Skip to main content
Didit Raises $2M and Joins Y Combinator (W26)
Didit
Selfie-only re-auth

Sign the user back in. With one selfie.

Drop in a sub-2-second face match for returning users. Skip the password reset. Skip the SMS delay. Skip the magic-link bounce. $0.10 per re-auth, 500 verifications free every month.

Start freeRead the docs
Backed by
Y Combinator
GBTC Finance
Bondex
Crnogorski Telekom
UCSF Neuroscape
Shiply
Adelantos

Trusted by 2,000+ organizations worldwide.

Dark cinematic selfie-only re-auth stack — four floating translucent glass panels in 3D perspective on pure black, threaded by a luminous Didit Blue line and framed by glowing scanner brackets. Each panel carries a small pale-white motif representing a circular refresh loop, a binding line between two dots, a clock face, and a continuity ring.

Passwordless · phishing-resistant

Stop losing returning users at sign-in. Two seconds. They're back.

Password resets drop ~30% of returning users; Short Message Service (SMS) codes can take up to 90 seconds. A selfie against the user's enrolled portrait completes in roughly two seconds — drop-in callback contract for any existing OAuth / OpenID Connect flow. $0.10 per re-auth. 500 verifications free every month.

How it works

From sign-up to verified user in four steps.

  1. Step 01

    Create the workflow

    Pick the checks you want — ID, liveness, face match, sanctions, address, age, phone, email, custom questions. Drag them into a flow in the dashboard, or post the same flow to our API. Branch on conditions, run A/B tests, no code required.

  2. Step 02

    Integrate

    Embed natively with our Web, iOS, Android, React Native, or Flutter SDK. Redirect to a hosted page. Or just send your user a link — by email, SMS, WhatsApp, anywhere. Pick what fits your stack.

  3. Step 03

    User goes through the flow

    Didit hosts the camera, the lighting cues, the mobile hand-off, and accessibility. While the user is in the flow, we score 200+ fraud signals in real time and verify every field against authoritative data sources. Result in under two seconds.

  4. Step 04

    You receive the results

    Real-time signed webhooks keep your database in sync the moment a user is approved, declined, or sent to review. Poll the API on demand. Or open the console to inspect every session, every signal, and manage cases your way.

Replace password · Skip SMS · Drop magic link

Six capabilities. $0.10 per re-auth.

One Sessions API call, one signed verdict, drop-in callback contract. Pair with Device & IP Analysis to skip the selfie entirely on known-good sessions.
Read the docsGet an API key
01 · Tap-to-sign-in flow

One tap. One selfie. Back in.

Open a Sessions API call, redirect the user to the hosted Uniform Resource Locator (URL), capture one passive frame. Liveness + Face Match 1:1 + the signed webhook return inside the same two seconds. No app install, no Software Development Kit (SDK), no carrier path.
Biometric Authentication module
02 · vs password / SMS / magic link

Lower friction. No phishing. Cheaper than SMS.

Passwords get phished, forgotten, and reset (a $1-$3 support ticket each time). Short Message Service (SMS) one-time-password is phishable, carrier-dependent, and SIM-swap-vulnerable. Magic links bounce in spam filters. A selfie against the enrolled portrait is phishing-resistant, instant, and flat-priced.
Method matrix
03 · Conversion uplift

Stop losing returning users at the door.

Password resets typically drop ~30% of returning users mid-flow; SMS codes can take 5-90 seconds end-to-end. A selfie re-auth completes in roughly two seconds, with no message to wait for and nothing to remember. Net: a measurable lift in returning-user sign-in conversion.
Returning-user benchmarks
04 · Reusable across surfaces

Enrol once. Every Didit-powered app, free.

Bind a Reusable Credential to every enrolled user. The next Didit-powered surface that needs the same re-auth consumes the credential at zero cost. The user holds the proof; your application verifies the signature. Network effect compounds across every customer that ships Reusable Credentials.
Reusable KYC module
05 · Adaptive step-up

Skip the selfie on known device + known IP.

Pair with Device & IP Analysis (bundled into the 200+ fraud-signal stack). A returning user on a known device and known Internet Protocol (IP) skips the selfie entirely. Brand-new device or new IP triggers passive; Tor / Virtual Private Network (VPN) exit on a brand-new device escalates to Active 3D. Same flow, smart triggers.
Device & IP Analysis module
06 · Public pricing

$0.10 per re-auth. Flat. Worldwide.

Public price, no minimum, no contract. United States Tier-1 SMS one-time-password costs $0.05-$0.30 per send and you pay even when the user never receives the code. A password reset costs $1-$3 per support ticket. A selfie re-auth is a flat $0.10 with 500 verifications free every month, forever.
See pricing
Integrate

One session. One callback. Mint a token.

Open a biometric authentication session, capture the selfie in the hosted UI, verify the signed verdict, sign the user in.
POST /v3/session/Re-auth
$ curl -X POST https://verification.didit.me/v3/session/ \
  -H "x-api-key: $DIDIT_API_KEY" \
  -d '{
    "workflow_id": "wf_reauth",
    "workflow_type": "biometric_authentication",
    "vendor_data": "user-42",
    // base64 enrolment selfie, ≤ 1MB (omit for liveness-only)
    "portrait_image": "/9j/4AAQSkZJRgABAQE..."
  }'
201Created{ "session_url": "verify.didit.me/..." }
Hosted UI runs LIVENESS + FACE_MATCH against the supplied portrait_image.docs →
GET /v3/session/{sessionId}/decision/Verdict
$ curl https://verification.didit.me/v3/session/<id>/decision/ \
  -H "x-api-key: $DIDIT_API_KEY"

# Returns the re-auth verdict
{
  "status": "Approved",
  "face": { "similarity_score": 0.96 }
}
200OKstatus Approved · In Review · Declined · Not Finished
Verify X-Signature-V2 on the signed webhook first.docs →
Agent-ready integration

Replace password / SMS / magic link in one prompt.

Paste into Claude Code, Cursor, Codex, Devin, Aider, or Replit Agent. Fill in your stack. The agent provisions Didit, swaps the existing returning-user callback, and ships in a weekend.
didit-integration-prompt.md
You are integrating Didit&apos;s selfie-only re-authentication into <my_stack>. Replace password, SMS one-time-password, or magic-link on returning-user surfaces with a sub-2-second face match against the enrolled portrait. Phishing-resistant, no carrier dependency, no SIM-swap surface, no email-delivery delay.

  1. Enrol the user&apos;s portrait ONCE at sign-up (standard Know Your Customer (KYC) session).
  2. On every returning-user sign-in, open a re-auth session that runs Passive Liveness + Face Match 1:1 against the stored portrait. ~2 seconds end-to-end.

Pricing (public):
  - Selfie re-auth: $0.10 per authentication (Sessions API)
  - First 500 verifications free every month, forever

PRE-REQUISITES
  - Production API key from https://business.didit.me (sandbox key in 60s, no card).
  - Webhook endpoint with Hash-based Message Authentication Code (HMAC) SHA-256 verification using the X-Signature-V2 header.
  - The user has previously enrolled via a Didit KYC session (the portrait captured during the liveness step is stored automatically, bound to vendor_data).
  - A workflow_id from the Workflow Builder. The workflow MUST contain LIVENESS, and the session is opened with workflow_type = "biometric_authentication".

STEP 1 — Open a re-auth session

  POST https://verification.didit.me/v3/session/
  Headers:
    x-api-key: <your api key>
    Content-Type: application/json
  Body:
    {
      "workflow_id": "<your biometric_authentication workflow>",
      "workflow_type": "biometric_authentication",
      "vendor_data": "<the same user id used at enrolment>",
      "callback": "https://<your-app>/reauth/callback",
      "metadata": {
        "purpose": "returning_user_signin",
        "device_id": "<optional, your device fingerprint>",
        "from_ip": "<optional, the request IP>"
      },
      "portrait_image": "<base64 JPEG of the user's enrolment selfie, ≤ 1 MB — REQUIRED when the workflow has FACE_MATCH active; OMIT for liveness-only mode>"
    }

  Response: 201 Created with the hosted session_url. Redirect the user. The hosted UI opens the front camera, captures one passive frame, runs Liveness + Face Match 1:1 against the user&apos;s enrolled portrait, returns the verdict in sub-2-seconds.

STEP 2 — Read the signed verdict on the webhook

  Body (excerpted for a passing re-auth):
    {
      "session_id": "<uuid>",
      "vendor_data": "<your user id>",
      "status": "Approved",
      "liveness": {
        "status": "Approved",
        "method": "PASSIVE",
        "score": 96
      },
      "face": {
        "status": "Approved",
        "similarity_score": 0.96
      }
    }

  Verify X-Signature-V2 BEFORE trusting the body — HMAC SHA-256 of the raw bytes with your webhook secret.

  Session status enum (exact case): Approved | Declined | In Review | Resubmitted | Expired | Not Finished | Kyc Expired | Abandoned.

STEP 3 — Branch your sign-in logic on the verdict

  Approved      → mint your session token, sign the user in.
  Declined      → block sign-in; fall back to a higher-friction recovery (support contact / full KYC re-do).
  In Review     → hold; route to your operations queue.
  Not Finished  → user abandoned the capture; safe to re-prompt or fall back to a backup factor.

STEP 4 — Adaptive step-up (recommended)

  Pair the selfie with Device & IP Analysis (bundled into the 200+ fraud-signal stack at no extra cost). Adaptive rules to consider:

    Known device + known Internet Protocol (IP)  → skip the selfie, mint a session token.
    Known device + new IP                         → run the selfie (passive).
    New device + new IP                           → run the selfie (passive).
    Tor / Virtual Private Network (VPN) exit +
      new device                                  → escalate to ACTIVE_3D method (motion challenge).

  Implement the branching in your application or in the Workflow Builder via per-session overrides.

CONSTRAINTS
  - Base URL for /v3/* endpoints is verification.didit.me (NOT apx.didit.me).
  - Feature enum is UPPERCASE: LIVENESS, FACE_MATCH, IP_ANALYSIS, ID_VERIFICATION, AML, AGE_ESTIMATION.
  - Method enum is UPPERCASE: PASSIVE, FLASHING, ACTIVE_3D.
  - Auth header is x-api-key (lowercase, hyphenated).
  - Webhook signature header is X-Signature-V2 (NOT X-Signature).
  - Status casing matches exactly: Approved, Declined, In Review, Expired, Not Finished, Resubmitted, Kyc Expired, Abandoned.
  - The face template is irreversible (a one-way hash). The user can request deletion via the standard data-subject-request path.

PRO TIPS
  - Bind a Reusable Credential to each enrolled user. The next Didit-powered surface that needs the same gate consumes the credential at zero cost.
  - Keep a fallback factor (password, magic link, support recovery) for users who cannot complete the selfie — accessibility, device camera failure, religious head covering, etc.

Read the docs:
  - https://docs.didit.me/core-technology/biometric-auth/overview
  - https://docs.didit.me/sessions-api/create-session
  - https://docs.didit.me/integration/webhooks

Start free at https://business.didit.me — sandbox key in 60 seconds, 500 verifications free every month, no credit card.
Need more context? See the full module docs.docs.didit.me →
Compliant by design

Open a new country in one click. We do the hard work.

We open the local subsidiaries, secure the licenses, run the penetration tests, earn the certifications, and align with every new regulation. To ship verifications in a new country, flip a toggle. 220+ countries live, audited and pen-tested every quarter — the only identity provider an EU member-state government has formally called safer than in-person verification.
Read the security & compliance dossier
EU financial sandbox
Tesoro · SEPBLAC · BdE
ISO/IEC 27001
Information security · 2026
SOC 2 · Type I
AICPA · 2026
iBeta Level 1 PAD
NIST / NIAP · 2026
GDPR
EU 2016/679
DORA
EU 2022/2554
MiCA
EU 2023/1114
AMLD6 · eIDAS 2.0
EU-aligned by design

Proof numbers

Proof numbers
  • ~2s
    End-to-end re-auth — selfie capture to signed verdict on entry-level Android.
  • $0.00
    Per re-auth, flat. Below US SMS one-time-password and the $1+ password-reset support ticket.
  • 0
    Passwords to phish, codes to phish, SIMs to swap, links to bounce.
  • 0
    Free verifications every month, forever.
Three tiers, one price list

Start free. Pay per usage. Scale to Enterprise.

500 free verifications every month, forever. Pay-as-you-go for production. Custom contracts, data residency, and SLAs (Service Level Agreements) on Enterprise.
Free

Free

$0 / month. No credit card required.

  • Free KYC bundle (ID Verification + Passive Liveness + Face Match + Device & IP Analysis) — 500 / month, every month
  • Blocklisted Users
  • Duplicate Detection
  • 200+ fraud signals on every session
  • Reusable KYC across the Didit network
  • Case Management Platform
  • Workflow Builder
  • Public docs, sandbox, SDKs, MCP (Model Context Protocol) server
  • Community support
Start free
Most popular
Pay per usage

Usage Based

Pay only for what you use. 25+ modules. Public per-module pricing, no monthly minimum fee.

  • Full KYC at $0.33 (ID + Biometric + IP / Device)
  • 10,000+ AML datasets — sanctions, PEPs, adverse media
  • 1,000+ government data sources for Database Validation
  • Transaction Monitoring at $0.02 per transaction
  • Live KYB at $2.00 per business
  • Wallet Screening at $0.15 per check
  • Whitelabel verification flow — your brand, our infrastructure
See full list of pricesStart free
Enterprise

Enterprise

Custom MSA & SLA. For large volumes and regulated programs.

  • Annual contracts
  • Custom MSA, DPA, and SLA
  • Dedicated Slack and WhatsApp channel
  • Manual reviewers on demand
  • Reseller and white-label terms
  • Exclusive features and partner integrations
  • Named CSM, security review, compliance support
Talk to us

Start free → pay only when a check runs → unlock Enterprise for a custom contract, SLA, or data residency.

FAQ

Common questions

Related

Related modules + workflows

Infrastructure for identity and fraud.

One API for KYC, KYB, Transaction Monitoring, and Wallet Screening. Integrate in 5 minutes.

Start freeTalk to us
Ask an AI to summarise this page