Blog · March 6, 2026

Securing API Gateway KYC Routing with Kong and Didit

Discover how to implement robust Know Your Customer (KYC) verification directly within your API gateway using Kong and Didit. This guide covers leveraging custom plugins for dynamic routing, enhancing security, and ensuring.

By Didit

Dynamic KYC Routing
Implement intelligent, real-time routing of API requests based on user verification status or risk profiles using Kong's powerful plugin architecture.

Enhanced Security and Compliance
Integrate advanced identity verification directly into your API gateway, significantly bolstering security against fraud and ensuring adherence to regulatory requirements like AML.

Streamlined Developer Experience
Utilize Didit's developer-first APIs and modular design to easily embed comprehensive KYC checks without complex backend overhauls.

Didit's AI-Native Advantage
Didit provides a modular, AI-native platform with Free Core KYC, enabling flexible and scalable identity verification solutions that seamlessly integrate with Kong.

The Critical Role of API Gateways in Modern KYC

In today's digital landscape, API gateways serve as the crucial entry point for all digital interactions. They are not just traffic managers but strategic control points for security, performance, and compliance. For businesses needing to perform Know Your Customer (KYC) checks, integrating identity verification directly into the API gateway layer offers unparalleled advantages. This approach allows for real-time decision-making, dynamic routing, and a more secure, compliant ecosystem.

Imagine a scenario where a user attempts to access a high-value API. Instead of simply authenticating their session, the API gateway can intelligently determine if a full KYC check is required based on predefined rules, IP analysis, or even previous interaction history. If a check is needed, the request can be routed to a dedicated KYC service, like Didit, which then handles the verification process and returns a result to the gateway. This dynamic routing ensures that only verified and compliant users gain access, while unverified users are guided through the necessary steps.

Leveraging Kong for Intelligent KYC Routing

Kong Gateway, with its robust plugin architecture, is an ideal platform for implementing such intelligent KYC routing. Kong allows developers to extend its functionality through custom plugins, enabling sophisticated logic to be executed at various points in the request/response lifecycle. For KYC, this means you can:

  • Inspect Incoming Requests: Analyze headers, body, and other request parameters to determine the user's verification status or risk level.
  • Conditional Routing: Based on the inspection, route the request to different upstream services. For example, a user attempting a sensitive transaction might be routed to a Didit verification workflow, while a low-risk action proceeds directly.
  • Inject Verification Data: Add KYC-related data to the request headers for upstream services to consume, ensuring they have the necessary context.
  • Enforce Policies: Block or throttle requests from unverified or high-risk users.

This level of control transforms your API gateway into an active participant in your compliance and fraud prevention strategy, rather than just a passive proxy.

Integrating Didit's Identity Verification with Kong Plugins

Didit, as an AI-native, developer-first identity platform, is perfectly suited for integration with Kong. Didit's modular architecture means you can pick and choose the identity verification components you need, from ID Verification (OCR, MRZ, barcodes) and Passive & Active Liveness to AML Screening & Monitoring and NFC Verification. This flexibility is critical when designing a Kong plugin for KYC routing.

A custom Kong plugin could:

  1. Intercept an incoming API request.
  2. Query an internal user database or a Didit API endpoint to check the user's current verification status.
  3. If the user is unverified or requires a higher level of verification for the requested action, the plugin can initiate a Didit verification session. This involves calling Didit's API to create a session for the user, specifying the required workflow (e.g., KYC, Adaptive Age Verification, Biometric Authentication, or Address Verification) and a callback URL.
  4. The plugin can then redirect the user to the Didit hosted verification flow or return a response to the client instructing them to complete verification.
  5. Once Didit completes the verification, it sends a webhook to your application, which can then update the user's status and notify the Kong plugin to allow future requests.

This seamless integration ensures that verification happens in real-time, preventing unverified users from accessing sensitive resources while maintaining a smooth user experience for those already verified.

Building a Custom Kong Plugin for Didit KYC

Developing a custom Kong plugin involves writing logic in Lua (or using other supported languages via serverless functions) to interact with Didit's APIs. Here's a conceptual outline:

  1. Configuration: The plugin would need Didit API keys and workflow IDs configured.
  2. Request Phase: During the access phase, the plugin checks a user identifier (e.g., a claim from a JWT or a request header populated by an upstream authentication plugin).
  3. Didit API Call: If KYC is required, the plugin makes an internal API call (or uses an asynchronous approach) to Didit's session creation endpoint. This call would specify the workflow_id (e.g., for full KYC, age verification via Age Estimation, or Proof of Address) and a callback URL.
  4. Response Handling: Based on Didit's API response (e.g., a session URL), the plugin can either redirect the user or return a custom error message indicating that verification is pending.
  5. Webhook Processing: Your backend service would receive webhooks from Didit upon verification completion, updating the user's status in your database. This status can then be queried by the Kong plugin on subsequent requests.
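The plugin outline in the two numbered lists above, written out as an added illustrative Lua handler for Kong; this is example code, not Didit's or Kong's own. Every `conf.*` field is assumed to be declared in the plugin's schema.lua, the status service at `conf.status_url` and its status values are assumed to be your own (fed by your webhook receiver), and the Didit endpoint, `x-api-key` header and session fields (`workflow_id`, `vendor_data`, `callback`, `url`) are assumptions to check against Didit's API reference.

```lua
-- handler.lua for a hypothetical "didit-kyc" Kong plugin (illustrative, not Didit's code)
local http  = require("resty.http")
local cjson = require("cjson.safe")

local DiditKyc = { PRIORITY = 900, VERSION = "0.1.0" }  -- below auth plugins so the consumer is set

-- Small JSON HTTP helper; returns decoded body or nil + error (non-2xx counts as an error).
local function json_call(conf, method, url, headers, payload)
  local client = http.new()
  client:set_timeout(conf.timeout_ms)
  local res, err = client:request_uri(url, {
    method = method, headers = headers, body = payload and cjson.encode(payload) or nil,
  })
  if not res then return nil, err end
  if res.status < 200 or res.status > 299 then return nil, "HTTP " .. res.status end
  return cjson.decode(res.body)  -- cjson.safe returns nil, err on malformed JSON
end

function DiditKyc:access(conf)
  -- Identity comes from the consumer resolved by an earlier auth plugin (jwt, key-auth),
  -- never from a client-supplied header the caller could forge.
  local consumer = kong.client.get_consumer()
  local user_id  = consumer and (consumer.custom_id or consumer.id)
  if not user_id then return kong.response.exit(401, { message = "unauthenticated" }) end

  -- Step 2: ask your own status service (assumed at conf.status_url), which your
  -- webhook receiver keeps current, whether this user already passed the workflow.
  local rec, err = json_call(conf, "GET", conf.status_url .. "/" .. ngx.escape_uri(user_id))
  if not rec then  -- fail closed: an unreachable status service must not open the route
    kong.log.err("kyc status lookup failed: ", tostring(err))
    return kong.response.exit(503, { message = "verification temporarily unavailable" })
  end
  if rec.status == "verified" then  -- status values are an assumption of this example
    kong.service.request.set_header("X-KYC-Status", "verified")  -- inject context for upstream
    return
  end

  -- Steps 3-4: create a Didit session and hand the hosted flow URL back to the client.
  -- Endpoint, header and field names are assumptions; use Didit's API reference.
  local session, serr = json_call(conf, "POST", conf.didit_session_url,
    { ["x-api-key"] = conf.didit_api_key, ["Content-Type"] = "application/json" },
    { workflow_id = conf.workflow_id, vendor_data = user_id, callback = conf.callback_url })
  if not session or not session.url then
    kong.log.err("didit session creation failed: ", tostring(serr))
    return kong.response.exit(503, { message = "verification temporarily unavailable" })
  end
  return kong.response.exit(403, { message = "verification required", verification_url = session.url })
end

return DiditKyc
```

Step 5 (the webhook receiver that writes the status record this handler reads) lives in your backend, not in the gateway, and should authenticate each webhook before updating the store. Cache the status lookup per consumer for a short TTL so a verified user does not cost one extra round trip per request.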

This robust architecture ensures that your APIs are always protected by the latest identity verification standards, enforced at the edge by your API gateway.

How Didit Helps

Didit is uniquely positioned to empower businesses in implementing advanced KYC routing with Kong. Our platform offers:

  • Free Core KYC: Get started with essential identity verification at no cost, making it easy to integrate and test your solutions.
  • Modular Architecture: Our composable identity primitives mean you only use what you need. Whether it's ID Verification, Passive & Active Liveness for fraud prevention, AML Screening & Monitoring for compliance, or Phone & Email Verification for account security, Didit provides the building blocks.
  • AI-Native Technology: Didit's advanced AI capabilities ensure highly accurate and efficient verification, reducing manual review and improving user experience.
  • Developer-First Approach: With clean APIs, comprehensive documentation, and an instant sandbox, integrating Didit into your Kong plugins is straightforward and fast.
  • Orchestrated Workflows: Define complex verification flows in the Didit Console, then simply reference them via a workflow_id in your Kong plugin, abstracting away the complexity of multi-step verification.

By combining Kong's powerful API gateway capabilities with Didit's flexible and secure identity verification platform, you can create a highly resilient and compliant digital ecosystem.

Ready to Get Started?

Ready to see Didit in action? Get a free demo today.

Start verifying identities for free with Didit's free tier.
