AI identity verification — document, selfie, and liveness checks plus PEP/sanctions and proof of address, integrated via hosted flow, Web SDK, or native iOS/Android SDKs.
- document + selfie KYC
- biometric liveness
- proof of address
- global IDV
- regulated fintech / crypto onboarding

`pnpm add @veriff/incontext-sdk @veriff/js-sdk`

| Variable | Scope | Description |
|---|---|---|
| VERIFF_API_KEY | Server | Veriff public API key (used in `X-AUTH-CLIENT` header). |
| VERIFF_API_SECRET | Server | Veriff shared secret used to compute the `X-HMAC-SIGNATURE` on requests and to verify webhooks. |

Use Veriff for document + selfie identity verification. Server-side, call `POST https://stationapi.veriff.com/v1/sessions` with header `X-AUTH-CLIENT: <VERIFF_API_KEY>` and an HMAC-SHA256 signature of the body in `X-HMAC-SIGNATURE` (HMAC key = `VERIFF_API_SECRET`); body contains `verification.callback`, `verification.person`, `verification.document.country`, and a unique `vendorData` (your user id). Pass the returned `verification.url` to the client and either redirect or embed via the InContext SDK (`createVeriffFrame({ url, onEvent })`). Receive results on the decision webhook (`status: approved | declined | resubmission_requested | review`) — verify the `X-HMAC-SIGNATURE` header on every webhook and only persist the decision after that check. Use the events webhook for funnel telemetry (`started`, `submitted`).

- Webhook signature is HMAC-SHA256 of the raw request body keyed with `VERIFF_API_SECRET`, hex-encoded — recomputing over a JSON-parsed-and-restringified body produces a different signature. Always sign the raw bytes.
- `resubmission_requested` decisions arrive ~5 minutes after the session for SDK flows (not immediately) — design your UX for the delay rather than polling tightly.
- Document and country coverage is broad but unevenly deep — confirm supported document types per country and configure alternates so users in unsupported corridors aren't dead-ended.
- Liveness rejection rates rise sharply on low-light or low-resolution mobile cameras — instrument retry and abandonment metrics by device class, not just country.
- Sandbox (`stationapi.veriff.com` with sandbox keys) accepts shortcut decisions via test documents — do not measure approval/fraud rates against sandbox.
- Data retention is configurable per contract — confirm the retention window for selfies and documents matches your privacy disclosures, and pull audit artifacts before expiry.
- Jurisdiction support for PEP/sanctions add-on differs from base IDV — enable explicitly and check list coverage for your regulator.
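
The raw-body webhook check described above, as an added Node.js example (not Veriff's code and not part of the original page). The function names, the secret, and the sample payload are constructed for illustration, and the payload is not Veriff's real schema.

```javascript
const crypto = require("node:crypto");

// Hex HMAC-SHA256 over the exact bytes, keyed with the shared secret.
function signBody(rawBody, secret) {
  return crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

// True only when the header equals the HMAC of the raw bytes received.
function verifyWebhook(rawBody, signatureHeader, secret) {
  if (typeof signatureHeader !== "string") return false;
  const received = signatureHeader.trim().toLowerCase();
  if (!/^[0-9a-f]{64}$/.test(received)) return false; // not a SHA-256 hex digest
  const expected = signBody(rawBody, secret);
  // Constant-time compare; both buffers are 32 bytes after the check above.
  return crypto.timingSafeEqual(Buffer.from(expected, "hex"), Buffer.from(received, "hex"));
}

// Hypothetical handler: parse and return the decision only after verification.
// Node lowercases incoming header names, hence "x-hmac-signature".
function handleDecisionWebhook(rawBody, headers, secret) {
  if (!verifyWebhook(rawBody, headers["x-hmac-signature"], secret)) {
    return { accepted: false, decision: null };
  }
  return { accepted: true, decision: JSON.parse(rawBody.toString("utf8")) };
}

// Constructed sample data: not a real key, not Veriff's real payload schema.
const SECRET = "constructed-secret-for-example";
const RAW = Buffer.from('{"status": "approved", "vendorData": "user-123"}', "utf8");
const HEADER = signBody(RAW, SECRET); // stands in for the sender's header value
// What a framework hands you if it parsed the JSON before your handler ran.
const RESTRINGIFIED = Buffer.from(JSON.stringify(JSON.parse(RAW.toString("utf8"))), "utf8");

function demo() {
  return {
    rawOk: verifyWebhook(RAW, HEADER, SECRET),
    restringifiedOk: verifyWebhook(RESTRINGIFIED, HEADER, SECRET),
    tamperedOk: verifyWebhook(Buffer.from('{"status": "declined"}'), HEADER, SECRET),
    missingHeaderOk: verifyWebhook(RAW, undefined, SECRET),
  };
}

console.log(demo());
```

In a real server, capture the body as a `Buffer` before any JSON middleware runs (in Express, `express.raw({ type: "application/json" })` on the webhook route does this).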