Sign in with KRDPASS
Sign in with KRDPASS lets your app authenticate Kurdish citizens through the KRDPASS identity app. Users tap "Sign in with KRDPASS", approve in the KRDPASS app, and your app receives verified identity tokens — no passwords, no forms.
How It Works
Your app never touches secrets directly. Everything sensitive stays on your backend:
```mermaid
sequenceDiagram
    participant App
    participant SDK
    participant Backend
    participant CAS
    participant KRDPASS as KRDPASS App
    App->>SDK: Generate PKCE + state
    SDK-->>App: verifier, challenge, state
    App->>Backend: getRequestUri(challenge, state, redirectUri)
    Backend->>CAS: POST /oauth/par
    CAS-->>Backend: request_uri
    Backend-->>App: request_uri
    App->>SDK: authenticate(request_uri, state)
    SDK->>KRDPASS: Launch KRDPASS app
    KRDPASS-->>SDK: auth code + state
    SDK-->>App: code + state
    App->>Backend: exchangeToken(code, verifier)
    Backend->>CAS: POST /oauth/token
    CAS-->>Backend: tokens
    Backend-->>App: session / tokens
```

In short:
| Who | Does what |
|---|---|
| Your app | Generates PKCE values, calls your backend, drives UI |
| SDK | Handles PKCE helpers, launches KRDPASS, receives callback |
| Your backend | Holds client_secret, calls CAS endpoints, returns tokens |
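
The PKCE and state steps of the flow above, shown as an added example rather than KRDPASS SDK or server code. It assumes the S256 challenge method from RFC 7636 (this page does not name the method), and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets


def _b64url(data: bytes) -> str:
    # RFC 7636 uses base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def challenge_for(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_and_state() -> dict:
    """App side: fresh values for one sign-in attempt, never reused."""
    verifier = _b64url(secrets.token_bytes(32))  # 43 chars, RFC 7636 minimum length
    return {
        "verifier": verifier,                       # kept by the app until token exchange
        "challenge": challenge_for(verifier),       # sent to the backend for the PAR call
        "state": _b64url(secrets.token_bytes(16)),  # binds the callback to this attempt
    }


def accept_callback(expected_state: str, returned_state: str, code: str) -> str:
    """App side: pass the code on only if the callback carries our state."""
    same = hmac.compare_digest(expected_state.encode(), returned_state.encode())
    if not code or not same:
        raise ValueError("callback rejected: state mismatch or missing code")
    return code


def server_accepts_verifier(stored_challenge: str, verifier: str) -> bool:
    """Check an authorization server makes at token exchange (RFC 7636, 4.6)."""
    return hmac.compare_digest(stored_challenge.encode(),
                               challenge_for(verifier).encode())


if __name__ == "__main__":
    attempt = new_pkce_and_state()
    # "constructed-code" is a made-up authorization code for the demo.
    code = accept_callback(attempt["state"], attempt["state"], "constructed-code")
    print(code, server_accepts_verifier(attempt["challenge"], attempt["verifier"]))
```

A callback whose state does not match the value generated for that attempt is dropped before `exchangeToken` is ever called, so a code from a different sign-in attempt is never sent to the backend.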
What Data You Can Request
| Scope | What you get |
|---|---|
| openid | Subject identity (sub), standard token claims (iss, aud, exp) |
| profile | Basic profile claims (not citizen-specific personal details) |
| citizen_identity | Full citizen data: name parts, birthdate, sex at birth, DID, profile picture |
| offline_access | Refresh token for longer sessions (requires explicit approval) |
What tokens look like
| Token | Purpose |
|---|---|
| access_token | Call protected APIs and user info endpoints |
| id_token | Verified identity claims your app/backend can read |
| refresh_token | Get new access tokens without re-authentication (only with offline_access) |
Security Model
KRDPASS credentials are approval-based — there is no self-service signup. This protects citizen identity data.
Never put these in your mobile app
- client_secret
- Private signing keys
- Production credentials in checked-in config files
Available SDKs
| Platform | Package path | Example app |
|---|---|---|
| Flutter | packages/krdpass_auth_flutter | packages/krdpass_auth_flutter/example |
| Android | packages/krdpass_auth_android | packages/krdpass_auth_android/example |
| iOS | packages/krdpass_auth_ios | packages/krdpass_auth_ios/example |
| React Native | packages/krdpass_auth_react_native | packages/krdpass_auth_react_native/example |
| Server reference | examples/server | — |
Get Started
Follow these pages in order:
- Getting Started — Request access, install SDK, set up your backend
- SDK Integration Guide — Write the auth flow in your app
- Testing & Go-Live — Test locally, troubleshoot issues, ship to production
- Reference — Endpoint contracts, env vars, platform setup details
Contact
| Topic | Email |
|---|---|
| Integration support | integration@pass.krd |
| Security reports | security@pass.krd |
