Welcome to Certn's API Docs!

Version 1.1.2 Last update: Jan. 23, 2024

In this site you will find everything you need to interact with Certn's API. These docs are for Certn clients who need to use our services in ways other than the Certn App, for example, to integrate with Applicant Tracking Systems or other proprietary software. to try out the API. To learn more about Certn and the background checks we offer, head over to !

For help articles and general knowledge, head over to .

I'm new to APIs

Don't worry, we've got you covered! You can browse our to walk through most of our features, or better yet, start at the beginning!

I'm looking for endpoints

You can find all our endpoints, along with code samples, in the API Reference section. We divide them by industry:

I want to manage my account

We have guides to help you with account management:

I'm looking for something else

Did you ? Or perhaps you're looking for the ? No matter what your question is, these docs should have your answer.

Contact Us

Contact the Certn Partnerships Team

To request a demo account, email Certn's Partnership Team at . They will arrange a call to learn about your organization's specific requirements and to help you set up your demo account.

Once created, you will be invited into your demo account via email, and prompted to create a password.

Here are the articles in this section:

To follow this guide, you need a demo account. Make sure it's fully set up according to our instructions on how to request a demo account.

Send a request

‌To communicate with our API, you'll need to build HTTP requests. You can use the programming language of your choice to achieve this. We provide examples of scripts using Python, but most of the content you'll work with will be in JSON.‌

Get your API access token

‌To gain access to our API, you will need your Client ID and Client Secret. Instructions for getting these values can be found in . You should take special precautions to keep your client secret a secret. In the example below (using our demo environment https://demo-api.certn.co), we show you how you can use secrets stored in a .env file.

First, make a request to get your access token. This token will be required to make all other API requests. For this step, make a GET request to our /token/ endpoint. If you're new to HTTP requests, visit for useful guides.

With everything set properly and a good internet connection, you should receive a response.status_code of 200 OK. The response.data object should look something like:

You'll need this access_token as a bearer token in headers for all requests to our API. Let's see how to use this to .

Errors

Please see and for more details on types of errors, and how to resolve them.

You can run checks on applicants for rented dwellings in these regions:

Australia

Canada

US

Anatomy of a Key

Our API authenticates users using the OAuth Client Credentials standard. This means that a Client ID and Client Secret are exchanged for a token which can be used to make requests.

• Client ID - The unique identifier making up the first half of your key

• Client Secret - A secret key used to verify your application's identity

We recommend using the industry standard OAuth client library for your stack to handle key-token exchanges.

Create a Client ID, Client Secret pair

1. Go to the Partner Tab

2. Click refresh keys

3. Click Ok to accept that previously generated keys will be lost

View your Client ID

1. Go to the Partner tab

2. You will see your Client ID under API Keys

Where is my Application Secret?

Application secrets are only available once, at the time of creation. Certn hashes application secrets on the backend and so it is not possible to retrieve the secrets once they've been created.

API Requests

Are there limits on how many requests I can send in a certain period of time?

I want to ask about...

Certn's API

Invite an applicant

Our regular invite process (where applicants fill the information in themselves) gathers the required consent from your applicants for each of our checks. No action is required on your part.

To gain access to our API, you need a valid token in an Authorization header. The token is granted by our API in exchange for a Client ID / Client Secret pair. This can also be handled by third party OAuth client libraries.

Example Python request (replace CLIENT_ID and CLIENT_SECRET):

import requests

data = {
    'grant_type': 'client_credentials',
}

response = requests.post('https://api.certn.co/token/', data=data, auth=('CLIENTID', 'CLIENTSECRET'))

• Replace TOKEN with your API key in the following header:

Token lifespan

Token lifespan is indicated by the expires_in parameter returned when a new token is requested. The default value is 36000 seconds (10 hours).

You can run checks on candidates for employment in these regions:

Australia

Canada

UK

US

This check is available in Australia 🇦🇺

This check is not available for a ❌

What is a status?

Each background check order has an "application status" that represents the progress of the background check order (comprising of one or many individual checks, e.g. ). Each individual check (e.g. Canadian Criminal Record Check or Credit Check) also has a "check status" that represents the progress of the specific check. These two levels of statuses provide information about both the progress of the entire application order and of the specific check components the application comprises.

Read our article at for a thorough understanding of what each status means.

Global criminal screenings are available in most countries. Prices, turnaround time, information availability, required forms, etc. can vary by country.

Get the pricing for International Criminal Record Checks (CRC). This URL can be used in a GET call.

Availability

This check is available in Canada 🇨🇦 and the US 🇺🇸

This check is not available for a ❌

Parameters

Request flag

Include this flag in the body of your request:

Invite parameters

To invite an applicant to complete a screen, include this parameter in the body of your request:

• email

Additional request flag:

See all available

Example request

Report

Report field:

Test data

Send International CRC requests with the following sets of data on our to retrieve our pre-filled reports.

Clear results

Records found

We have two types of integration users: Admin and Support users.

• Admin users have access to all background checks in your Certn account and can manage your integration settings in the Partner dashboard, as well as settings for Teams.

• Support users have access to all background checks in your Certn account, they cannot access or change any settings.

Create integration users

View your dashboard

If you are already logged in go to

To log in, go to

1. Enter your email and password

2. Click Log in

View your partner tab

1. Click Partner tab

2. Click Add User

3. Provide the Email, First Name & Last Name

Enabling webhooks and getting Secret String

All webhook management can be done via the Partner page.

1. Navigate to the Partner tab

2. Enter your webhook URL

3. Click Enable Integration

Note: The webhook URL can be changed at anytime. The secret string cannot be changed, if it is compromised, contact Certn support.

Request attempts

Our API sends updates as POST requests to your user-defined endpoints as they become available.

When receiving a 408, 500, 502, 503, or 504 status code, it retries up three additional times, waiting longer between each call. For any other status code over 399, the API backs off on first try.

Webhook signatures

For added security, you can opt to have Certn send you signed payloads. When enabled, our API adds a Certn-Signature header along with each request to your endpoints. This header allows you to confirm that the request came from us.

After this setup, Certn starts to sign each webhook it sends to the endpoint.

Preventing replay attacks

A replay attack is when an attacker intercepts a valid payload and its signature, then re-transmits them. To mitigate such attacks, Certn includes a timestamp in the Certn-Signature header. Because this timestamp is part of the signed payload, it is also verified by the signature, so an attacker cannot change the timestamp without invalidating the signature. If the signature is valid but the timestamp is too old, you can have your application reject the payload.

Use Network Time Protocol (NTP) to ensure that your server’s clock is accurate and synchronizes with the time on Certn’s servers.

Certn generates the timestamp and signature each time an event is sent to your endpoint. If Certn retries an event (e.g., your endpoint previously replied with a non-2xx status code), then a new signature and timestamp is generated for the new delivery attempt.

Signature verification

The Certn-Signature header included in each signed event contains a timestamp and one or more signatures. The timestamp is prefixed by t=, and each signature is prefixed by a scheme. Schemes start with v, followed by an integer. Currently, the only valid live signature scheme is v1.

Certn generates signatures using a hash-based message authentication code (HMAC) with SHA-256. To prevent downgrade attacks, you should ignore all schemes that are not v1.

It is possible to have multiple signatures with the same scheme-secret pair. This can happen when you roll (ie. expire) an endpoint’s secret from the Dashboard. The previous secret will remain active for 48 hours. During this time, your endpoint has multiple active secrets and Certn generates one signature for each secret.

You can verify a Certn signature using the following steps.

Step 1: Extract the timestamp and signatures from the header

Split the header, using the , character as the separator, to get a list of elements. Then split each element, using the = character as the separator, to get a prefix and value pair.

The value for the prefix t corresponds to the timestamp, and v1 corresponds to the signature (or signatures). You can discard all other elements.

Step 2: Prepare the signed_payload string

The signed_payload string is created by concatenating:

• The timestamp (as a string)

• The character .

• The actual JSON payload (i.e., the request body, as text)

Note: Using JS Express, this may cause a problem (no access to the original string without adding middleware)

Step 3: Determine the expected signature

Compute an HMAC with the SHA256 hash function. Use the endpoint’s signing secret as the key, and use the signed_payload string as the message.

Step 4: Compare the signatures

Compare the signature (or signatures) in the header to the expected signature. For an equality match, compute the difference between the current timestamp and the received timestamp, then decide if the difference is within your tolerance.

To protect against timing attacks, use a constant-time string comparison to compare the expected signature to each of the received signatures.

Sample code

To verify an individual signature (after preparing the signed_payload and splitting the v1 prefix from the signature):

You'll need to know how to create an application before you can follow the instructions in this section.

Request

The results you got from the Softcheck quickscreen creation call indicate that we received your request and are actively working on it. You can see this by checking the report_status field, which will likely be ANALYZING. These results will not be updated in real-time. To retrieve the updated versions, you can set up a webhook, or send requests to one of our endpoints.

Choose your endpoint

In this guide, we'll show you how to send requests to our API to retrieve the status of your application via our endpoints. When using this method, keep sending requests until the field report_status is marked as COMPLETE. Then, you can view your final report.

We'll use the /applicants endpoint, which allows you to retrieve the report as a JSON object.

Get your application ID

To tell the API which application to retrieve, you need to provide it with the right application ID. You'll find it in the response of the creation call, under id. We use , so it'll be formatted like this:123e4567-e89b-12d3-a456-426614174000

Set up your URL

Once you have your application ID, append it to /applicants URL.

1. Choose the URL that corresponds to your industry

2. In the URL, replace {application_id} with your application's ID

Send the request

Now we're ready to bring it all together. Our /applicants endpoint accepts GET requests, so make sure that is what you use.

Here is what your full script may look like when using Python:

In the previous example, we saved the results of the call to a new file named results_softcheck_demo.json.‌

With everything set properly and a good internet connection, you should receive a response status of 200 OK.

Errors

Please see for more details on types of errors, and how to resolve them.

A Basic Disclosure Scotland (DS) Check is a United Kingdom (UK) criminal record check and can be obtained for a person who is currently, or who has in the past been, living or working in Scotland. It is ordered for candidates applying for employment outside the UK. The Basic DS Check includes a digital identity verification service. Reported results will contain details of a person's unspent convictions, if any.

Availability

The check is available in the United Kingdom 🇬🇧

The check is not available for . ❌

Parameters

Include this flag in the body of your request:

Invite parameters

To invite an applicant to complete a screen, include this parameter in the body of your request:

• email

There are no parameters that are dependent on the purpose of the check. See all available .

Example request

Report

Report field:

Test data

Send Basic DS Check requests with the following sets of data on our to retrieve our pre-filled reports.

Clear results

Records found

View your dashboard

If you are already logged in go to https://app.certn.co

To log in, go to https://app.certn.co/login

1. Enter your email and password

2. Click Log in

View your team settings

1. Click the profile icon

2. Click Settings

3. Locate your team

Add a payment card

Adding a payment card to your account allows you to use our services in the demo environment. You can also use this option in production, if paying by card.

1. Click Billing

2. Click Connect Payment Card

3. Fill in your credit card number

Create an API key

1. Navigate back to the dashboard by clicking the Certn logo in the top left

2. Click on the Partner tab

3. Click Refresh Keys

You can now start testing the API with your demo account.

A UK Right To Work (RTW) Check verifies an individual's right to work in the United Kingdom (UK). This includes people with a UK or Irish passport, or Irish passport card. Results include a copy of the applicant’s identification document and their photograph. The employer can use the included photograph to ensure person presenting themselves for work is the same person from the UK RTW Check.

Availability

The check is available in the United Kingdom 🇬🇧

This check is not available for a ❌

Parameters

Request flag

Include this flag in the body of your request:

Invite parameters

To invite an applicant to complete a screen, include this parameter in the body of your request:

• email

There are no parameters dependent on the purpose of the check. See all available

Example request

Report

Report field:

Test data

Send UK RTW requests with the following sets of data on our to retrieve pre-filled reports.

Clear results

Records found

You'll need to know how to Get your access token before you can follow the instructions in this section.

Organizational structure

When you're set up within Certn, you belong to an organization. This organization has a few levels of hierarchy:

Superteams can have multiple Teams and Teams can have multiple Users. When you're added to Certn, you're linked to a Team, which is linked to a Superteam.

Authorization header

You'll need an with a valid Bearer token. This token is your access token you retrieved according to .

• Replace access_token with your API access token:

Retrieve your Users

In the beginning, you'll be the only User in your organizational account. Let's retrieve your users by making a GET request to our /users/ endpoint.

In this example, we saved the results of the call to a new file named user_list.json.‌

With everything set properly and a good internet connection, you should receive a response status of 200 OK.

In the user_list.json file, you should see one user listed in the results: it's you! Look for the id field for your User, and copy that value. We use for ids, so it'll be formatted like this:123e4567-e89b-12d3-a456-426614174000.You'll need this to .

For more details on the structure of the User list response, see .

Errors

‌Errors are a relatively common occurrence when working with APIs. It's always good to know how to prevent them and what to do when they arise.‌

See Error Codes for details on types of errors and how to resolve them.

A Basic Disclosure and Barring Service (DBS) Check is a United Kingdom (UK) criminal record check and can be obtained for a person living or working in England and Wales. The Basic DBS Check includes a digital identity verification service. Reported results will contain details of convictions and conditional cautions considered to be unspent under the terms of the .

Availability

The check is available in the United Kingdom 🇬🇧

Certn discovers and provides easy access to published civil, criminal and penal judicial records from the Quebec courthouses and municipal courts.

Société québécoise d'information juridique (SOQUIJ) records do not include the Montréal Municipal court. This has no impact on criminal conviction information and minor impacts on summary/civil infraction information.

SOQUIJ records are only available in French.

Availability

Phone reference check

A phone reference check includes manually calling your candidate's supplied reference to answer a list of questions and the summary of the reference call is included in your Certn report. Certn has a standard list of questions or the customer can provide their own.

Digital reference check

A digital reference check includes submitting employment reference questionnaires using our standard questions or allows you to supply a customized list of questions to verify the best applicant.

Availability

This check is available in Canada 🇨🇦 and the US 🇺🇸

This check is available for a ✅

Parameters

Request flag

Include one of these flags in the body of your request:

Email:

Phone:

Invite parameters

To invite an applicant to complete a screen, include this parameter in the body of your request:

• email

See all available

Quickscreen parameters

To complete a quickscreen, include these parameters in the body of your request:

• • first_name

  • last_name

Example request

Report

Report field:

An employment verification validates the details of disclosed employment history of an individual for a specified year period (3, 5, or 7). Current employers are contacted only if given permission to do so. The components verified could include position held and dates of employment and will depend on availability of data within an entity's records. Income verification is also obtained for non-employment purposes only.

Certn makes 3-5 sufficient attempts to obtain source data for verification and reports back accordingly. A sufficient attempt can be defined as an attempt which could reasonably lead to a result. Additional fees can apply when an employer utilizes an outsources entity to provide data.

Availability

This check is available in Canada 🇨🇦 and the US 🇺🇸

This check is not available for a ❌

Parameters

Request flag

Include this flag in the body of your request:

Invite parameters

To invite an applicant to complete a screen, include this parameter in the body of your request:

• email

See all available

Example request

Report

Report field:

Each employment verification object can be found under information.employers[index]. See for more.

A credential verification validates a candidate's professional credential/license as entered by the candidate.

Certn makes 3-5 sufficient attempts to obtain source data for verification and reports back accordingly. A sufficient attempt can be defined as an attempt which could reasonably lead to a result.

Availability

This check is available in Canada 🇨🇦

You'll need to know to follow the instructions in this page.

Get the URL

‌You can find the URLs for all our endpoints in the section of this documentation. Knowing how to use them can be helpful, so we'll show you how they're created.‌

In this example, you'll be making calls to our demo environment, https://demo-api.certn.co

An education verification validates the disclosed education of an individual. Typically, the standard is to verify the highest degree, unless otherwise requested. Certn verifies degree(s) received, course of study, and dates of attendance when available. This is verified directly with the institution(s) listed which includes through their electronic repository that holds the records if required.

Certn makes 3-5 sufficient attempts to obtain source data for verification and reports back accordingly. A sufficient attempt can be defined as an attempt which could reasonably lead to a result. Additional fees apply when a school utilizes an outsourced entity to provide data.

Availability

Softcheck is a search of thousands of international data sources for identification of potential illegal behavior, criminal activity, incidents of fraud, regulatory violations and negative media information. This service also includes searches of country sanction lists, exposed persons lists, sex offender registries, terrorist registries and most wanted lists from around the globe.

Availability

This check is available in Canada 🇨🇦

Phone reference check

A phone reference check includes manually calling your candidate's supplied reference to answer a list of questions and the summary of the reference call is included in your Certn report. Certn has a standard list of questions or the customer can provide their own.

Digital reference check

A digital reference check includes submitting employment reference questionnaires using our standard questions or allows you to supply a customized list of questions to verify the best applicant.

Availability

This check is available in Canada 🇨🇦 and the US 🇺🇸

This check is available for a ✅

Parameters

Request flag

Include one of these flags in the body of your request:

Email:

Phone:

Optional flags

Set these flags explicitly, or leave them out to use your team's default settings:

employer_references_years_or_individually

employer_references_years

employer_references_min

employer_references_max

See all

Invite parameters

To invite an applicant to complete a screen, include this parameter in the body of your request:

• email

• employer_questionaire_id

See all available

Quickscreen parameters

To complete a quickscreen, include these parameters in the body of your request:

• • first_name

  • last_name

Example request

Report

Report field:

400 Bad Request

You may receive a 400 Bad Request if:‌

There are issues in the body of your request

• A required field is missing.

• You used the wrong format or data type for a field.

There's an issue with your account

• Your account isn't configured to run this check or your account does not have payment configured.

Something is preventing your request from completing

• You tried to generate a report, but the application is still processing.

• You requested a check with a min and a max but set your min value to a number greater than your max value.

401 Unauthorized

You may receive a 401 Unauthorized if:‌

Your authorization header is missing or incorrect

• You sent your request without an authorization header.

• You sent your request with an authorization header, but without an API Key.

• You provided an incorrect API key in the header of your request.

403 Forbidden

You may receive a 403 Forbidden if:

You don't have permission to make this request

• You sent your request to an endpoint you don't have access to.

404 Not Found

You may receive a 404 Not Found if:‌

The resource you called doesn't exist

• You sent a request to retrieve all your applications, but the page number you provided doesn't exist.

• You sent a request to retrieve an application or a report, but the application ID you provided couldn't be found.

• You sent a request to retrieve an application or a report, but the application ID you provided is a string of letters.

• You sent a request to retrieve questionnaire reference templates for a team, but the team ID you provided couldn't be found.

• You sent a request to retrieve questionnaire reference templates for a team, but the team ID you provided is a string of letters.

500 Internal Server Error

You may receive a 500 Internal Server Error if:‌

You sent something we didn't expect

• Some fields in your request are using the wrong data type.