Skip to main content

Overview

This guide shows you how to integrate Hopae Connect with the standard OpenID Connect (OIDC) Authorization Code flow. You will redirect users to the Hopae OpenID Provider (issuer: https://connect.hopae.com), receive an authorization code on your redirect URI, and exchange it for tokens using the OIDC token endpoint. For a shorter walkthrough, start with the Quickstart Guide.

How It Works

Console Configuration

Redirect URI Management

Configure your redirect URIs in the Hopae Console:
  1. Open your application in the Console.
  2. Navigate to Developer settings and add each redirect URI you expect to use (production, staging, mobile deep links, etc.).

Authorization Request Construction

Use the /auth endpoint on the issuer domain (https://sandbox.connect.hopae.com/auth for sandbox, https://connect.hopae.com/auth for production):

Authorization Request Parameters

acr_values Format

The acr_values parameter accepts space-separated URN values to control verification: Examples:

Callback Handling

After the user completes verification, Hopae redirects to your redirect_uri with either an authorization code or an error. Success Response:
Error Response:
Validate the state value before proceeding.

Token Exchange

Exchange the authorization code for tokens using the OIDC /token endpoint.

ID Token Claims

Wondering what data you’ll get back? See the Return Data Model for normalized claims, assurance, issuers, presentation, and evidence. Explore the Return Data Model →

Mobile Integration

You can initiate the OIDC flow from native apps using platform browser sessions (ASWebAuthenticationSession, Custom Tabs, etc.). The Expo example below demonstrates the pattern:
On iOS, AuthSession uses ASWebAuthenticationSession; on Android it launches a Custom Tab. This keeps user credentials within trusted system components while preserving the OIDC redirect semantics.

Common Issues and Solutions

  • Ensure the URI is listed in your Console allow list (exact match).
  • URL-encode the value when placing it on the query string.
  • Confirm you’re using the correct environment (sandbox vs production).
  • Authorization codes expire in 5 minutes and are single-use.
  • Confirm you are targeting the correct issuer when exchanging the code.
  • Persist the generated values securely between request and callback.
  • Reject callbacks where state or nonce is missing or mismatched.
  • Log mismatches (without sensitive data) for investigation.

Next Steps

API Integration

Build custom verification experiences with direct API calls

Verification Flow

Understand every step in the verification lifecycle