API Gateway Patterns for Dynamic Risk Orchestration with Didit and Kong
This post explores how combining API Gateway patterns with Kong and Didit can create robust, dynamic risk orchestration systems. Learn to implement real-time identity verification, fraud prevention, and compliance checks at the.

- Dynamic Risk Orchestration: Implementing dynamic risk orchestration at the API gateway allows real-time security adjustments based on user behavior and identity verification outcomes, reducing fraud and strengthening compliance.
- Kong as an Enforcement Point: Kong's API Gateway is the infrastructure layer that intercepts requests and applies identity and risk policies before they reach backend services.
- Didit for Intelligent Identity Verification: Didit's AI-native identity platform offers modular verification primitives such as ID Verification, Liveness, and AML Screening, enabling precise and adaptive risk assessments.
- Seamless Integration and Scalability: Combining Kong with Didit yields a scalable, flexible solution; webhooks and API calls carry identity results back to the store the gateway consults, keeping slow verification steps off the synchronous request path.
In today's digital landscape, securing APIs and protecting user data is paramount. Traditional static security measures often fall short against evolving threats. This is where dynamic risk orchestration comes into play, allowing organizations to adapt their security posture in real-time based on contextual risk factors. When combined with a powerful API Gateway like Kong and an intelligent identity verification platform like Didit, businesses can build highly resilient and adaptive security infrastructures.
The Power of API Gateways in Risk Management
An API Gateway acts as the single entry point for all client requests, providing a crucial layer for security, traffic management, and policy enforcement. Kong, a leading open-source API Gateway, offers a robust and extensible platform for managing APIs. By positioning risk orchestration logic at the gateway, organizations can:
- Intercept and Analyze Requests: Before a request even reaches your backend services, Kong can inspect headers, payloads, and other metadata to identify potential risks.
- Apply Policies Dynamically: Based on the analysis, the gateway can apply different policies—such as requiring additional authentication, blocking suspicious requests, or escalating to human review.
- Centralize Security: All security logic related to API access and user identity can be managed in one place, simplifying governance and shrinking the surface each backend service has to defend on its own.
- Reduce Backend Load: By filtering out malicious or unauthorized requests at the edge, backend services are protected from unnecessary processing, improving performance and stability.
Kong's plugin architecture makes it particularly well-suited for dynamic risk orchestration. Custom plugins can be developed to integrate with external identity and risk assessment services, or existing plugins can be configured to enforce various security policies.
Integrating Didit for Intelligent Identity Verification
While an API Gateway provides the enforcement point, it needs intelligence to make informed risk decisions. This is where Didit, an AI-native identity platform, becomes invaluable. Didit offers a suite of modular identity verification primitives that can be seamlessly integrated into your risk orchestration workflows.
Imagine a scenario where a user attempts to perform a high-value transaction. Instead of a one-size-fits-all authentication, Kong could trigger a Didit verification flow. This might involve:
- ID Verification: Using Didit's OCR, MRZ, and barcode scanning capabilities to verify the user's identity document in real-time.
- Passive & Active Liveness: Confirming the user is a real, present human and not a deepfake or spoofing attempt, crucial for fraud prevention.
- 1:1 Face Match: Comparing the user's live selfie to their ID document photo to ensure identity.
- AML Screening: Running the user's details against global watchlists and sanctions lists using Didit's AML Screening & Monitoring to ensure compliance.
Didit's modular architecture means you can pick and choose the verification steps relevant to the risk context. For example, a low-risk action might only require Phone & Email Verification, while a high-risk action demands a full ID Verification with Liveness and AML checks.
API Gateway Patterns for Dynamic Risk Orchestration
Let's explore some practical API Gateway patterns using Kong and Didit:
1. Conditional Access Pattern
In this pattern, Kong evaluates initial request parameters (e.g., IP address, device intelligence, user history) to determine a risk score. If the score exceeds a certain threshold, Kong redirects the user to a Didit verification flow. Once Didit verifies the user, it sends a webhook notification back to your system; after the webhook's signature has been checked and the result bound to the pending verification session, your system updates the user's session or profile, and Kong grants access to protected resources on the next request.
For instance, if an unusual login attempt is detected from a new device or location, Kong can trigger a Didit Passive & Active Liveness check combined with 1:1 Face Match to re-authenticate the user biometrically before granting access. This proactive approach significantly reduces account takeover fraud.
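The decision logic behind this Conditional Access pattern, as an added example that is not code from the original post, from Kong or from Didit. It stands in for the policy service a custom Kong plugin would consult on each request, and for the webhook endpoint that records Didit's result. The risk weights and thresholds, the device-id and country signals, the `vendor_data` round-trip of our challenge id, the `status` field and the HMAC-SHA256-over-raw-body signature check are all assumptions for illustration; use the header names and signing scheme from Didit's webhook documentation.

```python
"""Conditional access: score a request, step up through Didit when needed,
and only trust a signed webhook that binds back to a pending challenge.
Added example; weights, field names and signing scheme are assumptions."""
import hashlib
import hmac
import json
import time

STEP_UP_THRESHOLD = 50      # assumed thresholds; tune against your fraud data
BLOCK_THRESHOLD = 90
VERIFICATION_TTL = 15 * 60  # a passed step-up is trusted for 15 minutes

SESSIONS = {}  # user_id -> {"known_devices": set, "known_countries": set, "verified_at": float}
PENDING = {}   # challenge_id -> {"user": ..., "device": ..., "country": ...}


def _session(user_id):
    return SESSIONS.setdefault(
        user_id, {"known_devices": set(), "known_countries": set(), "verified_at": 0.0}
    )


def risk_score(user_id, device_id, country, failed_logins=0):
    """Additive score from signals a Kong plugin can see: an assumed device-id
    header, the country derived from the client IP, and a failed-login counter."""
    s = _session(user_id)
    score = 0
    if device_id not in s["known_devices"]:
        score += 40
    if country not in s["known_countries"]:
        score += 30
    score += 10 * min(failed_logins, 5)
    return score


def decide(user_id, device_id, country, failed_logins=0, now=None):
    """Gateway decision: ("allow"|"step_up"|"block", score, challenge_id).
    "step_up" means redirect to a Didit Liveness + 1:1 Face Match session; the
    challenge_id is what we would hand to Didit (assumed to come back as
    vendor_data) so the webhook can be tied to this exact user/device/country."""
    now = time.time() if now is None else now
    s = _session(user_id)
    score = risk_score(user_id, device_id, country, failed_logins)
    if score >= BLOCK_THRESHOLD:
        return "block", score, None
    recently_verified = (now - s["verified_at"]) < VERIFICATION_TTL
    if score >= STEP_UP_THRESHOLD and not recently_verified:
        challenge_id = f"{user_id}:{device_id}:{int(now)}"
        PENDING[challenge_id] = {"user": user_id, "device": device_id, "country": country}
        return "step_up", score, challenge_id
    return "allow", score, None


def sign(raw_body, secret):
    """HMAC-SHA256 over the raw body (assumed scheme, shared with the sender)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(raw_body, signature_hex, secret):
    """Constant-time comparison so a forged signature cannot be timed out."""
    return hmac.compare_digest(sign(raw_body, secret), signature_hex)


def handle_webhook(raw_body, signature_hex, secret, now=None):
    """Consume a verification-result webhook. Only a correctly signed, Approved
    result that matches a pending challenge changes state; anything else is dropped."""
    if not verify_webhook(raw_body, signature_hex, secret):
        return False                                  # forged or corrupted body
    event = json.loads(raw_body)
    challenge = PENDING.get(event.get("vendor_data"))
    if challenge is None or event.get("status") != "Approved":
        return False                                  # unknown challenge or failed check
    PENDING.pop(event["vendor_data"])
    s = _session(challenge["user"])
    s["verified_at"] = time.time() if now is None else now
    s["known_devices"].add(challenge["device"])       # device is now trusted for this user
    s["known_countries"].add(challenge["country"])
    return True


def demo():
    """Walk one login through the pattern with constructed data."""
    secret = b"constructed-webhook-secret"
    t0 = 1_700_000_000
    first = decide("alice", "dev-new", "DE", now=t0)        # new device + country -> step_up
    body = json.dumps({"status": "Approved", "vendor_data": first[2]}).encode()
    accepted = handle_webhook(body, sign(body, secret), secret, now=t0 + 30)
    second = decide("alice", "dev-new", "DE", now=t0 + 60)  # now known -> allow
    return first[0], accepted, second[0]


if __name__ == "__main__":
    print(demo())  # ('step_up', True, 'allow')
```

The two properties worth keeping when porting this into a Lua plugin are the constant-time signature comparison and the lookup of the challenge before any state changes: a webhook that does not match something the gateway itself issued must not be able to mark a session as verified.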
2. Progressive Verification Pattern
This pattern involves gradually increasing the level of identity verification as a user performs more sensitive actions. Initially, a user might only need a basic email or phone verification (using Didit's Phone & Email Verification). As they attempt actions like withdrawing funds or changing personal details, Kong can trigger additional Didit checks, such as Proof of Address or a full ID Verification.
This approach balances user experience with security, only imposing stricter verification when necessary. Didit's Age Estimation can also be integrated here for age-gated content or services, providing a privacy-preserving way to verify age without full identity disclosure unless required.
3. Real-time Compliance Enforcement
For industries with strict regulatory requirements, Kong can enforce compliance checks at the API level. For example, before processing a financial transaction, Kong can check, against the stored verification state, that the user's most recent AML Screening & Monitoring result from Didit still falls within the required freshness window. If the screening is stale, or if monitoring has since raised a hit, Kong blocks the transaction and triggers a re-screening or manual review.
This pattern ensures that compliance is not an afterthought but an integral part of every API interaction, leveraging Didit's robust compliance tools.
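The Progressive Verification and Real-time Compliance Enforcement patterns share one mechanism: a table of which checks an action requires and how old each may be. The following is an added example, not code from the original post, from Kong or from Didit, encoding that ladder (email and phone, then Proof of Address, then full ID Verification with Liveness and AML Screening) and computing what a user still owes before the gateway lets an action through. The action names, check names, maximum ages and the shape of the user's verification record are assumptions for illustration.

```python
"""Progressive verification and compliance-freshness policy for a gateway.
Added example; action/check names, ages and record shape are assumptions."""
from dataclasses import dataclass, field

DAY = 86_400

# action -> {check_name: max_age_seconds}; None means the check never expires once passed
POLICY = {
    "browse": {},
    "post_comment": {"email": None, "phone": None},
    "update_profile": {"email": None, "phone": None, "proof_of_address": 365 * DAY},
    "withdraw_funds": {
        "id_verification": 365 * DAY,
        "liveness": 30 * DAY,        # re-prove presence for money movement
        "aml_screening": 7 * DAY,    # assumed regulatory freshness window
    },
    "age_gated_content": {"age_estimation": None},
}


@dataclass
class UserRecord:
    """What the gateway's store knows about a user, fed by verification webhooks."""
    passed: dict = field(default_factory=dict)  # check_name -> unix time it last passed
    aml_result: str = "clear"                   # "clear" or "hit" from ongoing monitoring


def missing_checks(user, action, now):
    """Checks that were never passed or have aged out for this action."""
    due = []
    for check, max_age in POLICY[action].items():
        ts = user.passed.get(check)
        if ts is None or (max_age is not None and now - ts > max_age):
            due.append(check)
    return due


def authorize(user, action, now):
    """Return ("allow", []) | ("step_up", [checks to run]) |
    ("review", [reason]) | ("block", [reason]). Unknown actions fail closed."""
    if action not in POLICY:
        return "block", ["unknown action"]
    # An AML hit is not fixed by re-screening; it needs a human, regardless of age.
    if "aml_screening" in POLICY[action] and user.aml_result == "hit":
        return "review", ["aml_hit"]
    due = missing_checks(user, action, now)
    if due:
        return "step_up", due   # gateway redirects to a Didit flow with exactly these checks
    return "allow", []


def demo():
    """Constructed user: long-standing email/phone, ID verified 100 days ago,
    liveness 100 days ago, AML screened 10 days ago, no proof of address."""
    now = 1_700_000_000
    u = UserRecord(passed={
        "email": now - 400 * DAY,
        "phone": now - 400 * DAY,
        "id_verification": now - 100 * DAY,
        "liveness": now - 100 * DAY,
        "aml_screening": now - 10 * DAY,
    })
    return {action: authorize(u, action, now)
            for action in ("post_comment", "update_profile", "withdraw_funds")}


if __name__ == "__main__":
    for action, decision in demo().items():
        print(action, decision)
```

Running `demo()` lets the comment through, asks for Proof of Address before a profile update, and for a withdrawal asks only for the checks that have aged out (liveness and AML screening) rather than repeating the still-valid ID Verification; that is what keeps the step-up proportional to the action.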
How Didit Helps
Didit is uniquely positioned to facilitate dynamic risk orchestration alongside API Gateways like Kong. Our platform offers:
- Modular Architecture: Didit's composable identity primitives mean you only use what you need, allowing for tailored risk assessments. Whether it's ID Verification, Passive & Active Liveness, 1:1 Face Match, AML Screening & Monitoring, Proof of Address, or NFC Verification, you can integrate specific checks into your Kong workflows.
- AI-Native Intelligence: Our AI-powered verification processes deliver accurate and fast results, enabling real-time decision-making at the API gateway without introducing significant latency. This is critical for dynamic risk orchestration.
- Developer-First Approach: With clean APIs and comprehensive documentation, integrating Didit into your Kong plugins or custom logic is straightforward. Our instant sandbox allows for rapid prototyping and testing.
- Cost-Effective Solutions: Didit offers Free Core KYC and a pay-per-successful check model, with no setup fees, making it an accessible solution for businesses of all sizes to implement advanced risk orchestration.
- Orchestrated Workflows: Didit's no-code Business Console allows you to define complex verification workflows, which can then be triggered and managed by your API Gateway.
By leveraging Didit's capabilities, organizations can move beyond static security to implement truly adaptive and intelligent risk management strategies at the API edge, ensuring both robust security and a frictionless user experience.
Ready to Get Started?
Ready to see Didit in action? Get a free demo today.
Start verifying identities for free with Didit's free tier.