Overview
This guide shows you how to integrate Hopae Connect with the standard OpenID Connect (OIDC) Authorization Code flow. You will redirect users to the Hopae OpenID Provider (issuer:https://connect.hopae.com), receive an authorization code on your redirect URI, and exchange it for tokens using the OIDC token endpoint. For a shorter walkthrough, start with the Quickstart Guide.
How It Works
Console Configuration
Redirect URI Management
Configure your redirect URIs in the Hopae Console:- Open your application in the Console.
- Navigate to Developer settings and add each redirect URI you expect to use (production, staging, mobile deep links, etc.).
Authorization Request Construction
Use the/auth endpoint on the issuer domain (https://sandbox.connect.hopae.com/auth for sandbox, https://connect.hopae.com/auth for production):
Authorization Request Parameters
acr_values Format
Theacr_values parameter accepts space-separated URN values to control verification:
Examples:
Callback Handling
After the user completes verification, Hopae redirects to yourredirect_uri with either an authorization code or an error.
Success Response:
state value before proceeding.
Token Exchange
Exchange the authorization code for tokens using the OIDC/token endpoint.
ID Token Claims
Wondering what data you’ll get back? See the Return Data Model for normalized claims, assurance, issuers, presentation, and evidence. Explore the Return Data Model →Mobile Integration
You can initiate the OIDC flow from native apps using platform browser sessions (ASWebAuthenticationSession, Custom Tabs, etc.). The Expo example below demonstrates the pattern:On iOS,
AuthSession uses ASWebAuthenticationSession; on Android it launches a Custom Tab. This keeps user credentials within trusted system components while preserving the OIDC redirect semantics.Common Issues and Solutions
invalid_redirect_uri
invalid_redirect_uri
- Ensure the URI is listed in your Console allow list (exact match).
- URL-encode the value when placing it on the query string.
- Confirm you’re using the correct environment (
sandboxvs production).
invalid_grant
invalid_grant
- Authorization codes expire in 5 minutes and are single-use.
- Confirm you are targeting the correct issuer when exchanging the code.
State or nonce validation failures
State or nonce validation failures
- Persist the generated values securely between request and callback.
- Reject callbacks where
stateornonceis missing or mismatched. - Log mismatches (without sensitive data) for investigation.
Next Steps
API Integration
Build custom verification experiences with direct API calls
Verification Flow
Understand every step in the verification lifecycle

