GET /get-candidate-background-check is the single endpoint behind the unified
candidate page at /candidate-portal/background-check/:accessId. Given only an
access code it resolves which of five states the candidate sees. This page documents those
states, the four package flows that reach them, and — the part that matters most — which
states are protected by a valid session cookie or by live eID verification.
The candidate link (and the deprecated identification / review / review-callback /
review-identity-gate links, now 301 redirects) all land on the same page. It calls the
endpoint, whose handler runs buildCandidateBackgroundCheckResultGated to derive
the state from the stored background-check status, the package's gates, and the presence of a
valid session cookie.
?token=….
Two independent gates protect candidate outcomes. Cookie gate —
buildCandidateBackgroundCheckResultGated hides a finished Flow-A outcome unless
the caller presents a valid session cookie, so holding the access-code URL alone never reveals
the result. eID gate — report-review-required demands a fresh eID
verification before the report can be viewed or approved.
| State / outcome | Valid session cookie | Live eID verification | Notes |
|---|---|---|---|
| not-found | n/a | n/a | Nothing to reveal. |
| identity-collection-required | no | not yet | The pre-verification state itself. The candidate submits their identity here (which mints the cookie). |
| report-review-required | no | required | legalChecks or OCSSD gate. Candidate re-verifies via SubmitBackgroundCheckReportReviewVerifiedIdentityHttp before seeing the report. |
| report-ready | no | no | approval-no-gate: JWT redirect to approve inside the BGC app. |
| submitted · verified | required | done earlier | Cookie-gated when status ∈ collection statuses; without a valid cookie it downgrades to identity-collection-required. Exception: a verified outcome reached from completed-ok/completed-anomalies is not gated (the candidate may never have done identity collection). |
| submitted · proceeded-unverified | required | no | Candidate declared a country instead of verifying. Cookie-gated; without it → identity-collection-required. |
| submitted · declined | required | n/a | Status candidate-declined. Cookie-gated; without it → identity-collection-required. |
| submitted · approved | no | done earlier | Flow-B terminal. Any eID gate already happened at report-review; the terminal itself is not cookie-gated. |
| submitted · report-declined | no | n/a | Flow-B terminal (status candidate-review-declined). Not cookie-gated. |