免费
每月 $0。无需信用卡。
- 免费 KYC 套件(身份验证 + 被动活体检测 + 人脸匹配 + 设备与 IP 分析), 每月 500 次,永久有效
- 黑名单用户
- 重复检测
- 每次会话 200+ 欺诈信号
- Didit 网络中可重复使用的 KYC
- 案件管理平台
- 工作流构建器
- 公开文档、沙盒、SDK、MCP(模型上下文协议)服务器
- 社区支持


全球2,000多家组织信赖。

攻击者如何攻击
撞库、SIM 卡劫持和会话劫持攻击都能绕过密码和一次性验证码。 在操作发生时,用 Didit 升级验证取代它们, 每次调用 $0.10,2秒内出结果,每月免费500次。
选择您需要的检查项, 身份、活体、人脸比对、制裁名单、地址、年龄、电话、邮箱、自定义问题。在控制台中将它们拖入工作流,或通过我们的 API 发布相同的工作流。根据条件分支,运行 A/B 测试,无需代码。
通过我们的 Web、iOS、Android、React Native 或 Flutter SDK 进行原生嵌入。重定向到托管页面。或者直接通过电子邮件、短信、WhatsApp 等任何方式向您的用户发送链接。选择适合您技术栈的方式。
Didit 负责托管摄像头、灯光提示、移动设备切换和辅助功能。当用户在流程中时,我们实时评估200多个欺诈信号,并根据权威数据源验证每个字段。在两秒内出结果。
实时签名 Webhook 可在用户通过、拒绝或需要审核时,立即同步您的数据库。您可以按需轮询 API,或打开控制台检查每个会话、每个信号,并按您的方式管理案例。
Didit · 升级策略
Didit · 生物识别认证
步骤 2 / 2
请保持静止以进行检查
Didit · 人脸比对 1:1
注册
提升验证
Didit · 被动活体检测
Didit · 设备与 IP 分析
Didit · Webhook · X-Signature-V2
{
"session_id": "abc-…",
"vendor_data": "user-42",
"status": "Approved",
"liveness": { "status": "Approved" },
"face": { "status": "Approved",
"similarity_score": 0.94 }
}$ curl -X POST https://verification.didit.me/v3/session/ \
-H "x-api-key: $DIDIT_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"workflow_id": "wf_ato_step_up",
"vendor_data": "user-42",
"metadata": { "trigger": "high_value_transfer" },
// base64 KYC enrolment selfie, ≤ 1MB
"portrait_image": "/9j/4AAQSkZJRgABAQE..."
}'{ "session_url": "verify.didit.me/..." }// X-Signature-V2 verified upstream
if (payload.status === "Approved") {
unblockAction(payload.vendor_data);
} else if (payload.status === "Declined") {
logWarnings(payload.liveness.warnings);
blockAndAlert(payload.vendor_data);
}状态:已批准 · 已拒绝 · 审核中 · 未完成You are integrating Didit account-takeover defence into an application that already has the user signed in. Your job: when a sensitive action fires (large transfer, password reset, payout to a new destination, new-device login, geo anomaly), gate it on a Didit biometric step-up. One API call. One signed webhook. Three branches.
WHY THIS SHAPE
- Credential stuffing, SIM-swap, and stolen-session-cookie attacks all walk past passwords and SMS one-time codes. A face check at the moment of the sensitive action does not.
- Didit runs Passive Liveness (the user is alive, present, not a deepfake) plus 1:1 Face Match against the portrait captured at sign-up. A stolen selfie cannot pass — the comparison target is locked to the original enrollment.
- $0.10 per step-up (Biometric Authentication module) + $0.03 IP pre-check (optional) = around $0.13 per event. Sub-two-second verdict on entry-level Android. 500 verifications free every month.
PRE-REQUISITES
- Production API key from https://business.didit.me (sandbox key in 60 seconds, no credit card).
- A webhook endpoint with HMAC SHA-256 verification of the X-Signature-V2 header using your webhook secret.
HMAC-SHA256 verification MUST run against the raw body bytes (the raw payload as Didit sent it) BEFORE any JSON parsing — re-serialising the parsed body changes whitespace and key order, which invalidates the signature. - A Workflow Builder workflow that bundles Passive Liveness + Face Match 1:1 (with the user's stored sign-up portrait as the comparison target). Optionally compose Device & IP Analysis ahead of the step-up to pre-gate the check.
- Persist the user's sign-up portrait — either base64 on your side, or rely on Didit's stored enrollment via vendor_data lookup.
STEP 1 — Decide WHEN to step up (your code, not Didit's)
Run your usual fraud signals. Common triggers worth a biometric step-up:
- Wire / crypto transfer above the user's daily limit
- Password / email reset on a session less than 24h old
- Payout to a bank account or wallet seen for the first time
- Login from a new device or new country
- Velocity anomaly — N actions of type T within window W
Cheap pre-check (optional, ~100ms, $0.03):
- Score the user's IP via Device & IP Analysis. If the IP is a residential trusted address with a low risk score AND the device fingerprint matches the user's trusted device, skip the step-up. Otherwise run Step 2.
STEP 2 — Create a biometric step-up session
POST https://verification.didit.me/v3/session/
Headers:
x-api-key: <your api key>
Content-Type: application/json
Body:
{
"workflow_id": "<wf id bundling Passive Liveness + Face Match 1:1>",
"vendor_data": "<your user id, max 256 chars>",
"callback": "https://<your-app>/ato/step-up/callback",
"metadata": {
"trigger": "high_value_transfer",
"action_id": "<your internal action reference>"
},
"portrait_image": "<base64 JPEG of the user's stored sign-up portrait, ≤ 1 MB — REQUIRED when the workflow has FACE_MATCH active; the step-up matches the new live selfie against this stored reference>"
}
Response: 201 Created with a hosted session URL. Redirect the user there inline (or open it in a webview / Didit mobile SDK). The action stays BLOCKED on your side until the signed webhook lands.
STEP 3 — Read the signed webhook on completion
Didit POSTs the decision to your callback. Verify X-Signature-V2 (HMAC SHA-256 of the raw request body using your webhook secret) BEFORE reading the JSON.
Payload (excerpted):
{
"session_id": "<uuid>",
"vendor_data": "<your user id>",
"status": "Approved",
"liveness": { "status": "Approved" },
"face": { "status": "Approved", "similarity_score": 0.94 },
"ip_analysis": { "status": "Approved", "score": 11 }
}
Session status enum (exact case, Title Case With Spaces): Approved | Declined | In Review | Resubmitted | Expired | Not Finished | Kyc Expired | Abandoned.
STEP 4 — Branch the original action on status
Approved → unblock the sensitive action. Log session_id + similarity score on the audit trail.
In Review → hold the action, route to a human review queue.
Declined → block the action, log liveness warnings (mask / deepfake / replay / morph), alert the user.
Not Finished → invite the user to retry with a fresh session URL.
Expired → resend the link; the original session has timed out.
Abandoned → the user closed the flow before completing; resend the link.
STEP 5 — (Optional) Pull the full decision payload
GET https://verification.didit.me/v3/session/{session_id}/decision/
Headers:
x-api-key: <your api key>
Returns the same payload as the webhook plus the structured signals (liveness warnings, face-match similarity, IP / device flags). Use for analyst review.
WEBHOOK EVENT NAMES
- Sessions: standard session webhook (one endpoint, status field tells you where in the lifecycle).
- Verify X-Signature-V2 (HMAC SHA-256) on every payload.
CONSTRAINTS
- Session statuses use Title Case With Spaces (Approved, In Review). Never use UPPER_SNAKE_CASE for session verdicts — that's the Transactions API and lives in a different surface.
- 1:1 face match's comparison target is the user's STORED sign-up portrait, not a freshly captured one. A stolen selfie cannot pass.
- iBeta Level 1 Presentation Attack Detection (PAD) certified against the full ISO/IEC 30107-3 catalogue — print, replay, paper / silicone / latex mask, deepfake, morph.
- The Workflow Builder is where you choose the modules in the step-up — change them in the console without redeploying.
- 200+ fraud signals are surfaced on every session at no extra cost — read them off the decision payload, don't re-query.
Read the docs:
- https://docs.didit.me/sessions-api/create-session
- https://docs.didit.me/core-technology/biometric-auth/overview
- https://docs.didit.me/core-technology/ip-analysis/overview
- https://docs.didit.me/integration/webhooks
Start free at https://business.didit.me — sandbox key in 60 seconds, 500 verifications free every month, no credit card.每月 $0。无需信用卡。
按实际用量付费。25+模块。公开的模块定价,无每月最低费用。
定制MSA和SLA。适用于大批量和受监管项目。
免费开始 → 仅在检查运行时付费 → 解锁企业版以获取定制合约、SLA 或数据驻留。
Didit 是身份和欺诈基础设施, 一个我们自己构建产品时梦寐以求的平台:开放、灵活、对开发者友好,因此它能真正融入您的技术栈,而不是一个需要您围绕其进行集成的黑盒。
一个 API 涵盖了个人验证(KYC,了解您的客户)、企业验证(KYB,了解您的业务)、加密钱包筛选(KYT,了解您的交易)以及实时交易监控, 所有这些都建立在一个旨在实现以下目标的堆栈上:
底层支持:14,000 多种文档类型,支持 48 种以上语言,1,000 多个数据源,以及每次会话的 200 多个欺诈信号。Didit 基础设施从每次会话中动态学习,并日益完善。
账户盗用 (ATO) 发生在攻击者获得合法用户账户控制权时, 通常通过被盗凭据、被劫持的会话 cookie 或拦截一次性密码 (OTP) 的 SIM 卡交换。然后,他们会清空钱包、转移资金、更改支付详情,或重置电子邮件并将真实所有者锁定在外。
这种攻击绕过了密码,因为密码本身是正确的。它绕过了短信服务 (SMS) 验证码,因为攻击者控制了电话号码。防御措施是在行动发生时,用攻击者不具备的东西, 合法用户的面部, 来中断它。
因为 SIM 卡交换欺诈将短信服务 (SMS) 验证码送到了攻击者的手中。攻击者说服运营商将受害者的号码移植到新的用户识别模块 (SIM);从那时起,银行发送的每个验证码都会到达攻击者的手机上。
2026 年的钓鱼工具包也能实时代理验证码, 用户将其输入虚假页面,工具包将其转发到真实网站,会话随即开启。短信为每个渠道提供一个共享密钥;生物识别技术则为摄像头前的人提供与操作绑定的证明。
整个流程通常在 30 秒内完成, 拿起身份证件,拍摄证件,拍摄自拍,完成。这是市场上最快的速度。传统的 KYC 提供商完成相同流程通常需要超过 90 秒。
在后端,Didit 在p99 下两秒内返回结果,从用户完成自拍到您的 webhook 触发。移动端捕获针对慢速手机和慢速网络进行了优化:渐进式图像压缩、延迟 SDK 加载,以及如果用户从网页端开始,通过二维码一键从桌面端切换到手机端。
注册是首次捕获用户身份, 政府身份证件、光学字符识别 (OCR)、被动活体检测以及作为注册基线的肖像。这是一个一次性的、重量级的流程。
二次验证是轻量级、可重复的版本。相同的活体检测引擎在新自拍上运行;人脸比对 1:1 将新自拍与存储的注册肖像进行比较。无需身份证件,无需 OCR。两秒内完成,每次会话 $0.10。
每个会话都会落入七种明确状态之一,因此您的代码始终知道该怎么做:
Approved, 所有检查通过。让用户继续。Declined, 一个或多个检查失败。您可以允许用户重新提交特定的失败步骤(例如,重新拍摄自拍),而无需重新运行整个流程。In Review, 标记为合规审查。在控制台中打开案例,查看所有信号,决定批准或拒绝。In Progress, 用户正在进行中。Not Started, 链接已发送,用户尚未打开。如果长时间未打开,发送提醒。Abandoned, 用户打开了链接但未及时完成。重新激活或使其过期。Expired, 会话链接已过期。创建新会话。每次状态更改都会触发一个签名的 webhook,因此您的数据库始终保持同步。放弃和拒绝的会话是免费的。
生产数据默认在欧盟通过 Amazon Web Services 进行处理和存储。企业合同可以根据监管机构要求,申请其他区域。
无处不在的加密。 所有数据库、对象存储和备份中的静态数据均采用 AES-256 加密。所有 API 调用、webhook 和业务控制台会话中的传输数据均采用传输层安全协议 1.3。生物识别数据在单独的客户主密钥下加密。
保留期限由您控制。 默认保留期限为无限期(无限制),除非您配置更短的期限, 每个应用程序可在30 天到 10 年之间, 您可以随时从仪表板或 API 删除任何单个会话。
认证:SOC 2 Type 1(Type 2 审计进行中)、ISO/IEC 27001:2022、iBeta Level 1 PAD,以及来自西班牙 Tesoro / SEPBLAC / CNMV 的公开证明,表明 Didit 的远程身份验证比亲自验证更安全。完整报告请访问 /security-compliance。
Didit 默认符合对身份基础设施至关重要的监管机构要求:
详细备忘录、所有证书、所有监管机构函件:/security-compliance。
三种集成路径, 选择最适合您技术栈的:
相同的仪表板、相同的计费、相同的按成功付费价格适用于所有三种方式。分步指南请访问 docs.didit.me/integration/integration-prompt。
在二次验证之前进行设备和 IP 分析。每次检查 $0.03,耗时不到 100 毫秒,返回 0-100 的风险评分,以及虚拟专用网络 (VPN)、代理、洋葱路由 (Tor)、数据中心、国家和自治系统编号 (ASN) 标志。
如果网络看起来干净(住宅互联网服务提供商 (ISP)、受信任的设备指纹、无国家/地区切换),则跳过人脸识别。如果评分高或任何标志触发,则运行二次验证。这使得生物识别预算用于真正需要的事件。
两项费用:
每次经过全面筛选的敏感操作约 $0.13。每个账户每月前 500 次验证免费, 大多数团队发现他们的二次验证量在最初几周内都在此免费额度内。
无最低消费,无年度承诺,无按席位定价。
此方案适用于任何处理高价值操作的团队。常见的实时模式:
相同的 Workflow Builder,不同的触发器, 一次集成,一个定价方案。