Mobile App Permissions

Hybrid Experience may begin inside your own native borrower flow, but after offer selection the borrower moves into Hosted Experience. Hosted and lender-owned pages may need device capabilities for KYC, document upload, mandates, agreements, or lender redirection.

Your mobile app should make those capabilities available to Hosted Experience and to trusted lender pages opened during the journey.

This page is stack-neutral. Map these requirements to the WebView, browser surface, or mobile app container used by your product.

Why Permissions Matter

Credit journeys can include:

  • location checks for address, eligibility, fraud, or lender policy
  • camera access for selfie capture, document capture, video KYC, or lender KYC pages
  • microphone access when a video KYC step requires audio
  • file or media upload for PAN, Aadhaar, bank statements, income documents, photographs, or lender-required proofs

These steps may be shown inside Hosted Experience, inside lender-owned pages, or inside an app-controlled external surface opened from Hosted.

If the app container does not handle permissions correctly, the same lender page may work in a normal mobile browser but fail inside your app.

Permission Layers

Mobile Hybrid integrations usually need three layers once the borrower reaches Hosted handoff:

Layer | What it means
Platform declarations | Declare the capabilities your app may request, such as camera, location, microphone, or photo/media access.
Runtime requests | Ask the borrower for permission at the moment the journey needs it.
WebView or browser-surface handling | Forward web permission requests from Hosted or lender pages to the native permission model, then grant or deny safely.

The third layer is commonly missed. A web page inside your app cannot always access camera, location, microphone, or file upload unless the parent app handles the request.

  • Do not request every permission at app launch.
  • Explain why the permission is needed before asking.
  • Request the permission close to the step that needs it.
  • Grant web permissions only for trusted Hosted and lender domains.
  • Deny permission requests from unknown or untrusted domains.
  • Provide a clear retry path when the borrower denies permission.
  • Provide an app-settings path when the borrower has permanently denied permission.
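
The allowlist decision the third layer has to make, shown as an added example in JavaScript (it is not Aarthik Labs code, and the page itself is stack-neutral). The hostnames, capability names, and the `decideWebPermission` helper are hypothetical; wire its result into whatever permission callback your container exposes.

```javascript
// Added example: hosts, capability names and function names are hypothetical.
// Exact host -> capabilities that host may ever receive (constructed values).
const TRUSTED_ORIGINS = new Map([
  ["hosted.example.com", new Set(["camera", "location", "file"])],
  ["kyc.lender.example", new Set(["camera", "microphone"])],
]);

// Decide what to do with a web permission request raised by a page in the
// app container.
//   pageUrl       - URL of the page raising the request
//   requested     - capability names the page asked for
//   nativeGranted - Set of capabilities the borrower already granted the app
// Returns which capabilities to grant to the page now, which need a native
// runtime prompt first, and which to deny.
function decideWebPermission(pageUrl, requested, nativeGranted) {
  const denyAll = { grant: [], promptNative: [], deny: [...requested] };
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return denyAll; // unparseable origin is never trusted
  }
  // Only HTTPS on the default port counts as the trusted origin.
  if (url.protocol !== "https:" || url.port !== "") return denyAll;
  // Compare the parsed hostname exactly. Substring or suffix checks on the raw
  // string would accept hosted.example.com.untrusted.test or a URL that hides
  // the real host behind a userinfo part (https://trusted@other-host/).
  const allowed = TRUSTED_ORIGINS.get(url.hostname);
  if (!allowed) return denyAll;

  const result = { grant: [], promptNative: [], deny: [] };
  for (const cap of requested) {
    if (!allowed.has(cap)) result.deny.push(cap); // not approved for this host
    else if (nativeGranted.has(cap)) result.grant.push(cap);
    else result.promptNative.push(cap); // ask the borrower in context first
  }
  return result;
}
```

Capabilities returned in `promptNative` go through the runtime request layer first; grant them to the page only after the borrower accepts, and route a denial to the retry or app-settings path.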

Capability Guide

Capability | Why it may be needed | App responsibility
Location | Address verification, eligibility, fraud checks, or lender policy checks. | Declare foreground location access, check whether location services are enabled, request while-in-use permission, and handle approximate location where applicable.
Camera | Selfie capture, document capture, KYC, or video KYC. | Declare camera access, request it in context, and grant browser-surface camera requests only for trusted journey or lender pages.
Microphone | Video KYC or audio-enabled verification. | Declare microphone access only if required, request it in context, and grant it only to trusted pages.
File or media upload | Documents, photos, statements, or lender-required proofs. | Use system pickers or scoped media/file access where possible. Avoid broad storage access unless there is a separately approved need.

Runtime Flow

Use this borrower flow:

WebView Or Browser-Surface Handling

Your app container should behave like a mobile browser for Hosted and lender pages.

Your implementation should support:

  • JavaScript
  • DOM storage
  • cookies and session storage needed by Hosted and lender pages
  • window.open and target-blank navigation
  • child window or popup creation
  • closing a child surface when the lender page requests close
  • camera, microphone, location, and file-upload permission prompts
  • returning to the parent Hosted surface after external steps
  • approved Hosted and lender domains

If one of these is missing, KYC, e-mandate, loan agreement, document upload, or lender redirection steps may fail inside the app even if they work in a normal browser.

Account Aggregator URLs

Some Hybrid journeys may return an Account Aggregator URL before offers are ready. Open this URL in a trusted browser or app-controlled surface that can preserve session state and return the borrower to your product.

Do not attach the Aarthik Labs API key to this URL. The API key remains server-side.

After the borrower completes or exits AA consent, continue polling the Hybrid offers endpoint from your back-end.

Testing Checklist

Before launch, test the mobile journey for:

  • Account Aggregator opening and return behavior
  • Hosted handoff after offer selection
  • camera access for KYC and document capture
  • location access where required by the lender or product path
  • file and photo upload flows
  • external lender steps opened through the bridge
  • returning from external lender pages into Hosted Experience
  • denied permission and retry behavior
  • borrower exit behavior from Hosted