. |
scope, and the target must be the matching path.
Sign agreements
scope: agreements · target: /agreements
Signing the required agreements (electronic signature, terms and conditions, and customer agreement) is a mandatory step in customer onboarding. Etherfuse’s fully hosted KYC onboarding handles it for you; if you run KYC programmatically, this launch is how you complete the agreements step: send the customer into /agreements to review and sign them in a real session.
Submit the customer’s KYC identity first. The customer agreement is generated from their identity (name, address, email), so submit it, for example via POST /ramp/customer/{id}/kyc, or let them fill any missing fields on the signing page. See Customer Onboarding (KYC). In sandbox, the customer is auto-approved once all three agreements are signed.
Identity verification
scope: verification · target: /idv?bank_account_id=<uuid>
This is a per-bank verification step — not part of org approval (KYC/KYB). Some bank accounts require additional compliance when they’re registered; today that’s Mexican (SPEI) bank accounts. The contract is simple: after you register a bank, check its compliant flag — if it comes back compliant: false, launch the customer here to verify that bank; if it’s compliant: true, this step is unnecessary. Don’t assume which banks need it — just react to compliant.
Pass the bank in the launch target: /idv?bank_account_id=<uuid> (required). The launched user must administer the org that owns the bank. The customer completes a liveness face scan, which nero matches against the ID they already submitted during KYC.
Append &lang=es to render the entire flow in Spanish (all UI text, face scan prompts, error messages, and status screens). Omit the parameter or pass lang=en for English. Example: /idv?bank_account_id=<uuid>&lang=es.
The customer must have completed KYC first.
/idv reuses the ID document already on file and captures a live selfie to match against it; it does not collect the ID again. If no ID is on file, the page tells the customer to finish identity verification before continuing. This gates only the bank, not the organization: a compliant: true bank needs nothing, and the page reports “nothing to verify” if you launch it for one.Business KYB
scope: kyb · target: /kyb
Use to send a user into Know Your Business verification. Append ?org=<org_id> to the target to choose which organization to verify; without it, the app uses their current org or prompts them to create a business. See the KYB guide for the full walkthrough.