$0.33 first verification, selfie-only reauth on every return for free, cross-partner share via short-lived encrypted tokens. 500 verifications free every month.
Robinhood Ventures
Trusted by 2,000+ organizations worldwide.
What identity owes
Once a user is verified to the Didit bar, iBeta Level 1 anti-spoof, sub-2-second verdict, 14,000+ documents, that verification is portable. Same brand, second app: free selfie-only reauth. Trusted partner, fresh signup: a short-lived encrypted share token onboards them instantly. The user owns the credential, eIDAS2-aligned.
Pick the checks you want, ID, liveness, face match, sanctions, address, age, phone, email, custom questions. Drag them into a flow in the dashboard, or post the same flow to our API. Branch on conditions, run A/B tests, no code required.
Embed natively with our Web, iOS, Android, React Native, or Flutter SDK. Redirect to a hosted page. Or just send your user a link, by email, SMS, WhatsApp, anywhere. Pick what fits your stack.
Didit hosts the camera, the lighting cues, the mobile hand-off, and accessibility. While the user is in the flow, we score 200+ fraud signals in real time and verify every field against authoritative data sources. Result in under two seconds.
Real-time signed webhooks keep your database in sync the moment a user is approved, declined, or sent to review. Poll the API on demand. Or open the console to inspect every session, every signal, and manage cases your way.
Didit · User-owned credential
Step 2 / 3
Re-present identity
Didit · Share session
Partner A
Partner B
Didit · Trust policy
Didit · Reusable KYC reauth
Didit · Privacy controls
Consent record
Token + audit
Didit · Network
$ curl -X POST https://verification.didit.me/v3/session/$SID/share/ \
-H "x-api-key: $DIDIT_API_KEY" \
-d '{
"audience": "partner_b",
"expires_in": 900
}'$ curl -X POST https://verification.didit.me/v3/session/import-shared/ \
-H "x-api-key: $PARTNER_B_KEY" \
-d '{
"share_token": "eyJhbGci…",
"workflow_id": "partner_b_wf",
"vendor_data": "user-on-partner-b",
"trust_review": true
}'You are integrating Didit reusable identity. Your users get verified once with full KYC and then re-present that verification on every subsequent service — your own platforms (same-platform reuse via Reusable KYC) and trusted partner platforms (cross-partner Share Session API).
Three pillars:
1. Verify once with full KYC ($0.33 bundle) via POST /v3/session/.
2. On the SAME platform, returning users re-prove identity with a selfie only — free, via the Reusable KYC workflow.
3. To a TRUSTED PARTNER, the first platform generates a short-lived share token (POST /v3/session/{id}/share/); the partner imports it (POST /v3/session/import-shared/) and the user lands fully onboarded.
Cost:
- First verification: $0.33 (Sessions API)
- Same-platform selfie-only reauth: free (Reusable KYC workflow)
- Cross-partner import: priced per call, from $0.30 — Partner B pays the import fee
- First 500 verifications free every month, forever
PRE-REQUISITES
- Production API key from https://business.didit.me (sandbox key in 60s, no card).
- Webhook endpoint with HMAC SHA-256 verification using the X-Signature-V2 header and your webhook secret.
- Two workflows in the Workflow Builder:
wf_first_verification — ID Verification + Passive Liveness + Face Match 1:1 + Device & IP Analysis + Anti-Money Laundering (AML) Screening
wf_reusable_kyc — Reusable KYC (selfie-only reauth)
- For cross-partner: a pre-arranged backend channel with the partner (a webhook, a queue, or even an authenticated REST call between your services) so the share token can be transmitted out-of-band.
STEP 1 — First verification (Sessions API)
POST https://verification.didit.me/v3/session/
Headers:
x-api-key: <your api key>
Content-Type: application/json
Body:
{
"workflow_id": "<wf_first_verification>",
"vendor_data": "<your user id, max 256 chars>",
"callback": "https://<your-app>/identity/callback"
}
Response: 201 Created with the hosted session URL. Sub-2-second median verdict on completion.
STEP 2 — Read the signed webhook on verification completion
Didit POSTs to your callback. Session statuses are Title Case With Spaces:
Body (excerpted):
{
"session_id": "<uuid>",
"vendor_data": "<your user id>",
"status": "Approved",
"id_verification": { "status": "Approved" },
"liveness": { "status": "Approved" },
"face": { "status": "Approved", "similarity_score": 0.94 }
}
Status enum (exact case): Approved | Declined | In Review | Resubmitted | Expired | Not Finished | Kyc Expired | Abandoned.
Verify the X-Signature-V2 header BEFORE reading the body — HMAC SHA-256 of the raw bytes with your webhook secret.
Store the (user_id, session_id, status) tuple. session_id is the handle you reuse for shares.
STEP 3 — Same-platform reuse (Reusable KYC selfie-only reauth)
When the same user returns for a new flow:
POST https://verification.didit.me/v3/session/
Body:
{
"workflow_id": "<wf_reusable_kyc>",
"vendor_data": "<your user id>",
"callback": "https://<your-app>/identity/reauth-callback"
}
The hosted UI prompts the user for a selfie only — no document re-capture. Didit matches the selfie against the original verified template, returns Approved in under two seconds, free.
STEP 4 — Cross-partner share (Partner A generates a share token)
Only finished sessions (Approved / Declined / In Review) can be shared.
POST https://verification.didit.me/v3/session/{sessionId}/share/
Headers:
x-api-key: <Partner A's api key>
Content-Type: application/json
Body:
{
"audience": "<partner_b_identifier>",
"expires_in": 900
}
Response (excerpted):
{
"share_token": "eyJhbGciOiJIUzI1NiJ9...",
"session_kind": "kyc",
"expires_at": "<ISO8601>"
}
Transmit the share_token to Partner B via your pre-arranged backend channel.
STEP 5 — Cross-partner import (Partner B imports the session)
POST https://verification.didit.me/v3/session/import-shared/
Headers:
x-api-key: <Partner B's api key>
Content-Type: application/json
Body:
{
"share_token": "eyJhbGciOiJIUzI1NiJ9...",
"workflow_id": "<Partner B's workflow id>",
"vendor_data": "<Partner B's internal user id>",
"trust_review": true
}
trust_review options:
true — Partner B trusts Partner A's verdict (Approved / Declined). The imported session keeps the original status.
false — Partner B copies the data but sets status to "In Review" so Partner B's compliance team can apply their own thresholds.
Constraints (verified against mintlify-docs/core-technology/reusable-kyc/share-kyc-via-api.mdx):
- A specific session can be imported only ONCE into a given partner application.
- The share_token is short-lived (defaults to 15 minutes).
- End-to-end encrypted; only the named audience can import.
STEP 6 — Audit the consent + the share
Log every share + every import with:
- user_pid (the pseudonymous user identifier)
- audience (which partner)
- purpose (onboarding, lending, payments, etc.)
- scope (kyc, kyc + aml, kyc + kyb)
- share_token id + expiry
- import status
Default retention 5 years post-relationship per the EU AML package; longer under your supervisor's guidance.
WEBHOOK EVENT NAMES
- Sessions: status changes flow through the standard session webhook.
- Verify X-Signature-V2 on every payload.
CONSTRAINTS
- Session statuses use Title Case With Spaces (Approved, In Review). Don't transform them.
- Share tokens are scoped to the named audience and the named purpose — they're not bearer tokens for free reuse.
- The user must consent before a share happens. Capture explicit consent in your UI; Didit logs the consent against the session.
- Reusable KYC selfie-only reauth is free; cross-partner imports are priced at Partner B's account.
- 200+ fraud signals are evaluated on every fresh session at no extra cost.
Read the docs:
- https://docs.didit.me/sessions-api/create-session
- https://docs.didit.me/sessions-api/share-session/share
- https://docs.didit.me/sessions-api/share-session/import
- https://docs.didit.me/core-technology/reusable-kyc/overview
- https://docs.didit.me/core-technology/reusable-kyc/share-kyc-via-api
- https://docs.didit.me/integration/webhooks
Start free at https://business.didit.me — sandbox key in 60 seconds, 500 verifications free every month, no credit card.$0 / month. No credit card required.
Pay only for what you use. 25+ modules. Public per-module pricing, no monthly minimum fee.
Custom MSA & SLA. For large volumes and regulated programs.
Start free → pay only when a check runs → unlock Enterprise for a custom contract, SLA, or data residency.
Didit is infrastructure for identity and fraud, the platform we wished existed when we were building products ourselves: open, flexible, and developer-friendly, so it works as a real part of your stack instead of a black box you integrate around.
One API covers verifying people (KYC, know your customer), verifying businesses (KYB, know your business), screening crypto wallets (KYT, know your transaction), and monitoring transactions in real time, on a stack built to be:
The footprint underneath: 14,000+ document types in 48+ languages, 1,000+ data sources, and 200+ fraud signals on every session. The Didit infrastructure dynamically learns from every session and gets better every day.
It's an identity verification you do once, full document + face + AML, that the user can then re-present on every future service without redoing the document capture.
Two flavours:
The credential lives with the user, they consent to each reuse. The shape of the data they share is auditable, scoped, and time-bound.
Three things drop:
For the user, the benefit is just "I already did this". For the platform, it's higher activation, lower CAC (Cost of Acquisition), and a competitive moat against any flow that doesn't reuse.
The full flow normally takes under 30 seconds end-to-end, pick up the ID, snap the document, snap the selfie, done. That is the fastest in the market. Legacy KYC providers usually take more than 90 seconds for the same flow.
On the back end, Didit returns the result in under two seconds at p99, measured from the moment the user finishes the selfie to the moment your webhook fires. Mobile capture is tuned for slow phones and slow networks: progressive image compression, lazy software development kit load, and a one-tap hand-off from desktop to phone via QR code if the user starts on web.
eIDAS 2 (officially Regulation (EU) 2024/1183) is the EU's updated digital-identity regulation, it mandates that every EU citizen gets access to a European Digital Identity Wallet by late 2026.
The wallet's defining property is exactly what reusable identity delivers: the user holds verified credentials in a wallet they control, and re-presents them on demand to public and private services. Didit's reusable-identity recipe is aligned with eIDAS 2, same shape, same user-ownership principle, so platforms building on it today are also building toward the EU's official-wallet world.
Outside the EU, the same recipe still works. The legal anchor is local (UK FCA, US state lender rules, etc.); the technical shape is the same.
Every session lands on one of seven clear statuses, so your code always knows what to do:
Approved, every check passed. Move the user forward.Declined, one or more checks failed. You can allow the user to resubmit the specific failed step (for example, re-take the selfie) without re-running the whole flow.In Review, flagged for compliance review. Open the case in the console, see every signal, decide approve or decline.In Progress, user is mid-flow.Not Started, link sent, user has not opened it yet. Send a reminder if it sits too long.Abandoned, user opened the link but did not finish in time. Re-engage or expire.Expired, the session link aged out. Create a new session.A signed webhook fires on every status change, so your database always stays in sync. Abandoned and declined sessions are free.
Production data is processed and stored in the European Union by default, on Amazon Web Services. Enterprise contracts can request alternative regions for jurisdictions whose regulators require it.
Encryption everywhere. AES-256 at rest across every database, object store, and backup. Transport Layer Security 1.3 in transit on every API call, webhook, and Business Console session. Biometric data is encrypted under a separate Customer Master Key.
Retention is yours to control. Default retention is indefinite (unlimited) unless you configure shorter, between 30 days and 10 years per application, and you can delete any individual session at any time from the dashboard or the API.
Certifications: SOC 2 Type 1 (Type 2 audit in progress), ISO/IEC 27001:2022, iBeta Level 1 PAD, and a public attestation from Spain''s Tesoro / SEPBLAC / CNMV that Didit''s remote identity verification is safer than verifying someone in person. Full report at /security-compliance.
Didit ships compliant by default for the regulators that matter to identity infrastructure:
Detailed memo, every certificate, every regulator letter: /security-compliance.
Three integration paths, pick whichever fits your stack:
Same dashboard, same billing, same pay-per-success price for all three. Step-by-step guide at docs.didit.me/integration/integration-prompt.
Two consent moments:
Didit logs the consent against the session, purpose, audience, scope, expiry, and the log is exportable to your data-subject-access-request (DSAR) and audit tools. Default retention 5 years post-relationship per the EU Anti-Money-Laundering package. Aligned with the General Data Protection Regulation (GDPR), ISO/IEC 27001, and SOC 2 Type 1, all of which Didit holds.
Three load-bearing limits:
Approved, Declined, In Review). Pending sessions can't be shared.The token is signed and end-to-end encrypted. The only thing that travels between Partner A and Partner B is the opaque token; the underlying data fields stay inside Didit until Partner B's authenticated import call.
Pricing breakdown:
$0.33 per user (Sessions API), paid by the verifierThe model rewards reuse: the verifier pays once, the user re-uses many times on the same brand for free, and the only paid step at a partner is the import call, which is materially cheaper than the partner running fresh KYC themselves.
One API for KYC, KYB, Transaction Monitoring, and Wallet Screening. Integrate in 5 minutes.