Aadhaar Integration Patterns for Government Services
Aadhaar integration is woven into nearly every government digital service. The patterns are clear once you know them; the pitfalls live in implementation details.
Key takeaways
- Four main patterns: Authentication, eKYC, OKYC, Offline Aadhaar.
- Each has specific use cases, regulatory requirements, and user consent flows.
- All integrations route through UIDAI via licensed entities (KSAs/ASAs).
- Privacy by design is mandated; over-collection is illegal.
The four patterns
Authentication (Yes/No)
User provides Aadhaar number + biometric/OTP. UIDAI returns yes/no for the assertion "this Aadhaar holder matches the provided biometric/OTP."
Use: confirming identity without sharing personal info. Example: subsidy distribution biometric check.
eKYC
User provides Aadhaar + consent. UIDAI returns demographic data (name, address, DOB, photo) to your application.
Use: full KYC where you need name and address proof. Example: bank account opening (subject to current RBI norms).
OKYC (Offline KYC)
User downloads their own KYC XML/PDF from UIDAI directly, gives it to you. You verify the digital signature.
Use: simpler integration, doesn't require KSA/ASA license. Most common for fintech onboarding now.
Offline Aadhaar
Similar to OKYC but emphasizes the offline nature, user controls what's shared.
Who can do what
Direct API access (Authentication, eKYC) requires being a KUA (KYC User Agency) and going through a KSA (KYC Service Agency) or ASA (Authentication Service Agency). Licensed; regulated.
OKYC doesn't require KSA/ASA. Most fintech and startup integrations use this.
Consent flow
UIDAI requires explicit, informed consent before any Aadhaar lookup. The consent must specify:
- Purpose of the lookup
- Data being requested
- Recipient of the data
- Retention policy
Log the consent. Show it to the user in their preferred language. Be auditable.
Security requirements
- Aadhaar numbers must be encrypted at rest
- Display only last 4 digits in UI; mask the rest
- Transit only over TLS
- Limit retention to the minimum necessary
- Restrict access via IAM
Common pitfalls
Storing Aadhaar in plaintext. UIDAI rules prohibit. Encrypt or tokenize.
Logging Aadhaar in app logs. Same prohibition.
Over-collecting. Asking for Aadhaar when you don't need it. Justify every lookup.
Forgetting opt-out. Provide alternatives for users who don't want to use Aadhaar.
What we recommend
For most fintech and startup use cases, OKYC is the right pattern, lower regulatory burden, sufficient for KYC. eKYC/Authentication only if your use case truly needs it.
FAQs
Can private companies use Aadhaar Authentication? Yes, but require specific permission (e.g. banks, telcos).
OKYC vs Video KYC? Different layers. OKYC verifies demographic; Video KYC adds liveness. Often used together.
Is m-Aadhaar a separate integration? It's a UIDAI app; you don't integrate with it directly.
