Checkr Trust is a modern, RESTful API-driven service designed to enhance trust and safety for your platform. The Checkr Trust API uses resource-oriented URLs, supports HTTPS for authentication and requests, and returns JSON responses.
The Checkr Trust API provides access to a rich set of data, including criminal records, traffic infractions, and registry checks. Once credentialed, you can start testing locally in minutes. For additional resources, please refer to our resource center. This documentation aims to help you quickly utilize Checkr Trust’s services, offering context and technical guidance for working with the API.
The following sections will guide you through the steps necessary to start running checks with the Checkr Trust API:
- Get credentialed
- Authenticate with Checkr Trust
- Create a New Profile
- Create a New Check
- Parse Check Results
- Create a New Driver Check
- Parse Driver Check Results
- Create a New Identity Verification
- Parse Identity Verification Results
- Regulated Criminal Reports
- Create a New Regulated Criminal Report
- Parse Regulated Criminal Report Results
Before you can request data from this API, you must first work with a Checkr Trust Account Executive or Customer Success representative to set up and credential your account.
Best practices for securing your API credentials:
- Do not store your credentials in your codebase or commit them to version control. Instead, securely store the key only in your production environment, such as in environment variables.
- Do not store your API key on the client side. All requests should be made from the server side, and only necessary data should be passed to the client.
- If an API key is compromised, contact Checkr Trust immediately to revoke it. Checkr Trust will expire the current key and your Account Executive or Customer Success Representative will issue you a new one.
Your API key can be used to make any API call on behalf of your account, such as creating profiles and checks. Currently, your API key has unlimited access and must be secured accordingly. Checkr Trust will provide you with your Client Key and Secret Key, which can be exchanged for an access token via OAuth. The generated access tokens expire in 24 hours if not refreshed. Below is a step-by-step guide.
OAuth 2.0 is an authorization framework that allows applications to obtain access to a HTTP service. User authentication is delegated to the service that hosts the user account, while third-party applications are authorized to access the user account.
- Resource Owner: The user authorizing an application to access their account.
- Client: The application requesting access to the user's account.
- Authorization Server: The server authenticating the Resource Owner and issuing access tokens to the Client.
- Resource Server: The server hosting protected resources, capable of responding to requests using access tokens.
Make a POST request to the token endpoint with your client_id and client_secret in the body.
$ curl --location 'https://api.checkrtrust.com/v1/accounts/token' \
--header 'Content-Type: application/json' \
--data '{
"client_id": "YOUR_CLIENT_ID",
"client_secret": "YOUR_CLIENT_SECRET"
}'If the request is successful, the Authorization Server responds with an access token, scopes, expiration time, and token type.
{
"access_token": "eyJhb...(something long)...qJFlg",
"scope": "read:account create:account delete:account",
"expires_in": 86400,
"token_type": "Bearer"
}Include the access token in the Authorization header when making requests to the Resource Server.
curl --location 'https://api.checkrtrust.com/v1/checks' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer ACCESS_TOKEN' \
--data '{
"first_name": "John",
"last_name": "Smith",
"dob": "19880218"
}'If any step in the OAuth 2.0 flow encounters an error, the Authorization Server returns an error response. These errors can include invalid requests, invalid clients, and invalid grants.
{
"error": "access_denied",
"error_description": "Unauthorized"
}Our API uses webhooks to notify your application about asynchronous events, primarily when certain checks or verifications are completed. This allows you to receive results without needing to poll our API continuously.
Currently, webhook endpoints must be configured by your Checkr Trust Account Executive. Please contact them to set up or update the URL where you wish to receive webhook events and to provide your shared secret key for signature verification (if desired).
Receiving results for driver_checks (both driver_license_status and motor_vehicle_report) requires a configured webhook endpoint.
The results are delivered asynchronously via a webhook payload once the check/verification is complete. See the specific event schemas defined under the callbacks for the respective POST operations:
POST /driver_checks:driver-license-status-completed-event-body,motor-vehicle-report-completed-event-body
To ensure the integrity and authenticity of webhook payloads, we offer optional payload signing using HMAC-SHA256. This is highly recommended for securing your webhook endpoint.
How it Works:
- When configured with a shared secret key (provided to your Account Executive), we will generate a signature for each webhook event payload.
- This signature is calculated using the HMAC-SHA256 algorithm on the raw JSON payload of the webhook request body.
- The resulting signature (as a hexadecimal string) is included in the webhook request's HTTP headers, under the
X-Checkr-Signatureheader with the valuesha256={signature}
Verifying the Signature (Recommended): You should verify this signature on your end to confirm that the payload was sent by Checkr Trust and hasn't been tampered with.
Verification Steps:
- Extract the signature from the
X-Checkr-Signature(or the specific header name provided to you) header of the incoming request. - Read the raw request body. It is crucial not to parse and re-serialize the JSON before verification, as minor changes (like whitespace or key order) can invalidate the signature.
- Compute the HMAC-SHA256 hash of the raw payload string using your shared secret key.
- Convert the computed hash to its hexadecimal representation.
- Compare the signature extracted from the header with your computed signature. Use a timing-safe comparison function provided by your language/framework to prevent timing attacks.
Code Examples for Verification:
Ruby:
require 'openssl'
# For secure_compare, typically available in Rails/ActiveSupport
require 'active_support/security_utils'
# Assuming 'request' is your HTTP request object
# and 'SIGNATURE_KEY' is your shared secret
provided_signature = request.headers['X-Checkr-Signature']&.split('=')&.last
raise 'signature missing' unless provided_signature
# Ensure you get the raw body, not parsed JSON
payload_body = request.raw_post
expected_signature = OpenSSL::HMAC.hexdigest('SHA256', SIGNATURE_KEY, payload_body)
# Use secure_compare for timing-attack resistance
is_valid = ActiveSupport::SecurityUtils.secure_compare(provided_signature, expected_signature)
if is_valid
# Signature is valid, process the webhook payload
puts "Webhook signature verified."
else
# Signature is invalid, reject the request
puts "Webhook signature verification failed."
# Return an appropriate error response (e.g., 401 Unauthorized)
endOur system will attempt to deliver webhook events to your configured endpoint. If your endpoint returns a non-2xx status code (e.g., 4xx, 5xx) or fails to respond within a reasonable timeout, we will retry sending that event. We retry up to 25 times with exponential time backoff (e.g. after 15 seconds, 16 seconds, 30 seconds, 90 seconds, etc) for a total period of around 20 days.
It is crucial that your endpoint:
- Responds quickly with a
200 OKstatus upon successful receipt of the request (ideally before performing complex processing). - Is designed to handle potential duplicate events (e.g., due to network issues or retries).
- Handles the signature verification process robustly.
Profiles represent a set of Personally Identifiable Information (PII) for a person who will be checked. Profiles can be updated with the latest information for a person and be referenced to generate checks.
Checks provide the resulting information relevant to the requested check for a set of PII. The response will include the check type and results.
Creates a new check, immediately returning the results.
Required Fields
The required attributes for a check resource vary depending on its intended use. Each check requires a minimum set of attributes. You can pass through the minimum set of PII or a profile_id to reference the profile’s PII. If both parameters are passed, the PII from the profile will take precedence. If the PII is insufficient for a check, a validation error will return a 401 Bad Request.
Fields required to generate an Instant Criminal Check include:
first_namelast_name
Although dob (date of birth) is encouraged, it is not required. Searches without dob will give back results that are matched by name only, which may be false positives.
Synchronous responses for a check and GET requests for a check both contain the same information about the results of the check. A completed check with empty results indicates that there are no items on the person’s record for review. Results that are populated indicate items on the check that may require review. Results may not be used to determine eligibility for credit, insurance, employment, or any other purpose regulated under the FCRA. Additionally, Checkr Trust does not make any policy decisions on behalf of its customers.
Driver checks provide the resulting information relevant to the requested driver license. The response will include the driver check type and results.
Creates a new Driver Check, returning the results asynchronously, using a pre-defined webhook.
Required Fields
The required attributes for a driver check vary depending on its intended use. You can pass through the minimum set of PII or a profile_id to reference the profile’s PII. If both parameters are passed, the PII from the profile will take precedence. If the PII is insufficient for a driver check, a validation error will return a 401 Bad Request.
Fields required to generate a Driver Check include:
first_namelast_namedobdriver_license_numberdriver_license_state
Asynchronous responses for a Driver Check and GET requests for a Driver Check both contain the same information about the results. You must expose a Webhook endpoint on your end to receive Driver Check completion events. Please work with a Checkr Trust Account Executive or Customer Success representative to set up this Webhook endpoint on your account. Additionally, Checkr Trust does not make any policy decisions on behalf of its customers.
Identity Verifications provide the resulting information relevant to the requested verification for a set of PII. The response will include the IDV type and results.
Creates a new Identity Verification check.
Required Fields
The required attributes for an Identity Verification resource vary depending on its intended use. You can pass through the minimum set of PII or a profile_id to reference the profile’s PII. If both parameters are passed, the PII from the profile will take precedence. If the PII is insufficient for a verification, a validation error will return a 401 Bad Request.
Fields required to generate an Identity Verification include:
first_namelast_nameidv_type- any of
email, phone, doboraddress
Identity Verifications of idv_type pii_validation and personal_identity_records use synchronous responses. Responses for POST and GET requests for an Identity Verification both contain the same information about the results. A completed Identity Verification will provide match scores for each attribute provided (first name, last name, email, phone, etc); and an overall match score.
Identity Verifications of idv_type document_verification use asynchronous responses. The POST request contains an initial payload with the collection_link to provide to your end user; they use the web application at that link on a mobile device to provide the documents we will verify. You must expose a Webhook endpoint to receive the completed document verification, which contains the same information and results as a GET request once the request is completed. Please work with a Checkr Trust Account Executive or Customer Success representative to set up this Webhook endpoint on your account.
Additionally, Checkr Trust does not make any policy decisions on behalf of its customers.
Regulated Criminal Reports provide asynchronous criminal record check results with legal annotation. Unlike instant checks, results are not returned in the HTTP response. Instead, the API accepts your request, returns a report ID and status, and delivers the full results via webhook once processing is complete.
This product is designed for Fair Credit Reporting Act (FCRA) regulated use cases where legal annotation of criminal records is required. Results include checks at the record, case, and charge levels indicating whether items should be included, investigated, or removed based on applicable legal rules for the specified jurisdictions.
- Create a report — Submit a
POST /regulated/criminal_reportsrequest with the subject's PII (or aprofile_id) along withfilter_contextandpermissible_purpose. The API responds with202 Acceptedand a JSON body containing the reportidandstatus(initiallypending). - Receive results via webhook — Once processing is complete, the full report (including criminal records, cases, charges, and legal annotation checks) is delivered to your configured webhook endpoint. You must have a webhook endpoint configured to receive these results.
- Retrieve results on demand — You can also retrieve a report at any time using
GET /regulated/criminal_reports/{id}. Once the report is complete, the response includes the full results. You can list all reports for your account usingGET /regulated/criminal_reports.
Required Fields
A regulated criminal report requires the following fields when submitting PII directly:
first_namelast_namedob(date of birth in YYYYMMDD format)filter_contextwith both afilter_domainand acandidate_jurisdictioncontaining astatepermissible_purpose(e.g.,Employment)
Alternatively, you can pass a profile_id to reference an existing profile's PII, along with filter_context and permissible_purpose.
curl --location 'https://api.checkrtrust.com/v1/regulated/criminal_reports' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer ACCESS_TOKEN' \
--data '{
"first_name": "John",
"last_name": "Smith",
"dob": "19900101",
"filter_context": {
"filter_domain": "employment",
"candidate_jurisdiction": {
"state": "CA"
},
"decider_jurisdiction": {
"state": "NY"
}
},
"permissible_purpose": "Employment"
}'{
"id": "2b8313e8-4efd-45a1-b578-952b8313e890",
"status": "pending"
}Once the report is complete, the full results are available via the webhook payload and through GET /regulated/criminal_reports/{id}. The response includes:
status— The report status (pending,complete, orfailed).results— An array of criminal records found. Each record contains:person— Identifying information for the matched individual (name, DOB, addresses, etc.).cases— Court cases associated with the record, each containingchargeswith offense details, sentences, and dispositions.source— The data source where the record was found.checks— Legal annotation check results at the record, case, and charge levels. Each check includes anaction_type(note,investigate,remove, ormodified), arule_id, and a human-readabledescriptionof the legal rule applied.
check_type— Alwaysregulated_criminal_report.run_notes— Any informational notes about how input was parsed or about the results.
A completed report with empty results indicates that no criminal records were found for the subject.
Results may only be used for purposes permitted under the Fair Credit Reporting Act (FCRA), consistent with the permissible_purpose provided at the time of the request.