Legal · auth.ng

Acceptable Use Policy

The rules for using auth.ng responsibly, whether you're verifying your own identity or building on our sign-in and verification tools.

Last updated: July 3, 2026 · A brand of Bolrach Technologies Limited

1. Purpose

This Acceptable Use Policy explains what you can and can't do when you use auth.ng, whether you're an individual verifying your identity, a developer integrating our sign-in and verification tools, or anyone accessing our systems in any other way. It sits alongside our Terms of Service and our Privacy Policy, and it applies to everyone who touches the platform, no exceptions.

auth.ng is a brand of Bolrach Technologies Limited. We built this policy in plain language on purpose. If something here is unclear, email [email protected] before you do the thing you're unsure about.

2. Prohibited uses

You may not use auth.ng, or help anyone else use auth.ng, to do any of the following:

  • Fraud or impersonation. Creating or verifying an identity that isn't your own, submitting someone else's photo or documents as your own, or helping another person misrepresent who they are.
  • Defeating verification or liveness checks. Using photos of photos, masks, deepfakes, screen replays, injected video, emulators, or any other method meant to trick our capture or liveness checks instead of presenting a real, live person.
  • Scraping or harvesting identities. Automated collection, bulk export, or systematic scraping of verification results, profile data, or any personal information tied to an auth.ng account.
  • Reselling access. Reselling, sublicensing, renting, or otherwise passing on your access to auth.ng's verification or sign-in services to a third party without our written agreement.
  • Using claims beyond what was consented to. Requesting, storing, or acting on a verified claim (identity, age, or otherwise) for a purpose the user didn't agree to at the time they consented.
  • Automated abuse of login or OTP endpoints. Scripting, brute-forcing, credential stuffing, or otherwise hammering our sign-in, password, or one-time-code endpoints outside normal human use.
  • Reverse-engineering the verification engine. Attempting to extract, decompile, probe, or otherwise reverse-engineer the models, logic, or thresholds behind our document, face-match, or liveness checks.

3. Developer and app rules

If you're building on auth.ng through developers.auth.ng, a few extra rules apply on top of the ones above:

  • Your app must not mislead users about who is asking for their information, why it's needed, or what auth.ng actually verified.
  • Only request the scopes your app genuinely needs. If you don't use a piece of data, don't ask for it.
  • Don't store raw identifiers (document numbers, raw biometric templates, or similar) on your own systems. Store the verified claim or token we give you, not the underlying identity document.
  • Keep your client secrets and API keys out of source control, mobile binaries, and anywhere else a user or attacker could pull them out.

We can suspend an app's access, with or without notice, if it puts users or the platform at risk.

4. Security research

We'd rather hear about a problem from a researcher than read about it somewhere else. If you find a security issue, tell us directly at [email protected] before you tell anyone else, and give us a reasonable window to fix it before any public disclosure.

  • Test against accounts and data you created for that purpose. Never test against a real user's live identity data, account, or session without their explicit permission.
  • Don't run automated scanners against production that could degrade service for other users.
  • Don't access, modify, or delete data that isn't yours while researching an issue.

Good-faith research that stays inside these lines won't result in legal action from us.

5. Enforcement

How we respond depends on what happened and how serious it is. We generally follow this order, but we can skip straight to suspension or termination for anything involving fraud, safety, or repeat abuse:

  • Warning. A notice explaining what rule was broken and what needs to change.
  • Suspension. Temporary loss of access to your account, API keys, or app while we investigate.
  • Termination. Permanent closure of the account or revocation of developer access.
  • Referral to authorities. Where the conduct looks like fraud, identity theft, or another crime, we can and will refer it to law enforcement.

6. Reporting abuse

If you spot behavior on auth.ng that looks like it breaks this policy, whether it's a suspicious app, a fake identity, or anything else, report it through your account's support ticket or email [email protected]. Include as much detail as you can (account, app name, dates, what you saw) so we can look into it quickly. We don't offer phone support; tickets and our knowledge base are the fastest way to reach us.

7. Changes to this policy

We may update this policy as auth.ng grows and as new risks show up. If we make a material change, we'll update the date at the top of this page and, where required, notify account holders directly. Continuing to use auth.ng after a change takes effect means you accept the updated policy.

8. Contact

Questions about this policy, or anything else legal, go to [email protected]. Security issues go to [email protected]. You can also read our Terms of Service, Privacy Policy, Data Processing Agreement, and Cookie Policy for the rest of the picture.

auth.ng is a brand of Bolrach Technologies Limited.

Questions about this document?

auth.ng is a brand of Bolrach Technologies Limited. Contact [email protected]. Support is by ticket and knowledge base.