FSSAI FORM C

Endpoint Overview

POST /api/v1/corporate/fssai-form-c

Description

The FSSAI Form C Verification API enables businesses and developers to verify FSSAI (Food Safety and Standards Authority of India) license details and retrieve the associated Form C / Non-Form C Annexure certificate document. By submitting an FSSAI license number, the API returns a secure, time-limited link to the official FSSAI certificate PDF stored on AWS S3.

This API is part of the Surepass KYC and compliance suite and is designed to help organizations automate food business license verification, reduce manual effort, and ensure regulatory compliance with minimal integration overhead.

Key Benefits

Instant Certificate Retrieval: Fetch the official FSSAI Form C certificate PDF in real time via a secure, pre-signed S3 link.

Compliance Automation: Eliminate manual lookups and streamline food-business onboarding and vendor verification workflows.

Simple Integration: A single POST request with just the FSSAI license number is all that is needed — no complex payloads or multi-step flows.

Secure & Time-Bound Access: Certificate links are pre-signed with AWS Signature V4 and expire after 600 seconds, ensuring data security.

Use Cases

Food & Beverage

Fintech & Lending

HR & Staffing

Verify supplier and vendor FSSAI licenses before onboarding them into a supply chain.

Automate periodic license renewal checks for existing food business partners.

Validate restaurant or cloud kitchen compliance before listing them on a food delivery platform.

Technical Implementation

Authentication

All API requests require authentication using a JWT Bearer token. Authentication follows these steps:

Obtain API Credentials: Register with Surepass to receive your API key.

Generate JWT Token: Use your API key to generate a JWT token.

Include in Requests: Add the token to the Authorization header as Bearer TOKEN.

Different authentication tokens are used for sandbox and production environments:

Sandbox: https://sandbox.surepass.app

Production: https://kyc-api.surepass.app

Request Parameters

Request Headers

Header	Required	Description
`Authorization`	Yes	Bearer token for authentication. Format: `Bearer <JWT_TOKEN>`
`Content-Type`	Yes	Must be set to `application/json`

Request Body

Parameter	Type	Required	Description
`id_number`	string	Yes	The FSSAI license number to verify. Example: `22819012011312`

Example Request

{
    "id_number": "22819012011312"
}

Process Response

Response Parameters

Parameter	Type	Description
`data`	object	Contains the verification result payload
`data.client_id`	string	Unique identifier assigned to this verification request by Surepass
`data.id_number`	string	The FSSAI license number that was submitted in the request
`data.certificate_link`	string	A pre-signed, time-limited AWS S3 URL pointing to the FSSAI Form C / Non-Form C Annexure PDF. Valid for 600 seconds from the time of generation
`status_code`	integer	HTTP-equivalent status code for the API response (e.g., `200` for success)
`success`	boolean	Indicates whether the request was processed successfully (`true` / `false`)
`message`	string	Human-readable status message (e.g., `"Success"`)
`message_code`	string	Machine-readable status code for the response (e.g., `"success"`)

Example Successful Response

{
    "data": {
        "client_id": "fssai_non_form_c_annexure_unfxytjyiOGrUdgbjPZD",
        "id_number": "22819012011312",
        "certificate_link": "https://aadhaar-kyc-docs.s3.amazonaws.com/fssai_form_3/105813727/fssai_non_form_c_annexure_unfxytjyiOGrUdgbjPZD-2026-03-26-110019253624.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAY5K3QRM5KVPBYKKE%2F20260326%2Fap-south-1%2Fs3%2Faws4_request&X-Amz-Date=20260326T110019Z&X-Amz-Expires=600&X-Amz-SignedHeaders=host&X-Amz-Signature=767656da9fe885841b806e1db3f50e1e2b983ad73e0d3114fe84a4e8b2d8ce9a"
    },
    "status_code": 200,
    "success": true,
    "message": "Success",
    "message_code": "success"
}

Possible Error Responses

Unauthorized (401)

Server Error (500)

{
    "data": null,
    "status_code": 401,
    "success": false,
    "message": "Authentication credentials were not provided or are invalid.",
    "message_code": "unauthorized"
}

Returned when the JWT Bearer token is missing, malformed, or expired. Ensure you are passing a valid token in the Authorization header as Bearer <JWT_TOKEN>.

Integration Best Practices

Security Recommendations

Never expose your JWT token in client-side code, public repositories, or log files. Store it in environment variables or a secrets manager.

Use separate tokens for sandbox and production environments to prevent accidental cross-environment data access.

Refresh tokens proactively before they expire to avoid request failures in production workflows.

Download and archive certificates promptly — the certificate_link is a pre-signed S3 URL that expires after 600 seconds. Store the PDF on your own infrastructure if long-term access is required.

Validate HTTPS on all requests and never disable SSL verification, even in testing environments.

User Experience Guidelines

Show a loading indicator while the API request is in progress, as certificate generation may take a few seconds.

Handle link expiry gracefully — if a user tries to open the certificate_link after 600 seconds, prompt them to re-initiate the verification rather than displaying a raw AWS error.

Display meaningful error messages to end users based on message_code values rather than raw HTTP status codes.

Cache the client_id for audit trail and support purposes so verification events can be traced back to specific requests.

Implement retry logic for 5xx server errors using exponential backoff (e.g., retry after 1s, 2s, 4s) to handle transient failures gracefully.

Code Samples

cURL

Python

Node.js

Compliance and Legal Considerations

This API accesses FSSAI license data sourced from official government records. Ensure that your use of this data complies with applicable Indian data protection and privacy regulations, including the Digital Personal Data Protection Act, 2023 (DPDPA).

Obtain appropriate user consent before initiating verification on behalf of an individual or business entity.

Certificate documents retrieved via certificate_link are for verification purposes only and should not be redistributed or published without authorization.

Maintain an audit log of all verification requests (using client_id) in accordance with your organization's data retention policies and applicable compliance requirements.

Use the sandbox environment (https://sandbox.surepass.app) exclusively for development and testing. Never use production credentials or real license numbers in sandbox calls.

Provide your bearer token in the

Authorization

header when making requests to protected resources.

Example:

Authorization: Bearer ********************

curl --location --request POST 'https://kyc-api.surepass.app/api/v1/corporate/fssai-form-c' \ --header 'Authorization: Bearer <token>' \ --header 'Content-Type: application/json' \ --data-raw '{ "id_number": "22819012011312" }'

{ "data": { "client_id": "fssai_non_form_c_annexure_unfxytjyiOGrUdgbjPZD", "id_number": "22819012011312", "certificate_link": "https://aadhaar-kyc-docs.s3.amazonaws.com/fssai_form_3/105813727/fssai_non_form_c_annexure_unfxytjyiOGrUdgbjPZD-2026-03-26-110019253624.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAY5K3QRM5KVPBYKKE%2F20260326%2Fap-south-1%2Fs3%2Faws4_request&X-Amz-Date=20260326T110019Z&X-Amz-Expires=600&X-Amz-SignedHeaders=host&X-Amz-Signature=767656da9fe885841b806e1db3f50e1e2b983ad73e0d3114fe84a4e8b2d8ce9a" }, "status_code": 200, "success": true, "message": "Success", "message_code": "success" }

Description#

Use Cases#

Technical Implementation#

Request Headers#

Request Body#

Example Request#

Response Parameters#

Example Successful Response#

Possible Error Responses#

Integration Best Practices#

Code Samples#

Request

Responses