人脸是门票。没有二维码。没有条形码。没有打印件。

You are integrating Didit&apos;s biometric event-ticketing into <my_stack>. The face IS the ticket — no QR code, no barcode, no printout. Two phases:

  1. Enrol the buyer ONCE at ticket purchase. A Sessions API call runs ID Verification + Passive Liveness and stores the buyer&apos;s portrait as the event-index template.
  2. At every gate scan, call the standalone Face Search 1:N endpoint with the camera frame. Sub-1-second match against the event index. Verdict returned inline.

Pricing (public):
  - Enrolment (one-time per buyer): $0.15 ID Verification + $0.10 Passive Liveness = $0.25
  - Face Search 1:N at the gate: free per scan
  - First 500 verifications free every month, forever

PRE-REQUISITES
  - Production API key from https://business.didit.me (sandbox key in 60s, no card).
  - Webhook endpoint with Hash-based Message Authentication Code (HMAC) SHA-256 verification using the X-Signature-V2 header.
 HMAC-SHA256 verification MUST run against the raw body bytes (the raw payload as Didit sent it) BEFORE any JSON parsing — re-serialising the parsed body changes whitespace and key order, which invalidates the signature.  - A workflow_id from the Workflow Builder. The workflow MUST contain ID_VERIFICATION + LIVENESS (and optionally Anti-Money Laundering (AML) if you sell age-restricted access).
  - One Didit account = one face index. Tag every enrolment with metadata.event_id so the gate-side search filters by the right event.

STEP 1 — Enrol at ticket purchase

  POST https://verification.didit.me/v3/session/
  Headers:
    x-api-key: <your api key>
    Content-Type: application/json
  Body:
    {
      "workflow_id": "<your enrolment workflow>",
      "vendor_data": "<your buyer id — must be unique per buyer>",
      "callback": "https://<your-app>/ticketing/enrol/callback",
      "metadata": {
        "order_id": "<your order reference>",
        "event_id": "<the event the buyer is entering>",
        "ticket_tier": "<GA | VIP | accessible | etc>"
      }
    }

  Response: 201 Created with the hosted session_url. Redirect the buyer. After the buyer completes ID Verification + Passive Liveness, the portrait is stored as their face template and bound to vendor_data.

STEP 2 — Read the signed verdict on enrolment completion

  Body (excerpted):
    {
      "session_id": "<uuid>",
      "vendor_data": "<your buyer id>",
      "status": "Approved",
      "id_verification": { "status": "Approved", "document_type": "Passport" },
      "liveness": { "status": "Approved", "method": "PASSIVE", "score": 94 }
    }

  Verify X-Signature-V2 BEFORE trusting the body. On Approved, mark the order as enrolled and bind the order to vendor_data in your application database.

  Session status enum (exact case): Approved | Declined | In Review | Resubmitted | Expired | Not Finished | Kyc Expired | Abandoned.

STEP 3 — At every gate scan, match the face against the event index

  POST https://verification.didit.me/v3/face-search/
  Headers:
    x-api-key: <your api key>
  Body (multipart/form-data):
    image           <the camera frame captured at the gate>
    vendor_data     <optional — restrict the search to a specific buyer>
    metadata        <optional JSON — e.g. { "event_id": "<...>" } to filter>

  Response (excerpted):
    {
      "status": "Approved",
      "matches": [
        {
          "vendor_data": "<buyer id>",
          "similarity_score": 0.96
        }
      ]
    }

  Match outcomes the gate logic should handle:
    - Match found, ticket valid, no prior scan      → grant entry, mark scanned
    - Match found, already inside                    → apply re-entry policy
    - Match found, ticket expired or canceled        → route to staff
    - Match found, ticket resold to another buyer    → block, route to staff
    - No match (similarity below threshold)          → block, fall back to backup ticket flow

STEP 4 — Reusable across every event the same buyer attends

  Because the buyer&apos;s face template is bound to vendor_data, the SAME enrolment works for every future event the same buyer holds a ticket for. No re-enrolment, no re-payment. Reusable Credential semantics applied to the venue use case.

CONSTRAINTS
  - Base URL for /v3/* endpoints is verification.didit.me (NOT apx.didit.me).
  - Feature enum is UPPERCASE: ID_VERIFICATION, LIVENESS, FACE_MATCH, AML, IP_ANALYSIS.
  - Method enum is UPPERCASE: PASSIVE, FLASHING, ACTIVE_3D.
  - Auth header is x-api-key (lowercase, hyphenated).
  - Webhook signature header is X-Signature-V2 (NOT X-Signature).
  - Status casing matches exactly: Approved, Declined, In Review, Expired, Not Finished, Resubmitted, Kyc Expired, Abandoned.
  - The face template is irreversible (a one-way hash). End users can request deletion via the standard data-subject-request path.

ACCESS CONTROL CONSIDERATIONS
  - For minor-attended events, run AGE_ESTIMATION during enrolment to gate age-restricted areas. See /solutions/age-verification.
  - For high-value VIP areas, gate behind a Biometric Authentication step-up. See /solutions/biometric-2fa.
  - For accessibility lanes, surface the ticket-tier metadata on the verdict payload and route the gate UI accordingly.

DATA-PROTECTION NOTES
  - The enrolment selfie produces an irreversible face template; raw images are deleted unless retention is explicitly enabled.
  - The gate frame is processed in memory and not persisted by default.
  - Display the privacy notice (didit.me/terms/verification-privacy-notice) to the buyer before the enrolment selfie. EU GDPR Article 13 requires it.

Read the docs:
  - https://docs.didit.me/core-technology/face-search/overview
  - https://docs.didit.me/sessions-api/create-session
  - https://docs.didit.me/integration/webhooks

Start free at https://business.didit.me — sandbox key in 60 seconds, 500 verifications free every month, no credit card.