The Customers project focuses on authentic identification of humans who are legally able to hold and transfer currency within the US. Primarily this project solves Know Your Customer (KYC), Customer Identification Program (CIP), Office of Foreign Assets Control (OFAC) checks and verification workflows to comply with US federal law and ensure authentic transfers. Customers also aims to be a service for detailed due diligence on individuals and companies for Financial Institutions and services, in a modernized and extensible way.
Docs: docs.moov.io | api docs
Moov Customers is under active development, so please star the project if you are interested in its progress. We are developing an extensible HTTP API for interactions along with an OpenAPI specification file for generating clients for integration projects.
You can download our docker image `moov/customers` from Docker Hub or use this repository. No configuration is required to serve on `:8087` and metrics at `:9097/metrics` in Prometheus format.
The following environmental variables can be set to configure behavior in Accounts.
| Environmental Variable | Description | Default |
|---|---|---|
| `HTTPS_CERT_FILE` | Filepath containing a certificate (or intermediate chain) to be served by the HTTP server. Requires all traffic be over secure HTTP. | Empty |
| `HTTPS_KEY_FILE` | Filepath of a private key matching the leaf certificate from `HTTPS_CERT_FILE`. | Empty |
| `OFAC_ENDPOINT` | HTTP address for OFAC interaction, defaults to Kubernetes inside clusters and local dev otherwise. | Kubernetes DNS |
| `OFAC_MATCH_THRESHOLD` | Percent match against OFAC data that's required for paygate to block a transaction. | 0.90 |
| `DATABASE_TYPE` | Which database option to use (Options: `sqlite`, `mysql`) | `sqlite` |
Based on `DATABASE_TYPE` the following environment variables will be read to configure connections for a specific database.

- `MYSQL_ADDRESS`: TCP address for connecting to the mysql server. (example: `tcp(hostname:3306)`)
- `MYSQL_DATABASE`: Name of database to connect into.
- `MYSQL_PASSWORD`: Password of user account for authentication.
- `MYSQL_USER`: Username used for authentication.
- `MYSQL_TIMEOUT`: Timeout parameter specified on the (DSN) data source name. (Default: `30s`)

Refer to the mysql driver documentation for connection parameters.

- `SQLITE_DB_PATH`: Local filepath location for the customers SQLite database. (Default: `customers.db`)

Refer to the sqlite driver documentation for connection parameters.
The following environment variables control which backend service is initialized for Document persistence. These all follow a similar "blob storage" API provided by a library that Google builds and maintains.

- `BUCKET_NAME`: The name of the bucket to use. Must be created outside of Customers if using a cloud provider. Make sure proper access and encryption controls are set up on this bucket to prevent exposure or unauthorized access. Example: `./storage/` (for `file` type backends)
- `CLOUD_PROVIDER`: Provider name which determines which of the following environmental variables are used to initialize Customer's persistence.

For more information see the Go Cloud Development Kit docs for s3blob. Use `CLOUD_PROVIDER=aws` to read the following environmental variables:

- `AWS_REGION`: Amazon region name of where the bucket exists.
- `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`: Standard AWS access credentials used by applications.

For more information see the Go Cloud Development Kit docs for gcsblob. Google's auth uses the standard service account authorization when deploying services. Use `CLOUD_PROVIDER=gcp` to read the following environmental variables:

- `GOOGLE_APPLICATION_CREDENTIALS`: A filepath to the GCP service account json file.

For more information see the Go Cloud Development Kit docs for fileblob. This is the default if no other provider is specified. Use `CLOUD_PROVIDER=file` to read the following environmental variables:

- `FILEBLOB_BASE_URL`: A filepath for storage on local disk. (Default: `./storage/`)
- `FILEBLOB_HMAC_SECRET`: HMAC secret value used to sign URLs. You MUST change this for production usage! (Default: `secret`)
- `SECRETS_LOCAL_BASE64_KEY`: A base64 encoded key used to encrypt and decrypt secrets in memory. This value needs to look like `base64key://value` where `value` is a 32 byte random key.
- `SECRETS_GCP_KEY_RESOURCE_ID`: A Google Cloud resource ID used to interact with their Key Management Service (KMS). This value has the form `projects/MYPROJECT/locations/MYLOCATION/keyRings/MYKEYRING/cryptoKeys/MYKEY` and their documentation has more details.
- `VAULT_SERVER_TOKEN`: A Vault generated value used to authenticate. See the Hashicorp Vault documentation for more details.
- `VAULT_SERVER_URL`: A URL for accessing the vault instance. In production environments this should be an HTTPS (TLS) secured connection.
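Two of the settings above are easy to get wrong: `SECRETS_LOCAL_BASE64_KEY` must decode to exactly 32 bytes, and `FILEBLOB_HMAC_SECRET` must not be left at its default. The following Go code is an added example, not the project's own code; it generates a key in the documented `base64key://` form and checks both settings before startup, assuming the URL-safe base64 alphabet (the page does not say which alphabet is expected).

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

const base64KeyScheme = "base64key://"

// NewLocalBase64Key builds a SECRETS_LOCAL_BASE64_KEY value: 32 random bytes,
// base64 encoded behind base64key:// (URL-safe alphabet assumed, not stated on the page).
func NewLocalBase64Key() (string, error) {
	var key [32]byte
	if _, err := rand.Read(key[:]); err != nil {
		return "", err
	}
	return base64KeyScheme + base64.URLEncoding.EncodeToString(key[:]), nil
}

// CheckLocalBase64Key fails unless v carries the scheme and decodes to exactly 32 bytes.
func CheckLocalBase64Key(v string) error {
	if !strings.HasPrefix(v, base64KeyScheme) {
		return errors.New("SECRETS_LOCAL_BASE64_KEY must start with " + base64KeyScheme)
	}
	raw, err := base64.URLEncoding.DecodeString(strings.TrimPrefix(v, base64KeyScheme))
	if err != nil {
		return fmt.Errorf("SECRETS_LOCAL_BASE64_KEY is not valid base64: %w", err)
	}
	if len(raw) != 32 {
		return fmt.Errorf("SECRETS_LOCAL_BASE64_KEY decodes to %d bytes, want 32", len(raw))
	}
	return nil
}

// CheckFileblobHMACSecret rejects an empty value or the documented default "secret"
// when the file backend is selected (CLOUD_PROVIDER=file, or unset, which defaults to file).
func CheckFileblobHMACSecret(cloudProvider, secret string) error {
	if (cloudProvider == "" || cloudProvider == "file") && (secret == "" || secret == "secret") {
		return errors.New("FILEBLOB_HMAC_SECRET is unset or still the default value")
	}
	return nil
}
```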
Currently approval of Customers is represented by the `status` field of a Customer and can have the following values: `Deceased`, `Rejected`, `None` (Default), `ReviewRequired`, `KYC`, `OFAC`, and `CIP`. These values can only be changed via the "admin" endpoints exposed in Customers. Admin endpoints are served from Customer's admin port (`9097`). Approvals (updates to a Customer status) can only be done manually, but we are aiming for automated approval. In order for a Customer to be approved into OFAC or higher there must be an OFAC search performed without positive matches, and CIP requires a valid Social Security Number (SSN).
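The approval rules in the paragraph above, as an added Go example that is not the project's code: statuses are ranked in the order they are listed (the `statusRank` map and the `OFACSearch` type are constructed for this example), and a best match score at or above `OFAC_MATCH_THRESHOLD` is assumed to count as a positive match.

```go
package main

import (
	"errors"
	"fmt"
)

// Customer statuses as listed in the README. Ranking follows the list order,
// so "OFAC or higher" covers OFAC and CIP; Deceased and Rejected are not approvals.
const (
	StatusDeceased       = "Deceased"
	StatusRejected       = "Rejected"
	StatusNone           = "None"
	StatusReviewRequired = "ReviewRequired"
	StatusKYC            = "KYC"
	StatusOFAC           = "OFAC"
	StatusCIP            = "CIP"
)

var statusRank = map[string]int{StatusNone: 0, StatusReviewRequired: 1, StatusKYC: 2, StatusOFAC: 3, StatusCIP: 4}

// OFACSearch is a constructed stand-in for a search result: whether one ran and its best score (0..1).
type OFACSearch struct {
	Performed bool
	BestMatch float64
}

// ApproveStatus applies the two documented gates before an admin moves a Customer to target:
// OFAC or higher needs a completed OFAC search with no positive match (assumption: a score
// at or above threshold is positive, mirroring OFAC_MATCH_THRESHOLD) and CIP needs a valid SSN.
func ApproveStatus(target string, search OFACSearch, threshold float64, hasValidSSN bool) error {
	rank, ok := statusRank[target]
	if !ok {
		return fmt.Errorf("%q is not an approval status", target)
	}
	if rank >= statusRank[StatusOFAC] {
		if !search.Performed {
			return errors.New("OFAC search has not been performed")
		}
		if search.BestMatch >= threshold {
			return fmt.Errorf("OFAC search returned a positive match (%.2f >= %.2f)", search.BestMatch, threshold)
		}
	}
	if rank >= statusRank[StatusCIP] && !hasValidSSN {
		return errors.New("CIP approval requires a valid SSN")
	}
	return nil
}
```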
| channel | info |
|---|---|
| Project Documentation | Our project documentation available online. |
| Google Group moov-users | The Moov users Google group is for contributors and other people contributing to the Moov project. You can join them without a google account by sending an email to moov-users+subscribe@googlegroups.com. After receiving the join-request message, you can simply reply to that to confirm the subscription. |
| Twitter @moov_io | You can follow Moov.IO's Twitter feed to get updates on our project(s). You can also tweet us questions or just share blogs or stories. |
| GitHub Issue | If you are able to reproduce a problem please open a GitHub Issue under the specific project that caused the error. |
| moov-io slack | Join our slack channel (#customers) to have an interactive discussion about the development of the project. Request an invite to the slack channel |
Yes please! Please review our Contributing guide and Code of Conduct to get started!
Note: This project uses Go Modules, which requires Go 1.11 or higher, but we ship the vendor directory in our repository.
Apache License 2.0. See LICENSE for details.