免费
每月 $0。无需信用卡。
- 免费 KYC 套件(身份验证 + 被动活体检测 + 人脸匹配 + 设备与 IP 分析), 每月 500 次,永久有效
- 黑名单用户
- 重复检测
- 每次会话 200+ 欺诈信号
- Didit 网络中可重复使用的 KYC
- 案件管理平台
- 工作流构建器
- 公开文档、沙盒、SDK、MCP(模型上下文协议)服务器
- 社区支持


全球2,000多家组织信赖。

为什么 CAPTCHA 不再有效
商业 CAPTCHA 破解农场只需几美分就能破解 hCaptcha 和 reCAPTCHA Enterprise。被动活体检测需要脚本无法拥有的东西, 一个真实的人站在真实的摄像头前。每次网关检测 $0.10,2 秒内出结果,每月免费 500 次。
选择您需要的检查项, 身份、活体、人脸比对、制裁名单、地址、年龄、电话、邮箱、自定义问题。在仪表盘中将它们拖入工作流,或通过我们的 API 发布相同的工作流。根据条件进行分支,运行 A/B 测试,无需代码。
使用我们的 Web、iOS、Android、React Native 或 Flutter SDK 进行原生嵌入。重定向到托管页面。或者直接通过电子邮件、短信、WhatsApp 等任何方式向用户发送链接。选择适合您技术栈的方式。
Didit 负责托管摄像头、灯光提示、移动端切换和辅助功能。在用户进行流程时,我们实时评估 200 多个欺诈信号,并根据权威数据源验证每个字段。两秒内出结果。
实时签名 Webhook 可确保用户批准、拒绝或发送审核后,您的数据库立即同步。按需轮询 API。或者打开控制台检查每个会话、每个信号,并按您的方式管理案例。
Didit · 表面图
Didit · 被动活体检测
请保持不动 · 1/1
请看镜头
Didit · 机器人向量防御
Didit · 设备与 IP 分析
Didit · 可复用 KYC
首次通过
重放
Didit · Webhook · X-Signature-V2
{
"session_id": "abc-…",
"vendor_data": "signup-918",
"status": "Approved",
"liveness": { "status": "Approved" }
}$ curl -X POST https://verification.didit.me/v3/session/ \
-H "x-api-key: $DIDIT_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"workflow_id": "wf_bot_gate",
"vendor_data": "signup-918",
"metadata": { "surface": "signup_form" }
}'{ "session_url": "verify.didit.me/..." }// X-Signature-V2 verified upstream
if (payload.status === "Approved") {
allowSignup(payload.vendor_data);
} else if (payload.status === "已拒绝") {
throttleIP(payload.ip_analysis.ip);
blockAndLog(payload.vendor_data);
}状态:已批准 · 已拒绝 · 审核中 · 未完成You are integrating Didit Passive Liveness as a bot-gate on a high-value action — sign-up, leaderboard submission, airdrop / token claim, referral payout, comment, or ticket queue. Bots cannot pass Passive Liveness because they have no face to present to the camera. One API call. One signed webhook. One decision.
WHY THIS SHAPE
- Bots scale because they cost nothing per attempt. CAPTCHA stops the dumbest ones but commercial solver farms beat hCaptcha and reCAPTCHA Enterprise at fractions of a cent per solve.
- Passive Liveness asks for something a script does not have: a live human face in front of a real camera. The model decides on one frame, in under two seconds, with no user interaction beyond "hold still".
- $0.10 per check (Passive Liveness module). 500 verifications free every month. Combine with $0.03 IP / device pre-screen to keep the camera off the obvious bots and the budget on real candidates.
PRE-REQUISITES
- Production API key from https://business.didit.me (sandbox key in 60 seconds, no credit card).
- A webhook endpoint with HMAC SHA-256 verification of the X-Signature-V2 header using your webhook secret.
- A Workflow Builder workflow containing the Passive Liveness module — optionally Device & IP Analysis pre-step.
- The high-value action wrapped in a server-side gate that defaults to BLOCK and only unblocks on a verified webhook with status: Approved.
STEP 1 — (Optional) Cheap IP / device pre-screen
Before opening a camera, score the network with Device & IP Analysis ($0.03 / call, under 100ms).
If the score is low and no datacenter / VPN / scripted-user-agent flags fire, run Step 2.
If the score is high or any of those flags fire, skip the liveness call and decline up-front — this saves the camera budget for plausible humans.
STEP 2 — Open a Passive Liveness session
POST https://verification.didit.me/v3/session/
Headers:
x-api-key: <your api key>
Content-Type: application/json
Body:
{
"workflow_id": "<wf id with the Passive Liveness module>",
"vendor_data": "<your action / user id, max 256 chars>",
"callback": "https://<your-app>/bot-gate/callback",
"metadata": {
"surface": "signup_form",
"action_id": "<your internal reference>"
}
}
Response: 201 Created with a hosted session URL. Redirect inline (web) or open in a Software Development Kit (SDK) webview (mobile). The action stays BLOCKED on your side until the signed webhook lands.
STEP 3 — Read the signed webhook
Didit POSTs the verdict. Verify X-Signature-V2 (HMAC SHA-256 of the raw body using your webhook secret) BEFORE reading the JSON.
Payload (excerpted):
{
"session_id": "<uuid>",
"vendor_data": "<your action / user id>",
"status": "Approved",
"liveness": { "status": "Approved" }
}
Session status enum (exact case, Title Case With Spaces): Approved | Declined | In Review | Resubmitted | Expired | Not Finished | Kyc Expired | Abandoned.
STEP 4 — Branch the action
Approved → allow the sign-up / claim / submission.
Declined → block the action. Log liveness warnings (image-only / virtual-cam / replay / deepfake) and throttle the source IP.
Not Finished → invite the user to retry with a fresh session URL.
Expired → session timed out. Resend the link.
Abandoned → the user closed the flow before completing. Resend the link.
STEP 5 — (Optional) Replay Reusable Know Your Customer (KYC) for known humans
If a user has previously completed a Didit-verified session, a fresh liveness check is not required for re-entry — they can replay their verified credential at no cost via Didit Reusable KYC. Use the user's existing session_id to confirm enrollment and skip Step 2. Free forever.
WEBHOOK EVENT NAMES
- Sessions: standard session webhook. One endpoint, status field tells you where in the lifecycle.
- Verify X-Signature-V2 (HMAC SHA-256) on every payload.
WHAT GETS BLOCKED
- Headless Chrome with scripted form submission
- Browser-automation farms (Puppeteer, Playwright, Selenium)
- Image-only submissions (no camera attached)
- Virtual-camera AI face injectors
- Pre-recorded screen replays
- Print or paper attacks
- Silicone / latex masks
- AI-generated deepfake faces
All independently tested at iBeta and certified at Level 1 Presentation Attack Detection (PAD) against the full ISO/IEC 30107-3 catalogue. Re-tested every year.
CONSTRAINTS
- Session statuses use Title Case With Spaces. Never use UPPER_SNAKE_CASE for session verdicts — that's the Transactions API.
- Default to BLOCK on the server. Only unblock when the verified webhook says Approved.
- 200+ fraud signals are evaluated on every session at no extra cost — read them off the decision payload, don't re-query.
Read the docs:
- https://docs.didit.me/sessions-api/create-session
- https://docs.didit.me/core-technology/liveness/overview
- https://docs.didit.me/core-technology/ip-analysis/overview
- https://docs.didit.me/core-technology/reusable-kyc/overview
- https://docs.didit.me/integration/webhooks
Start free at https://business.didit.me — sandbox key in 60 seconds, 500 verifications free every month, no credit card.每月 $0。无需信用卡。
按实际用量付费。25+模块。公开的模块定价,无每月最低费用。
定制MSA和SLA。适用于大批量和受监管项目。
免费开始 → 仅在检查运行时付费 → 解锁企业版以获取定制合约、SLA 或数据驻留。
Didit 是身份和欺诈基础设施, 一个我们自己在构建产品时就希望能有的平台:开放、灵活、对开发者友好,能真正融入您的技术栈,而不是一个需要您围绕其进行集成的黑盒。
一个 API 即可覆盖个人验证(KYC,了解您的客户)、企业验证(KYB,了解您的业务)、加密钱包筛选(KYT,了解您的交易)以及实时交易监控。该技术栈旨在实现:
底层支持:14,000 多种文档类型,支持 48 种以上语言,1,000 多个数据源,每次会话提供 200 多个欺诈信号。Didit 基础设施通过每次会话动态学习,并日益完善。
任何在没有人为干预的情况下提交表单、领取报酬、发布评论或购买门票的行为。常见形式包括:
其共同特征是:没有人正在查看屏幕,因此摄像头前没有人。
CAPTCHA 破解农场以每解决一次几美分的成本击败了 hCaptcha 和 reCAPTCHA Enterprise。经济效益在几年前就发生了逆转, 一次 1,000 个账户的攻击,攻击者花费的成本甚至低于您每月为 CAPTCHA 本身支付的 Software-as-a-Service (SaaS) 账单。
更深层的问题是,CAPTCHA 测试的是机器现在比人类做得更好的技能(图像识别、字符识别、点击模式)。机器人门禁必须测试机器不具备的东西。一个真实摄像头前的活生生的人脸正是如此。
整个流程通常在 30 秒内完成, 拿起身份证件,拍下证件照,再拍一张自拍照,搞定。这是市场上最快的速度。传统的 KYC 服务商完成同样流程通常需要超过 90 秒。
在后端,Didit 在用户完成自拍到您的 webhook 触发之间,p99 响应时间低于两秒。移动端捕获针对慢速手机和慢速网络进行了优化:渐进式图像压缩、延迟加载 SDK,以及如果用户从网页端开始,可通过二维码一键从桌面端切换到手机端。
所有常见的机器人攻击:
所有这些都在被动活体检测层被捕获。机器人无从下手。
每个会话都会落入七种明确状态之一,因此您的代码始终知道如何处理:
Approved, 所有检查通过。让用户继续。Declined, 一项或多项检查失败。您可以允许用户重新提交特定的失败步骤(例如,重新拍摄自拍),而无需重新运行整个流程。In Review, 标记为合规审查。在控制台中打开案例,查看所有信号,决定批准或拒绝。In Progress, 用户正在进行中。Not Started, 链接已发送,用户尚未打开。如果长时间未打开,发送提醒。Abandoned, 用户打开了链接但未及时完成。重新激活或使其过期。Expired, 会话链接已过期。创建新会话。每次状态更改都会触发一个带签名的 webhook,因此您的数据库始终保持同步。放弃和拒绝的会话是免费的。
生产数据默认在欧盟的 Amazon Web Services 上处理和存储。企业合同可根据监管机构要求,申请在其他区域存储。
全程加密。 所有数据库、对象存储和备份均采用 AES-256 静态加密。所有 API 调用、webhook 和业务控制台会话均采用传输层安全协议 1.3 (TLS 1.3) 进行传输加密。生物识别数据使用单独的客户主密钥加密。
保留期限由您控制。 默认保留期限为无限期(无限制),除非您配置更短的期限, 每个应用程序可在30 天到 10 年之间设置, 您可以随时通过仪表板或 API 删除任何单个会话。
认证:SOC 2 Type 1(Type 2 审计进行中)、ISO/IEC 27001:2022、iBeta Level 1 PAD,以及西班牙 Tesoro / SEPBLAC / CNMV 的公开证明,表明 Didit 的远程身份验证比现场验证更安全。完整报告请访问 /security-compliance。
Didit 默认符合对身份基础设施至关重要的监管机构要求:
详细备忘录、所有证书、所有监管机构函件:/security-compliance。
三种集成路径, 选择最适合您技术栈的:
所有三种方式都使用相同的仪表板、相同的计费、相同的按成功付费价格。分步指南请访问 docs.didit.me/integration/integration-prompt。
不需要。已通过 Didit 验证会话的用户可以通过可复用 KYC 免费重放凭证, 永久免费。查找用户之前的 session_id;如果凭证有效,则跳过实时验证。
这降低了您从未接触过的流量的摩擦(和成本)。回访用户可即时通过。
两项费用:
每个账户每月免费 500 次验证, 大多数团队在几周内都处于免费层级。通过可复用 KYC 的回访用户永久免费。无最低消费,无年度承诺,无按席位定价。
任何单个机器人提交会给团队带来金钱或声誉损失的场景:
一个工作流,适用于所有场景。