Skip to main content
Didit Raises $2M and Joins Y Combinator (W26)
Didit
Passive Liveness

Verify any face.
Without asking them to do anything.

Prove the person on camera is real and live. iBeta-certified anti-spoof — defeats deepfakes, masks, replays, and morph attacks in sub-2 seconds. Passive at $0.10, active at $0.15. 500 free/month.

Start freeRead the docs
Backed by
Y Combinator
GBTC Finance
Bondex
Crnogorski Telekom
UCSF Neuroscape
Shiply
Adelantos

Trusted by 2,000+ organizations worldwide.

iBeta-certified

Passive. Flash.
Active. All certified.

Catch 3D masks, deepfakes, replay attacks, and printed photos. iBeta-certified, sub-2-second verdict, $0.10 per check, 500 free every month.

How it works

From sign-up to verified user in four steps.

  1. Step 01

    Create the workflow

    Pick the checks you want — ID, liveness, face match, sanctions, address, age, phone, email, custom questions. Drag them into a flow in the dashboard, or post the same flow to our API. Branch on conditions, run A/B tests, no code required.

  2. Step 02

    Integrate

    Embed natively with our Web, iOS, Android, React Native, or Flutter SDK. Redirect to a hosted page. Or just send your user a link — by email, SMS, WhatsApp, anywhere. Pick what fits your stack.

  3. Step 03

    User goes through the flow

    Didit hosts the camera, the lighting cues, the mobile hand-off, and accessibility. While the user is in the flow, we score 200+ fraud signals in real time and verify every field against authoritative data sources. Result in under two seconds.

  4. Step 04

    You receive the results

    Real-time signed webhooks keep your database in sync the moment a user is approved, declined, or sent to review. Poll the API on demand. Or open the console to inspect every session, every signal, and manage cases your way.

Built for developers · Built against fraud · Open by design

Six capabilities. One feature flag. LIVENESS.

Every capability below is a toggle on the same module. No upsell tiers, no separate SKUs, no add-on calls. Switch them on per workflow in the console, or pass them inline on the standalone endpoint.
Read the docsGet an API key
01 · Methods

Passive, 3D Flash, 3D Action. Pick per risk.

Three methods on one module. Passive (one frame, zero user action) for low-friction sign-up. 3D Flash (a short light sequence captures depth from reflection) for higher-value passive flows. 3D Action & Flash (motion + flash) for regulator-sensitive markets and large-value onboarding.
02 · Certified anti-spoof

Tested against the full presentation-attack catalogue.

Independently tested and iBeta-certified — the standard NIST and the Open Identity Exchange cite. Blocks printed photos, screen replays, paper masks, silicone masks, latex masks, morph attacks, and AI-generated deepfakes. Re-tested annually as the attack catalogue grows.
03 · Sub-2-second verdict

End-to-end inference in under two seconds.

Edge-served inference. No model download, no on-device acceleration assumption, no degraded experience on entry-level Android. Passive completes in under a second on most devices. Flash adds ~600ms. Active 3D adds ~1.5s — still sub-2 end to end.
04 · Warnings

Tunable risk policy per workflow.

Seven configurable warnings — low score, possible duplicate, duplicate face, multiple faces, low face quality, low light, high light — each mapped to decline, review, or approve per application. Three auto-decline triggers (no face, attack detected, blocklisted face) stay enforced no matter what.
05 · Age estimation

One capture, two signals.

Toggle Age Estimation on a liveness workflow and the same selfie returns a liveness verdict plus an estimated age band. Built for UK Online Safety Act and EU age-gating — real-human-AND-old-enough without putting a user through ID upload. $0.10 per check.
06 · Biometric authentication

The same engine you use at sign-up. Now at every login.

Liveness is the foundation for Biometric Authentication — reuse the same anti-spoof model to verify returning users at every sensitive action: high-value transfer, password reset, large withdrawal. $0.10 per auth, drop-in for SMS 2FA, no carrier bill, no SIM-swap exposure.
Integrate

Two endpoints. Same JSON. Same price.

Create a session when you want our hosted UI to handle capture (required for active methods), or call the standalone passive endpoint when you already have the selfie. Both return the same liveness report.
POST /v3/session/Hosted UI
$ curl -X POST https://verification.didit.me/v3/session/ \
  -H "x-api-key: $DIDIT_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "workflow_id": "wf_liveness_3d",
    "vendor_data": "user-42"
  }'
201Created{ "session_url": "verify.didit.me/..." }
We host the capture UI. Required for FLASHING and ACTIVE_3D.docs →
POST /v3/passive-liveness/Server to server
$ curl -X POST https://verification.didit.me/v3/passive-liveness/ \
  -H "x-api-key: $DIDIT_API_KEY" \
  -F "image=@selfie.jpg"
200OK{ "status": "Approved", "score": 98 }
You own the capture. We return the verdict inline.docs →
Agent-ready integration

Ship Liveness in one prompt.

Paste the block below into Claude Code, Cursor, Codex, Devin, Aider, or Replit Agent. Fill in the my_stack placeholder with your framework, language, and use case. The agent provisions Didit, builds the workflow with Liveness enabled, wires the webhook, and ships.
didit-integration-prompt.md
# Didit Liveness — integrate in 5 minutes

You are integrating Didit's Liveness (presentation-attack detection) module
into <my_stack>. Follow these steps exactly. Every URL, header, and enum
value below is canonical — do not paraphrase or "improve" them.

## 1. Provision an account
- Sign up: https://business.didit.me (no credit card required).
- Or provision programmatically: POST https://apx.didit.me/auth/v2/programmatic/register/
  (returns an API key bound to the workspace + application).

## 2. Two integration paths — pick one

### Path A — Workflow Builder (hosted UI)
Best when you want Didit to handle camera, motion prompts, low-light
fallback, mobile handoff, and accessibility for you.

1. Create a workflow that contains the LIVENESS feature:
   POST https://verification.didit.me/v3/workflows/
   Authorization header:  x-api-key: <your-api-key>
   Body: workflow_label, features array with the single entry
         { feature: "LIVENESS" }   (UPPERCASE — strict enum)
   Optional config: liveness_method ("PASSIVE" | "FLASHING" | "ACTIVE_3D")
   and per-warning threshold overrides.

2. Create a verification session for an end user:
   POST https://verification.didit.me/v3/session/
   Body: workflow_id (from step 1), vendor_data (your own user id).
   Response: session_url — redirect the user to it.

3. Listen for webhook callbacks (see "Webhooks" below).

### Path B — Standalone server-to-server API
Best when you already have a selfie image (mobile SDK capture, native
onboarding app, reseller pipeline). Standalone is single-frame
PASSIVE only — for ACTIVE_3D or FLASHING you must use Path A.

POST https://verification.didit.me/v3/passive-liveness/
Content-Type: multipart/form-data
Body fields:
  - image        (required, file — single selfie)
  - vendor_data  (optional string, your user id)

Response: JSON report with liveness score, method, and warnings array.

## 3. Webhooks (Path A only — Path B returns synchronously)
- Register a webhook destination once via
  POST https://verification.didit.me/v3/webhook/destinations/
  Body: url, subscribed_events: ["session.verified", "session.review_started",
                                  "session.declined"]
- Response includes secret_shared_key — store it.
- Every webhook delivery carries an X-Signature-V2 header you MUST verify
  before trusting the payload.  HMAC-SHA256 verification MUST run against the raw body bytes (the raw payload as Didit sent it) BEFORE any JSON parsing — re-serialising the parsed body changes whitespace and key order, which invalidates the signature.Algorithm:
    1. sortKeys(payload) recursively
    2. shortenFloats (truncate trailing zeros after the decimal point)
    3. JSON.stringify the result
    4. HMAC-SHA256 with the secret_shared_key
    5. Hex-encode, compare to the X-Signature-V2 header.

## 4. Reading the report (both paths return the same shape)
The liveness object includes:
- status: "Approved" | "Declined" | "In Review" | "Not Finished"
- method: "PASSIVE" | "FLASHING" | "ACTIVE_3D"
- score: number 0-100 (normalized liveness score)
- reference_image: signed URL to the captured selfie (expires in 1 hour)
- video_url: signed URL to the capture video, present only for FLASHING
  and ACTIVE_3D (expires in 1 hour)
- age_estimation: { age, age_range } when enabled in the workflow
- warnings: Array<{ risk, log_type, short_description, long_description }>

Auto-decline risks (always enforced by Didit, not configurable):
- NO_FACE_DETECTED
- LIVENESS_FACE_ATTACK
- FACE_IN_BLOCKLIST

Configurable risks (action per workflow — Decline, Review, or Approve):
- LOW_LIVENESS_SCORE
- POSSIBLE_DUPLICATED_FACE
- DUPLICATED_FACE
- MULTIPLE_FACES_DETECTED
- LOW_FACE_QUALITY
- LOW_FACE_LUMINANCE
- HIGH_FACE_LUMINANCE

## 5. Hard rules — do not change
- Base URL for /v3/* endpoints is verification.didit.me (NOT apx.didit.me).
- Feature enum is UPPERCASE: LIVENESS, ID_VERIFICATION, FACE_MATCH, AML, IP_ANALYSIS.
- Method enum is UPPERCASE: PASSIVE, FLASHING, ACTIVE_3D.
- Auth header is x-api-key (lowercase, hyphenated).
- Webhook signature header is X-Signature-V2 (NOT X-Signature).
- Always verify webhook signatures before trusting payload data.
- Status casing matches exactly: "Approved", "Declined", "In Review",
  "Not Finished" (title-cased, space-separated).

## 6. Pricing reference (public)
- PASSIVE method: $0.10 per check (standalone or bundled)
- FLASHING / ACTIVE_3D methods: $0.15 per check
- Bundled in a full KYC workflow: $0.33 per session (includes Liveness)
- 500 free checks every month, forever, on every account.

## 7. Verify your integration
- Sandbox starts on signup at https://business.didit.me — no separate flag.
- Test images: deterministic synthetic faces returned in sandbox (Approved
  by default; trigger Declined by sending the canonical "spoof" test image).
- Switch to live: flip the application's environment toggle in console.

When in doubt: https://docs.didit.me/core-technology/liveness/overview
Need more context? See the full module docs.docs.didit.me →
Compliant by design

Open a new country in one click. We do the hard work.

We open the local subsidiaries, secure the licenses, run the penetration tests, earn the certifications, and align with every new regulation. To ship verifications in a new country, flip a toggle. 220+ countries live, audited and pen-tested every quarter — the only identity provider an EU member-state government has formally called safer than in-person verification.
Read the security & compliance dossier
EU financial sandbox
Tesoro · SEPBLAC · BdE
ISO/IEC 27001
Information security · 2026
SOC 2 · Type I
AICPA · 2026
iBeta Level 1 PAD
NIST / NIAP · 2026
GDPR
EU 2016/679
DORA
EU 2022/2554
MiCA
EU 2023/1114
AMLD6 · eIDAS 2.0
EU-aligned by design

Proof numbers

Proof numbers
  • iBeta
    Independently certified anti-spoof (presentation attack detection).
  • 0
    Liveness methods — passive, 3D flash, 3D action + flash.
  • <0s
    End-to-end inference per verification.
  • $0.00
    Per passive liveness check. 500 free every month.
Three tiers, one price list

Start free. Pay per usage. Scale to Enterprise.

500 free verifications every month, forever. Pay-as-you-go for production. Custom contracts, data residency, and SLAs (Service Level Agreements) on Enterprise.
Free

Free

$0 / month. No credit card required.

  • Free KYC bundle (ID Verification + Passive Liveness + Face Match + Device & IP Analysis) — 500 / month, every month
  • Blocklisted Users
  • Duplicate Detection
  • 200+ fraud signals on every session
  • Reusable KYC across the Didit network
  • Case Management Platform
  • Workflow Builder
  • Public docs, sandbox, SDKs, MCP (Model Context Protocol) server
  • Community support
Start free
Most popular
Pay per usage

Usage Based

Pay only for what you use. 25+ modules. Public per-module pricing, no monthly minimum fee.

  • Full KYC at $0.33 (ID + Biometric + IP / Device)
  • 10,000+ AML datasets — sanctions, PEPs, adverse media
  • 1,000+ government data sources for Database Validation
  • Transaction Monitoring at $0.02 per transaction
  • Live KYB at $2.00 per business
  • Wallet Screening at $0.15 per check
  • Whitelabel verification flow — your brand, our infrastructure
See full list of pricesStart free
Enterprise

Enterprise

Custom MSA & SLA. For large volumes and regulated programs.

  • Annual contracts
  • Custom MSA, DPA, and SLA
  • Dedicated Slack and WhatsApp channel
  • Manual reviewers on demand
  • Reseller and white-label terms
  • Exclusive features and partner integrations
  • Named CSM, security review, compliance support
Talk to us

Start free → pay only when a check runs → unlock Enterprise for a custom contract, SLA, or data residency.

FAQ

Common questions

Related

Related modules

Infrastructure for identity and fraud.

One API for KYC, KYB, Transaction Monitoring, and Wallet Screening. Integrate in 5 minutes.

Start freeTalk to us
Ask an AI to summarise this page