> ## Documentation Index
> Fetch the complete documentation index at: https://docs.didit.me/llms.txt
> Use this file to discover all available pages before exploring further.

# List Session Reviews

> Return the audit trail / activity feed for a User Verification (KYC) session, newest first, in a paginated envelope (`count` / `next` / `previous` / `results`, 50 entries per page by default).

Feed entries are written by every actor that touches the session: manual decisions made through `PATCH /v3/session/{session_id}/update-status/` (which records `previous_status` → `new_status`), Console reviewer activity (comments with `@email` mentions, KYC/POA data edits, file uploads/removals, tag changes, detail-page views), AML ongoing-monitoring matches, and notes appended via `POST` on this same path. Reading this feed is the API-side equivalent of the **Activity** panel in the Didit Console session view.

Only User Verification (KYC) sessions are addressable here; Business Verification (KYB) session IDs return `404`.

export const AgentPromptAccordion = ({prompt, title = "AI Agent Integration Prompt"}) => {
  const [copied, setCopied] = React.useState(false);
  const handleCopy = e => {
    e.stopPropagation();
    if (!prompt) return;
    navigator.clipboard.writeText(prompt.trim()).then(() => {
      setCopied(true);
      setTimeout(() => setCopied(false), 2000);
    });
  };
  const agents = ["Claude Code", "Codex", "Cursor", "Devin", "Windsurf", "GitHub Copilot"];
  return <div className="didit-agent-card">
      {}
      <div className="didit-agent-titlebar">
        <div className="didit-agent-dots" aria-hidden="true">
          <span className="didit-agent-dot didit-agent-dot-red"></span>
          <span className="didit-agent-dot didit-agent-dot-yellow"></span>
          <span className="didit-agent-dot didit-agent-dot-green"></span>
        </div>
        <span className="didit-agent-filename">{title}</span>
        <button type="button" className={`didit-agent-copy ${copied ? "didit-agent-copy-copied" : ""}`} onClick={handleCopy} title="Copy prompt to clipboard" aria-label={copied ? "Copied!" : "Copy prompt to clipboard"}>
          {copied ? <>
              <svg width="13" height="13" viewBox="0 0 16 16" fill="none">
                <path d="M3 8.5l3.5 3.5L13 4" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round" />
              </svg>
              <span>Copied</span>
            </> : <>
              <svg width="13" height="13" viewBox="0 0 16 16" fill="none">
                <rect x="5" y="5" width="9" height="9" rx="1.5" stroke="currentColor" strokeWidth="1.5" />
                <path d="M11 5V3.5A1.5 1.5 0 0 0 9.5 2h-6A1.5 1.5 0 0 0 2 3.5v6A1.5 1.5 0 0 0 3.5 11H5" stroke="currentColor" strokeWidth="1.5" />
              </svg>
              <span>Copy</span>
            </>}
        </button>
      </div>

      {}
      <pre className="didit-agent-body"><code>{prompt.trim()}</code></pre>

      {}
      <div className="didit-agent-footer">
        <span className="didit-agent-footer-label">Paste into</span>
        <div className="didit-agent-chips">
          {agents.map(name => <span key={name} className="didit-agent-chip">{name}</span>)}
        </div>
      </div>
    </div>;
};

<AgentPromptAccordion
  title="List Session Reviews Prompt"
  prompt={`Goal: Fetch the full review/activity feed for a Didit verification session — manual comments, status changes, KYC/KYB edits, file uploads, AML events, tags. Mirrors the timeline shown on the Console session-detail page.

Endpoint: GET https://verification.didit.me/v3/sessions/{session_id}/reviews/
Auth header: x-api-key: YOUR_API_KEY

Path param:
- session_id (UUID, REQUIRED) — verification session UUID. Cross-application reads return 404.

curl:
curl -s 'https://verification.didit.me/v3/sessions/8c2f3a14-7e9b-4d23-9e83-3f7d5e8a1c6d/reviews/' \\
-H "x-api-key: $DIDIT_API_KEY"

Response 200: JSON ARRAY (no envelope, no pagination — feed is bounded). Newest first. Each entry (ReviewItem) has:
- uuid (UUID)
- activity_type: "COMMENT" | "STATUS_UPDATED" | "KYC_DATA_UPDATED" | "POA_DATA_UPDATED" | "FILE_ADDED" | "FILE_REMOVED" | "AML_ONGOING_MATCH" | "AML_STATUS_UPDATED" | "AML_HIT_STATUS_UPDATED" | "KYB_DATA_UPDATED" | "KYB_DOCUMENT_UPLOADED" | "TAG_ADDED" | "TAG_REMOVED"
- actor_email, actor_display, actor_type: "API_KEY" | "CONSOLE_USER" | "SYSTEM"
- new_status, previous_status — only populated for STATUS_UPDATED/AML_STATUS_UPDATED. Values from the SESSION status enum: "Not Started" | "In Progress" | "Awaiting User" | "In Review" | "Approved" | "Declined" | "Resubmitted" | "Expired" | "Kyc Expired" | "Abandoned".
- comment (string | null)
- mentioned_emails (string[]) — extracted @mentions, only for COMMENT activities
- previous_value, new_value, changed_fields — diff payload for *_DATA_UPDATED, FILE_*, TAG_* (opaque JSON, shape varies per activity_type)
- metadata (object | null)
- created_at (ISO 8601 UTC)
Empty array means the session has had no recorded activity yet.

When to use:
- Render an audit trail mirror on your own dashboard.
- Export the feed for compliance archives.
- Poll for manual-review decisions when you can't consume webhooks (filter activity_type === "STATUS_UPDATED"; inspect new_status). Webhooks are still preferred — see /integration/webhooks.

Failure modes (envelope {"detail": "..."}):
- 401 — missing/invalid \`x-api-key\` header. Re-fetch your application API key from the Auth API if needed.
- 403 — API key valid but the application is not allowed (revoked, expired, or wrong app).
- 404 — session UUID does not exist, is soft-deleted, or belongs to a different application.
- 429 — rate-limited. Inspect Retry-After.

For end-to-end Didit integration, paste in the full prompt at /integration/integration-prompt.`}
/>


## OpenAPI

````yaml GET /v3/sessions/{session_id}/reviews/
openapi: 3.0.0
info:
  version: 3.0.0
  title: Didit Verification API
  description: Identity verification API. Authenticate with x-api-key header.
servers:
  - url: https://verification.didit.me
security: []
tags: []
paths:
  /v3/sessions/{session_id}/reviews/:
    get:
      tags:
        - Sessions
      summary: List session reviews and activity log
      description: >-
        Return the audit trail / activity feed for a User Verification (KYC)
        session, newest first, in a paginated envelope (`count` / `next` /
        `previous` / `results`, 50 entries per page by default).


        Feed entries are written by every actor that touches the session: manual
        decisions made through `PATCH /v3/session/{session_id}/update-status/`
        (which records `previous_status` → `new_status`), Console reviewer
        activity (comments with `@email` mentions, KYC/POA data edits, file
        uploads/removals, tag changes, detail-page views), AML
        ongoing-monitoring matches, and notes appended via `POST` on this same
        path. Reading this feed is the API-side equivalent of the **Activity**
        panel in the Didit Console session view.


        Only User Verification (KYC) sessions are addressable here; Business
        Verification (KYB) session IDs return `404`.
      operationId: list_session_reviews
      parameters:
        - name: session_id
          in: path
          required: true
          description: >-
            UUID of the User Verification (KYC) session. Must belong to the same
            application as the API key — cross-application UUIDs, deleted
            sessions, and Business Verification (KYB) session IDs all return
            `404`.
          schema:
            type: string
            format: uuid
            example: 8c2f3a14-7e9b-4d23-9e83-3f7d5e8a1c6d
        - name: limit
          in: query
          required: false
          description: Page size. Defaults to `50`.
          schema:
            type: integer
            default: 50
            example: 50
        - name: offset
          in: query
          required: false
          description: >-
            Number of entries to skip from the start of the (ordered) feed.
            Defaults to `0`. The `next` / `previous` URLs in the response carry
            the right values for walking the feed.
          schema:
            type: integer
            default: 0
            example: 0
        - name: ordering
          in: query
          required: false
          description: >-
            Sort order. The feed defaults to newest first (`-created_at`); pass
            `created_at` to read it oldest first. Unknown values are silently
            ignored (default order is used); other serializer field names are
            also accepted.
          schema:
            type: string
            default: '-created_at'
            example: created_at
      responses:
        '200':
          description: >-
            Paginated activity feed, newest first by default. `count` is the
            total number of entries; `next` / `previous` are ready-made page
            URLs (`null` at the ends). A `count` of `0` with empty `results`
            means no activity has been recorded yet.
          content:
            application/json:
              schema:
                type: object
                properties:
                  count:
                    type: integer
                    description: >-
                      Total number of feed entries for this session (across all
                      pages).
                    example: 3
                  next:
                    type: string
                    nullable: true
                    description: URL of the next page, or `null` on the last page.
                    example: null
                  previous:
                    type: string
                    nullable: true
                    description: URL of the previous page, or `null` on the first page.
                    example: null
                  results:
                    type: array
                    items:
                      $ref: '#/components/schemas/ReviewItem'
                    description: Feed entries for this page.
              examples:
                DecisionTrail:
                  summary: Manual approval plus API-added notes
                  value:
                    count: 3
                    next: null
                    previous: null
                    results:
                      - uuid: de0561bc-5583-4409-9171-1a31a4c8a5f4
                        activity_type: STATUS_UPDATED
                        actor_display: API Client
                        actor_email: null
                        actor_type: API_KEY
                        new_status: Approved
                        previous_status: In Review
                        comment: Document re-checked manually; address matches.
                        mentioned_emails: []
                        previous_value:
                          status: In Review
                        new_value:
                          status: Approved
                        changed_fields:
                          - status
                        metadata: null
                        created_at: '2026-06-12T00:19:31.918735Z'
                      - uuid: 35370f58-5098-44ee-8a06-8c9af80b2455
                        activity_type: STATUS_UPDATED
                        actor_display: Unknown
                        actor_email: null
                        actor_type: CONSOLE_USER
                        new_status: null
                        previous_status: null
                        comment: Note without status.
                        mentioned_emails: []
                        previous_value: null
                        new_value: null
                        changed_fields: []
                        metadata: null
                        created_at: '2026-06-12T00:18:44.504157Z'
                      - uuid: 00338f82-f1c5-4f57-8614-c49bb258af1a
                        activity_type: STATUS_UPDATED
                        actor_display: Unknown
                        actor_email: null
                        actor_type: CONSOLE_USER
                        new_status: In Review
                        previous_status: null
                        comment: Flagging for manual document re-check.
                        mentioned_emails: []
                        previous_value: null
                        new_value: null
                        changed_fields: []
                        metadata: null
                        created_at: '2026-06-12T00:18:44.466537Z'
                PaginatedFirstPage:
                  summary: First page with limit=2 — next holds the follow-up URL
                  value:
                    count: 4
                    next: >-
                      https://verification.didit.me/v3/sessions/8c2f3a14-7e9b-4d23-9e83-3f7d5e8a1c6d/reviews/?limit=2&offset=2
                    previous: null
                    results:
                      - uuid: de0561bc-5583-4409-9171-1a31a4c8a5f4
                        activity_type: STATUS_UPDATED
                        actor_display: API Client
                        actor_email: null
                        actor_type: API_KEY
                        new_status: Approved
                        previous_status: In Review
                        comment: Document re-checked manually; address matches.
                        mentioned_emails: []
                        previous_value:
                          status: In Review
                        new_value:
                          status: Approved
                        changed_fields:
                          - status
                        metadata: null
                        created_at: '2026-06-12T00:19:31.918735Z'
                      - uuid: bd4e6227-bdd2-42b2-a726-1d12f785a457
                        activity_type: STATUS_UPDATED
                        actor_display: Unknown
                        actor_email: null
                        actor_type: CONSOLE_USER
                        new_status: null
                        previous_status: null
                        comment: null
                        mentioned_emails: []
                        previous_value: null
                        new_value: null
                        changed_fields: []
                        metadata: null
                        created_at: '2026-06-12T00:18:44.540238Z'
                Empty:
                  summary: Session with no recorded activity yet
                  value:
                    count: 0
                    next: null
                    previous: null
                    results: []
        '403':
          description: >-
            Missing, malformed, expired, or revoked `x-api-key`. Authentication
            is checked before the session lookup, so an invalid key returns
            `403` even when the session UUID does not exist.
          content:
            application/json:
              schema:
                type: object
                properties:
                  detail:
                    type: string
                    example: You do not have permission to perform this action.
              examples:
                InvalidKey:
                  summary: Missing or invalid x-api-key header
                  value:
                    detail: You do not have permission to perform this action.
        '404':
          description: >-
            No User Verification (KYC) session with this UUID is visible to your
            application: the UUID does not exist, the session was deleted, or it
            belongs to a different application. Business Verification (KYB)
            session IDs also return `404` here — the reviews feed is only
            addressable for KYC sessions.
          content:
            application/json:
              schema:
                type: object
                properties:
                  detail:
                    type: string
                    example: Session not found.
              examples:
                NotFound:
                  summary: Unknown, deleted, or cross-application session UUID
                  value:
                    detail: Session not found.
        '429':
          description: >-
            Rate limit exceeded. Inspect `Retry-After` and `X-RateLimit-*`
            response headers. See [Rate limiting](/integration/rate-limiting).
      security:
        - ApiKeyAuth: []
      x-codeSamples:
        - lang: curl
          label: curl
          source: >-
            curl -s
            'https://verification.didit.me/v3/sessions/8c2f3a14-7e9b-4d23-9e83-3f7d5e8a1c6d/reviews/?limit=50'
            \
              -H 'x-api-key: YOUR_API_KEY'
        - lang: Python
          label: Python (requests)
          source: >-
            import os, requests


            session_id = "8c2f3a14-7e9b-4d23-9e83-3f7d5e8a1c6d"

            url =
            f"https://verification.didit.me/v3/sessions/{session_id}/reviews/"


            while url:  # walk every page of the feed
                resp = requests.get(url, headers={"x-api-key": os.environ["DIDIT_API_KEY"]}, timeout=10)
                resp.raise_for_status()
                page = resp.json()
                for entry in page["results"]:
                    print(entry["created_at"], entry["activity_type"], entry["actor_display"], entry.get("new_status"))
                url = page["next"]
        - lang: JavaScript
          label: Node.js (fetch)
          source: |-
            const sessionId = "8c2f3a14-7e9b-4d23-9e83-3f7d5e8a1c6d";
            const res = await fetch(
              `https://verification.didit.me/v3/sessions/${sessionId}/reviews/`,
              { headers: { 'x-api-key': 'YOUR_API_KEY' } },
            );
            if (!res.ok) throw new Error(`Didit ${res.status}`);
            const { count, results } = await res.json();
            console.log(`${count} feed entries`);
            for (const entry of results) {
              console.log(entry.created_at, entry.activity_type, entry.actor_display, entry.new_status ?? "");
            }
components:
  schemas:
    ReviewItem:
      type: object
      description: >-
        One entry in a session's review / activity feed. Status changes carry
        `previous_status`, `new_status`, `previous_value`, `new_value`, and
        `changed_fields`; comments carry `comment` and (for Console comments)
        `mentioned_emails`; the remaining fields are `null` or empty when they
        do not apply to the activity type.
      properties:
        uuid:
          type: string
          format: uuid
          description: Unique identifier of this feed entry.
          example: de0561bc-5583-4409-9171-1a31a4c8a5f4
        activity_type:
          type: string
          enum:
            - COMMENT
            - STATUS_UPDATED
            - KYC_DATA_UPDATED
            - POA_DATA_UPDATED
            - FILE_ADDED
            - FILE_REMOVED
            - AML_ONGOING_MATCH
            - AML_STATUS_UPDATED
            - AML_HIT_STATUS_UPDATED
            - KYB_DATA_UPDATED
            - KYB_DOCUMENT_UPLOADED
            - TAG_ADDED
            - TAG_REMOVED
          description: >-
            What kind of activity this entry records. `STATUS_UPDATED` rows come
            from manual decisions (`PATCH
            /v3/session/{session_id}/update-status/`) and from entries added via
            `POST …/reviews/` (which default to this type even when no status is
            recorded). `COMMENT` rows come from Console reviewers; Console
            detail-page views are also stored as `COMMENT` rows flagged with
            `metadata.system_event = "DETAIL_VIEWED"`. The remaining types track
            data edits, file changes, tags, and AML monitoring activity.
            STATUS_UPDATED rows are also written by system actors (e.g. AML
            ongoing monitoring with actor_type SYSTEM, and automatic
            feature-status updates), not only by the update-status endpoint and
            manual review posts.
          example: STATUS_UPDATED
        actor_display:
          type: string
          description: >-
            Human-readable author label, resolved in order: actor's full name →
            Console account identifier → local part of `actor_email` → `"API
            Client"` (for `API_KEY` actors) → `"System"` (for `SYSTEM` actors) →
            `"Unknown"`. Entries created via `POST …/reviews/` always display
            `"Unknown"` because that endpoint records no actor attribution.
          example: API Client
        actor_email:
          type: string
          nullable: true
          description: >-
            Email of the Console user who performed the action. `null` for
            API-key and system actors.
          example: null
        actor_type:
          type: string
          enum:
            - API_KEY
            - CONSOLE_USER
            - SYSTEM
          description: >-
            Who performed the action: an API key, a Console user, or Didit
            itself (`SYSTEM`, e.g. AML ongoing monitoring). Entries created via
            `POST …/reviews/` carry the default `CONSOLE_USER` regardless of the
            caller.
          example: API_KEY
        new_status:
          type: string
          nullable: true
          enum:
            - Not Started
            - In Progress
            - Approved
            - Declined
            - In Review
            - Expired
            - Abandoned
            - Kyc Expired
            - Resubmitted
            - Awaiting User
          description: >-
            Session status recorded by this entry (for status updates). `null`
            for comments and data-change entries.
          example: Approved
        previous_status:
          type: string
          nullable: true
          enum:
            - Not Started
            - In Progress
            - Approved
            - Declined
            - In Review
            - Expired
            - Abandoned
            - Kyc Expired
            - Resubmitted
            - Awaiting User
          description: >-
            Status the session had before the change. Populated on
            `STATUS_UPDATED` entries written by the update-status endpoint;
            `null` on entries added via `POST …/reviews/`. Also populated on
            system-written STATUS_UPDATED rows.
          example: In Review
        comment:
          type: string
          nullable: true
          description: Free-text note attached to the entry, or `null`.
          example: Document re-checked manually; address matches.
        mentioned_emails:
          type: array
          items:
            type: string
            format: email
          description: >-
            Console users `@email`-mentioned in the comment. Always empty for
            entries created via this API — mention processing is a Console-only
            feature.
          example: []
        previous_value:
          type: object
          nullable: true
          description: >-
            Snapshot of the changed data before the action, e.g. `{"status": "In
            Review"}` on a status change. `null` when nothing was changed.
          example:
            status: In Review
        new_value:
          type: object
          nullable: true
          description: >-
            Snapshot of the changed data after the action, e.g. `{"status":
            "Approved"}`. `null` when nothing was changed.
          example:
            status: Approved
        changed_fields:
          type: array
          items:
            type: string
          description: >-
            Names of the fields modified by this activity (e.g. `["status"]`).
            Empty for comments and for entries added via `POST …/reviews/`.
          example:
            - status
        metadata:
          type: object
          nullable: true
          description: >-
            Extra context for system-generated entries. Console detail-page
            views carry `{"system_event": "DETAIL_VIEWED", "detail_type":
            "verification"}` so they can be filtered out of notification logic.
            `null` for ordinary entries.
          example: null
        created_at:
          type: string
          format: date-time
          description: When the entry was written, ISO 8601 UTC.
          example: '2026-06-12T00:19:31.918735Z'
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      in: header
      name: x-api-key

````