Ongeza mtiririko nyeti kwa ulinganishaji wa uso wa chini ya sekunde 2 dhidi ya picha iliyosajiliwa. Inayostahimili hadaa. Isiyoweza kubadilishwa SIM. $0.10 kwa uthibitishaji. Uthibitishaji 500 bila malipo kila mwezi.
Inaaminika na mashirika 2,000+ duniani kote.
Inayostahimili hadaa · Isiyoweza kubadilishwa SIM
Kipengele cha pili ni uso wa mtumiaji, unaolinganishwa 1:1 dhidi ya picha waliyosajili wakati wa kujisajili. Uhai huzuia uchapishaji / uchezaji tena / barakoa / shambulio la Mtandao wa Adversarial Generative (GAN) kwenye fremu hiyo hiyo. Uamuzi wa chini ya sekunde 2 kwenye Android ya kiwango cha kuingia. $0.10 kwa uthibitishaji. Uthibitishaji 500 bila malipo kila mwezi.
Chagua ukaguzi unaotaka — Kitambulisho, uhai, ulinganishaji wa uso, vikwazo, anwani, umri, simu, barua pepe, maswali maalum. Ziburute kwenye mtiririko kwenye dashibodi, au chapisha mtiririko huo huo kwenye API yetu. Tawi kwenye masharti, endesha majaribio ya A/B, hakuna msimbo unaohitajika.
Pachika kiasili na Web, iOS, Android, React Native, au Flutter SDK yetu. Elekeza kwenye ukurasa uliopangishwa. Au tuma tu mtumiaji wako kiungo — kwa barua pepe, SMS, WhatsApp, popote. Chagua kinachofaa mrundikano wako.
Didit huandaa kamera, vidokezo vya taa, uhamishaji wa simu, na ufikiaji. Wakati mtumiaji yuko kwenye mtiririko, tunapata alama 200+ za ishara za ulaghai kwa wakati halisi na kuthibitisha kila sehemu dhidi ya vyanzo vya data vya mamlaka. Matokeo chini ya sekunde mbili.
Webhooks zilizosainiwa kwa wakati halisi huweka hifadhidata yako ikisawazishwa mara tu mtumiaji anapoidhinishwa, kukataliwa, au kutumwa kwa ukaguzi. Piga API inapohitajika. Au fungua koni ili kukagua kila kipindi, kila ishara, na kudhibiti kesi kwa njia yako.
Didit · Uthibitishaji wa Kibayometriki
Thibitisha uhamisho
Onyesha uso wako ili uidhinishe
Didit · Kulinganisha Uso 1:1
Amesajiliwa
Ufanano
0.96
LinganishaMoja kwa moja
Didit · Matrix ya mashambulizi
Didit · Vichochezi vya kuongeza hatua
Didit · Webhook · X-Signature-V2
Mzigo
{
"session_id": "<uuid>",
"vendor_data": "user-42",
"status": "Approved",
"face": {
"status": "Approved",
"similarity_score": 0.96
}
}Didit · Uchumi
$ curl -X POST https://verification.didit.me/v3/session/ \
-H "x-api-key: $DIDIT_API_KEY" \
-d '{
"workflow_id": "wf_bio_2fa",
"workflow_type": "biometric_authentication",
"vendor_data": "user-42",
// base64 reference selfie, ≤ 1MB (omit for liveness-only)
"portrait_image": "/9j/4AAQSkZJRgABAQE..."
}'LIVENESS + FACE_MATCH dhidi ya portrait_image iliyotolewa.nyaraka →$ curl -X POST https://verification.didit.me/v3/face-match/ \
-H "x-api-key: $DIDIT_API_KEY" \
-F "image_a=@live.jpg" \
-F "image_b=@enrolled.jpg"You are integrating Didit's Biometric 2FA into <my_stack>. Replace SMS one-time-password (OTP) on sensitive flows — login from a new device, large-value transfer, settings change, account recovery — with a sub-2-second face match against the user's enrolled portrait. Cheaper than SMS. Phishing-resistant. SIM-swap-proof.
1. Enrol the user's portrait ONCE at sign-up via the standard Know Your Customer (KYC) session.
2. On every sensitive action, open a Biometric Authentication session that runs Passive Liveness + Face Match 1:1 against the stored portrait. Verdict in sub-2-seconds.
Pricing (public):
- Biometric Authentication: $0.10 per authentication (Sessions API)
- Standalone Face Match 1:1: $0.05 per match (server-to-server)
- First 500 verifications free every month, forever
PRE-REQUISITES
- Production API key from https://business.didit.me (sandbox key in 60s, no card).
- Webhook endpoint with Hash-based Message Authentication Code (HMAC) SHA-256 verification using the X-Signature-V2 header.
- The user has previously enrolled — either via a full KYC session (recommended; the portrait is stored automatically and never leaves Didit) or via a portrait you supply on each re-auth.
- A workflow_id from the Workflow Builder. The workflow MUST contain LIVENESS, and the session must be opened with workflow_type = "biometric_authentication" (or use a workflow that has FACE_MATCH and pass a portrait_image at session creation).
STEP 1 — Enrolment (one-time, at user sign-up)
Run a standard KYC session at sign-up. Didit stores the portrait (the face captured during the liveness step) as the user's enrolled template, bound to vendor_data.
POST https://verification.didit.me/v3/session/
Body:
{
"workflow_id": "<your KYC workflow>",
"vendor_data": "<your user id>"
}
No additional code — once the user passes KYC, their enrolled portrait is ready for every future re-auth.
STEP 2 — Re-authentication (on every sensitive action)
POST https://verification.didit.me/v3/session/
Headers:
x-api-key: <your api key>
Content-Type: application/json
Body:
{
"workflow_id": "<your biometric_authentication workflow>",
"workflow_type": "biometric_authentication",
"vendor_data": "<the same user id used at enrolment>",
"callback": "https://<your-app>/2fa/callback",
"metadata": {
"reason": "<login_new_device | high_value_txn | settings_change | account_recovery>",
"amount": "<optional, for large-value transfers>"
},
"portrait_image": "<base64 JPEG of the user's enrolment selfie, ≤ 1 MB — REQUIRED when the workflow has FACE_MATCH active; OMIT for liveness-only mode>"
}
Response: 201 Created with the hosted session_url. Redirect the user to it. The hosted UI:
- Opens the front camera
- Captures one passive frame
- Runs Liveness + Face Match 1:1 against the user's enrolled portrait
- Returns the verdict in sub-2-seconds
STEP 3 — Read the signed verdict on the webhook
Body (excerpted for a passing re-auth):
{
"session_id": "<uuid>",
"vendor_data": "<your user id>",
"status": "Approved",
"liveness": { "status": "Approved", "method": "PASSIVE", "score": 96 },
"face": {
"status": "Approved",
"similarity_score": 0.96
}
}
Verify X-Signature-V2 BEFORE trusting the body — HMAC SHA-256 of the raw bytes with your webhook secret.
Session status enum (exact case): Approved | Declined | In Review | Resubmitted | Expired | Not Finished | Kyc Expired | Abandoned.
Branch your application:
Approved → execute the action (sign in, release the transfer, save settings).
Declined → block the action, re-prompt with a higher-friction recovery path (support contact / KYC re-do).
In Review → hold; route to your operations queue.
Not Finished → user abandoned the capture; safe to re-prompt or fall back.
STEP 4 — Alternate path (server-to-server, when you already have the selfie)
If you already captured the selfie locally (native mobile SDK, in-app camera):
POST https://verification.didit.me/v3/face-match/
Headers:
x-api-key: <your api key>
Body (multipart/form-data):
image_a <the live selfie>
image_b <the enrolled portrait>
Response: similarity_score (0-1), status (Approved | Declined | In Review).
Use the standalone path only when you trust your client-side capture pipeline. For browser flows or any surface where the SDK is not embedded, always prefer the hosted session — Didit's liveness check is harder to defeat than a raw camera grab.
WEBHOOK EVENT NAMES
- Sessions: status changes flow through the standard session webhook.
- Always verify X-Signature-V2 on every payload.
CONSTRAINTS
- Base URL for /v3/* endpoints is verification.didit.me (NOT apx.didit.me).
- Feature enum is UPPERCASE: LIVENESS, FACE_MATCH, ID_VERIFICATION, AML, IP_ANALYSIS, AGE_ESTIMATION.
- Method enum is UPPERCASE: PASSIVE, FLASHING, ACTIVE_3D.
- Auth header is x-api-key (lowercase, hyphenated).
- Webhook signature header is X-Signature-V2 (NOT X-Signature).
- Status casing matches exactly: Approved, Declined, In Review, Expired, Not Finished, Resubmitted, Kyc Expired, Abandoned.
- The biometric template is irreversible (a one-way hash) and stored on Didit's infrastructure. You never receive the raw template. Standard data-subject-deletion rules apply.
PRO TIPS
- Pair Biometric 2FA with Device & IP Analysis (bundled into the 200+ fraud-signal stack). A re-auth that originates from a brand-new device + a brand-new IP should always step up to face.
- For the strongest possible surface, swap method PASSIVE for ACTIVE_3D — a short motion challenge — on transfers above your operational risk threshold.
Read the docs:
- https://docs.didit.me/core-technology/biometric-auth/overview
- https://docs.didit.me/sessions-api/create-session
- https://docs.didit.me/integration/webhooks
Start free at https://business.didit.me — sandbox key in 60 seconds, 500 verifications free every month, no credit card.$0 / mwezi. Hakuna kadi ya mkopo inayohitajika.
Lipa tu kwa kile unachotumia. Moduli 25+. Bei ya umma kwa kila moduli, hakuna ada ya chini ya kila mwezi.
MSA & SLA maalum. Kwa idadi kubwa na programu zilizodhibitiwa.
Anza bure → lipa tu wakati ukaguzi unafanyika → fungua Biashara kwa mkataba maalum, SLA, au makazi ya data.
Didit ni miundombinu ya utambulisho na udanganyifu — jukwaa tulilotamani lingekuwepo tulipokuwa tukijenga bidhaa sisi wenyewe: wazi, rahisi, na rafiki kwa watengenezaji, ili lifanye kazi kama sehemu halisi ya stack yako badala ya sanduku jeusi unalounganisha.
API moja inashughulikia kuthibitisha watu (KYC, mjue mteja wako), kuthibitisha biashara (KYB, ijue biashara yako), kuchunguza pochi za crypto (KYT, ijue muamala wako), na kufuatilia miamala kwa wakati halisi — kwenye stack iliyojengwa kuwa:
Alama ya chini: aina 14,000+ za hati katika lugha 48+, vyanzo 1,000+ vya data, na ishara 200+ za udanganyifu kwenye kila kikao. Miundombinu ya Didit hujifunza kwa nguvu kutoka kwa kila kikao na inaboresha kila siku.
Uthibitishaji wa sababu ya pili kwa kutumia uso wa mtumiaji, si msimbo uliotumwa kupitia mtandao. Sababu ya kwanza ni kile mtumiaji anachojua (nenosiri, nenosiri la siri, kiungo cha uchawi). Sababu ya pili ni kile mtumiaji alicho — selfie hai inayolingana 1:1 na picha ambayo mtumiaji alijiandikisha hapo awali.
Inakaa mahali pale pale kama nenosiri la mara moja la SMS (OTP) katika mtiririko wa programu yako, lakini kwa gharama tofauti, usalama, na wasifu wa ubadilishaji.
Aina nne za mashambulizi zilizoelezwa vizuri huishinda. Shirika la Upelelezi la Shirikisho la Marekani (FBI) na Kituo cha Kitaifa cha Usalama wa Mtandao cha Uingereza (NCSC) vyote vimechapisha mwongozo unaoelekeza mashirika mbali na SMS kwa mtiririko nyeti.
Mtiririko kamili kwa kawaida huchukua chini ya sekunde 30 kuanzia mwanzo hadi mwisho — chukua kitambulisho, piga picha hati, piga picha selfie, umemaliza. Hiyo ndiyo kasi zaidi sokoni. Watoa huduma wa zamani wa KYC kwa kawaida huchukua zaidi ya sekunde 90 kwa mtiririko huo huo.
Kwa upande wa nyuma, Didit inarudisha matokeo katika chini ya sekunde mbili kwa p99, ikipimwa kutoka wakati mtumiaji anamaliza selfie hadi wakati webhook yako inapoanza. Kunasa kwa simu kumeundwa kwa simu za polepole na mitandao ya polepole: ukandamizaji wa picha unaoendelea, upakiaji wa polepole wa SDK, na uhamishaji wa kugusa mara moja kutoka kompyuta hadi simu kupitia msimbo wa QR ikiwa mtumiaji anaanza kwenye wavuti.
Timu nyingi hujiandikisha wakati wa kikao cha awali cha Know Your Customer (KYC) cha mtumiaji. Picha iliyonaswa na hatua ya uhai huhifadhiwa ikiwa imefungwa kwa vendor_data yako na kutumika kama kiolezo cha kila uthibitishaji unaofuata.
Ikiwa huendeshi KYC wakati wa kujisajili, unaweza kuendesha kikao cha usajili cha mara moja dhidi ya mtiririko wa kazi wa Didit ambao una LIVENESS + FACE_MATCH pekee. Njia yoyote inagharimu $0.10 mara moja, na kiolezo kinachotokana kinaweza kutumika tena kwa kila uthibitishaji wa baadaye.
Kila kikao kinatua kwenye mojawapo ya hali saba zilizo wazi, kwa hivyo msimbo wako unajua nini cha kufanya kila wakati:
Imeidhinishwa — kila ukaguzi umepita. Mpeleke mtumiaji mbele.Imekataliwa — ukaguzi mmoja au zaidi umeshindwa. Unaweza kumruhusu mtumiaji kutuma tena hatua maalum iliyoshindwa (kwa mfano, piga tena selfie) bila kurudia mtiririko mzima.Inapitiwa — imewekwa alama kwa ukaguzi wa kufuata. Fungua kesi kwenye koni, angalia kila ishara, amua kuidhinisha au kukataa.Inaendelea — mtumiaji yuko katikati ya mtiririko.Haijaanza — kiungo kimetumwa, mtumiaji bado hajafungua. Tuma ukumbusho ikiwa inakaa muda mrefu sana.Imetelekezwa — mtumiaji alifungua kiungo lakini hakumaliza kwa wakati. Rudisha ushiriki au muda umekwisha.Muda Umekwisha — kiungo cha kikao kimepitwa na wakati. Unda kikao kipya.Webhook iliyotiwa saini inawaka kwenye kila mabadiliko ya hali, kwa hivyo hifadhidata yako inabaki sawa kila wakati. Vikao vilivyotelekezwa na vilivyokataliwa ni bure.
Data ya uzalishaji inachakatwa na kuhifadhiwa katika Umoja wa Ulaya kwa chaguo-msingi, kwenye Huduma za Wavuti za Amazon. Mikataba ya biashara inaweza kuomba mikoa mbadala kwa mamlaka ambayo wadhibiti wao wanahitaji.
Usimbaji fiche kila mahali. AES-256 ikiwa imetulia kwenye kila hifadhidata, hifadhi ya vitu, na chelezo. Usalama wa Tabaka la Usafiri 1.3 ikiwa inasafiri kwenye kila simu ya API, webhook, na kikao cha Dashibodi ya Biashara. Data ya kibayometriki imesimbwa kwa kutumia Ufunguo Mkuu wa Mteja tofauti.
Uhifadhi ni wako kudhibiti. Uhifadhi wa chaguo-msingi ni usio na kikomo (usio na ukomo) isipokuwa ukisanidi mfupi zaidi — kati ya siku 30 na miaka 10 kwa kila programu — na unaweza kufuta kikao chochote cha kibinafsi wakati wowote kutoka kwenye dashibodi au API.
Vyeti: SOC 2 Aina ya 1 (ukaguzi wa Aina ya 2 unaendelea), ISO/IEC 27001:2022, iBeta Kiwango cha 1 PAD, na uthibitisho wa umma kutoka Tesoro / SEPBLAC / CNMV ya Uhispania kwamba uthibitishaji wa utambulisho wa mbali wa Didit ni salama zaidi kuliko kumthibitisha mtu ana kwa ana. Ripoti kamili katika /security-compliance.
Didit inatii sheria kwa chaguo-msingi kwa wadhibiti muhimu kwa miundombinu ya utambulisho:
Memo ya kina, kila cheti, kila barua ya mdhibiti: /security-compliance.
Njia tatu za ujumuishaji — chagua inayofaa stack yako:
Dashibodi sawa, bili sawa, bei sawa ya kulipa kwa mafanikio kwa zote tatu. Mwongozo wa hatua kwa hatua katika docs.didit.me/integration/integration-prompt.
Ni mbadala wa mkataba wako uliopo wa kupiga simu wa nenosiri la mara moja.
POST /v3/session/ na workflow_type: "biometric_authentication" na vendor_data ile ile uliyotumia wakati wa usajili.session_url iliyorudishwa.X-Signature-V2 kwenye webhook kabla ya kuamini mwili.status — Imeidhinishwa (tekeleza hatua), Imekataliwa (zuia), Inapitiwa (foleni), Haijamalizika (rudia kuuliza).Timu nyingi hubadilisha SMS kwa uso ndani ya wikendi. Kidokezo kamili kinachoweza kubandikwa na wakala kiko hapo juu; seva ya Model Context Protocol (MCP) inazungumza nyuso zote mbili.
Mechi ya Uso 1:1 ni imara kwa mabadiliko ya wastani ya kuonekana — nywele za usoni, miwani, rangi ya nywele, mwanga. Alama ya kufanana inayorudishwa kwa kila uthibitishaji inaonyesha jinsi mfumo unavyoamini.
Kwa watumiaji wanaotoka nje ya kizingiti cha kuidhinisha kiotomatiki (kesi ya kawaida: mabadiliko makubwa ya uzito, upasuaji, kuzeeka kwa miaka mingi), uamuzi unarudisha Inapitiwa na kuelekeza kwenye foleni yako ya shughuli. Njia ya kawaida ya kurejesha ni kikao cha usajili upya — simu moja ya KYC inaburudisha picha, na uthibitishaji unaofuata unatumia kiolezo kipya.
Ndio kwa kitengo cha urithi. Viwango vya Kiufundi vya Udhibiti wa Mamlaka ya Benki ya Ulaya kuhusu Uthibitishaji Thabiti wa Mteja vinatambua sifa za kibayometriki (kitu ulicho nacho) kama sababu halali ya pili inapounganishwa na mojawapo ya kategoria zingine mbili (maarifa au umiliki).
Kwa mtiririko kamili wa uthibitishaji thabiti wa mteja wa PSD2, unganisha biometric 2FA na nenosiri la mtumiaji (maarifa) au kikao kilichofungwa na kifaa (umiliki). Uamuzi uliotiwa saini wa Didit ni ushahidi wa kifurushi cha ukaguzi wa sababu ya urithi.
API moja kwa KYC, KYB, Ufuatiliaji wa Miamala, na Uchunguzi wa Wallet. Unganisha kwa dakika 5.