$0.33 para fazer o onboarding do tomador, $0.02 por parcela, AML contínuo incluído. 500 verificações gratuitas todo mês, sandbox em 60 segundos.
Robinhood Ventures
Confiado por mais de 2.000 organizações em todo o mundo.
O que o BNPL deve
Um plano BNPL não é uma decisão, é uma sequência. A Didit faz a subscrição do tomador no checkout, registra cada parcela na API de Transações e reavalia automaticamente para sanções ou ocorrências de PEP (Pessoas Politicamente Expostas) ao longo da vida útil do plano. $0.33 na aplicação, $0.02 por parcela, AML contínuo incluído. 500 verificações gratuitas todo mês.
Escolha as verificações que você quer, ID, prova de vida, reconhecimento facial, sanções, endereço, idade, telefone, e-mail, perguntas personalizadas. Arraste-as para um fluxo no painel, ou envie o mesmo fluxo para nossa API. Crie ramificações com base em condições, execute testes A/B, sem necessidade de código.
Incorpore nativamente com nossos SDKs Web, iOS, Android, React Native ou Flutter. Redirecione para uma página hospedada. Ou simplesmente envie um link para seu usuário, por e-mail, SMS, WhatsApp, em qualquer lugar. Escolha o que melhor se adapta à sua stack.
A Didit hospeda a câmera, as dicas de iluminação, a transição para dispositivos móveis e a acessibilidade. Enquanto o usuário está no fluxo, pontuamos mais de 200 sinais de fraude em tempo real e verificamos cada campo em relação a fontes de dados confiáveis. Resultado em menos de dois segundos.
Webhooks assinados em tempo real mantêm seu banco de dados sincronizado no momento em que um usuário é aprovado, recusado ou enviado para revisão. Consulte a API sob demanda. Ou abra o console para inspecionar cada sessão, cada sinal e gerenciar casos do seu jeito.
Didit · BNPL onboarding
Step 3 / 5
Verify your identity
Didit · Device + IP
Didit · Ongoing AML + TM
Didit · Underwriting audit
Borrower
Underwriting
Didit · FPD signals
Didit · Cross-border BNPL
$ curl -X POST https://verification.didit.me/v3/session/ \
-H "x-api-key: $DIDIT_API_KEY" \
-d '{
"workflow_id": "wf_bnpl_apply",
"vendor_data": "borrower-42",
"metadata": { "plan_id": "plan-9182" }
}'status: Approved.docs →$ curl -X POST https://verification.didit.me/v3/transactions/ \
-H "x-api-key: $DIDIT_API_KEY" \
-d '{
"transaction_id": "plan-9182-inst-1",
"transaction_details": { "direction": "INBOUND", "amount": "125,00", "currency": "GBP", "currency_kind": "fiat" },
"subject": { "vendor_data": "borrower-42", "full_name": "Jamie Exemplo" },
"contraparte": { "nome_completo": "Merchant Ltda" }
}'You are integrating Didit into a Buy-Now-Pay-Later (BNPL) checkout flow — Klarna / Affirm / Clearpay / Tabby / Tamara / Kueski archetype. The recipe handles three obligations on every BNPL plan:
1. Verify the borrower at checkout — identity, liveness, face match, device + IP, AML against 1,300+ sanctions / PEP / adverse-media lists. ONE call to the Sessions API.
2. Log every instalment charge — Transaction Monitoring catches velocity, structuring, and chargeback patterns. ONE call to the Transactions API per instalment.
3. Continuous AML — the borrower is rescreened automatically across the lifetime of the plan. NO separate endpoint to call.
Cost:
- Borrower Know Your Customer (KYC) bundle: $0.33 per application (Sessions API)
- Transaction monitoring per instalment charge: $0.02 (Transactions API)
- Ongoing AML monitoring: $0.07 per user per year (automatic on any session with AML enabled)
- First 500 verifications free every month, forever
PRE-REQUISITES
- Production API key from https://business.didit.me (sandbox key in 60s, no card).
- Webhook endpoint with HMAC SHA-256 verification using the X-Signature-V2 header and your webhook secret.
- A workflow_id from the Workflow Builder that bundles ID Verification + Passive Liveness + Face Match 1:1 + Device & IP Analysis + AML Screening.
- Transaction Monitoring enabled in the Business Console (Transactions > Settings).
STEP 1 — Underwrite the borrower at checkout
POST https://verification.didit.me/v3/session/
Headers:
x-api-key: <your api key>
Content-Type: application/json
Body:
{
"workflow_id": "<wf id with KYC + AML bundle>",
"vendor_data": "<your borrower id, max 256 chars>",
"callback": "https://<your-app>/bnpl/apply/callback",
"metadata": {
"purpose": "bnpl_application",
"plan_id": "<your internal plan reference>",
"merchant_id": "<merchant id>",
"principal_amount": "500.00",
"currency": "GBP"
}
}
Response: 201 Created with the hosted session URL. Embed the URL inline in the BNPL widget at checkout. Sub-2-second median verdict on completion.
STEP 2 — Read the signed webhook on application completion
Didit POSTs to your callback. Session statuses are Title Case With Spaces:
Body (excerpted):
{
"session_id": "<uuid>",
"vendor_data": "<your borrower id>",
"status": "Approved",
"id_verification": { "status": "Approved" },
"liveness": { "status": "Approved" },
"face": { "status": "Approved", "similarity_score": 0.94 },
"ip_analysis": { "status": "Approved" },
"aml": { "status": "Approved", "hits": [] }
}
Status enum (exact case): Approved | Declined | In Review | Resubmitted | Expired | Not Finished | Kyc Expired | Abandoned.
Verify the X-Signature-V2 header BEFORE reading the body — HMAC SHA-256 of the raw bytes with your webhook secret.
On Approved + clean AML + acceptable Device & IP, approve the plan and schedule the instalments. On Declined or AML hit, decline. On In Review or AWAITING_USER, hold the plan and route to your underwriting analyst queue.
STEP 3 — Log every instalment charge
POST https://verification.didit.me/v3/transactions/
Headers:
x-api-key: <your api key>
Content-Type: application/json
Body (required fields verified live 2026-05-16):
{
"transaction_id": "<plan-id>-instalment-1",
"transaction_category": "finance",
"transaction_details": {
"direction": "INBOUND",
"amount": "125.00",
"currency": "GBP",
"currency_kind": "fiat",
"action_type": "deposit"
},
"subject": {
"entity_type": "individual",
"vendor_data": "<your borrower id>",
"full_name": "<borrower full name>"
},
"counterparty": {
"entity_type": "individual",
"full_name": "<merchant or BNPL settlement counterparty>"
}
}
REQUIRED fields the API rejects if missing:
- subject.vendor_data + subject.full_name
- counterparty.full_name
- transaction_details.direction + currency + currency_kind + amount
Response shape (excerpted from a real successful 201):
{
"uuid": "<server transaction uuid>",
"txn_id": "<your transaction_id echoed back>",
"status": "APPROVED",
"score": 0,
"severity": null,
"cost_breakdown": {
"total_price": 0.02,
"items": [{ "usage_type": "transaction_monitoring", "price": 0.02 }]
}
}
Transaction status enum (exact case, UPPER_SNAKE_CASE): APPROVED | IN_REVIEW | DECLINED | AWAITING_USER.
When a transaction enters AWAITING_USER, Didit creates a linked remediation session automatically and returns a verification URL on the response.
Per-instalment cost: $0.02 (transaction-monitoring base).
Branch logic:
APPROVED → charge the card / pull the bank transfer.
IN_REVIEW → hold the instalment, route to analyst queue.
DECLINED → hard-fail the instalment, mark the plan delinquent.
AWAITING_USER → redirect the borrower to the remediation session URL.
STEP 4 — Continuous AML monitoring is automatic
Any session with AML enabled is rescreened DAILY by Didit's continuous monitoring at $0.07 per user per year. There is NO separate endpoint to call.
When a previously-approved borrower crosses an AML threshold, the session status changes to "In Review" or "Declined" automatically and your webhook fires the update. Hold the remaining instalments and route the case to your collections / fraud team.
STEP 5 — Returning borrowers re-use the verified identity
When a borrower comes back for a second plan, open a new session against their existing vendor_data — Didit reuses the previously verified document and face match where policy allows, and you avoid paying for the full bundle again. Pair with Reusable KYC for the lightest path.
WEBHOOK EVENT NAMES
- Sessions: status changes flow through the standard session webhook.
- Transactions: transaction.created · transaction.updated · transaction.status.changed · transaction.alert.generated.
- Verify X-Signature-V2 on every payload.
CONSTRAINTS
- Session statuses use Title Case With Spaces (Approved, In Review). Transaction statuses use UPPER_SNAKE_CASE (APPROVED, IN_REVIEW). They live in different APIs — don't mix them in the same code path.
- Never approve a BNPL plan before the X-Signature-V2 webhook lands with status Approved + AML clear.
- 200+ fraud signals are evaluated on every session at no extra cost — surface the score via the session decision payload, don't re-query.
- Default record retention is 5 years post-relationship per the EU AML package; UK FCA rules and similar national rules sit on top.
Read the docs:
- https://docs.didit.me/sessions-api/create-session
- https://docs.didit.me/transaction-monitoring/overview
- https://docs.didit.me/transaction-monitoring/transactions
- https://docs.didit.me/core-technology/aml-screening/continuous-monitoring-aml-screening
- https://docs.didit.me/integration/webhooks
Start free at https://business.didit.me — sandbox key in 60 seconds, 500 verifications free every month, no credit card.$0 / mês. Não precisa de cartão de crédito.
Pague apenas pelo que usar. Mais de 25 módulos. Preços públicos por módulo, sem taxa mínima mensal.
MSA e SLA personalizados. Para grandes volumes e programas regulamentados.
Comece grátis → pague apenas quando uma verificação for executada → desbloqueie o Enterprise para um contrato personalizado, SLA ou residência de dados.
Didit is infrastructure for identity and fraud, the platform we wished existed when we were building products ourselves: open, flexible, and developer-friendly, so it works as a real part of your stack instead of a black box you integrate around.
One API covers verifying people (KYC, know your customer), verifying businesses (KYB, know your business), screening crypto wallets (KYT, know your transaction), and monitoring transactions in real time, on a stack built to be:
The footprint underneath: 14,000+ document types in 48+ languages, 1,000+ data sources, and 200+ fraud signals on every session. The Didit infrastructure dynamically learns from every session and gets better every day.
BNPL lets a shopper take goods home today and pay for them in instalments, typically four payments over six weeks, sometimes longer plans with interest.
The industry shape:
The regulatory shift: BNPL used to sit in a soft-touch consumer-credit grey zone. As of 2025-2026, the UK FCA (Financial Conduct Authority) brings BNPL under formal regulation, the EU Consumer Credit Directive II (CCD II) extends to BNPL, and US state lenders apply existing licensing law. The compliance bar is now: real ID, real underwriting, real monitoring, real audit pack.
Because BNPL extends credit, not just processes a card.
Real identity verification (ID + face + AML) cuts first-payment default (FPD) at the source. The shopper presents a real document and a real face; Didit binds the application to a single human, not just a token.
The full flow normally takes under 30 seconds end-to-end, pick up the ID, snap the document, snap the selfie, done. That is the fastest in the market. Legacy KYC providers usually take more than 90 seconds for the same flow.
On the back end, Didit returns the result in under two seconds at p99, measured from the moment the user finishes the selfie to the moment your webhook fires. Mobile capture is tuned for slow phones and slow networks: progressive image compression, lazy software development kit load, and a one-tap hand-off from desktop to phone via QR code if the user starts on web.
Not anymore. The regulatory map circa 2026:
The shape of the compliance bar is the same in every region: verify the borrower, screen for sanctions and PEPs, monitor across the plan, keep a 5+ year audit trail. Didit ships that bar globally.
Every session lands on one of seven clear statuses, so your code always knows what to do:
Approved, every check passed. Move the user forward.Declined, one or more checks failed. You can allow the user to resubmit the specific failed step (for example, re-take the selfie) without re-running the whole flow.In Review, flagged for compliance review. Open the case in the console, see every signal, decide approve or decline.In Progress, user is mid-flow.Not Started, link sent, user has not opened it yet. Send a reminder if it sits too long.Abandoned, user opened the link but did not finish in time. Re-engage or expire.Expired, the session link aged out. Create a new session.A signed webhook fires on every status change, so your database always stays in sync. Abandoned and declined sessions are free.
Production data is processed and stored in the European Union by default, on Amazon Web Services. Enterprise contracts can request alternative regions for jurisdictions whose regulators require it.
Encryption everywhere. AES-256 at rest across every database, object store, and backup. Transport Layer Security 1.3 in transit on every API call, webhook, and Business Console session. Biometric data is encrypted under a separate Customer Master Key.
Retention is yours to control. Default retention is indefinite (unlimited) unless you configure shorter, between 30 days and 10 years per application, and you can delete any individual session at any time from the dashboard or the API.
Certifications: SOC 2 Type 1 (Type 2 audit in progress), ISO/IEC 27001:2022, iBeta Level 1 PAD, and a public attestation from Spain''s Tesoro / SEPBLAC / CNMV that Didit''s remote identity verification is safer than verifying someone in person. Full report at /security-compliance.
Didit ships compliant by default for the regulators that matter to identity infrastructure:
Detailed memo, every certificate, every regulator letter: /security-compliance.
Three integration paths, pick whichever fits your stack:
Same dashboard, same billing, same pay-per-success price for all three. Step-by-step guide at docs.didit.me/integration/integration-prompt.
Every borrower produces an exportable pack:
borrower_pid, your pseudonymous borrower idkyc_status, Approved / Declined / In Review (Title Case With Spaces)aml_status, Clear / Hit / Manual reviewdevice_risk, score + top contributing signalsplan_parameters, instalment count, total amount, currency, merchant idsignature, X-Signature-V2 HMAC SHA-256Pipe to your collections + compliance systems and to your regulator-facing reporting layer. Default retention is 5 years post-relationship per the EU AML package; the UK FCA's BNPL rules will sit on top. Aligned with SOC 2 Type 1, ISO/IEC 27001, and the General Data Protection Regulation, all of which Didit holds.
Yes. The same /v3/ API covers every market:
One contract, one API key, one Workflow Builder. Per-region rules tuned per workflow, Didit handles 14,000+ document types across 220+ countries, sub-2-second verdict on entry-level Android, 48+ languages in the hosted UI.
Four wires, one afternoon:
business.didit.me, sandbox key in 60 seconds, no credit cardPOST /v3/session/ to the apply step + the signed webhook to your decision enginePOST /v3/transactions/ to every instalment charge + handle the four-value status enumThe Didit MCP (Model Context Protocol) server is included free, paste the integration prompt above into Claude Code, Cursor, Codex, Replit Agent, Devin, or Aider and the agent scaffolds the whole thing against the live /v3/ API.
Uma API para KYC, KYB, Monitoramento de Transações e Análise de Carteiras. Integre em 5 minutos.