Uthibitishaji wa Kibayometriki ($0.10) pamoja na Uchambuzi wa Kifaa na IP ($0.03) hutoa vipengele viwili vya SCA vya daraja la PSD3 katika kidokezo kimoja. Kinachostahimili hadaa. Mbadala wa moja kwa moja wa nenosiri la mara moja la SMS.
Inaaminika na mashirika 2,000+ duniani kote.
Kwa nini SMS OTP inastaafu
PSD3 inaondoa nenosiri la mara moja la SMS kama kipengele cha Uthibitishaji Imara wa Mteja. SCA ya kibayometriki inayofungamana na kifaa ya Didit inazuia ubadilishaji wa SIM, hadaa ya wakati halisi, na kukatiza kwa SS7 — kwa $0.13 kwa uthibitishaji, uamuzi wa chini ya sekunde mbili, tayari kwa kuunganisha kwa nguvu. Uthibitishaji 500 bila malipo kila mwezi.
Chagua ukaguzi unaotaka — kitambulisho, uhai, ulinganifu wa uso, vikwazo, anwani, umri, simu, barua pepe, maswali maalum. Ziburute kwenye mtiririko katika dashibodi, au chapisha mtiririko huo huo kwenye API yetu. Tawi kwenye masharti, endesha majaribio ya A/B, hakuna msimbo unaohitajika.
Pachika kiasili na SDK yetu ya Wavuti, iOS, Android, React Native, au Flutter. Elekeza upya kwenye ukurasa uliopangishwa. Au tuma tu kiungo kwa mtumiaji wako — kwa barua pepe, SMS, WhatsApp, popote. Chagua kinachofaa mrundikano wako.
Didit huandaa kamera, vidokezo vya mwanga, uhamishaji wa simu, na ufikiaji. Wakati mtumiaji yuko kwenye mtiririko, tunapata alama za ishara 200+ za ulaghai kwa wakati halisi na kuthibitisha kila sehemu dhidi ya vyanzo vya data vya mamlaka. Matokeo chini ya sekunde mbili.
Webhooks zilizosainiwa za wakati halisi huweka hifadhidata yako ikisawazishwa mara tu mtumiaji anapoidhinishwa, kukataliwa, au kutumwa kwa ukaguzi. Uliza API inapohitajika. Au fungua koni ili kukagua kila kipindi, kila ishara, na kudhibiti kesi kwa njia yako.
Didit · Vipengele vya SCA
Maarifa
Nenosiri · PIN
Si lazima
Umiliki
Kifaa kilichofungwa
Didit ✓
Uasili
Uso · uhai
Didit ✓
Didit · Kuunganisha kwa Nguvu
Didit · Matrixi ya mashambulizi
Didit · Injini ya msamaha
Didit · Uchambuzi wa Kifaa na IP
Didit · Gharama kwa kila uthibitisho
$ curl -X POST https://verification.didit.me/v3/session/ \
-H "x-api-key: $DIDIT_API_KEY" \
-d '{
"workflow_id": "wf_sca_biometric",
"vendor_data": "user-42",
"metadata": { "purpose": "login" },
// base64 KYC enrolment selfie, ≤ 1MB
"portrait_image": "/9j/4AAQSkZJRgABAQE..."
}'portrait_image. Hakuna usajili upya.nyaraka →$ curl -X POST https://verification.didit.me/v3/session/ \
-H "x-api-key: $DIDIT_API_KEY" \
-d '{
"workflow_id": "wf_sca_biometric",
"vendor_data": "user-42",
"metadata": { "amount": "247.50", "payee_account": "ES91…1332" },
// base64 KYC enrolment selfie, ≤ 1MB
"portrait_image": "/9j/4AAQSkZJRgABAQE..."
}'Kuunganisha kwa nguvu.nyaraka →You are integrating Didit's Strong Customer Authentication into a payment service provider, bank, EMI, or wallet to satisfy PSD3 / the Payment Services Regulation (PSR). Two factors in one prompt:
1. Inherence — Biometric Authentication: Passive Liveness + Face Match 1:1 against the user's previously-enrolled KYC selfie.
2. Possession — Device & IP Analysis: 200+ real-time fraud signals binding the auth to the user's known device.
Pricing (verified live 2026-05-16):
- Biometric Authentication: $0.10 per auth
- Device & IP Analysis: $0.03 per auth
- Total: $0.13 per Strong Customer Authentication
- First 500 verifications free every month, forever
- Re-uses the enrolled selfie from the original KYC — no re-enrolment
PRE-REQUISITES
- Production API key from https://business.didit.me (sandbox key in 60 seconds, no credit card).
- Webhook endpoint with HMAC SHA-256 verification of the X-Signature-V2 header.
- A workflow_id from the no-code Workflow Builder configured as a Biometric Authentication workflow (Passive Liveness + Face Match 1:1 + Device & IP Analysis).
- The user has previously completed a Didit KYC (the same enrolled selfie backs every subsequent auth).
STEP 1 — Open an authentication session
POST https://verification.didit.me/v3/session/
Headers:
x-api-key: <your api key>
Content-Type: application/json
Body (for login auth):
{
"workflow_id": "<wf id for SCA biometric auth>",
"vendor_data": "<your user id>",
"callback": "https://<your-app>/auth/callback",
"metadata": {
"purpose": "login",
"session_id": "<your front-end session id>"
},
"portrait_image": "<base64 JPEG of the user's KYC enrolment selfie, ≤ 1 MB — REQUIRED for SCA's inherence factor; OMIT only if the workflow is liveness-only>"
}
Body (for payment with dynamic linking):
{
"workflow_id": "<wf id for SCA biometric auth>",
"vendor_data": "<your user id>",
"callback": "https://<your-app>/payment/callback",
"metadata": {
"purpose": "payment",
"amount": "247.50",
"currency": "EUR",
"payee_account": "ES9121000418450200051332",
"payee_name": "<merchant or recipient>",
"transaction_reference": "<your internal transaction id>"
},
"portrait_image": "<base64 JPEG of the user's KYC enrolment selfie, ≤ 1 MB — REQUIRED for SCA's inherence factor>"
}
Response: 201 Created with the hosted session URL. Push the URL to the user via deep-link / push notification / in-app sheet.
STEP 2 — User completes the biometric auth
The user sees one prompt on their phone (or via the Didit SDK in your native app). Three things happen on the same screen:
1. The amount + payee are displayed (dynamic linking — the user explicitly approves THIS amount to THIS payee for payments).
2. Passive Liveness defeats screen replay, printed photo, mask, deepfake.
3. Face Match 1:1 matches the new selfie against the enrolled KYC selfie.
Device & IP Analysis runs server-side on the session. Sub-2-second median verdict.
STEP 3 — Read the signed webhook on the auth verdict
Didit POSTs to your callback. Session statuses (Title Case With Spaces):
Body (excerpted):
{
"session_id": "<uuid>",
"vendor_data": "<your user id>",
"status": "Approved",
"liveness": { "status": "Approved" },
"face": { "status": "Approved", "similarity_score": 0.94 },
"ip_analysis": { "status": "Approved", "vpn_detected": false, "datacenter_ip": false },
"metadata_echo": {
"amount": "247.50",
"payee_account": "ES9121000418450200051332"
}
}
Status enum (exact case): Approved | Declined | In Review | Resubmitted | Expired | Not Finished | Kyc Expired | Abandoned.
Verify the X-Signature-V2 header BEFORE reading the body — HMAC SHA-256 of the raw bytes with your webhook secret.
For payments, verify that metadata_echo.amount and metadata_echo.payee_account match the values you passed in. If they do not, REJECT the payment — it's a dynamic-linking violation.
STEP 4 — Branch on verdict
Approved → unlock the action (login, payment, account change).
In Review → hold the action, route to manual review queue.
Declined → block, log the attempt, surface a friendly "try again" to the user.
Resubmitted → the user re-submitted after a soft fail (poor lighting, occlusion); proceed if the latest status is Approved.
STEP 5 — Retrieve the full decision later
GET https://verification.didit.me/v3/session/{sessionId}/decision/
Headers:
x-api-key: <your api key>
Returns the full payload: liveness verdict (iBeta Level 1 anti-spoof certified), Face Match similarity score, device fingerprint, IP geolocation, VPN / proxy / datacenter flags, 200+ fraud-signal score, dynamic-linking echo, HMAC signature.
Use this for the audit-trail surface a regulator examines on Strong Customer Authentication coverage.
STEP 6 — Step up on risk
When Device & IP Analysis surfaces a high-risk signal (new device + high-value payment, VPN/proxy on a login, geolocation jump), your workflow can step up to:
- A separate hardware-key challenge (FIDO2 / WebAuthn)
- A trusted-beneficiary whitelist confirmation
- A manual-review hold
Encode the step-up policy in the no-code Workflow Builder — no redeploy required.
WEBHOOK EVENT NAMES
- Sessions: status changes flow through the standard session webhook.
Verify X-Signature-V2 on every payload.
CONSTRAINTS
- Session statuses use Title Case With Spaces. Never UPPER_SNAKE_CASE on a session.
- Dynamic linking is REQUIRED for payments — pass amount + payee in metadata, verify the echo on the webhook.
- The enrolled selfie that backs every SCA is the one captured during the user's original KYC — no separate enrolment step.
- PSD3 / PSR exemptions (low-value remote < EUR 30, contactless point-of-sale < EUR 50, recurring identical, trusted beneficiary, Transaction Risk Analysis tiers) are configured per workflow in the Business Console.
- Default record retention is 5 years per the EU AML and payments rules.
Read the docs:
- https://docs.didit.me/sessions-api/create-session
- https://docs.didit.me/sessions-api/retrieve-session
- https://docs.didit.me/integration/webhooks
Start free at https://business.didit.me — sandbox key in 60 seconds, 500 verifications free every month, no credit card.$0 / mwezi. Hakuna kadi ya mkopo inayohitajika.
Lipa tu kwa kile unachotumia. Moduli 25+. Bei ya umma kwa kila moduli, hakuna ada ya chini ya kila mwezi.
MSA & SLA maalum. Kwa idadi kubwa na programu zilizodhibitiwa.
Anza bure → lipa tu wakati ukaguzi unafanyika → fungua Biashara kwa mkataba maalum, SLA, au makazi ya data.
API moja kwa KYC, KYB, Ufuatiliaji wa Miamala, na Uchunguzi wa Wallet. Unganisha kwa dakika 5.