Documentation

Developer overview

Verifi360 provides APIs and SDKs to embed KYC verification, document intelligence, and sanctions screening into your applications.

What the APIs do

Create verification sessions, accept document and selfie uploads, run liveness, poll status, configure webhooks, and manage tenant settings.

Who should use them

Fintech, marketplaces, HR platforms, and regulated businesses building customer onboarding or periodic re-verification.

Integration types

Hosted verification links, embedded SDK flows, direct REST from any backend, and dashboard APIs for operations teams.

Enterprise use cases

High-volume onboarding, multi-region deployments, custom retention, URIM screening, and audit-ready decision exports.

Two auth modes

KYC integrations use API keys (x-publishable-key / x-api-key). Dashboard features (credits, URIM, hosted links, settings) use your logged-in Bearer JWT.

Quick start

Integrate in six steps from account creation to production.

  1. Create account

     Sign up in the Verifi360 dashboard.

  2. Get API keys

     Dashboard → API Keys (publishable + secret).

  3. Use SDK or REST

     Build with @verifyx/kyc-sdk (packages/sdk) or HTTP.

  4. Start a session

     POST /kyc/start with the secret key from your server.

  5. Complete flow

     Upload documents/selfie/liveness; poll GET /kyc/status/:sessionId.

  6. Webhooks

     Set webhookUrl and webhookSecret in tenant settings (dashboard).

First API call — create session
import { init, startSession } from '@verifyx/kyc-sdk';

init({
  baseUrl: 'https://www.verifi360.com/api',
  secretKey: process.env.VERIFI360_SECRET_KEY!,
});

const session = await startSession({
  docTypes: ['passport'],
  requireSelfie: true,
});

console.log(session.sessionId, session.clientToken);

SDK

In-repo TypeScript SDK and direct REST.

@verifyx/kyc-sdk

Stable

TypeScript/JavaScript SDK shipped in this repository (packages/sdk). Node 18+ and browser.

v0.1.1

Install
npm run build:sdk (monorepo). Package name: @verifyx/kyc-sdk

REST API

Stable

HTTP integration using x-api-key or x-publishable-key headers.

Install
curl, fetch, or any HTTP client

API authentication

Secure every request with the right credential type.

API keys

x-publishable-key for uploads and status. x-api-key (secret) for POST /kyc/start, extract, and rotate-keys.

Bearer tokens

Dashboard JWT for end-user management, credits, analytics, and hosted links. Not for public KYC session creation.

Request headers

Include Content-Type, x-api-key or Authorization, and for signed routes: x-timestamp and x-signature.

Environment variables

Store VERIFI360_SECRET_KEY and VERIFI360_WEBHOOK_SECRET in your secrets manager — never commit to source control.

Signed request example

cURL with signing headers
curl -X POST https://www.verifi360.com/api/kyc/start \
  -H "Content-Type: application/json" \
  -H "x-api-key: YOUR_SECRET_KEY" \
  -H "x-timestamp: $(date +%s)000" \
  -H "x-signature: YOUR_HMAC_HEX" \
  -d '{"docTypes":["passport"],"requireSelfie":true}'

Production security guidelines

  • Rotate keys after sandbox testing and on a scheduled cadence.
  • Restrict secret keys to server environments with egress controls.
  • Validate webhook timestamps and signatures on every delivery.
  • Use HTTPS only for webhook endpoints and hosted callbacks.

API reference

Base URL: https://www.verifi360.com/api

KYC (API keys)

Verification session lifecycle. Requires tenant API keys.

POST https://www.verifi360.com/api/kyc/start

Start session

Creates a session. Secret key only. Consumes one credit when successful.

Auth: x-api-key (secret). HMAC (x-timestamp, x-signature) when enabled.

Parameter | Type | Description
docTypes | string[] | passport, id_card, driving_license, driver_license, auto
requireSelfie | boolean | Default true
requireLiveness | boolean | Default false
metadata | object | Optional metadata (may include endUser)

Request
{
  "docTypes": ["passport"],
  "requireSelfie": true,
  "requireLiveness": false
}

Response
{
  "sessionId": "...",
  "clientToken": "...",
  "stepsRequired": { "doc": true, "selfie": true, "liveness": false },
  "expiresAt": "..."
}

POST https://www.verifi360.com/api/kyc/upload

Upload document

Multipart upload of ID image (JPEG/PNG, max 10 MB).

Auth: x-publishable-key or x-api-key

Parameter | Type | Description
sessionId* | string | Session ID
docType* | string | Document type
side* | string | front or back
document* | file | Image file

POST https://www.verifi360.com/api/kyc/upload-url

Get signed upload URL

Returns a presigned S3 URL for direct client upload.

Auth: x-publishable-key or x-api-key

POST https://www.verifi360.com/api/kyc/upload/confirm

Confirm upload

Confirms a completed presigned upload.

Auth: x-publishable-key or x-api-key

POST https://www.verifi360.com/api/kyc/selfie

Upload selfie

Multipart selfie upload for the session.

Auth: x-publishable-key or x-api-key

POST https://www.verifi360.com/api/kyc/liveness

Liveness check

Submit liveness data for the session.

Auth: x-publishable-key or x-api-key

POST https://www.verifi360.com/api/kyc/extract

Extract document text

OCR / field extraction from uploaded documents.

Auth: x-api-key (secret)

GET https://www.verifi360.com/api/kyc/status/:sessionId

Session status

Returns status, steps, decision, and signed artifact URLs when available.

Auth: x-publishable-key or x-api-key

Response
{
  "sessionId": "...",
  "status": "completed",
  "steps": { "doc": {}, "selfie": {}, "liveness": {} },
  "decision": {},
  "expiresAt": "..."
}

Tenant (API key)

Server-side tenant operations with API keys.

POST https://www.verifi360.com/api/tenant/:tenantId/rotate-keys

Rotate API keys

Rotates publishable and secret keys.

Auth: x-api-key (secret). HMAC when signing enabled.

Tenant (dashboard JWT)

Logged-in dashboard routes. Authorization: Bearer <JWT>.

PATCH https://www.verifi360.com/api/tenant/:tenantId/settings

Update tenant settings

Webhook URL, webhook secret, rateLimitPerMinute, retention, etc.

Auth: Bearer JWT (dashboard)

Parameter | Type | Description
webhookUrl | string | HTTPS webhook endpoint
webhookSecret | string | Webhook HMAC secret
rateLimitPerMinute | number | Default 300 if unset

POST https://www.verifi360.com/api/enduser

Create end user

Creates a customer record for hosted verification.

Auth: Bearer JWT (dashboard)

POST https://www.verifi360.com/api/tenant/:tenantId/urim/searches/batch

URIM batch screening

Batch upload (CSV/XLSX) or JSON subjects array (max 500).

Auth: Bearer JWT (dashboard)

GET https://www.verifi360.com/api/credits/balance

Credit balance

Current verification credit balance.

Auth: Bearer JWT (dashboard)

POST https://www.verifi360.com/api/credits/checkout

Buy credits

Creates a Stripe checkout session for credits.

Auth: Bearer JWT (dashboard)

GET https://www.verifi360.com/api/analytics/usage

Usage analytics

Tenant usage metrics for the dashboard.

Auth: Bearer JWT (dashboard)

Webhooks

Receive real-time verification lifecycle events at your HTTPS endpoint.

Setup

Set webhookUrl and webhookSecret via PATCH /tenant/{tenantId}/settings or the dashboard. Respond with 2xx within 10 seconds.

Event types

  • VERIFICATION_STARTED
  • DOC_UPLOADED
  • SELFIE_UPLOADED
  • LIVENESS_COMPLETED
  • VERIFICATION_COMPLETED
  • VERIFICATION_FAILED
  • RETRY_REQUIRED
  • EXPIRED

Retry logic

Up to 5 delivery attempts with exponential backoff. Use X-Webhook-Event-Id for idempotency.

Signature verification

Verify X-Webhook-Signature
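import crypto from 'crypto';

function verifyWebhook(rawBody: string, timestamp: string, signature: string, secret: string) {
  const expected = crypto.createHmac('sha256', secret).update(timestamp + '\n' + rawBody).digest('hex');
  const expectedBuf = Buffer.from(expected);
  const signatureBuf = Buffer.from(signature);
  // timingSafeEqual throws when the lengths differ, so reject a wrong-length signature first.
  return expectedBuf.length === signatureBuf.length && crypto.timingSafeEqual(expectedBuf, signatureBuf);
}
// Headers from Verifi360: X-Webhook-Timestamp, X-Webhook-Signature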
Example payload (VERIFICATION_STARTED)
{
  "sessionId": "...",
  "status": "collecting"
}
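
An added example, not Verifi360's own code: a receiver-side decision function that combines the signature check above with timestamp freshness and X-Webhook-Event-Id de-duplication. The 5-minute tolerance, the epoch-millisecond timestamp unit, the in-memory Set, and the names sign and handleDelivery are assumptions.

```javascript
const crypto = require('node:crypto');

const TOLERANCE_MS = 5 * 60 * 1000; // assumption: accept deliveries up to 5 minutes old
const seenEventIds = new Set();     // in production: a shared store with expiry

// HMAC-SHA256 over timestamp + '\n' + rawBody, hex-encoded (format from the page).
function sign(rawBody, timestamp, secret) {
  return crypto.createHmac('sha256', secret).update(timestamp + '\n' + rawBody).digest('hex');
}

// Decide how to answer one delivery. `headers` uses lower-case keys, as Node provides.
function handleDelivery(headers, rawBody, secret, nowMs = Date.now()) {
  const timestamp = headers['x-webhook-timestamp'];
  const signature = headers['x-webhook-signature'];
  const eventId = headers['x-webhook-event-id'];
  if (!timestamp || !signature || !eventId) return { status: 400, reason: 'missing-header' };

  // Authenticate the raw bytes first; compare in constant time, lengths checked up front.
  const expected = Buffer.from(sign(rawBody, timestamp, secret));
  const given = Buffer.from(String(signature));
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { status: 401, reason: 'bad-signature' };
  }

  // The timestamp is inside the HMAC, so a captured delivery cannot be re-dated.
  const sentMs = Number(timestamp); // assumption: epoch milliseconds
  if (!Number.isFinite(sentMs) || Math.abs(nowMs - sentMs) > TOLERANCE_MS) {
    return { status: 401, reason: 'stale-timestamp' };
  }

  // A repeated event id is acknowledged with 2xx but not processed a second time.
  if (seenEventIds.has(eventId)) return { status: 200, reason: 'duplicate' };
  let event;
  try { event = JSON.parse(rawBody); } catch { return { status: 400, reason: 'bad-json' }; }
  seenEventIds.add(eventId);
  return { status: 200, reason: 'processed', sessionId: event.sessionId };
}

// Constructed sample delivery (not real Verifi360 traffic).
const demoSecret = 'constructed-webhook-secret';
const demoBody = JSON.stringify({ sessionId: 'sess_constructed', status: 'collecting' });
const demoTs = String(Date.now());
const demoHeaders = {
  'x-webhook-timestamp': demoTs,
  'x-webhook-signature': sign(demoBody, demoTs, demoSecret),
  'x-webhook-event-id': 'evt_constructed_1',
};
console.log(handleDelivery(demoHeaders, demoBody, demoSecret));
console.log(handleDelivery(demoHeaders, demoBody, demoSecret)); // duplicate
```

Pass the request body exactly as received (before any JSON parsing or re-serialization), since the HMAC covers the raw bytes.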

Rate limits & usage

Setting | Value
Default per-tenant limit | 300 requests / minute
Configurable | tenant.settings.rateLimitPerMinute (dashboard)
Scope | Per API key, 60-second window

Error codes

Code | Meaning
401 | Missing or invalid API key
403 | Suspended tenant, policy block, or insufficient credits
429 | Rate limit exceeded (see resetAt in response)
400 | Validation error
500 | Server error

On 429, back off until resetAt. On 5xx, retry with backoff.

Security

API keys

Separate publishable and secret keys; optional key rotation via POST /tenant/:tenantId/rotate-keys.

Request signing

HMAC-SHA256 on secret-key requests when enabled (x-timestamp + x-signature).

Webhooks

HMAC-signed outbound events with delivery retries (max 5 attempts).

Rate limiting

Per-tenant, per-key limit (default 300/minute).

Audit logs

Server-side audit log entries for sensitive actions (e.g. status reads).

Upload limits

JPEG/PNG only; 10 MB max per upload.

FAQ

x-publishable-key: client uploads and status. x-api-key (secret): start session, extract, rotate keys. Starting a session requires the secret key.

Support & resources