Skip to main content
Didit Raises $2M and Joins Y Combinator (W26)
Didit
Bot Detection

Keep bots out with a Passive Liveness gate. One frame. One decision.

A single Passive Liveness check in front of any high-value action. Bots have no face to present — they cannot pass. Sub-two-second verdict, $0.10 per check, 500 free every month.

Start freeRead the docs
Backed by
Y Combinator
GBTC Finance
Bondex
Crnogorski Telekom
UCSF Neuroscape
Shiply
Adelantos

Trusted by 2,000+ organizations worldwide.

A dark abstract bot-detection stack — four floating translucent dark-glass panels in 3D perspective on pure black, threaded by a luminous Didit Blue vertical line and framed by glowing scanner brackets. Each panel carries one tiny pale-white abstract motif of the gate (robot head, flat waveform, anomaly grid, suspicious timing).

Why CAPTCHA stopped working

Solver farms beat CAPTCHA. Liveness still asks for a face.

Commercial CAPTCHA-solver farms clear hCaptcha and reCAPTCHA Enterprise for fractions of a cent. Passive Liveness asks for something a script does not have — a real human in front of a real camera. $0.10 per gate, sub-two-second, 500 free every month.

How it works

From sign-up to verified user in four steps.

  1. Step 01

    Create the workflow

    Pick the checks you want — ID, liveness, face match, sanctions, address, age, phone, email, custom questions. Drag them into a flow in the dashboard, or post the same flow to our API. Branch on conditions, run A/B tests, no code required.

  2. Step 02

    Integrate

    Embed natively with our Web, iOS, Android, React Native, or Flutter SDK. Redirect to a hosted page. Or just send your user a link — by email, SMS, WhatsApp, anywhere. Pick what fits your stack.

  3. Step 03

    User goes through the flow

    Didit hosts the camera, the lighting cues, the mobile hand-off, and accessibility. While the user is in the flow, we score 200+ fraud signals in real time and verify every field against authoritative data sources. Result in under two seconds.

  4. Step 04

    You receive the results

    Real-time signed webhooks keep your database in sync the moment a user is approved, declined, or sent to review. Poll the API on demand. Or open the console to inspect every session, every signal, and manage cases your way.

Built for the gate · Priced like infrastructure

One Passive Liveness check. $0.10 per gate.

A bot-gate is a composition — surface, pre-screen, liveness, decision. Toggle each module per workflow in the Workflow Builder.
Read the docsGet an API key
01 · Attack surface

Where bots show up — and where the gate goes.

Sign-up forms, leaderboards, airdrop / token claims, referral payouts, comment sections, ticket queues. Same Workflow Builder workflow protects every surface. Trigger only on the actions that actually matter — day-to-day reads do not need a gate.
Workflow Orchestrator module
02 · Liveness gate

A real human in front of a real camera.

Passive Liveness asks the user to hold still for one frame. The model returns a verdict in under two seconds at $0.10 per check. No puzzles, no character recognition, no behavioural-mouse traces — just a frame and a decision. iBeta Level 1 PAD certified against ISO/IEC 30107-3.
Liveness module
03 · Attack-vector defence

Every bot vector — same verdict.

Headless Chrome with scripted submission, browser-automation farms, virtual-camera AI face injectors, pre-recorded screen replays, image-only submissions with no camera attached, AI-generated deepfakes — all blocked. The model is independently re-tested at iBeta every year as new vectors appear in the wild.
How Liveness works
04 · IP + device pre-screen

Skip the camera on the obvious bots.

Device & IP Analysis returns a 0–100 score plus Virtual Private Network (VPN), Tor, datacenter Autonomous System Number (ASN), headless-browser, and device-velocity flags. $0.03 per call, under 100ms. Decline up-front when the network is obviously scripted; only spend the liveness budget on plausible humans.
Device & IP Analysis module
05 · Reusable KYC replay

Once a human. Always a human.

Users who have already passed a Didit-verified session can replay the credential at no cost via Reusable KYC. No second camera permission, no friction — the gate stays in front of unknown traffic only. Free forever.
Reusable KYC module
06 · Webhook pipeline

Signed verdict. Three branches. Done.

A signed webhook lands with the verdict — Approved, Declined, In Review, Not Finished. Verify X-Signature-V2 with Hash-based Message Authentication Code (HMAC) SHA-256 before reading the body. 200+ fraud signals exposed at no extra cost. Branch the original action accordingly.
Webhook reference
Integrate

One session. One signed verdict. Three branches.

Open the gate. Read the signed verdict. Allow, block, or invite a retry.
POST /v3/session/Liveness
$ curl -X POST https://verification.didit.me/v3/session/ \
  -H "x-api-key: $DIDIT_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "workflow_id": "wf_bot_gate",
    "vendor_data": "signup-918",
    "metadata": { "surface": "signup_form" }
  }'
201Created{ "session_url": "verify.didit.me/..." }
Block the action until the webhook lands status: Approved.docs →
POST /webhooks/diditVerdict
// X-Signature-V2 verified upstream
if (payload.status === "Approved") {
  allowSignup(payload.vendor_data);
} else if (payload.status === "Declined") {
  throttleIP(payload.ip_analysis.ip);
  blockAndLog(payload.vendor_data);
}
200OKstatus Approved · Declined · In Review · Not Finished
Verify X-Signature-V2 before reading the payload.docs →
Agent-ready integration

Ship a Passive Liveness bot-gate in one prompt.

Paste into Claude Code, Cursor, Codex, Devin, Aider, or Replit Agent. Fill in your stack. The agent wires the trigger, opens the liveness session, verifies the webhook, and gates the action.
didit-integration-prompt.md
You are integrating Didit Passive Liveness as a bot-gate on a high-value action — sign-up, leaderboard submission, airdrop / token claim, referral payout, comment, or ticket queue. Bots cannot pass Passive Liveness because they have no face to present to the camera. One API call. One signed webhook. One decision.

WHY THIS SHAPE
  - Bots scale because they cost nothing per attempt. CAPTCHA stops the dumbest ones but commercial solver farms beat hCaptcha and reCAPTCHA Enterprise at fractions of a cent per solve.
  - Passive Liveness asks for something a script does not have: a live human face in front of a real camera. The model decides on one frame, in under two seconds, with no user interaction beyond "hold still".
  - $0.10 per check (Passive Liveness module). 500 verifications free every month. Combine with $0.03 IP / device pre-screen to keep the camera off the obvious bots and the budget on real candidates.

PRE-REQUISITES
  - Production API key from https://business.didit.me (sandbox key in 60 seconds, no credit card).
  - A webhook endpoint with HMAC SHA-256 verification of the X-Signature-V2 header using your webhook secret.
  - A Workflow Builder workflow containing the Passive Liveness module — optionally Device & IP Analysis pre-step.
  - The high-value action wrapped in a server-side gate that defaults to BLOCK and only unblocks on a verified webhook with status: Approved.

STEP 1 — (Optional) Cheap IP / device pre-screen
  Before opening a camera, score the network with Device & IP Analysis ($0.03 / call, under 100ms).
  If the score is low and no datacenter / VPN / scripted-user-agent flags fire, run Step 2.
  If the score is high or any of those flags fire, skip the liveness call and decline up-front — this saves the camera budget for plausible humans.

STEP 2 — Open a Passive Liveness session
  POST https://verification.didit.me/v3/session/
  Headers:
    x-api-key: <your api key>
    Content-Type: application/json
  Body:
    {
      "workflow_id": "<wf id with the Passive Liveness module>",
      "vendor_data": "<your action / user id, max 256 chars>",
      "callback": "https://<your-app>/bot-gate/callback",
      "metadata": {
        "surface": "signup_form",
        "action_id": "<your internal reference>"
      }
    }

  Response: 201 Created with a hosted session URL. Redirect inline (web) or open in a Software Development Kit (SDK) webview (mobile). The action stays BLOCKED on your side until the signed webhook lands.

STEP 3 — Read the signed webhook
  Didit POSTs the verdict. Verify X-Signature-V2 (HMAC SHA-256 of the raw body using your webhook secret) BEFORE reading the JSON.

  Payload (excerpted):
    {
      "session_id": "<uuid>",
      "vendor_data": "<your action / user id>",
      "status": "Approved",
      "liveness": { "status": "Approved" }
    }

  Session status enum (exact case, Title Case With Spaces): Approved | Declined | In Review | Resubmitted | Expired | Not Finished | Kyc Expired | Abandoned.

STEP 4 — Branch the action
  Approved      → allow the sign-up / claim / submission.
  Declined      → block the action. Log liveness warnings (image-only / virtual-cam / replay / deepfake) and throttle the source IP.
  Not Finished  → invite the user to retry with a fresh session URL.
  Expired       → session timed out. Resend the link.
  Abandoned     → the user closed the flow before completing. Resend the link.

STEP 5 — (Optional) Replay Reusable Know Your Customer (KYC) for known humans
  If a user has previously completed a Didit-verified session, a fresh liveness check is not required for re-entry — they can replay their verified credential at no cost via Didit Reusable KYC. Use the user's existing session_id to confirm enrollment and skip Step 2. Free forever.

WEBHOOK EVENT NAMES
  - Sessions: standard session webhook. One endpoint, status field tells you where in the lifecycle.
  - Verify X-Signature-V2 (HMAC SHA-256) on every payload.

WHAT GETS BLOCKED
  - Headless Chrome with scripted form submission
  - Browser-automation farms (Puppeteer, Playwright, Selenium)
  - Image-only submissions (no camera attached)
  - Virtual-camera AI face injectors
  - Pre-recorded screen replays
  - Print or paper attacks
  - Silicone / latex masks
  - AI-generated deepfake faces

  All independently tested at iBeta and certified at Level 1 Presentation Attack Detection (PAD) against the full ISO/IEC 30107-3 catalogue. Re-tested every year.

CONSTRAINTS
  - Session statuses use Title Case With Spaces. Never use UPPER_SNAKE_CASE for session verdicts — that's the Transactions API.
  - Default to BLOCK on the server. Only unblock when the verified webhook says Approved.
  - 200+ fraud signals are evaluated on every session at no extra cost — read them off the decision payload, don't re-query.

Read the docs:
  - https://docs.didit.me/sessions-api/create-session
  - https://docs.didit.me/core-technology/liveness/overview
  - https://docs.didit.me/core-technology/ip-analysis/overview
  - https://docs.didit.me/core-technology/reusable-kyc/overview
  - https://docs.didit.me/integration/webhooks

Start free at https://business.didit.me — sandbox key in 60 seconds, 500 verifications free every month, no credit card.
Need more context? See the full module docs.docs.didit.me →
Compliant by design

Open a new country in one click. We do the hard work.

We open the local subsidiaries, secure the licenses, run the penetration tests, earn the certifications, and align with every new regulation. To ship verifications in a new country, flip a toggle. 220+ countries live, audited and pen-tested every quarter — the only identity provider an EU member-state government has formally called safer than in-person verification.
Read the security & compliance dossier
EU financial sandbox
Tesoro · SEPBLAC · BdE
ISO/IEC 27001
Information security · 2026
SOC 2 · Type I
AICPA · 2026
iBeta Level 1 PAD
NIST / NIAP · 2026
GDPR
EU 2016/679
DORA
EU 2022/2554
MiCA
EU 2023/1114
AMLD6 · eIDAS 2.0
EU-aligned by design

Proof numbers

Proof numbers
  • iBeta L1
    Independently certified Presentation Attack Detection — re-tested every year.
  • <0s
    Verdict end-to-end on entry-level Android.
  • $0.00
    Per Passive Liveness check. $0.03 optional IP pre-screen on top.
  • 0
    Free verifications every month, on every account.
Three tiers, one price list

Start free. Pay per usage. Scale to Enterprise.

500 free verifications every month, forever. Pay-as-you-go for production. Custom contracts, data residency, and SLAs (Service Level Agreements) on Enterprise.
Free

Free

$0 / month. No credit card required.

  • Free KYC bundle (ID Verification + Passive Liveness + Face Match + Device & IP Analysis) — 500 / month, every month
  • Blocklisted Users
  • Duplicate Detection
  • 200+ fraud signals on every session
  • Reusable KYC across the Didit network
  • Case Management Platform
  • Workflow Builder
  • Public docs, sandbox, SDKs, MCP (Model Context Protocol) server
  • Community support
Start free
Most popular
Pay per usage

Usage Based

Pay only for what you use. 25+ modules. Public per-module pricing, no monthly minimum fee.

  • Full KYC at $0.33 (ID + Biometric + IP / Device)
  • 10,000+ AML datasets — sanctions, PEPs, adverse media
  • 1,000+ government data sources for Database Validation
  • Transaction Monitoring at $0.02 per transaction
  • Live KYB at $2.00 per business
  • Wallet Screening at $0.15 per check
  • Whitelabel verification flow — your brand, our infrastructure
See full list of pricesStart free
Enterprise

Enterprise

Custom MSA & SLA. For large volumes and regulated programs.

  • Annual contracts
  • Custom MSA, DPA, and SLA
  • Dedicated Slack and WhatsApp channel
  • Manual reviewers on demand
  • Reseller and white-label terms
  • Exclusive features and partner integrations
  • Named CSM, security review, compliance support
Talk to us

Start free → pay only when a check runs → unlock Enterprise for a custom contract, SLA, or data residency.

FAQ

Common questions

Related

Related modules + workflows

Infrastructure for identity and fraud.

One API for KYC, KYB, Transaction Monitoring, and Wallet Screening. Integrate in 5 minutes.

Start freeTalk to us
Ask an AI to summarise this page