Wahakiki wanafunzi na watahiniwa kwa sekunde.

# Didit industry onboarding — integrate in 5 minutes

You are integrating Didit's identity + fraud stack into <my_stack>. Follow
these steps exactly. Every URL, header, and enum value below is canonical —
do not paraphrase or "improve" them.

## 1. Provision an account
- Sign up: https://business.didit.me (no credit card required).
- Or provision programmatically: POST https://apx.didit.me/auth/v2/programmatic/register/
  (returns an API key bound to the workspace + application).

## 2. Compose a workflow for your vertical
Create a workflow with the modules your vertical needs:
  POST https://verification.didit.me/v3/workflows/
  Header:  x-api-key: <your-api-key>
  Body:    workflow_label, features array — UPPERCASE enum values

Recommended starter bundle (full KYC):
  [
    { "feature": "ID_VERIFICATION" },
    { "feature": "LIVENESS" },
    { "feature": "FACE_MATCH" },
    { "feature": "IP_ANALYSIS" }
  ]

Add per-vertical modules from this list:
  AML_SCREENING, PROOF_OF_ADDRESS, NFC, AGE_ESTIMATION, BIOMETRIC_AUTH,
  PHONE_VERIFICATION, EMAIL_VERIFICATION, QUESTIONNAIRE, DATABASE_VALIDATION.

## 3. Create a verification session
POST https://verification.didit.me/v3/session/
Headers:
  x-api-key: <your-api-key>
  Content-Type: application/json
Body:
  {
    "workflow_id": "<wf_id_from_step_2>",
    "vendor_data": "<your_internal_user_id>",
    "callback":    "<your_webhook_url>"
  }
Response:
  {
    "session_id":  "ses_...",
    "session_url": "https://verify.didit.me/?session_token=...",
    "status":      "Not Started"
  }

Redirect the user to session_url. The hosted UI handles capture, lighting,
mobile handoff, and accessibility for you.

## 4. Webhooks
- Register a destination once via
  POST https://verification.didit.me/v3/webhook/destinations/
  Body: url, subscribed_events: ["session.verified", "session.review_started",
                                  "session.declined", "kyc_expired"]
- Response includes secret_shared_key — store it.
- Every webhook delivery carries an X-Signature-V2 header you MUST verify
  before trusting the payload. Algorithm:
    1. sortKeys(payload) recursively
    2. shortenFloats (truncate trailing zeros after the decimal point)
    3. JSON.stringify the result
    4. HMAC-SHA256 with the secret_shared_key
    5. Hex-encode, compare to the X-Signature-V2 header.

## 5. Read the report
The session payload returns one object per feature. Common fields:
  - status: "Approved" | "Declined" | "In Review" | "Expired" | "Not Finished"
  - id_verification.document_type, document_number, expiration_date
  - liveness.score (0-100), liveness.passed (boolean)
  - face_match.confidence (0-100), face_match.passed
  - aml.hits: array (sanctions / PEP / adverse-media matches)
  - ip_analysis.country, ip_analysis.risk_level
  - warnings: array of risk codes — each surfaces in the console's risk policy

## 6. Hard rules — do not change
- Base URL for /v3/* endpoints is verification.didit.me (NOT apx.didit.me).
- Feature enum is UPPERCASE (e.g. ID_VERIFICATION, LIVENESS, FACE_MATCH, AML_SCREENING).
- Auth header is x-api-key (lowercase, hyphenated).
- Webhook signature header is X-Signature-V2 (NOT X-Signature).
- Always verify webhook signatures before trusting payload data.
- Status casing matches exactly: "Approved", "Declined", "In Review",
  "Expired", "Not Finished" (title-cased, space-separated).

## 7. Pricing reference (public)
- Full KYC bundle (ID + Liveness + Face Match + IP): $0.33 per session
- AML Screening: $0.20 per check, ongoing $0.07 / user / year
- Wallet Screening: $0.15 per screen — or bring your own provider
- 500 free verifications every month, forever, on every account.

## 8. Verify your integration
- Sandbox starts on signup at https://business.didit.me — no separate flag.
- Switch to live: flip the application's environment toggle in console.

When in doubt: https://docs.didit.me