> ## Documentation Index
> Fetch the complete documentation index at: https://docs.gu1.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Get KYC validation media

> Download document images, portrait, liveness video, and other assets stored for a session-based KYC validation — in the gu1 KYC API for identity verification.

## Overview

After a session-based KYC validation finishes (for example **approved**), media references appear inside **`decision`** on `GET /api/kyc/validations/:id` (document images, portrait, liveness video, nested images, etc.).

**Current format:** each reference is usually a **`kyc/...` key** (a path string). Download bytes with the media endpoint below and your API key.

**Decision shape:** feature results appear as **both** singular objects and one-element arrays (for example `id_verification` and `id_verifications[0]`). Image fields may exist on either shape; Gu1 keeps them in sync. See [KYC webhook events](/en/webhooks/events/kyc-events#decision-object-payloaddecision) for a full `decision` example.

**Older rows:** some validations still have **HTTPS URLs** in `decision` (short-lived links from the verification flow). Use those URLs directly (for example in an `<img>` or a server-side fetch) **while they remain valid**. They are **not** passed to `GET .../media?key=` — that parameter is only for `kyc/...` keys.

This page applies to **full session KYC** (`global_gueno_validation_kyc`). Face Match and ID Verification use **other** endpoints (see Face Match / ID Verification in the sidebar).

## Older Validations (HTTPS Links vs. `kyc/...` Keys)

* **No data is deleted:** existing API responses stay valid JSON; behavior depends on what each string contains.
* **Keys (`kyc/...`):** use [`GET /api/kyc/validations/:id/media`](#request) with `key` URL-encoded. Access is scoped to your organization and that validation.
* **HTTPS strings:** your app should treat them like normal temporary asset URLs until they expire. The API may replace them with `kyc/...` keys on a **later sync** with the verification provider (webhook or sync), as long as the hosted link can still be fetched.
* **If a link has already expired** before migration, that field may stay as a dead URL until a new sync supplies fresh links or Gu1 support runs an internal media repair for your organization.

## Request

### Endpoint

```
GET https://api.gu1.ai/api/kyc/validations/{validationId}/media
```

### Headers

* **`Authorization`**: `Bearer YOUR_API_KEY` (required)

### Query Parameters

| Parameter | Required | Description                                                                              |
| --------- | -------- | ---------------------------------------------------------------------------------------- |
| `key`     | Yes      | The storage key string from `decision`. **URL-encode** the value (slashes become `%2F`). |

### Permissions

Your API key must be allowed to **read KYC** (`kyc:read` when the key uses granular permissions; otherwise the key follows the owner user’s role, with legacy fallback where applicable—same as `GET /api/kyc/validations/:id`).

### Response

Raw file bytes. **`Content-Type`** reflects the asset (e.g. `image/jpeg`, `video/webm`).

## Example

```bash theme={null}
curl -sS -o portrait.jpg \
  -H "Authorization: Bearer YOUR_API_KEY" \
  "https://api.gu1.ai/api/kyc/validations/VALIDATION_UUID/media?key=kyc%2Fglobal_gueno_validation_kyc%2F..."
```

In application code, build the query with `encodeURIComponent(key)` so every `/` in the key is encoded.

<Warning>
  The `key` query parameter alone is **not** a secret and does not replace authentication. Always send **`Authorization: Bearer`**; the API checks that the object key belongs to that validation and to your organization.
</Warning>

## Related

* [Create KYC validation](/en/use-cases/kyc/create-validation) — start the flow and obtain `validationId`
* [Check validation status](/en/use-cases/kyc/check-status) — poll until `decision` is populated
