The PiM ID API allows you to create tamper-proof QR-code images from validated and verified customer data, that you can integrate into your services (for example on login pages). Your customers can scan the company-specific QR-code with the PiM application on their phone.

API specification

Test the API on SwaggerHub


Base URL

Conceptual model

Conceptual model


  • Registered Redirect URL: After the purchase of the API, KPN will contact you to request a Redirect URL and lets you know how to reference this in the API (see redirect parameter). In the future, an additional API endpoint will be introduced that allows you to manage these Redirect URLs.



The General Data Protection Regulation is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.


A QR-code (abbreviated from Quick Response code) is a type of matrix barcode (or two-dimensional barcode).


Base64 is an encoding algorithm that allows you to transform any characters into an alphabet that consists of Latin letters, digits, plus and slash.

API workflow

Workflow diagram


  • Secure QR-codes.
  • Company-specific QR-codes.
  • Fully encrypted.
  • GDPR compliant.

Getting started

Make sure you've read What's in it for you for more info on how to register and start testing APIs.


The API follows the KPN Store API Authentication Standard to secure the API. It includes the use of OAuth 2.0 client_id and client_secret to receive an access token.

Go to the Authentication tab on top of this page to find out how to:

  • Authenticate to an API using cURL.
  • Authenticate to an API on Swaggerhub.
  • Import Open API Specifications (OAS), also called Swagger files into Postman.

How to...

Create a QR-code

This endpoint generates a QR-code as a Base64 byte array. Attributes provide the customer name, e-mail address, telephone number, address details and bank account number, or any other customer attributes.



^^Request body example^^
  "redirect": "1",
  "title": "Enter the title here",
  "description": "Enter more information here",
  "attributes": "Email,Mobile,Bankaccountnumber,NickName,Initials,FirstName,FamilyNamePrefix,FamilyName,BirthName,DateOfBirth,PlaceOfBirth,Gender,HeadShot,BankIdentificationNumber,BankAccountHolderName",
  "width": "400",
  "height": "400"
Parameter Type Description
redirect integer A reference to the Redirect URL registered with PiM. For example: 1. See Requirements
title string The title of the QR-code image.
description string Here you can describe what information you need from your customers to create the QR-code.
attributes string Allowed attributes: Email, Mobile, Bankaccountnumber, NickName, Initials, FirstName, FamilyNamePrefix, FamilyName, BirthName, DateOfBirth, PlaceOfBirth, Gender, HeadShot, BankIdentificationNumber, BankAccountHolderName.
width number The width of the QR-code image in pixels.
height number The height of the QR-code image in pixels.


The response is a Base64 encoded byte array formatted SVG file. This byte array can also be downloaded.

On the client-side, you need to use a Base64 decode algorithm to convert the response into a usable format. In this case, that is an SVG image of the QR-code.

Return codes

Code Description
200 Success.
201 Created.
202 Accepted.
302 Found. Link in location header.
400 Bad request.
401 Unauthorized.
403 Forbidden.
404 Not found.
405 Method not allowed.
412 Precondition failed.
429 Too many requests.
500 Internal server error.
502 Bad gateway.
503 Service unavailable.

HTTP response headers

The following tables display the standard response headers that are returned with each API response:

Standard response field name Description
sunset This field will be populated with the deprecation details. By default the value is n/a.
api-version Indicates the API version you have used.
quota-interval Used to specify an integer (for example, 1, 2, 5, 60, and so on) that will be paired with the quota-time-unit you specify (minute, hour, day, week, or month) to determine a time period during which the quota use is calculated.
For example, an interval of 24 with a quota-time-unit of hour means that the quota will be calculated over the course of 24 hours.
quota-limit Number of API calls an user can make within a given time period.
If this limit is exceeded, the user will be throttled and API requests will fail.
quota-reset-UTC All quota times are set to the Coordinated Universal Time (UTC) time zone.
quota-time-unit Used to specify the unit of time applicable to the quota.
For example, an interval of 24 with a quota-time-unit of hour means that the quota will be calculated over the course of 24 hours.
quota-used Number of API calls made within the quota.
strict-transport-security The HTTP Strict-Transport-Security (HSTS) response header lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP. All present and future subdomains will be HTTPS for a maximum of 1 year and access is blocked to pages or sub domains that can only be served over HTTP including HSTS preload lists of web browsers.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload.
Access control field name Description
access-control-allow-credentials Tells browsers whether to expose the response to frontend JavaScript when the request's credentials mode (Request.credentials) is include.
When a request's credentials mode (Request.credentials) is include, browsers will only expose the response to frontend JavaScript if the Access-Control-Allow-Credentials value is true. Boolean.
access-control-allow-origin Indicates whether the response can be shared with requesting code from the given origin.
access-control-allow-headers Used in response to a pre-flight request which includes the Access-Control-Request-Headers to indicate which HTTP headers can be used during the actual request.
access-control-max-age Indicates how long the results of a pre-flight request (that is the information contained in the Access-Control-Allow-Methods and Access-Control-Allow-Headers headers) can be cached.
access-control-allow-methods Indicates which HTTP methods are allowed on a particular endpoint for cross-origin requests.
For example: GET, PUT, POST, DELETE.
content-length The Content-Length entity header indicates the size of the entity-body, in bytes, sent to the recipient.
content-type The Content-Type entity header the client what the content type of the returned content actually is.

Mopinion feedback