Uma autenticação biométrica por etapas nos momentos exatos em que os atacantes visam — transferências, redefinições de senha, logins em novos dispositivos. Veredito em menos de dois segundos, cerca de $0.13 por evento. 500 verificações gratuitas todos os meses.
Confiado por mais de 2.000 organizações em todo o mundo.
Como os atacantes atacam
Ataques de "credential stuffing", "SIM-swap" e "stolen-session-cookie" contornam senhas e códigos de uso único. Troque-os por uma autenticação por etapas Didit no momento da ação — $0.10 por chamada, veredito em menos de dois segundos, 500 gratuitos todos os meses.
Escolha as verificações que deseja — ID, prova de vida, correspondência facial, sanções, endereço, idade, telefone, e-mail, perguntas personalizadas. Arraste-as para um fluxo no painel, ou publique o mesmo fluxo na nossa API. Crie ramificações com base em condições, execute testes A/B, sem necessidade de código.
Incorpore nativamente com o nosso SDK para Web, iOS, Android, React Native ou Flutter. Redirecione para uma página alojada. Ou simplesmente envie um link ao seu utilizador — por e-mail, SMS, WhatsApp, em qualquer lugar. Escolha o que melhor se adapta à sua pilha.
A Didit aloja a câmara, as indicações de iluminação, a transição móvel e a acessibilidade. Enquanto o utilizador está no fluxo, pontuamos mais de 200 sinais de fraude em tempo real e verificamos cada campo contra fontes de dados autorizadas. Resultado em menos de dois segundos.
Webhooks assinados em tempo real mantêm a sua base de dados sincronizada no momento em que um utilizador é aprovado, recusado ou enviado para revisão. Consulte a API sob demanda. Ou abra a consola para inspecionar cada sessão, cada sinal e gerir os casos à sua maneira.
Didit · Política de Step-up
Didit · Autenticação Biométrica
Passo 2 / 2
Mantenha-se imóvel para a verificação
Didit · Correspondência Facial 1:1
Registo
Step-up
Didit · Vivacidade Passiva
Didit · Análise de Dispositivo e IP
Didit · Webhook · X-Signature-V2
{
"session_id": "abc-…",
"vendor_data": "user-42",
"status": "Approved",
"liveness": { "status": "Approved" },
"face": { "status": "Approved",
"similarity_score": 0.94 }
}$ curl -X POST https://verification.didit.me/v3/session/ \
-H "x-api-key: $DIDIT_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"workflow_id": "wf_ato_step_up",
"vendor_data": "user-42",
"metadata": { "trigger": "high_value_transfer" },
// base64 KYC enrolment selfie, ≤ 1MB
"portrait_image": "/9j/4AAQSkZJRgABAQE..."
}'status: Approved.documentos →// X-Signature-V2 verified upstream
if (payload.status === "Aprovado") {
unblockAction(payload.vendor_data);
} senão se (payload.status === "Recusado") {
logWarnings(payload.liveness.warnings);
blockAndAlert(payload.vendor_data);
}X-Signature-V2 antes de ler o payload.documentos →You are integrating Didit account-takeover defence into an application that already has the user signed in. Your job: when a sensitive action fires (large transfer, password reset, payout to a new destination, new-device login, geo anomaly), gate it on a Didit biometric step-up. One API call. One signed webhook. Three branches.
WHY THIS SHAPE
- Credential stuffing, SIM-swap, and stolen-session-cookie attacks all walk past passwords and SMS one-time codes. A face check at the moment of the sensitive action does not.
- Didit runs Passive Liveness (the user is alive, present, not a deepfake) plus 1:1 Face Match against the portrait captured at sign-up. A stolen selfie cannot pass — the comparison target is locked to the original enrollment.
- $0.10 per step-up (Biometric Authentication module) + $0.03 IP pre-check (optional) = around $0.13 per event. Sub-two-second verdict on entry-level Android. 500 verifications free every month.
PRE-REQUISITES
- Production API key from https://business.didit.me (sandbox key in 60 seconds, no credit card).
- A webhook endpoint with HMAC SHA-256 verification of the X-Signature-V2 header using your webhook secret.
HMAC-SHA256 verification MUST run against the raw body bytes (the raw payload as Didit sent it) BEFORE any JSON parsing — re-serialising the parsed body changes whitespace and key order, which invalidates the signature. - A Workflow Builder workflow that bundles Passive Liveness + Face Match 1:1 (with the user's stored sign-up portrait as the comparison target). Optionally compose Device & IP Analysis ahead of the step-up to pre-gate the check.
- Persist the user's sign-up portrait — either base64 on your side, or rely on Didit's stored enrollment via vendor_data lookup.
STEP 1 — Decide WHEN to step up (your code, not Didit's)
Run your usual fraud signals. Common triggers worth a biometric step-up:
- Wire / crypto transfer above the user's daily limit
- Password / email reset on a session less than 24h old
- Payout to a bank account or wallet seen for the first time
- Login from a new device or new country
- Velocity anomaly — N actions of type T within window W
Cheap pre-check (optional, ~100ms, $0.03):
- Score the user's IP via Device & IP Analysis. If the IP is a residential trusted address with a low risk score AND the device fingerprint matches the user's trusted device, skip the step-up. Otherwise run Step 2.
STEP 2 — Create a biometric step-up session
POST https://verification.didit.me/v3/session/
Headers:
x-api-key: <your api key>
Content-Type: application/json
Body:
{
"workflow_id": "<wf id bundling Passive Liveness + Face Match 1:1>",
"vendor_data": "<your user id, max 256 chars>",
"callback": "https://<your-app>/ato/step-up/callback",
"metadata": {
"trigger": "high_value_transfer",
"action_id": "<your internal action reference>"
},
"portrait_image": "<base64 JPEG of the user's stored sign-up portrait, ≤ 1 MB — REQUIRED when the workflow has FACE_MATCH active; the step-up matches the new live selfie against this stored reference>"
}
Response: 201 Created with a hosted session URL. Redirect the user there inline (or open it in a webview / Didit mobile SDK). The action stays BLOCKED on your side until the signed webhook lands.
STEP 3 — Read the signed webhook on completion
Didit POSTs the decision to your callback. Verify X-Signature-V2 (HMAC SHA-256 of the raw request body using your webhook secret) BEFORE reading the JSON.
Payload (excerpted):
{
"session_id": "<uuid>",
"vendor_data": "<your user id>",
"status": "Approved",
"liveness": { "status": "Approved" },
"face": { "status": "Approved", "similarity_score": 0.94 },
"ip_analysis": { "status": "Approved", "score": 11 }
}
Session status enum (exact case, Title Case With Spaces): Approved | Declined | In Review | Resubmitted | Expired | Not Finished | Kyc Expired | Abandoned.
STEP 4 — Branch the original action on status
Approved → unblock the sensitive action. Log session_id + similarity score on the audit trail.
In Review → hold the action, route to a human review queue.
Declined → block the action, log liveness warnings (mask / deepfake / replay / morph), alert the user.
Not Finished → invite the user to retry with a fresh session URL.
Expired → resend the link; the original session has timed out.
Abandoned → the user closed the flow before completing; resend the link.
STEP 5 — (Optional) Pull the full decision payload
GET https://verification.didit.me/v3/session/{session_id}/decision/
Headers:
x-api-key: <your api key>
Returns the same payload as the webhook plus the structured signals (liveness warnings, face-match similarity, IP / device flags). Use for analyst review.
WEBHOOK EVENT NAMES
- Sessions: standard session webhook (one endpoint, status field tells you where in the lifecycle).
- Verify X-Signature-V2 (HMAC SHA-256) on every payload.
CONSTRAINTS
- Session statuses use Title Case With Spaces (Approved, In Review). Never use UPPER_SNAKE_CASE for session verdicts — that's the Transactions API and lives in a different surface.
- 1:1 face match's comparison target is the user's STORED sign-up portrait, not a freshly captured one. A stolen selfie cannot pass.
- iBeta Level 1 Presentation Attack Detection (PAD) certified against the full ISO/IEC 30107-3 catalogue — print, replay, paper / silicone / latex mask, deepfake, morph.
- The Workflow Builder is where you choose the modules in the step-up — change them in the console without redeploying.
- 200+ fraud signals are surfaced on every session at no extra cost — read them off the decision payload, don't re-query.
Read the docs:
- https://docs.didit.me/sessions-api/create-session
- https://docs.didit.me/core-technology/biometric-auth/overview
- https://docs.didit.me/core-technology/ip-analysis/overview
- https://docs.didit.me/integration/webhooks
Start free at https://business.didit.me — sandbox key in 60 seconds, 500 verifications free every month, no credit card.$0 / mês. Não é necessário cartão de crédito.
Pague apenas pelo que usa. Mais de 25 módulos. Preços públicos por módulo, sem taxa mínima mensal.
MSA e SLA personalizados. Para grandes volumes e programas regulados.
Comece gratuitamente → pague apenas quando uma verificação for executada → desbloqueie o Enterprise para um contrato personalizado, SLA ou residência de dados.
Uma API para KYC, KYB, Monitorização de Transações e Rastreio de Carteiras. Integre em 5 minutos.