Une identité de niveau bancaire en scannant la puce du passeport électronique.

Didit is infrastructure for identity and fraud, the platform we wished existed when we were building products ourselves: open, flexible, and developer-friendly, so it works as a real part of your stack instead of a black box you integrate around.

One API covers verifying people (KYC, know your customer), verifying businesses (KYB, know your business), screening crypto wallets (KYT, know your transaction), and monitoring transactions in real time, on a stack built to be:

• Fast, sub-2-second p99 on every session
• Reliable, in production with 1,500+ companies across 220+ countries
• Secure, SOC 2 Type 1, ISO 27001, GDPR-native, and formally attested by Spain's financial regulator as safer than verifying someone in person

The footprint underneath: 14,000+ document types in 48+ languages, 1,000+ data sources, and 200+ fraud signals on every session. The Didit infrastructure dynamically learns from every session and gets better every day.

Modern passports (and increasingly modern national ID cards in the EU) carry a tiny contactless chip, the same kind of chip you tap to pay with a card. The chip holds:

• Data Group 1 (DG1), the same machine-readable text as the visual page (name, date of birth, document number, expiry)
• Data Group 2 (DG2), the portrait of the holder, at much higher resolution than the photo printed on the visual page
• Data Group 11 (DG11), extra personal details when the issuing country chooses to publish them (full address, nationality detail)
• A digital signature from the issuing government over the entire data set

That last bit is the magic. The chip is cryptographically bound to the issuing country, which means an attacker can't forge or tamper with what it returns, they'd have to forge a government signature. Didit reads the chip via NFC on the user's phone in 2-4 seconds for $0.15 per read.

Three reasons, in order of how much they matter:

• Cryptographic authenticity, the chip data is signed by the issuing country. A document-scan check can be fooled by a high-quality forgery; a chip-read check fails unless the forger has the country's private signing key.
• Higher-resolution portrait, the chip carries a far better-quality photo than the one printed on the data page. Matching a selfie against the chip portrait is meaningfully more accurate.
• Tamper-proof binding, the chip is sealed inside the document. Changing the chip data would require physical access to the issuing country's production line.

For most onboarding flows, document-scan is good enough. For bank, fintech, eIDAS-grade public service, and any flow where a single false positive costs real money, NFC chip reading is the standard control.

The full flow normally takes under 30 seconds end-to-end, pick up the ID, snap the document, snap the selfie, done. That is the fastest in the market. Legacy KYC providers usually take more than 90 seconds for the same flow.

On the back end, Didit returns the result in under two seconds at p99, measured from the moment the user finishes the selfie to the moment your webhook fires. Mobile capture is tuned for slow phones and slow networks: progressive image compression, lazy software development kit load, and a one-tap hand-off from desktop to phone via QR code if the user starts on web.

ICAO Doc 9303 is the international specification for machine-readable travel documents (MRTDs), every modern passport in the world is built to this spec. Three pieces matter for NFC verification:

• Passive Authentication (PA), checks that the chip data is signed by the issuing country's signing certificate, and that the signing certificate chains up to the country's master Country Signing Certificate Authority. Trust is anchored in the ICAO Public Key Directory (PKD), a shared directory of country signing certificates.
• Chip Authentication (CA), establishes a secure channel with the chip so an attacker can't replay a recording of an earlier chip exchange.
• Active Authentication (AA), sends a random challenge to the chip, the chip signs it with its private key, and the response proves the chip is the original physical chip (not a cloned chip with copied data).

Didit runs all three and exposes each verdict separately in the decision payload. ICAO Doc 9303 conformant means the chip-read path is the same one border agents use at airport e-gates.

Every session lands on one of seven clear statuses, so your code always knows what to do:

• Approved, every check passed. Move the user forward.
• Declined, one or more checks failed. You can allow the user to resubmit the specific failed step (for example, re-take the selfie) without re-running the whole flow.
• In Review, flagged for compliance review. Open the case in the console, see every signal, decide approve or decline.
• In Progress, user is mid-flow.
• Not Started, link sent, user has not opened it yet. Send a reminder if it sits too long.
• Abandoned, user opened the link but did not finish in time. Re-engage or expire.
• Expired, the session link aged out. Create a new session.

A signed webhook fires on every status change, so your database always stays in sync. Abandoned and declined sessions are free.

Production data is processed and stored in the European Union by default, on Amazon Web Services. Enterprise contracts can request alternative regions for jurisdictions whose regulators require it.

Encryption everywhere. AES-256 at rest across every database, object store, and backup. Transport Layer Security 1.3 in transit on every API call, webhook, and Business Console session. Biometric data is encrypted under a separate Customer Master Key.

Retention is yours to control. Default retention is indefinite (unlimited) unless you configure shorter, between 30 days and 10 years per application, and you can delete any individual session at any time from the dashboard or the API.

Certifications: SOC 2 Type 1 (Type 2 audit in progress), ISO/IEC 27001:2022, iBeta Level 1 PAD, and a public attestation from Spain''s Tesoro / SEPBLAC / CNMV that Didit''s remote identity verification is safer than verifying someone in person. Full report at /security-compliance.

Didit ships compliant by default for the regulators that matter to identity infrastructure:

• GDPR + UK GDPR, controller / processor split, full Data Processing Agreement published, lead supervisory authority named (Spain''s AEPD).
• AMLD6 + EU AML Single Rulebook, 1,300+ sanctions, politically exposed person, and adverse-media lists screened in real time.
• eIDAS 2.0, EU Digital Identity Wallet aligned; reusable-identity ready.
• MiCA (Markets in Crypto-Assets), ready for crypto on-ramps, exchanges, and custodians.
• DORA, Digital Operational Resilience Act, EU financial-services operational resilience.
• BIPA, CUBI, Washington HB 1493, CCPA / CPRA, US biometric privacy (Illinois, Texas, Washington) and California consumer privacy.
• UK Online Safety Act, age-gating and child-safety obligations.
• FATF Travel Rule, originator and beneficiary data on crypto transfers, IVMS-101 interoperable.

Detailed memo, every certificate, every regulator letter: /security-compliance.

• 60 seconds to a sandbox account at business.didit.me, no credit card.
• 5 minutes to a working verification through Claude Code, Cursor, or any coding agent via our Model Context Protocol (MCP) server.
• A weekend to a production-ready integration with signed-webhook verification, retries, and a remediation flow when a user is declined.

Three integration paths, pick whichever fits your stack:

• Embed natively with our Web, iOS, Android, React Native, or Flutter SDK.
• Redirect the user to the hosted verification page, zero SDK.
• Send a link by email, SMS, WhatsApp, or any channel, zero front-end work.

Same dashboard, same billing, same pay-per-success price for all three. Step-by-step guide at docs.didit.me/integration/integration-prompt.

Three common failure modes, all handled by the workflow:

• NFC unavailable on the device, iPhone 6 or earlier, NFC permission denied, tablet without NFC. The flow surfaces "NFC unavailable" and falls back to ID Verification on the visual page.
• Chip not present in the document, pre-2010 passport, older national ID. The MRZ tells the flow there's no chip; falls back to ID Verification.
• Chip damaged or unreadable, physical damage, antenna placement issues on certain Android phones, RF interference. The flow offers up to three retry attempts before falling back.

The fallback path is the same /v3/session/, same webhook, same statuses. The decision payload tells you which path succeeded so you can route on it, face.matched_against === "chip_portrait" for the NFC path, "id_document_portrait" for the OCR fallback. Bank-grade workflows can reject the OCR fallback and require a fresh attempt on a different device.

Under eIDAS 2, the EU's electronic-identification framework, a chip-verified e-passport with biometric matching can support Substantial or High assurance, depending on the workflow's surrounding controls.

Didit's role is to deliver the underlying identity-binding evidence:

• ICAO 9303 chip-signed identity data → Substantial assurance baseline
• High-resolution chip-portrait face match → high-confidence binding
• Passive liveness → spoof-resistance evidence
• AML screen → sanctions / PEP / adverse-media discharge

Whether the complete flow reaches Substantial or High depends on the consuming wallet, the trust framework, and the regulator's interpretation in your country. Didit is the only KYC provider with a formal EU-government attestation, Spain's Treasury, Banco de España, and SEPBLAC jointly attested the service as safer than in-person verification. That report is the most-cited starting point for an eIDAS High discussion.

Most NFC providers price between $1.50 and $5.00 per chip read, often with minimums in the thousands of euros per month and per-country surcharges for chip-signing-cert subscriptions. The Onfido / Jumio / Veriff archetype.

Didit's published price is $0.15 per NFC chip read + $0.50 for the full bundle (NFC + Liveness + Face Match + AML). No floor, no minimum, no per-country surcharge. The first 500 verifications free every month absorbs most pilots entirely.

That's roughly 10-30× cheaper than the incumbent stack on the same regulatory output. At a 10,000-user month, the saving versus a $2.00-per-chip incumbent is around $18,500. At European-bank volumes (100,000+ KYCs / month) the saving compounds into mid-six-figures annually. Full pricing at /pricing.