Skip to main content
Partners can embed the PayGlocal Verification Suite directly into their existing dashboard so merchants can complete identity verification without leaving the partner platform. The verification suite covers:
  • VKYC — Video-based KYC using the merchant’s live camera
  • DigiLocker — Government document verification via DigiLocker
  • T&C Acknowledgement — Merchant accepts PayGlocal terms and conditions

Step 1: Domain Whitelisting (Action Required)

Your iFrame will not render until your domain is whitelisted by PayGlocal. This step must be completed before testing the iFrame in any environment.
PayGlocal uses a strict Content Security Policy (CSP) with frame-ancestors directives to prevent Clickjacking attacks. Browsers will display a frame-ancestors violation console error and block the iFrame until your domain is authorized. To request whitelisting, contact your assigned PayGlocal Account Manager with: Allow 1–2 business days for the PayGlocal team to activate the CSP allowance.

Step 2: Integration Workflow

1

Initialize — Generate the verification session URL

Before rendering the iFrame, call the Get Verification Redirect API from your backend to generate a session URL for the merchant.
Response:
Save the data.redirectLink value — this is the src for your iFrame. The URL includes a single-use session token valid for 24 hours.
The callBackUrl is stored on the merchant record and used as the redirect target after verification completes. It must be a full HTTPS URL on your whitelisted domain.
2

Embed — Load the redirectLink in an iFrame

Inject the redirectLink as the src of an iFrame on your page. The allow attributes below are mandatory — without them, the browser will block camera and microphone access during VKYC.
3

Handle Callback — Listen for completion

PayGlocal signals completion in two ways:Option A — postMessage (recommended for real-time UX)Listen for message events from the iFrame. When verification completes, PayGlocal posts PARTNER_MERCHANT_VERIFICATION_COMPLETE.
During intermediate steps (e.g. DigiLocker redirect), the iFrame may also post structured events such as PARTNER_MERCHANT_VERIFICATION_REDIRECT. See Partner Onboarding Events for the full event reference.Option B — callBackUrl redirectAfter the merchant finishes, PayGlocal redirects the iFrame to the callBackUrl you provided. Your page at that URL can render a completion screen.
After the iFrame callback, always perform a server-to-server status check by calling GET /gcc/v2/partner/merchant/onboard/{onboardingId}/status to confirm that vkyc and digiLocker statuses are COMPLETE. Do not rely on the callback redirect alone to confirm completion.

Technical Requirements and Best Practices

The parent page hosting the iFrame must be served over HTTPS. Modern browsers block camera and microphone access on insecure (HTTP) origins, which will break VKYC.

Complete Frontend Example