Installez les douze compétences d'agent open source de Didit dans Cursor, Claude Code, Codex ou OpenCode avec une seule commande `npx`. Demandez à l'agent en langage naturel. Il écrit le code et appelle l'API en direct.
Robinhood Ventures
Approuvé par plus de 2 000 organisations dans le monde entier.
Pourquoi des compétences, pas des docs
Donnez un onglet de documentation à Cursor et il invente des endpoints et met en minuscules les énumérations de statut. Donnez-lui une compétence Didit et chaque ligne pointe vers la vraie API, endpoint verrouillé, en-têtes verrouillés, gestionnaire de webhook signé échafaudé. Une seule commande `npx`.
Exécutez `npx skills add didit-protocol/skills` dans votre projet. La CLI détecte Cursor, Claude Code, Codex ou OpenCode et dépose chaque compétence dans le bon dossier. Installez-en une seule avec `--skill didit-face-match`.
Soit vous en obtenez une en 60 secondes sur [business.didit.me](https://business.didit.me) et `export DIDIT_API_KEY=…`, soit vous laissez l'agent s'enregistrer programmatiquement, `POST /programmatic/register/` suivi de `verify-email/`, et une clé est renvoyée dans la réponse. Aucun navigateur n'est nécessaire.
*« Ajoutez le KYC Didit à mon flux d'inscription. »* *« Vérifiez cet utilisateur par rapport aux listes AML. »* L'agent lit la compétence pertinente, écrit le code et câble le gestionnaire de webhook signé. Correct du premier coup, pas de basculement d'onglet de documentation.
Didit héberge la caméra, la capture de documents, le selfie, le transfert mobile. Moins de 30 secondes pour l'utilisateur. Verdict en moins de 2 secondes sur votre webhook, signé avec `X-Signature-V2` pour que vous puissiez lui faire confiance.
Didit · Catalog
Didit · npx install
Didit · Hosts
Didit · What skills lock
Didit · Setup
Didit · github.com/didit-protocol/skills
In every skill
Three install paths
$ npx skills add didit-protocol/skills
✓ 12 compétences installées
# or just one
$ npx skills add didit-protocol/skills \
--skill didit-face-match
# set the api key
$ export DIDIT_API_KEY="sk_live_..."Cursor, Claude Code, Codex, OpenCode détectés automatiquement.$ curl -X POST https://verification.didit.me/v3/session/ \
-H "x-api-key: $DIDIT_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"workflow_id": "$DIDIT_WORKFLOW_ID",
"vendor_data": "user-42",
"callback_url": "https://app/cb"
}'{ "url": "verify.didit.me/..." }You are installing the Didit Agent Skills into this project and wiring the first verification session against the live https://verification.didit.me/v3/ API. After this prompt, the project should pass identity verification — Know Your Customer (KYC), Anti-Money Laundering (AML) screening, document Optical Character Recognition (OCR) — through Didit.
Didit ships twelve open-source Agent Skills at https://github.com/didit-protocol/skills and follows the open standard at https://agentskills.io. The CLI auto-detects whether you are running inside Cursor, Claude Code, Codex, or OpenCode and drops the skills into the right folder.
PRE-REQUISITES
- A Didit API key (DIDIT_API_KEY). Either issued from https://business.didit.me, or self-registered by the agent via POST /programmatic/register/ + POST /programmatic/verify-email/ (no browser needed).
- A workflow_id from the Workflow Builder that bundles ID Verification + Passive Liveness + Face Match + IP Analysis + AML — or just use the didit-kyc-onboarding skill below to create one programmatically.
- A webhook endpoint that verifies the X-Signature-V2 header with HMAC-SHA256 on the raw body bytes (do NOT re-serialise the parsed JSON; the signature will not match).
STEP 1 — Install the skills
Recommended:
npx skills add didit-protocol/skills
This installs all twelve skills. To install only one:
npx skills add didit-protocol/skills --skill didit-face-match
Or git clone the repo and copy what you need:
git clone https://github.com/didit-protocol/skills.git
cp -r skills/didit-kyc-onboarding .claude/skills/
cp -r skills/didit-id-document-verification .claude/skills/
The twelve skills:
- didit-verification-management : the hub. Account, sessions, workflows, billing, blocklist, webhook config. 45+ endpoints
- didit-kyc-onboarding : full KYC recipe (ID + selfie + face match) in one call
- didit-id-document-verification : passports, ID cards, driver's licences. OCR, MRZ, NFC. 4,000+ documents, 220+ countries
- didit-liveness-detection : 99.9%-accurate liveness from a single selfie
- didit-face-match : compare two faces, get a 0–100 score
- didit-face-search : 1:N face search for deduplication and blocklists
- didit-biometric-age-estimation : estimate age from a selfie
- didit-email-verification : email OTP, detects breached / disposable / undeliverable
- didit-phone-verification : phone OTP via SMS, WhatsApp, or Telegram. Catches VoIP
- didit-aml-screening : 1,300+ sanctions, PEP, adverse-media lists. Dual-score risk
- didit-proof-of-address : utility bills, bank statements. OCR + geocoding
- didit-database-validation : government databases across 18 countries
STEP 2 — Set the environment
Every skill reads DIDIT_API_KEY. Session-based skills also expect DIDIT_WORKFLOW_ID. Signed-webhook handlers expect DIDIT_WEBHOOK_SECRET.
export DIDIT_API_KEY="<your api key>"
export DIDIT_WORKFLOW_ID="<your workflow id>" # optional
export DIDIT_WEBHOOK_SECRET="<your secret>" # optional
Programmatic alternative (no browser):
curl -X POST https://apx.didit.me/auth/v2/programmatic/register/ \
-H "Content-Type: application/json" \
-d '{"email": "dev@example.com", "password": "MyStr0ng!Pass"}'
# check the email, get the 6-char code, then:
curl -X POST https://apx.didit.me/auth/v2/programmatic/verify-email/ \
-H "Content-Type: application/json" \
-d '{"email": "dev@example.com", "code": "<code>"}'
# response includes api_key — export it as DIDIT_API_KEY.
STEP 3 — Create a verification session
POST https://verification.didit.me/v3/session/
Headers:
x-api-key: $DIDIT_API_KEY
Content-Type: application/json
Body:
{
"workflow_id": "$DIDIT_WORKFLOW_ID",
"vendor_data": "<your user id, max 256 chars>",
"callback_url": "https://<your-app>/kyc/callback",
"metadata": { "source": "agent-skill" }
}
Response: 201 Created. The hosted session URL is on the `url` field. Redirect the user, or send them the link by email / SMS / WhatsApp. Sub-2-second p99 verdict on completion.
STEP 4 — Read the signed webhook
Didit POSTs to your callback. KYC session statuses are Title Case With Spaces.
Body (excerpted):
{
"session_id": "<uuid>",
"vendor_data": "<your user id>",
"status": "Approved",
"id_verification": { "status": "Approved" },
"liveness": { "status": "Approved" },
"face": { "status": "Approved", "similarity_score": 0.94 },
"aml": { "status": "Approved", "hits": [] }
}
Full enum:
Approved | Declined | In Review | In Progress | Not Started | Abandoned | Expired | Resubmitted | Awaiting User | Not Finished
Verify X-Signature-V2 BEFORE parsing the body — HMAC-SHA256 of the raw bytes with your webhook secret. Re-serialising the parsed body changes whitespace and key order and the signature will not match.
STEP 5 — Read the decision on demand
GET https://verification.didit.me/v3/session/{sessionId}/decision/
Headers:
x-api-key: $DIDIT_API_KEY
Returns the full decision payload — id_verification, liveness, face, ip_analysis, aml. Use this whenever the agent needs to confirm the user's status before allowing an action. Never trust client-supplied "I'm verified" flags.
STEP 6 — Branch on status
Approved → continue
Declined → block, surface decision_reason_code, allow resubmit of the failed step
In Review → wait for the analyst webhook; don't block forever
Resubmitted → user re-took a failed step; new verdict is coming
Awaiting User → user hasn't completed the flow; nudge with a reminder
Expired → create a new session
Abandoned and Declined sessions are NOT billed.
STEP 7 — Optional: ongoing AML monitoring
If AML monitoring is enabled on the workflow ($0.07 per user per year), Didit fires status.updated whenever the user lands on a new sanctions / PEP / adverse-media list. No extra endpoint to call.
WEBHOOK EVENT NAMES
- status.updated : KYC or KYB session status changed
- data.updated : session data corrected after creation
- user.status.updated : User entity changed status (Active, Flagged, Blocked)
- user.data.updated : User entity counters, metadata, or aggregate fields changed
- activity.created : timeline activity recorded
Verify X-Signature-V2 on every payload. The webhook secret is per-environment — sandbox is separate from production.
CONSTRAINTS
- KYC session statuses use Title Case With Spaces (Approved, In Review). Do NOT transform them to UPPER_SNAKE_CASE — that casing is for Know Your Business (KYB) sessions and Transaction Monitoring, not KYC.
- HMAC verification runs against the RAW request body bytes. Never re-serialise the parsed JSON.
- Bundle price is $0.30 (ID + Liveness + Face Match + IP Analysis). AML adds $0.20. 500 verifications free every month, forever.
- Default record retention is unlimited unless you configure it shorter (30 days to 10 years per application).
Read the docs:
- https://docs.didit.me/getting-started/agent-skills
- https://docs.didit.me/sessions-api/create-session
- https://docs.didit.me/sessions-api/retrieve-session
- https://docs.didit.me/integration/webhooks
Skills repo:
- https://github.com/didit-protocol/skills
Start free at https://business.didit.me — sandbox key in 60 seconds, 500 verifications free every month, no credit card.0 $ / mois. Aucune carte de crédit requise.
Payez uniquement ce que vous utilisez. Plus de 25 modules. Tarification publique par module, sans minimum mensuel.
MSA et SLA personnalisés. Pour les gros volumes et les programmes réglementés.
Commence gratuitement → ne paie que lorsqu'une vérification est effectuée → débloque l'Enterprise pour un contrat personnalisé, un SLA ou la résidence des données.
Didit is infrastructure for identity and fraud, the platform we wished existed when we were building products ourselves: open, flexible, and developer-friendly, so it works as a real part of your stack instead of a black box you integrate around.
One API covers verifying people (KYC, know your customer), verifying businesses (KYB, know your business), screening crypto wallets (KYT, know your transaction), and monitoring transactions in real time, on a stack built to be:
The footprint underneath: 14,000+ document types in 48+ languages, 1,000+ data sources, and 200+ fraud signals on every session. The Didit infrastructure dynamically learns from every session and gets better every day.
A small Markdown file that teaches your AI agent how to call one of Didit's APIs, endpoint, headers, body shape, error cases, with working code in TypeScript, Python, and cURL.
Install it once. The next time you ask Cursor or Claude Code “add KYC to my signup flow”, the agent reads the skill and writes the right code on the first try. No tab-switching to docs. No invented endpoints. No wrong status casing.
It's the Agent Skills open standard. Didit ships twelve of them, free and open-source at github.com/didit-protocol/skills.
One skill per Didit capability, twelve in total, 51 endpoints tested end-to-end:
Install the lot in one command: npx skills add didit-protocol/skills. Install just one: npx skills add didit-protocol/skills --skill didit-face-match.
The full flow normally takes under 30 seconds end-to-end, pick up the ID, snap the document, snap the selfie, done. That is the fastest in the market. Legacy KYC providers usually take more than 90 seconds for the same flow.
On the back end, Didit returns the result in under two seconds at p99, measured from the moment the user finishes the selfie to the moment your webhook fires. Mobile capture is tuned for slow phones and slow networks: progressive image compression, lazy software development kit load, and a one-tap hand-off from desktop to phone via QR code if the user starts on web.
Cursor, Claude Code, Codex, and OpenCode, plus anything that follows the agentskills.io open standard.
The npx CLI detects your agent and drops the skill into the right place, .claude/skills/, .cursor/skills/, and so on. Same Markdown file everywhere, no host-specific SDK.
Under the hood every skill points at the same https://verification.didit.me/v3/* API with the same x-api-key header and the same signed webhook. The skill is just how the agent reads it.
Every session lands on one of seven clear statuses, so your code always knows what to do:
Approved, every check passed. Move the user forward.Declined, one or more checks failed. You can allow the user to resubmit the specific failed step (for example, re-take the selfie) without re-running the whole flow.In Review, flagged for compliance review. Open the case in the console, see every signal, decide approve or decline.In Progress, user is mid-flow.Not Started, link sent, user has not opened it yet. Send a reminder if it sits too long.Abandoned, user opened the link but did not finish in time. Re-engage or expire.Expired, the session link aged out. Create a new session.A signed webhook fires on every status change, so your database always stays in sync. Abandoned and declined sessions are free.
Production data is processed and stored in the European Union by default, on Amazon Web Services. Enterprise contracts can request alternative regions for jurisdictions whose regulators require it.
Encryption everywhere. AES-256 at rest across every database, object store, and backup. Transport Layer Security 1.3 in transit on every API call, webhook, and Business Console session. Biometric data is encrypted under a separate Customer Master Key.
Retention is yours to control. Default retention is indefinite (unlimited) unless you configure shorter, between 30 days and 10 years per application, and you can delete any individual session at any time from the dashboard or the API.
Certifications: SOC 2 Type 1 (Type 2 audit in progress), ISO/IEC 27001:2022, iBeta Level 1 PAD, and a public attestation from Spain''s Tesoro / SEPBLAC / CNMV that Didit''s remote identity verification is safer than verifying someone in person. Full report at /security-compliance.
Didit ships compliant by default for the regulators that matter to identity infrastructure:
Detailed memo, every certificate, every regulator letter: /security-compliance.
Three integration paths, pick whichever fits your stack:
Same dashboard, same billing, same pay-per-success price for all three. Step-by-step guide at docs.didit.me/integration/integration-prompt.
One command:
``bash
npx skills add didit-protocol/skills
``
The CLI detects whether you're in Cursor, Claude Code, Codex, or OpenCode and drops every skill into the right folder. Install just one with --skill didit-face-match.
Prefer Git? git clone https://github.com/didit-protocol/skills and copy what you want. Prefer no tooling? Open the repo and copy a single SKILL.md into your agent's skill directory, every skill is self-contained.
The only env var every skill needs is DIDIT_API_KEY. Get one in 60 seconds at business.didit.me, or let the agent register itself programmatically via POST /programmatic/register/.
Plain English, no jargon, no boilerplate:
The agent reads the relevant skill and writes production-ready code in TypeScript, Python, or Bash. No guesswork, the skill ships the exact endpoint, header, body, and status enum.
Docs are written for humans. Agents trip on the same things over and over:
POST /v3/wallet-screening/ when the real path lives inside /v3/transactions/Approved, KYB is APPROVED, agents mix them upSkills lock all of that. Versioned alongside the API: when Didit ships a new endpoint, the skill ships the same day. 51 endpoints tested, every release.
Une seule API pour le KYC, le KYB, la surveillance des transactions et le screening de portefeuilles. Intégration en 5 minutes.