StayBindDevelopers
Booking API

Guest KYC

The token-gated procedures behind a guest ID-verification link. The link token is the credential, no API key or account required.

Some stays require the guest to verify their identity (and, for foreign nationals, complete an FRRO Form C). An operator issues a KYC request, which produces an opaque link the guest opens, typically https://<storefront>/kyc/<token>. These procedures power that page.

You usually don't need to build this

StayBind ships a hosted, brandable KYC page. The simplest integration is to send the guest to that link and you're done. Rebuild the flow with the procedures below only if you want KYC inside your own storefront UI.

Authentication is the token

Unlike the rest of the Booking API, these procedures use no API key. The opaque token from the link is the credential, validated inside each call, and every response is a minimal, guest-safe projection: never a storage key, an org id, or another guest's data.

The flow

Load the request

getKycRequest (query) returns what to show the guest and which methods are on offer.

curl -G https://api.staybind.com/public/trpc/getKycRequest \
  --data-urlencode 'input={"token":"kyc_abc123"}'
Response (trimmed)
{ "result": { "data": {
  "status": "pending",
  "requiresForeigner": false,
  "guestName": "Aarav Sharma",
  "propertyName": "Jaipur Haveli",
  "organizationName": "Haveli Stays",
  "checkIn": "2026-02-20",
  "checkOut": "2026-02-22",
  "documents": [],
  "methods": ["digilocker"]
} } }

Handle the non-pending states (submitted, verified, rejected, expired) by showing the guest the outcome rather than the form.

Verify automatically (optional)

If an automated method is offered, startKycVerification (mutation) kicks it off. consentToNetwork is the guest's DPDP opt-in to let this verification be recognised at other StayBind hosts.

Input
{ "token": "kyc_abc123", "method": "digilocker", "consentToNetwork": true }

For a redirect-based provider you get back a redirectUrl to send the guest to; for an inline one the request is verified immediately. Methods: digilocker, aadhaar_otp, ocr_face.

Or upload a document

When the guest uploads an ID, do it in two calls. First ask for a one-time upload URL:

requestKycUploadUrl input
{ "token": "kyc_abc123", "docType": "passport", "fileName": "passport.jpg", "mimeType": "image/jpeg" }
Response
{ "result": { "data": { "configured": true, "uploadUrl": "https://…", "objectKey": "kyc/…" } } }

PUT the file bytes straight to uploadUrl (a presigned URL, the file never passes through StayBind's API), then register it:

attachKycDocument input
{ "token": "kyc_abc123", "docType": "passport", "objectKey": "kyc/…", "fileName": "passport.jpg", "mimeType": "image/jpeg" }

If the response to step one is { "configured": false }, document storage isn't set up for this org, fall back to an automated method.

Foreign nationals: Form C

If requiresForeigner is true, collect the FRRO Form C fields with setKycForeignerDetail (mutation) before submitting:

Input
{ "token": "kyc_abc123", "detail": { "passportNumber": "…", "nationality": "…", "...": "…" } }

Submit

submitKyc (mutation) finalises the request for operator review.

Input
{ "token": "kyc_abc123" }
Response
{ "result": { "data": { "status": "submitted" } } }

Every document access and state change is written to StayBind's immutable audit log. Documents are stored privately and are never served from a public URL.

On this page