- VKYC — Video-based KYC using the merchant’s live camera
- DigiLocker — Government document verification via DigiLocker
- T&C Acknowledgement — Merchant accepts PayGlocal terms and conditions
Step 1: Domain Whitelisting (Action Required)
PayGlocal uses a strict Content Security Policy (CSP) withframe-ancestors directives to prevent Clickjacking attacks. Browsers will display a frame-ancestors violation console error and block the iFrame until your domain is authorized.
To request whitelisting, contact your assigned PayGlocal Account Manager with:
Allow 1–2 business days for the PayGlocal team to activate the CSP allowance.
Step 2: Integration Workflow
1
Initialize — Generate the verification session URL
Before rendering the iFrame, call the Get Verification Redirect API from your backend to generate a session URL for the merchant.Response:Save the
data.redirectLink value — this is the src for your iFrame. The URL includes a single-use session token valid for 24 hours.The
callBackUrl is stored on the merchant record and used as the redirect target after verification completes. It must be a full HTTPS URL on your whitelisted domain.2
Embed — Load the redirectLink in an iFrame
Inject the
redirectLink as the src of an iFrame on your page. The allow attributes below are mandatory — without them, the browser will block camera and microphone access during VKYC.3
Handle Callback — Listen for completion
PayGlocal signals completion in two ways:Option A — postMessage (recommended for real-time UX)Listen for During intermediate steps (e.g. DigiLocker redirect), the iFrame may also post structured events such as
message events from the iFrame. When verification completes, PayGlocal posts PARTNER_MERCHANT_VERIFICATION_COMPLETE.PARTNER_MERCHANT_VERIFICATION_REDIRECT. See Partner Onboarding Events for the full event reference.Option B — callBackUrl redirectAfter the merchant finishes, PayGlocal redirects the iFrame to the callBackUrl you provided. Your page at that URL can render a completion screen.
