For banks, fintechs, and government service providers that must verify identities securely, Aadhaar Authentication, managed by the Unique Identification Authority of India (UIDAI), confirms the identity of millions of Indian residents in real time.

Over 1.4 billion Aadhaar numbers have been issued in India, and UIDAI processes over 100 crore authentication requests annually. An organization can become an AUA and connect directly, but that is a complex process. Becoming a Sub-AUA is a simpler and more practical alternative.

Why Become a Sub-AUA?

Every organization can directly integrate with UIDAI as an AUA (Authentication User Agency). Becoming a Sub-AUA offers a practical alternative. It allows businesses to access the Aadhaar Authentication service through a parent AUA/KUA.

Key Terms: AUA, KUA, Sub-AUA, Sub-KUA, ASA, CIDR

These are key terms that you must know:

  • AUA (Authentication User Agency)

An organization registered with UIDAI. It uses Aadhaar authentication services. AUAs send authentication requests to UIDAI’s Central Identities Data Repository (CIDR) via an ASA.

  • KUA (KYC User Agency)

A special type of AUA authorized to perform Aadhaar-based e-KYC (Know Your Customer). KUAs can access and share Aadhaar demographic details.

  • Sub-KUA (Sub KYC User Agency)

A Sub-KUA uses Aadhaar e-KYC services through its parent KUA, without direct integration with UIDAI.

  • ASA (Authentication Service Agency)

A UIDAI-licensed entity that provides secure connectivity between AUAs/KUAs and the CIDR.

  • CIDR (Central Identities Data Repository)

It is a central database that stores Aadhaar numbers, demographic data, and biometric data. All authentication requests are matched and verified here.

Eligibility & Responsibilities for Sub-AUA

Becoming a Sub-AUA under UIDAI requires both legal and technical eligibility. Only organizations that operate under an existing AUA/KUA can qualify. These are the mandatory responsibilities:

  • No Storage of biometric or PID Data: Sub-AUAs can’t store Aadhaar biometric information or PID blocks. All Aadhaar verification requests must securely transmit PID data to the parent AUA/KUA.
  • Use Aadhaar Only for Approved Purposes: Authentication or e-KYC services must be performed solely for legitimate purposes. Misuse of the details is a violation.
  • Staff training and Accountability: All personnel handling Aadhaar Authentication should undergo training on data security, privacy, and compliance procedures.
  • Compliance with UIDAI agreements and regulations: Sub-AUAs must comply with all clauses in the parent AUA/KUA agreement, including license key management, security policies, and reporting requirements. Non-compliance may lead to termination of Sub-AUA privileges.

Step-by-Step UIDAI AUA and Sub-AUA Process

This is the step-by-step guide you can follow:

Step 1: Application and Joint Undertaking

The parent AUA/KUA submits the Sub-AUA application form along with the Joint Undertaking to UIDAI. This application includes organization details, IT infrastructure, security measures, and parent AUA/KUA authorization.

Step 2: In-Principle Approval and Invoice

UIDAI reviews the application and issues approval if all requirements are met. At this stage, a proforma invoice for the license fee is also issued. Payment must be completed before final approval.

Step 3: Audit and Compliance Documentation

Sub-AUAs must complete mandatory audits as per UIDAI regulations. This includes submitting compliance checklists, IT security audits, and reports from STQC or CERT-IN empaneled auditors. UIDAI verifies that infrastructure, network, and staff practices comply with Aadhaar Act requirements.

Step 4: Agreement, License Key, and Sub-AUA Code Issuance

After the audit and compliance checks, UIDAI issues final approval. The parent AUA then assigns a unique Sub-AUA code and gives a license key for integration. The application must be digitally signed to confirm secure request transmission.

Step 5: Technical Integration and Pre-Production Testing

Integrate the SDK or client into your systems and perform end-to-end testing. The testing covers authentication flows, biometric or face verification, and secure communication with the parent AUA and ASA.

Step 6: Production Cutover and Periodic Audits

Once pre-production tests are approved, the Sub-AUA can go live. UIDAI mandates periodic audits, compliance updates, and continuous monitoring to confirm data security and compliance with the Aadhaar Act.

Compliance, Audits, and Security Checklist

Sub-AUAs must strictly comply with UIDAI guidelines to ensure secure and legal Aadhaar Authentication.

  • Information Security (InfoSec) Policy: A documented policy defining data security measures, encryption standards, access controls, and procedures for handling Aadhaar data.
  • STQC/CERT-IN Audit Reports: Mandatory audits by UIDAI-approved auditors to verify IT infrastructure, security practices, and compliance with Aadhaar Act provisions. Reports must be submitted to UIDAI for verification.
  • Network Segregation and Secure Connectivity: Ensure that authentication traffic is routed through secure channels. Segregate production and test environments to prevent unauthorized access or data leaks.
  • Logging and Monitoring: Maintain detailed logs of all authentication requests, system access, and security events. Continuous monitoring is required to detect anomalies or unauthorized access.
  • Digitally Signed Client / SDK: You must use UIDAI-approved, digitally signed SDKs or client software for authentication requests. This prevents tampering and ensures the integrity of transmitted data.
Common Troubleshooting

These are the troubleshooting issues you must be aware of:

  • Parent AUA not registering Sub-AUA properly: Confirm UIDAI acknowledgement of Sub-AUA onboarding before proceeding.
  • Missing Digital Signature on Client/SDK: Confirm that all binaries are digitally signed as per UIDAI’s DS-Sign requirement.
  • Audit non-compliance (e.g., storage of biometric/PID block): Do not store raw biometric data, in strict compliance with the Aadhaar Act and UIDAI security guidelines.
  • Incorrect Sub-AUA code usage in requests: Double-check request payload fields; wrong codes cause authentication failures.
  • Weak InfoSec Practices: Missing logs, unencrypted data at rest, or inadequate monitoring can lead to compliance penalties.
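
The no-storage rule for PID data and the requirement to keep detailed authentication logs pull in opposite directions. The following is an added example (not from UIDAI or the original page) of a Python logging filter that removes PID payloads and masks Aadhaar numbers before a record is written; the element names `Pid` and `Data`, the log field names and the sample line are assumptions made for illustration.

```python
import logging
import re

# Verhoeff tables (D5 multiplication and position permutation) as digit strings.
D = ["0123456789", "1234067895", "2340178956", "3401289567", "4012395678",
     "5987604321", "6598710432", "7659821043", "8765932104", "9876543210"]
P = ["0123456789", "1576283094", "5803796142", "8916043527",
     "9453126870", "4286573901", "2793806415", "7046913258"]

# Assumption: PID data travels in XML elements named Pid or Data.
PID_RE = re.compile(r"<(Pid|Data)\b[^>]*>.*?</\1\s*>", re.DOTALL)
# Twelve digits, optionally grouped 4-4-4 with spaces or hyphens.
NUM_RE = re.compile(r"(?<!\d)\d{4}[ -]?\d{4}[ -]?\d{4}(?!\d)")


def verhoeff_ok(digits: str) -> bool:
    """True when the digit string carries a valid Verhoeff check digit."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = int(D[c][int(P[i % 8][int(ch)])])
    return c == 0


def _mask(match: re.Match) -> str:
    digits = re.sub(r"\D", "", match.group())
    # Other 12-digit values (order ids etc.) fail the checksum and stay readable.
    return "XXXXXXXX" + digits[-4:] if verhoeff_ok(digits) else match.group()


def scrub(text: str) -> str:
    """Drop PID payloads and mask Aadhaar numbers, keeping the rest for audit."""
    text = PID_RE.sub(r"<\1>[REDACTED]</\1>", text)
    return NUM_RE.sub(_mask, text)


class ScrubFilter(logging.Filter):
    """Attach to every handler so only sanitised messages are persisted."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = scrub(record.getMessage()), None
        return True


# Constructed sample: fake transaction id, checksum-valid dummy number, dummy payload.
SAMPLE = ('txn=T-200000000001 uid=2000 0000 0009 sub_aua=DEMO01 '
          '<Data type="X">QUJDRA==</Data> result=ok')

if __name__ == "__main__":
    print(scrub(SAMPLE))
```

Attach the filter with `handler.addFilter(ScrubFilter())` on each handler; a stricter deployment could mask every 12-digit run instead of only checksum-valid ones.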

Conclusion

Aadhaar is the main identity used by fintechs, banks, and more. Only UIDAI and AUAs can verify Aadhaar details. Other organizations can perform verification by becoming a Sub-AUA or Sub-KUA. With these licences and approvals, businesses can perform verification seamlessly and without legal issues, provided they follow all the regulations.

FAQs

Ques: How to become an AUA?

Ans: Apply to UIDAI. Follow the security and compliance norms. Tie up with an ASA. Get authorized for Aadhaar Authentication.



Ques: What is Sub AUA?

Ans: A Sub-AUA accesses Aadhaar Authentication through a parent AUA without direct UIDAI integration.



Ques: What is the full form of AUA in Insurance?

Ans: The full form of AUA is Authentication User Agency.



Ques: What is an Aadhaar AUA License?

Ans: It’s the official UIDAI license that allows organizations to use Aadhaar authentication.



Ques: What is the difference between AUA and Sub AUA?

Ans: An AUA connects directly with UIDAI, while a Sub-AUA works with a parent AUA. It depends on the AUA license and infrastructure.

Vijay Kandari

Vijay Kandari is part of the marketing team, driving brand growth and digital campaigns. He is passionate about automation, digital transformation, and the evolving trends shaping the future of customer onboarding and verification.