Didit is **infrastructure for identity and fraud** — the platform we wished existed when we were building products ourselves: **open, flexible, and developer-friendly**, so it works as a real part of your stack instead of a black box you integrate around. One API covers verifying people (**KYC**, *know your customer*), verifying businesses (**KYB**, *know your business*), screening crypto wallets (**KYT**, *know your transaction*), and monitoring transactions in real time — on a stack built to be: - **Fast** — sub-2-second p99 on every session - **Reliable** — in production with **1,500+ companies** across **220+ countries** - **Secure** — SOC 2 Type 1, ISO 27001, GDPR-native, and formally attested by Spain's financial regulator as safer than verifying someone in person The footprint underneath: **14,000+ document types** in **48+ languages**, **1,000+ data sources**, and **200+ fraud signals** on every session. The Didit infrastructure dynamically learns from every session and gets better every day.

How fast can I ship a verification flow end-to-end?

Fast. You can create an account in **under a minute**, get a free sandbox, and start testing the platform right away — no sales call, no contract, no minimums. If you're an engineer, the **SDKs** for Web, iOS, Android, React Native, and Flutter let you drop a verification flow into your app over a weekend. Most teams reach production in a **few days**, with **p99 inference under 2 seconds** on every session. If you'd rather have your AI coding agent build it (Claude Code, Cursor, Codex, etc.), our **MCP server** can scaffold the whole integration end-to-end — sign up, keys, workflow, and webhook listener — without you opening the console.

Can I run KYC, KYB, AML, and transaction monitoring in one workflow?

Yes — everything runs on one API and one visual workflow builder. From the same console you can: - Verify a person (**KYC**) with documents + selfie + liveness in one bundle for **$0.33** - Verify a business (**KYB**) — Didit automatically runs a KYC on every Ultimate Beneficial Owner - Monitor transactions in real time and auto-trigger a re-verification when something looks risky - Screen crypto wallets at **$0.15 per check** — or bring your own screening provider and run it inside Didit Everything shares the same audit log and the same webhooks. You don't need a second vendor for any of it.

How does Didit catch deepfakes, face swaps, and AI-generated documents?

Every session runs **200+ fraud signals** in real time. The ones people ask about most: - **Liveness** — proves the person is real and present (not a photo, video replay, or AI-generated face). iBeta Level 1 certified. - **Face matching** — checks the selfie matches the document, and catches face-morph attacks. - **Document tampering** — flags edits, splices, and AI-generated documents. - **AML + sanctions + PEP screening** — checked against **1,300+ lists** in the same call. - **IP + device intelligence** — network, fingerprint, and behavioural heuristics. The reason we stay ahead of new attacks: we run **automated monitoring + retraining loops on autopilot**. Every new attack pattern we see gets folded back into the models continuously — your defences improve without you having to migrate or upgrade anything.

Is Didit actually compliant for regulated industries?

Yes — and we can prove it on paper. We're the only identity-verification platform an EU national government has formally said is **safer than meeting someone in person**. Spain's **Tesoro**, the **Banco de España**, and **SEPBLAC** reviewed our architecture and the maths. The full report is public. Certifications: - **SOC 2 Type 1** - **ISO/IEC 27001** - **iBeta Level 1** (anti-spoofing) - **GDPR-native**, with **EU data residency** by default We're also aligned with AMLD6, MiCA, eIDAS 2.0, and DORA. Every certificate and audit report lives on our security page — request the Trust Pack and we send it back in one PDF.

What does it cost, and what happens at scale?

Everything is publicly priced — no quote form, no minimum. The headline numbers: - **Full KYC bundle: $0.33** (ID + liveness + face match + IP) - **Wallet screening: $0.15 per check** — or bring your own screening provider and run it inside Didit - **Live KYB: $2.00 per business** - **Ongoing AML monitoring: $0.07 per user, per year** - **500 verifications free every month, forever** — no credit card If you go past the free tier, volume discounts kick in automatically. Enterprise adds a custom contract, SLA, data-residency choice, and a dedicated Slack + WhatsApp channel.

Can my AI agent integrate Didit without me in the loop?

Yes — we built Didit for both humans and AI agents. Our **MCP server** (Model Context Protocol) is live and plugs straight into modern AI coding tools. Your agent can sign up, generate API keys, design a workflow, run test sessions, listen for webhooks, and check the results — all without you opening the console. We've tested the full integration with **Claude Code, Codex, Cursor, Devin, Aider, and Replit Agent**. Each one of them completes the integration end-to-end. The canonical agent prompt is paste-ready on the `/developers` page.

Identity infrastructure

Infrastructure for
identity and fraud.

With one open API, integrate any identity and fraud flow — across users, businesses, and transactions. Ship in 5 minutes, or one prompt with your coding agent.

Start free Read the docs

Backed by

didit/live/workflows/kyc-onboarding-v3Copy linkv3Saved 2m ago

AMJ

$0.45/ sessionPublished

Start

Beginning of your workflow.

Step

ID Verification$0.15

Step

Liveness$0.10

Step

AML Screening$0.20

Outcome

Session approved

100%

Beginning of your workflow
0
Start
Step
1
ID Verification$0.15
Step
2
Passive Liveness$0.10
Step
3
AML Screening$0.20
Status
Session approved

Trusted by 2,000+ organizations worldwide.

One platform. Authenticate. Verify. Monitor.

Build, deploy, and monitor identity + fraud workflows on a single API. Pre-built modules or compose your own — from biometric auth to real-time transaction monitoring.

See user verification Start building

Authenticate

Confirm a user is real and present right now. Biometric auth, passive liveness, age estimation, IP and device intel, plus phone and email OTP (one-time passcode) for step-up.

Verify

One-time KYC (Know Your Customer), KYB (Know Your Business), AML (Anti-Money Laundering), and document checks for every individual and every business. 220+ countries, 14,000+ documents, 10,000+ AML datasets, 1,000+ government and bureau data sources.

Monitor

Real-time transaction monitoring, ongoing AML, and crypto wallet screening. An AI tunes your rules and workflows as patterns change. Post-onboarding risk that never sleeps.

For developers · For AI agents · Open by design

Built for developers and AI agents.

One Application Programming Interface (API) for identity and fraud. Public docs, public pricing, instant sandbox, Model Context Protocol (MCP) server, and Software Development Kits (SDKs) for every stack. Developers ship in an afternoon; AI agents ship in one prompt over MCP.

Read the docs Get an API key

01 · One API

One API for identity and fraud.

One Application Programming Interface (API) covers every identity and fraud check — Know Your Customer (KYC), Know Your Business (KYB), Anti-Money Laundering (AML), transaction monitoring, biometric matching. Same key, same workflow engine, chainable in a single session — no extra integration work between products.

Read the API docs

POSThttps://verification.didit.me/v3/session/

curl

$ curl -X POST /v3/session/ \
  -H "x-api-key: $DIDIT_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "workflow_id": "3daf4c64-...",
    "vendor_data": "u_42",
    "callback": "https://acme.com/webhook"
  }'

201Created

{ "session_id": "4c5c7f3a-...", "url": "verify.didit.me/..." }

02 · Agent-native

Integrate in a single prompt.

Our Model Context Protocol (MCP) server is live and the agent skills are published. Ask Claude Code, Codex, or Cursor to integrate Didit — the agent creates the workspace, configures the workflow, and ships the first API call on its own. No dashboard, no human, no support ticket.

Read the integration prompt

promptdidit-integration.md

# Integrate Didit into my application

You are integrating Didit — infrastructure for identity and fraud — into my application end-to-end. Didit ships KYC, KYB, AML screening, biometric verification, transaction monitoring, and wallet screening behind one API. 220+ countries, 14,000+ document types, 48+ languages. Pay-per-call from $0.33, 500 free verifications per core feature per month, no minimums, no contract.

## My application context

<my_stack>
Stack: [framework + language — e.g. Next.js 15 + TypeScript, Django, Rails, Go]
Surface: [web | iOS | Android | React Native | Flutter | backend-only]
Use case: [KYC at signup | KYB at business onboarding | age gate | re-auth | transaction monitoring | other]
Database: [Postgres | MySQL | Mongo | other]
</my_stack>

## Step 1 — Create the Didit account programmatically

Two API calls. No browser. No 2FA. Returns an `api_key` you use for every subsequent request.

```bash
# 1) Register — creates org + app + emails a 6-character code
curl -X POST https://apx.didit.me/auth/v2/programmatic/register/   -H "Content-Type: application/json"   -d '{"email": "dev@example.com", "password": "StrongP@ss1"}'

# 2) Verify email with the code from the inbox — returns api_key
curl -X POST https://apx.didit.me/auth/v2/programmatic/verify-email/   -H "Content-Type: application/json"   -d '{"email": "dev@example.com", "code": "A3K9F2"}'
# Response.application.api_key — save this
```

Persist the returned `api_key` as the env var `DIDIT_API_KEY`. Auth header for every Didit call:
`x-api-key: $DIDIT_API_KEY`

## Base URLs

| Surface | Base URL |
|---|---|
| Every `/v3/...` endpoint (sessions, workflows, lists, billing, webhook destinations, entities, transactions, standalone APIs) | `https://verification.didit.me` |
| Auth / programmatic registration (`/auth/v2/programmatic/...`) | `https://apx.didit.me` |
| Console (human UI) | `https://business.didit.me` |
| Hosted verification URL handed to end users | `https://verify.didit.me` |
| Docs (cross-check anything) | `https://docs.didit.me` |
| OpenAPI spec (machine-readable, server is `https://verification.didit.me`) | `https://docs.didit.me/openapi-25.json` |

## Step 2 — Choose the integration approach

Pick exactly one, based on my use case:

- **Approach A — Sessions API + SDK (recommended for any end-user verification flow).** My backend creates a Didit session → my frontend opens the Didit-hosted verification UI (via SDK / iframe / redirect) → user completes verification → my backend receives a webhook with the decision. Best for KYC at signup, KYB at business onboarding, age verification, re-auth. Didit-hosted flows are A/B-tested and convert higher than custom UIs.
- **Approach B — Standalone APIs (server-to-server only).** My backend calls individual modules directly (`/v3/id-verification/`, `/v3/aml/`, `/v3/face-match/`, etc.) for batch jobs or fully custom UI. Best for back-office verification pipelines.

If unsure, default to Approach A.

## Step 3 — Create or reuse a workflow

A workflow defines which modules run during a session. Create one via API (or `https://business.didit.me` → Workflows → Create).

```bash
# List existing workflows
curl https://verification.didit.me/v3/workflows/   -H "x-api-key: $DIDIT_API_KEY"

# Create a new KYC workflow — features are UPPERCASE enum values, each an object with optional `config`
curl -X POST https://verification.didit.me/v3/workflows/   -H "x-api-key: $DIDIT_API_KEY"   -H "Content-Type: application/json"   -d '{
    "workflow_label": "Standard KYC",
    "features": [
      { "feature": "OCR" },
      { "feature": "LIVENESS", "config": { "face_liveness_method": "PASSIVE" } },
      { "feature": "FACE_MATCH" },
      { "feature": "IP_ANALYSIS" }
    ]
  }'
# Response.uuid — save as DIDIT_WORKFLOW_ID
```

Feature enum values (UPPERCASE, source: `management-api/workflows/feature-configs.mdx`):
- **KYC features:** `OCR`, `NFC`, `LIVENESS`, `FACE_MATCH`, `AGE_ESTIMATION`, `PHONE_VERIFICATION`, `EMAIL_VERIFICATION`, `DATABASE_VALIDATION`, `AML`, `IP_ANALYSIS`, `PROOF_OF_ADDRESS`, `QUESTIONNAIRE`.
- **KYB features:** `KYB_REGISTRY`, `KYB_DOCUMENTS`, `KYB_KEY_PEOPLE` (each plus AML / DATABASE_VALIDATION as needed).

For a KYB workflow set `"workflow_type": "kyb"` (default is KYC). A workflow is locked to its type at creation; create separate workflows per kind.

## Step 4 — Install the SDK that matches my stack

| Stack | Package | Install |
|---|---|---|
| Web (React, Vue, Next.js, Nuxt, Svelte, vanilla JS) | `@didit-protocol/sdk-web` | `npm install @didit-protocol/sdk-web` |
| iOS (Swift / SwiftUI) | `didit-sdk-ios` | SPM: `https://github.com/didit-protocol/didit-sdk-ios` |
| Android (Kotlin / Jetpack Compose) | `me.didit:didit-sdk` | Maven |
| React Native (Expo or bare) | `@didit-protocol/sdk-react-native` | `npm install @didit-protocol/sdk-react-native` |
| Flutter | `didit_sdk` | `flutter pub add didit_sdk` |
| Backend-only / batch / custom UI | none — call REST directly | — |

Always prefer native iOS / Android SDKs over WebView on mobile (NFC + camera + biometrics work natively).

## Step 5 — Create a session and present it to the user

**Backend creates the session:**

```bash
curl -X POST https://verification.didit.me/v3/session/   -H "x-api-key: $DIDIT_API_KEY"   -H "Content-Type: application/json"   -d '{
    "workflow_id": "'"$DIDIT_WORKFLOW_ID"'",
    "vendor_data": "internal-user-id",
    "callback": "https://myapp.com/done"
  }'
```

Response (201 Created):
```json
{
  "session_id": "4c5c7f3a-...",
  "session_token": "eyJ...",
  "url": "https://verify.didit.me/session/...",
  "status": "Not Started",
  "session_kind": "user",
  "workflow_id": "...",
  "vendor_data": "internal-user-id"
}
```

`vendor_data` is **my internal user ID** — Didit links the session to a User entity (auto-created if new). For KYB workflows it links to a Business entity.

Optional create-session field: `callback_method` (`"initiator"` | `"completer"` | `"both"`, default `"initiator"`) — controls which side of a cross-device flow receives the `callback` redirect. Useful when the verification opens on a phone after a desktop start.

**Frontend presents the verification (pick one):**

| Pattern | Code |
|---|---|
| Web JS SDK (modal) | `import { DiditSdk } from "@didit-protocol/sdk-web"; DiditSdk.shared.startVerification({ url })` |
| Iframe (embedded) | `<iframe src={url} allow="camera; microphone; fullscreen; autoplay; encrypted-media" />` |
| Redirect (cross-device) | `window.location.href = url` |
| iOS / Android / RN / Flutter | `DiditSdk.startVerification(token: session_token)` |

## Step 6 — Set up the webhook to receive results

Build `POST /api/webhooks/didit` in my backend.

**Register the webhook destination once:**

```bash
curl -X POST https://verification.didit.me/v3/webhook/destinations/   -H "x-api-key: $DIDIT_API_KEY"   -H "Content-Type: application/json"   -d '{
    "url": "https://myapp.com/api/webhooks/didit",
    "label": "production",
    "subscribed_events": ["status.updated", "data.updated"]
  }'
```

Response includes `secret_shared_key` — save as `DIDIT_WEBHOOK_SECRET`.

**Cloudflare / restrictive firewall users:** allowlist `18.203.201.92` — Didit webhooks egress from this single IP.

**Three signature headers** ship on every webhook. Verify **one** — `X-Signature-V2` is recommended because it survives JSON middleware re-encoding:

| Header | What it signs | When to use |
|---|---|---|
| `X-Signature-V2` ★ recommended | `JSON.stringify(sortKeys(shortenFloats(parsed_body)))` with unescaped Unicode | Default — works through Express / Django / FastAPI / Next.js body parsers |
| `X-Signature` | The raw request bytes verbatim | Only if you can guarantee no middleware re-encodes the body |
| `X-Signature-Simple` | `"{timestamp}:{session_id}:{status}:{webhook_type}"` | Fallback when nothing else works — does NOT verify the `decision` payload, so only use as a hint |

**Endpoint requirements (in order):**

1. Parse JSON (V2 is parser-tolerant; you can use any framework's default body parser).
2. Read headers: `X-Signature-V2` (HMAC-SHA256 hex), `X-Timestamp` (Unix seconds).
3. Reject if `abs(now - X-Timestamp) > 300` (replay protection).
4. Apply `shortenFloats` (whole-number floats → integers), then `sortKeys` (recursive lexicographic), then `JSON.stringify` (unescaped Unicode — default).
5. Compute `expected = HMAC-SHA256(DIDIT_WEBHOOK_SECRET, canonical_json, "utf8")`.
6. Compare with `X-Signature-V2` using constant-time comparison (`hmac.compare_digest` in Python, `crypto.timingSafeEqual` in Node).
7. Dispatch on `webhook_type`. Return `200` immediately even if processing is async — Didit retries 5xx/404 twice (~1 min, ~4 min).

**Node.js / Next.js App Router example (canonical V2):**

```ts
import crypto from "node:crypto";

// Server-side normalisation: convert whole-number floats to integers.
function shortenFloats(v: unknown): unknown {
  if (Array.isArray(v)) return v.map(shortenFloats);
  if (v && typeof v === "object") {
    return Object.fromEntries(
      Object.entries(v as Record<string, unknown>).map(([k, x]) => [k, shortenFloats(x)])
    );
  }
  if (typeof v === "number" && !Number.isInteger(v) && v % 1 === 0) return Math.trunc(v);
  return v;
}

// Recursively sort object keys (arrays preserved in order).
function sortKeys(v: unknown): unknown {
  if (Array.isArray(v)) return v.map(sortKeys);
  if (v && typeof v === "object") {
    return Object.keys(v as object)
      .sort()
      .reduce<Record<string, unknown>>((acc, k) => {
        acc[k] = sortKeys((v as Record<string, unknown>)[k]);
        return acc;
      }, {});
  }
  return v;
}

export async function POST(req: Request) {
  const raw = await req.text();
  const sig = req.headers.get("x-signature-v2") ?? "";
  const ts = Number(req.headers.get("x-timestamp"));
  if (!ts || Math.abs(Date.now() / 1000 - ts) > 300)
    return new Response("stale", { status: 401 });

  const parsed = JSON.parse(raw);
  const canonical = JSON.stringify(sortKeys(shortenFloats(parsed)));
  const expected = crypto
    .createHmac("sha256", process.env.DIDIT_WEBHOOK_SECRET!)
    .update(canonical, "utf8")
    .digest("hex");
  if (
    sig.length !== expected.length ||
    !crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(sig))
  )
    return new Response("bad sig", { status: 401 });

  // parsed.webhook_type → dispatch …
  return new Response("ok");
}
```

**Webhook event types:** `status.updated`, `data.updated`, `user.status.updated`, `user.data.updated`, `business.status.updated`, `business.data.updated`, `activity.created`, `transaction.created`, `transaction.status.updated`.

**Webhook body shape:**
```json
{
  "session_id": "uuid",
  "status": "Not Started | In Progress | Awaiting User | In Review | Approved | Declined | Resubmitted | Abandoned | Expired | Kyc Expired",
  "webhook_type": "status.updated",
  "timestamp": 1627680000,
  "workflow_id": "uuid",
  "vendor_data": "internal-user-id",
  "metadata": { "any": "json" },
  "decision": { /* present when Approved / Declined / In Review; absent on Expired / Abandoned / Not Started */ }
}
```

The `decision` object holds per-module **plural arrays** (V3 schema — each entry keyed by its `node_id` in the workflow):
- `id_verifications[]`: first_name, last_name, document_type, document_number, date_of_birth, nationality, expiration_date, issuing_state, address, parsed_address, mrz, front_image_quality_score, back_image_quality_score, warnings[]
- `nfc_verifications[]`: status, document_type, mrz, signature_status, chip_data
- `liveness_checks[]`: status, score (0–1), method ("passive" | "active"), reference_image
- `face_matches[]`: status, score (0–100), source_image, target_image, warnings[]
- `phone_verifications[]`: status, phone_number, carrier, is_disposable, is_virtual
- `email_verifications[]`: status, email, is_breached, is_disposable, is_undeliverable, breaches[]
- `poa_verifications[]`: status, document_type, issuer, poa_address, poa_parsed_address, issue_date, expiration_date
- `aml_screenings[]`: status, total_hits, hits[] (pep_matches, sanction_matches, warning_matches, adverse_media_matches), entity_type ("person" | "company")
- `ip_analyses[]`: status, ip_address, country, vpn, proxy, tor, hosting, risk_score
- `database_validations[]`: status, provider, match_type, fields_matched
- `questionnaire_responses`: nullable object keyed by question_id → answer

V2 → V3 migration note: V2 used singular keys (`aml`, `phone`, `email`, `poa`). V3 renamed them to plural arrays so a single workflow can run the same module multiple times on different nodes — index by `node_id`.

## Step 7 — Apply the decision to my database

```ts
switch (event.status) {
  case "Approved":       user.verified = true; user.verifiedAt = new Date(); storeDecision(event.decision); break;
  case "Declined":       user.verificationStatus = "declined"; logWarnings(event.decision); break;
  case "In Review":      user.verificationStatus = "pending_review"; break;
  case "In Progress":    user.verificationStatus = "in_progress"; break;
  case "Awaiting User":  user.verificationStatus = "awaiting_user"; break; // KYB only — waiting for a UBO / officer KYC sub-session
  case "Resubmitted":    user.verificationStatus = "resubmitted"; break; // reviewer asked the user to retry
  case "Abandoned":      scheduleReminderEmail(user); break;
  case "Expired":        break; // session URL aged out before the user finished
  case "Kyc Expired":    user.verified = false; createNewSession(user); break; // verified user's KYC has aged out per retention policy
  case "Not Started":    break;
}
```

Idempotency:
- Session webhooks: dedupe on `session_id + webhook_type + timestamp`.
- Transaction webhooks (`transaction.created`, `transaction.status.updated`): dedupe on the `event_id` field — multiple events can target the same transaction.

Didit retries 5xx/404 twice (~1 min, ~4 min after the prior failure). Return 200 even if processing is async.

## Module catalogue (use whichever ones match my use case)

| Module | Endpoint | Price | Free tier |
|---|---|---|---|
| Core KYC bundle (ID + Liveness + Face Match + IP) | session w/ workflow | **$0.33** | 500/mo (per feature) |
| ID Verification (standalone) | `POST /v3/id-verification/` | $0.20 | 500/mo |
| Passive Liveness (standalone) | `POST /v3/passive-liveness/` | $0.05 | 500/mo |
| Active Liveness | session-only | $0.15 | — |
| Face Match 1:1 | `POST /v3/face-match/` | $0.05 | 500/mo |
| Face Search 1:N | `POST /v3/face-search/` | $0.05 | — |
| Age Estimation | `POST /v3/age-estimation/` | $0.10 | — |
| AML Screening | `POST /v3/aml/` | $0.20 | — |
| Ongoing AML Monitoring | org-level continuous (per active user/yr) | $0.07 / user / year | — |
| Database Validation (gov registries) | `POST /v3/database-validation/` | variable | — |
| Proof of Address | `POST /v3/poa/` | $0.20 | — |
| Email Verification | `POST /v3/email/send/` + `POST /v3/email/check/` | $0.03 | — |
| Phone Verification (SMS / WhatsApp / voice / RCS / Telegram) | `POST /v3/phone/send/` + `POST /v3/phone/check/` | $0.04 + carrier | — |
| NFC Verification (native SDKs only) | session module | $0.15 | — |
| Biometric Authentication (re-auth) | session module | $0.10 | — |
| Device & IP Analysis | session module | $0.03 | — |
| Custom Questionnaire | session module | $0.10 | — |
| Business Verification (KYB) | `POST /v3/session/` w/ KYB workflow | $2.00 | — |
| Company AML Screening | KYB module | $0.20 | — |
| Person AML (per UBO / officer) | KYB module | $0.20 | — |
| Transaction Screening (rule engine) | `POST /v3/transactions/` | $0.02 / tx | — |
| AML Transaction Screening (counterparty sanctions + on-chain wallet risk) | inside `/v3/transactions/` | $0.15 / tx | — |
| Reusable KYC (share verified user across partners) | session feature | Free | — |
| White Label | workflow option | $0.20 | — |

## Operational APIs your code should know

| Action | Endpoint |
|---|---|
| Read full decision JSON | `GET /v3/session/{id}/decision/` |
| List sessions (filter by status, workflow, vendor_data, date) | `GET /v3/sessions` |
| Manually approve / decline / request review | `PATCH /v3/session/{id}/update-status/` |
| Patch metadata or extracted data | `PATCH /v3/session/{id}/update-data/` |
| Download compliance PDF | `GET /v3/session/{id}/generate-pdf` |
| Delete a session (GDPR / cleanup) | `DELETE /v3/session/{id}/delete/` |
| Share session with a partner (Reusable KYC) | `POST /v3/session/{id}/share/` |
| Submit a transaction for monitoring | `POST /v3/transactions/` |
| List / create lists (blocklist, allowlist, custom) | `GET/POST /v3/lists/` |
| Add entry to a list | `POST /v3/lists/{id}/entries/` |
| Upload a face image to a blocklist | `POST /v3/lists/{id}/entries/face-upload/` |
| Check credit balance | `GET /v3/billing/balance/` |
| Top up credits (returns Stripe checkout URL) | `POST /v3/billing/top-up/` |
| List / update / delete vendor users | `GET/PATCH /v3/users/`, `/v3/users/{vendor_data}/` |
| List / update / delete vendor businesses | `GET/PATCH /v3/businesses/` |

Every `/v3/...` endpoint above is served from `https://verification.didit.me` (the canonical OpenAPI server) and authenticates with `x-api-key`. Auth/registration is the only surface on `https://apx.didit.me`.

## Best-practice checklist before you mark this done

- [ ] `DIDIT_API_KEY`, `DIDIT_WORKFLOW_ID`, `DIDIT_WEBHOOK_SECRET` in env. Never committed.
- [ ] Backend route that creates a session for a given user, returns `url` (the hosted verification URL on `verify.didit.me`) and the `session_id`.
- [ ] Frontend that opens the session `url` via the right SDK / iframe / redirect for my stack.
- [ ] Webhook endpoint with: `X-Timestamp` freshness check (≤ 300s), canonical-V2 JSON re-serialisation (`shortenFloats` → `sortKeys` → unescaped `JSON.stringify`) HMAC-SHA256, constant-time compare against `X-Signature-V2`, dispatch on `webhook_type`, return 200.
- [ ] DB schema + update logic for `status in (Not Started, In Progress, Awaiting User, In Review, Approved, Declined, Resubmitted, Abandoned, Expired, Kyc Expired)`.
- [ ] Idempotent webhook handler (dedupe on `session_id + webhook_type`).
- [ ] No API key shipped to the browser. The session creation is server-side only.
- [ ] User-facing consent / disclosure shown BEFORE the session `url` opens (Didit handles biometric consent inside its flow but the legal layer outside is the integrator's responsibility).
- [ ] (Optional) `/v3/session/{id}/generate-pdf` surfaced in compliance UI.

## When you need more detail

- API root: `https://verification.didit.me/v3/` (everything `/v3/`). Auth only: `https://apx.didit.me/auth/v2/programmatic/register/`.
- Sessions overview: `https://docs.didit.me/sessions-api/overview`
- Standalone APIs index: `https://docs.didit.me/standalone-apis/id-verification`
- Programmatic registration: `https://docs.didit.me/integration/programmatic-registration`
- AI agent / MCP integration: `https://docs.didit.me/integration/ai-agent-integration`
- Webhooks reference: `https://docs.didit.me/integration/webhooks`
- SDKs overview: `https://docs.didit.me/integration/sdks`
- Full OpenAPI 3 spec: `https://docs.didit.me/openapi-25.json`
- MCP server config (drop into `.cursor/mcp.json`, `claude_desktop_config.json`, or equivalent):

```json
{
  "mcpServers": {
    "didit": {
      "command": "npx",
      "args": ["@didit-protocol/mcp-server"],
      "env": { "DIDIT_API_KEY": "your_api_key" }
    }
  }
}
```

The MCP server exposes 40+ tools spanning auth, sessions, workflows, questionnaires, users, billing, blocklist, and every standalone API — see `https://docs.didit.me/integration/ai-agent-integration` for the full tool catalogue.

Now build the integration. If anything in `## My application context` is missing, ask once at the top of your reply, then ship the complete change set: env vars wired, backend route, frontend SDK call, webhook endpoint with signature verification, decision-handling DB logic, and idempotent dedupe. Use my stack's idioms (`fetch` / `axios` / `requests` / `okhttp`), keep the API key server-side only, and follow the verification status state machine above.

Paste in Claude Code, Codex, or Cursor · ships the full integration

03 · Modular

Any flow. Any country. Any use case.

Compose any flow from 25+ modules, 1,000+ government data sources, 220+ countries, 14,000+ document types, and 48+ languages. The same orchestrator runs biometric auth, KYC for a neobank, KYB for a B2B fintech, Travel Rule for a crypto exchange, or ongoing AML for a marketplace — you pick the checks and the order.

See every module

Workflowkyc-onboarding-v3

220+ countries

ID Verification
Passive Liveness
Face Match 1:1
AML Screening
Device & IP Analysis
Proof of Address
NFC Reading
Phone Verification
Wallet Screening
Custom Questionnaire

+ 15 more modules · 1,000+ data sources$0.33/session

04 · Self-serve

No paywall. No sales call. Go play with it.

The sandbox is open from minute one. Docs and API are public, with no demo gate between you and the code. Sign up, grab a key, ship the same day. Our sales team is around when you want them — never as a gate.

Try the sandbox

Production API key

Live

didit_sk_live_8f4c2a…9bf3

Issued just now — no card, no contract, no call.

No minimum
No contract
500 free / mo
Open sandbox

05 · Usage-based

Pay for what you use. That's it.

Didit is 3–5× cheaper than incumbent KYC vendors, with every price public on /pricing — $0.33 full KYC bundle, $0.15 wallet screening, $0.03 Device & IP analysis, 500 verifications free every month. No minimums, no annual contracts, no overage surprises — the price on the page is the price on the invoice.

See every price

Public price list

/pricing

ID Verification$0.15
Passive Liveness$0.10
Face Match 1:1$0.05
AML Screening$0.20
Device & IP Analysis$0.03
Wallet Screening (KYT)$0.15

Full KYC bundle$0.33

500 free / month · no minimum · no annual contract.

06 · Open infra

Open API. Build on top.

Every endpoint is open and documented — change a session's status, blocklist a face, download a decision PDF, edit a workflow, or query the event log. Webhooks are signed with Hash-based Message Authentication Code (HMAC), so you can prove every event came from us. Didit is infrastructure, not a closed app.

Browse the API

REST · OpenAPI 3

docs.didit.me

POST/v3/session/
GET/v3/session/{id}/decision/
PATCH/v3/session/{id}/update-status/
GET/v3/session/{id}/generate-pdf
POST/v3/lists/{id}/entries/face-upload/
POST/v3/transactions/

Every endpoint open · every webhook HMAC-signed.

07 · SDKs

SDKs for every platform.

A Software Development Kit (SDK) for every stack — Web, iOS, Android, React Native, Flutter. On the backend, a REST API, signed webhooks, an OpenAPI 3 spec, and ready-made Zapier, Shopify, and Salesforce integrations. Every surface ships with samples, types, and a 5-minute getting-started.

Browse the SDKs

Webv1.4.0iOSv3.0.1Androidv2.6.2

React Nativev1.8.0Flutterv1.3.4

08 · Scale-optimized infra

The fastest verifications on the market.

99% of verifications finish in under 2 seconds, end-to-end — measured in production, not claimed in a deck. We target a 99.99% Service-Level Agreement (SLA), held 100% uptime over the last 12 months, and have never been breached. Tuned for every device and network — iPhone, Android, desktop, tablet, 5G or 2G — and already running millions of verifications a month.

See live status

End-to-end latency · 30d

99.99% SLA

p500.82s
p951.42s
p991.89s

Fastest verifications in market · iPhone, Android, desktop, tablet, 5G or 2G.

Compliant by design

Open a new country in one click. We do the hard work.

We open the local subsidiaries, secure the licenses, run the penetration tests, earn the certifications, and align with every new regulation. To ship verifications in a new country, flip a toggle. 220+ countries live, audited and pen-tested every quarter — the only identity provider an EU member-state government has formally called safer than in-person verification.

Read the security & compliance dossier

EU financial sandbox

Tesoro · SEPBLAC · BdE

ISO/IEC 27001

Information security · 2026

SOC 2 · Type I

AICPA · 2026

iBeta Level 1 PAD

NIST / NIAP · 2026

GDPR

EU 2016/679

DORA

EU 2022/2554

MiCA

EU 2023/1114

AMLD6 · eIDAS 2.0

EU-aligned by design

Trusted infrastructure

0%
Uptime in the last 12 months — SLO measured.
0
Breaches since day one. Zero compromised credentials.
Millions
Humans verified every month.
0+
Countries and territories covered out of the box.

Three tiers, one price list

Start free. Pay per usage. Scale to Enterprise.

500 free verifications every month, forever. Pay-as-you-go for production. Custom contracts, data residency, and SLAs (Service Level Agreements) on Enterprise.

Free

$0 / month. No credit card required.

Free KYC bundle (ID Verification + Passive Liveness + Face Match + Device & IP Analysis) — 500 / month, every month
Blocklisted Users
Duplicate Detection
200+ fraud signals on every session
Reusable KYC across the Didit network
Case Management Platform
Workflow Builder
Public docs, sandbox, SDKs, MCP (Model Context Protocol) server
Community support

Start free

Usage Based

Pay only for what you use. 25+ modules. Public per-module pricing, no monthly minimum fee.

Full KYC at $0.33 (ID + Biometric + IP / Device)
10,000+ AML datasets — sanctions, PEPs, adverse media
1,000+ government data sources for Database Validation
Transaction Monitoring at $0.02 per transaction
Live KYB at $2.00 per business
Wallet Screening at $0.15 per check
Whitelabel verification flow — your brand, our infrastructure

See full list of prices Start free

Enterprise

Custom MSA & SLA. For large volumes and regulated programs.

Annual contracts
Custom MSA, DPA, and SLA
Dedicated Slack and WhatsApp channel
Manual reviewers on demand
Reseller and white-label terms
Exclusive features and partner integrations
Named CSM, security review, compliance support

Talk to us

Start free → pay only when a check runs → unlock Enterprise for a custom contract, SLA, or data residency.

FAQ

Common questions