AI Agent Integration (MCP Server)

Overview

Didit provides a Model Context Protocol (MCP) server that lets AI coding agents interact with the Didit identity verification platform directly. Agents can register accounts, create verification sessions, configure workflows, manage questionnaires, and handle billing — all through natural-language commands. Didit is built for the agentic era. While most verification platforms require manual console setup, Didit lets agents:

Self-register via programmatic API (no browser needed, no 2FA on the programmatic accounts the MCP creates).
Configure verification workflows via API (POST /v3/workflows/).
Create and manage sessions programmatically (POST /v3/session/, GET /v3/session/{sessionId}/decision/, PATCH /v3/session/{sessionId}/update-status/).
Monitor billing and top up credits via API (GET /v3/billing/balance/, POST /v3/billing/top-up/).
Build complete integrations end-to-end without human intervention — pair the MCP server with the one-prompt integration for hands-off setup.

Two ways to use Didit from an agent

	Integration Prompt	MCP Server
What it is	A ~5,500-token canonical prompt the agent reads once and follows step by step.	Long-lived tool surface the agent calls during a chat.
Best for	Generating an integration in a coding agent (Claude Code, Codex, Cursor, Copilot, Devin).	Running KYC, KYB, AML, and ops commands by natural language inside Cursor / Claude Desktop / any MCP host.
Auth	Agent registers your account programmatically and then uses `x-api-key` in code.	Agent calls `didit_register` / `didit_verify_email` once, then every tool authenticates with `DIDIT_API_KEY`.
Side effects	Writes files (backend route, webhook handler, schema migrations).	Mutates Didit resources (sessions, workflows, users, blocklist, billing).
See also	Integration Prompt	The catalogue below.

Both surfaces honour the V3 plural-array contract (id_verifications[], nfc_verifications[], liveness_checks[], face_matches[], aml_screenings[], poa_verifications[], phone_verifications[], email_verifications[], ip_analyses[], database_validations[], questionnaire_responses, reviews[], plus KYB-only registry_checks[], document_verifications[], key_people_checks[]). See Data models for the per-feature field reference.

Setup

1. Install the MCP server

Add to your MCP configuration (for example .cursor/mcp.json or claude_desktop_config.json):

{
  "mcpServers": {
    "didit": {
      "command": "npx",
      "args": ["@didit-protocol/mcp-server"],
      "env": {
        "DIDIT_API_KEY": "your_api_key_here"
      }
    }
  }
}

2. Get your API key

If you do not have an api_key yet, the agent can register for you in two tool calls:

Agent calls didit_register with your email and a password (≥8 chars, 1 uppercase, 1 lowercase, 1 digit, 1 special).
You receive a 6-character alphanumeric code via email (15-minute TTL).
Agent calls didit_verify_email with the code.
The response includes the organisation, a default application, and the application’s api_key.

Set this api_key as DIDIT_API_KEY in the MCP config and restart your MCP host. The same key authenticates every subsequent verification API call via the x-api-key: $DIDIT_API_KEY header. JWT access tokens (access_token, refresh_token) returned by the same response are only needed for the account-management endpoints on https://apx.didit.me/auth/v2. If you lose the key, run didit_login, then didit_list_organizations, then didit_get_application to recover it.

Available tools

The MCP server exposes 40+ tools. Each one calls a single REST endpoint and returns the JSON response verbatim — so anything documented in the verification API or auth API is reachable from an agent prompt.

Auth

Tool	REST endpoint	Description
`didit_register`	`POST /auth/v2/programmatic/register/`	Register a new account; emails a 6-character verification code.
`didit_verify_email`	`POST /auth/v2/programmatic/verify-email/`	Verify email with OTP code, returns `api_key` and JWT tokens.
`didit_login`	`POST /auth/v2/programmatic/login/`	Login to an existing programmatic account.
`didit_list_organizations`	`GET /auth/v2/organizations/me/`	List organisations the authenticated user belongs to.
`didit_get_application`	`GET /auth/v2/organizations/me/{org_id}/applications/{app_id}/`	Recover the application’s `api_key`.

Sessions

Tool	REST endpoint	Description
`didit_create_session`	`POST /v3/session/`	Create a verification session (KYC or KYB depending on workflow).
`didit_list_sessions`	`GET /v3/sessions`	List sessions with filters (status, workflow_id, vendor_data, date range, …).
`didit_get_session_decision`	`GET /v3/session/{sessionId}/decision/`	Return the full V3 decision (plural arrays).
`didit_update_session_status`	`PATCH /v3/session/{sessionId}/update-status/`	Manually approve, decline, or resubmit.
`didit_delete_session`	`DELETE /v3/session/{sessionId}/delete/`	Soft-delete a single session.
`didit_batch_delete_sessions`	`POST /v3/sessions/delete/`	Delete multiple sessions at once.
`didit_generate_session_pdf`	`GET /v3/session/{sessionId}/generate-pdf`	Generate a compliance PDF report.
`didit_list_session_reviews`	`GET /v3/sessions/{session_id}/reviews/`	List the manual-review audit trail.
`didit_add_session_review`	`POST /v3/sessions/{session_id}/reviews/`	Add a reviewer note.
`didit_share_session`	`POST /v3/session/{sessionId}/share/`	Mint a Reusable KYC share token.
`didit_import_shared_session`	`POST /v3/session/import-shared/`	Redeem a Reusable KYC share token.

Workflows

Tool	REST endpoint	Description
`didit_list_workflows`	`GET /v3/workflows/`	List verification workflows (newest first).
`didit_create_workflow`	`POST /v3/workflows/`	Create a workflow with UPPERCASE feature enums.
`didit_get_workflow`	`GET /v3/workflows/{settings_uuid}/`	Read a single workflow version.
`didit_update_workflow`	`PATCH /v3/workflows/{settings_uuid}/`	Update a draft workflow.
`didit_delete_workflow`	`DELETE /v3/workflows/{settings_uuid}/`	Delete a workflow version.

Questionnaires

Tool	REST endpoint	Description
`didit_list_questionnaires`	`GET /v3/questionnaires/`	List custom questionnaires.
`didit_create_questionnaire`	`POST /v3/questionnaires/`	Create a questionnaire.
`didit_get_questionnaire`	`GET /v3/questionnaires/{questionnaire_uuid}/`	Get questionnaire details.
`didit_update_questionnaire`	`PATCH /v3/questionnaires/{questionnaire_uuid}/`	Update a questionnaire.
`didit_delete_questionnaire`	`DELETE /v3/questionnaires/{questionnaire_uuid}/`	Delete a questionnaire.

Users & businesses

Tool	REST endpoint	Description
`didit_list_users`	`GET /v3/users/`	List verified users.
`didit_get_user`	`GET /v3/users/{vendor_data}/`	Get user by `vendor_data`.
`didit_update_user`	`PATCH /v3/users/{vendor_data}/`	Update user metadata.
`didit_delete_users`	`POST /v3/users/delete/`	Batch-delete users.
`didit_list_businesses`	`GET /v3/businesses/`	List verified businesses.
`didit_get_business`	`GET /v3/businesses/{vendor_data}/`	Get business by `vendor_data`.
`didit_update_business`	`PATCH /v3/businesses/{vendor_data}/`	Update business metadata.
`didit_delete_businesses`	`POST /v3/businesses/delete/`	Batch-delete businesses.

Billing

Tool	REST endpoint	Description
`didit_get_balance`	`GET /v3/billing/balance/`	Check credit balance.
`didit_top_up`	`POST /v3/billing/top-up/`	Create Stripe checkout to add credits.

Lists (blocklist / allowlist / custom)

Tool	REST endpoint	Description
`didit_list_lists`	`GET /v3/lists/`	List all blocklists, allowlists, and custom lists.
`didit_get_list`	`GET /v3/lists/{list_uuid}/`	Get a single list.
`didit_list_list_entries`	`GET /v3/lists/{list_uuid}/entries/`	List entries inside a list.
`didit_add_list_entry`	`POST /v3/lists/{list_uuid}/entries/`	Add an entry to a list (by `reference_session_id` or by value).
`didit_upload_face_to_list`	`POST /v3/lists/{list_uuid}/entries/face-upload/`	Upload a base64 face image to a face-type blocklist.
`didit_delete_list_entry`	`DELETE /v3/lists/{list_uuid}/entries/{entry_uuid}/`	Remove an entry.

Webhook destinations

Tool	REST endpoint	Description
`didit_list_webhook_destinations`	`GET /v3/webhook/destinations/`	List all destinations (returns `secret_shared_key` to keys with `read:webhooks`).
`didit_create_webhook_destination`	`POST /v3/webhook/destinations/`	Create a destination with `webhook_version: "v3"` and a `subscribed_events` array.
`didit_get_webhook_destination`	`GET /v3/webhook/destinations/{destination_uuid}/`	Read a single destination.
`didit_update_webhook_destination`	`PATCH /v3/webhook/destinations/{destination_uuid}/`	Update label, URL, version, or subscribed events.
`didit_delete_webhook_destination`	`DELETE /v3/webhook/destinations/{destination_uuid}/`	Delete a destination.

Transactions (Transaction Monitoring)

Tool	REST endpoint	Description
`didit_list_transactions`	`GET /v3/transactions/`	List transactions with filters.
`didit_create_transaction`	`POST /v3/transactions/`	Submit a transaction for rules + AML evaluation.
`didit_get_transaction`	`GET /v3/transactions/{transaction_id}/`	Read a single transaction (current verdict, hits, score).

Standalone APIs

Tool	REST endpoint	Description
`didit_id_verification`	`POST /v3/id-verification/`	OCR + authenticity on an ID document image.
`didit_poa_verification`	`POST /v3/poa/`	Proof of address verification.
`didit_database_validation`	`POST /v3/database-validation/`	Validate identity against authoritative databases.
`didit_passive_liveness`	`POST /v3/passive-liveness/`	Passive liveness detection from a single image.
`didit_face_match`	`POST /v3/face-match/`	Compare two faces (1:1 matching).
`didit_face_search`	`POST /v3/face-search/`	Search a face against a verified database (1:N).
`didit_age_estimation`	`POST /v3/age-estimation/`	Estimate age from a facial image.
`didit_aml_screening`	`POST /v3/aml/`	AML / sanctions / PEP screening.
`didit_email_send`	`POST /v3/email/send/`	Send email verification code.
`didit_email_check`	`POST /v3/email/check/`	Verify email OTP code.
`didit_phone_send`	`POST /v3/phone/send/`	Send phone verification code (SMS / WhatsApp / voice / RCS / Telegram).
`didit_phone_check`	`POST /v3/phone/check/`	Verify phone OTP code.

How responses are shaped

Every tool returns the verbatim JSON body of the underlying REST endpoint. Two patterns matter for agents: Synchronous tools (anything outside session creation — workflows, billing, standalone APIs, list management) return their final result inline. The agent can act on the response in the same turn. Session creation is asynchronous. didit_create_session returns a session_id, a session_token, and a hosted url — but the verification has not happened yet. The end user has to open url and walk through the flow. The final decision arrives via:

A status.updated webhook (recommended — see below), OR
didit_get_session_decision (polling, only as a fallback).

The webhook envelope and the GET /v3/session/{sessionId}/decision/ response share the same shape:

{
  "session_id": "uuid",
  "status": "Approved",
  "session_kind": "user",
  "id_verifications": [
    { "node_id": "first_id", "status": "Approved", "first_name": "Jane", "...": "..." }
  ],
  "liveness_checks":  [ { "node_id": "first_liveness",  "status": "Approved", "score": 95.4 } ],
  "face_matches":     [ { "node_id": "first_face_match","status": "Approved", "score": 96.1 } ],
  "aml_screenings":   [ { "node_id": "first_aml", "status": "Approved", "entity_type": "person", "total_hits": 0, "hits": [] } ],
  "reviews": []
}

The keys are always plural arrays with a node_id per entry. Never read singular V2 keys (id_verification, liveness, face_match) — they only ship when a destination is explicitly pinned to webhook_version = "V2". If status is "Resubmitted", expect resubmit_info: { nodes_to_resubmit, reasons } instead of decision. If status is "Abandoned", expect a partial decision.

Auth failures (agent-visible)

If an agent’s DIDIT_API_KEY is missing, malformed, or revoked, every /v3/... call returns:

HTTP 403
{ "detail": "You do not have permission to perform this action." }

There is no discriminator between “no header”, “expired key”, and “wrong application” — agents should treat 403 as a single failure mode and prompt the user to rotate the key (or re-run didit_login → didit_get_application).

Handling webhooks asynchronously

Once an agent has created a session, the recommended pattern is to let a webhook deliver the final decision to the user’s backend instead of polling the MCP from the agent.

The agent calls didit_create_webhook_destination once with the user’s public HTTPS endpoint, webhook_version: "v3", and a subscribed_events array (typically ["status.updated", "data.updated"]). The response includes a secret_shared_key — the agent should hand it to the user to store as DIDIT_WEBHOOK_SECRET.
The user’s backend verifies the canonical X-Signature-V2 header on every delivery: shortenFloats → sortKeys → JSON.stringify(unescaped unicode) → HMAC-SHA256 → timingSafeEqual against the header. Reject if abs(now - X-Timestamp) > 300 seconds.
The backend deduplicates on the event_id field (Didit guarantees a unique event_id per delivery attempt). Return 2xx within 5 seconds (Didit’s outbound timeout); move heavy processing to a queue.
Didit retries on 5xx and 404 up to 2 times (~1 min, then ~4 min). After that, the delivery is dropped — surface failed deliveries from the Deliveries tab in the console and replay them manually.

The agent does not need to listen for webhooks itself — its job is to wire the receiver. For the full webhook contract, see Webhooks.

Example conversation

You: “Set up Didit identity verification for my app with ID scan and liveness.” Agent: I will register a Didit account for you. What email should I use? You: “Use dev@company.com.” Agent: calls didit_register — Check your email for a 6-character code. You: “The code is A3K9F2.” Agent: calls didit_verify_email — Account ready. Saving the api_key as DIDIT_API_KEY. Now creating your workflow… calls didit_create_workflow with ID scan + passive liveness enabled. Your workflow "Standard KYC" is published, workflow_id = 6f2c…. Here is how to create a verification session in your code:
curl -X POST https://verification.didit.me/v3/session/ \
  -H "x-api-key: $DIDIT_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "workflow_id": "6f2c...-stable-id",
    "vendor_data": "internal-user-id",
    "callback":    "https://myapp.com/done"
  }'
Then redirect the user to response.url. Want me to register the webhook destination and scaffold the receiver?

Going further

Use the one-prompt integration. If you want an agent to ship the full integration (backend route + frontend SDK + webhook handler + DB schema), give it the Integration Prompt and watch it walk through the seven steps. The MCP server complements that prompt: the agent reads the prompt, then calls MCP tools to create the workflow, the session, and the webhook destination live.
Pin the V3 contract. Every example in this page uses plural-array decision keys. Treat the singular V2 fields as deprecated — only enable them by creating a separate destination with webhook_version: "V2" if a downstream consumer cannot migrate.
Cross-reference. Pair this page with Data models (per-feature schema), Verification statuses (literal status strings), and Webhooks (signature verification and retry policy).

Documentation Index

​Overview

​Two ways to use Didit from an agent

​Setup

​1. Install the MCP server

​2. Get your API key

​Available tools

​Auth

​Sessions

​Workflows

​Questionnaires

​Users & businesses

​Billing

​Lists (blocklist / allowlist / custom)

​Webhook destinations

​Transactions (Transaction Monitoring)

​Standalone APIs

​How responses are shaped

​Auth failures (agent-visible)

​Handling webhooks asynchronously

​Example conversation

​Going further