您的 AI 代理可以运行 KYC。只需一个命令。

You are installing the Didit Agent Skills into this project and wiring the first verification session against the live https://verification.didit.me/v3/ API. After this prompt, the project should pass identity verification — Know Your Customer (KYC), Anti-Money Laundering (AML) screening, document Optical Character Recognition (OCR) — through Didit.

Didit ships twelve open-source Agent Skills at https://github.com/didit-protocol/skills and follows the open standard at https://agentskills.io. The CLI auto-detects whether you are running inside Cursor, Claude Code, Codex, or OpenCode and drops the skills into the right folder.

PRE-REQUISITES
  - A Didit API key (DIDIT_API_KEY). Either issued from https://business.didit.me, or self-registered by the agent via POST /programmatic/register/ + POST /programmatic/verify-email/ (no browser needed).
  - A workflow_id from the Workflow Builder that bundles ID Verification + Passive Liveness + Face Match + IP Analysis + AML — or just use the didit-kyc-onboarding skill below to create one programmatically.
  - A webhook endpoint that verifies the X-Signature-V2 header with HMAC-SHA256 on the raw body bytes (do NOT re-serialise the parsed JSON; the signature will not match).

STEP 1 — Install the skills

Recommended:

  npx skills add didit-protocol/skills

This installs all twelve skills. To install only one:

  npx skills add didit-protocol/skills --skill didit-face-match

Or git clone the repo and copy what you need:

  git clone https://github.com/didit-protocol/skills.git
  cp -r skills/didit-kyc-onboarding .claude/skills/
  cp -r skills/didit-id-document-verification .claude/skills/

The twelve skills:
  - didit-verification-management   : the hub. Account, sessions, workflows, billing, blocklist, webhook config. 45+ endpoints
  - didit-kyc-onboarding            : full KYC recipe (ID + selfie + face match) in one call
  - didit-id-document-verification  : passports, ID cards, driver's licences. OCR, MRZ, NFC. 4,000+ documents, 220+ countries
  - didit-liveness-detection        : 99.9%-accurate liveness from a single selfie
  - didit-face-match                : compare two faces, get a 0–100 score
  - didit-face-search               : 1:N face search for deduplication and blocklists
  - didit-biometric-age-estimation  : estimate age from a selfie
  - didit-email-verification        : email OTP, detects breached / disposable / undeliverable
  - didit-phone-verification        : phone OTP via SMS, WhatsApp, or Telegram. Catches VoIP
  - didit-aml-screening             : 1,300+ sanctions, PEP, adverse-media lists. Dual-score risk
  - didit-proof-of-address          : utility bills, bank statements. OCR + geocoding
  - didit-database-validation       : government databases across 18 countries

STEP 2 — Set the environment

Every skill reads DIDIT_API_KEY. Session-based skills also expect DIDIT_WORKFLOW_ID. Signed-webhook handlers expect DIDIT_WEBHOOK_SECRET.

  export DIDIT_API_KEY="<your api key>"
  export DIDIT_WORKFLOW_ID="<your workflow id>"   # optional
  export DIDIT_WEBHOOK_SECRET="<your secret>"     # optional

Programmatic alternative (no browser):

  curl -X POST https://apx.didit.me/auth/v2/programmatic/register/ \
    -H "Content-Type: application/json" \
    -d '{"email": "dev@example.com", "password": "MyStr0ng!Pass"}'

  # check the email, get the 6-char code, then:
  curl -X POST https://apx.didit.me/auth/v2/programmatic/verify-email/ \
    -H "Content-Type: application/json" \
    -d '{"email": "dev@example.com", "code": "<code>"}'
  # response includes api_key — export it as DIDIT_API_KEY.

STEP 3 — Create a verification session

  POST https://verification.didit.me/v3/session/
  Headers:
    x-api-key: $DIDIT_API_KEY
    Content-Type: application/json
  Body:
    {
      "workflow_id": "$DIDIT_WORKFLOW_ID",
      "vendor_data": "<your user id, max 256 chars>",
      "callback_url": "https://<your-app>/kyc/callback",
      "metadata": { "source": "agent-skill" }
    }

  Response: 201 Created. The hosted session URL is on the `url` field. Redirect the user, or send them the link by email / SMS / WhatsApp. Sub-2-second p99 verdict on completion.

STEP 4 — Read the signed webhook

Didit POSTs to your callback. KYC session statuses are Title Case With Spaces.

  Body (excerpted):
    {
      "session_id": "<uuid>",
      "vendor_data": "<your user id>",
      "status": "Approved",
      "id_verification": { "status": "Approved" },
      "liveness": { "status": "Approved" },
      "face": { "status": "Approved", "similarity_score": 0.94 },
      "aml": { "status": "Approved", "hits": [] }
    }

  Full enum:
    Approved | Declined | In Review | In Progress | Not Started | Abandoned | Expired | Resubmitted | Awaiting User | Not Finished

  Verify X-Signature-V2 BEFORE parsing the body — HMAC-SHA256 of the raw bytes with your webhook secret. Re-serialising the parsed body changes whitespace and key order and the signature will not match.

STEP 5 — Read the decision on demand

  GET https://verification.didit.me/v3/session/{sessionId}/decision/
  Headers:
    x-api-key: $DIDIT_API_KEY

Returns the full decision payload — id_verification, liveness, face, ip_analysis, aml. Use this whenever the agent needs to confirm the user's status before allowing an action. Never trust client-supplied "I'm verified" flags.

STEP 6 — Branch on status

  Approved      → continue
  Declined      → block, surface decision_reason_code, allow resubmit of the failed step
  In Review     → wait for the analyst webhook; don't block forever
  Resubmitted   → user re-took a failed step; new verdict is coming
  Awaiting User → user hasn't completed the flow; nudge with a reminder
  Expired       → create a new session

Abandoned and Declined sessions are NOT billed.

STEP 7 — Optional: ongoing AML monitoring

If AML monitoring is enabled on the workflow ($0.07 per user per year), Didit fires status.updated whenever the user lands on a new sanctions / PEP / adverse-media list. No extra endpoint to call.

WEBHOOK EVENT NAMES
  - status.updated       : KYC or KYB session status changed
  - data.updated         : session data corrected after creation
  - user.status.updated  : User entity changed status (Active, Flagged, Blocked)
  - user.data.updated    : User entity counters, metadata, or aggregate fields changed
  - activity.created     : timeline activity recorded

Verify X-Signature-V2 on every payload. The webhook secret is per-environment — sandbox is separate from production.

CONSTRAINTS
  - KYC session statuses use Title Case With Spaces (Approved, In Review). Do NOT transform them to UPPER_SNAKE_CASE — that casing is for Know Your Business (KYB) sessions and Transaction Monitoring, not KYC.
  - HMAC verification runs against the RAW request body bytes. Never re-serialise the parsed JSON.
  - Bundle price is $0.30 (ID + Liveness + Face Match + IP Analysis). AML adds $0.20. 500 verifications free every month, forever.
  - Default record retention is unlimited unless you configure it shorter (30 days to 10 years per application).

Read the docs:
  - https://docs.didit.me/getting-started/agent-skills
  - https://docs.didit.me/sessions-api/create-session
  - https://docs.didit.me/sessions-api/retrieve-session
  - https://docs.didit.me/integration/webhooks

Skills repo:
  - https://github.com/didit-protocol/skills

Start free at https://business.didit.me — sandbox key in 60 seconds, 500 verifications free every month, no credit card.