Get Started
Integrate / SDKs
User Verification
Business Verification
Transaction Monitoring
ChangelogCreate Session
Create a User Verification (KYC) or Business Verification (KYB) session and receive a hosted verification url plus a session_token to redirect or embed for your end user. The workflow_id selects which verification steps run and whether the session is KYC or KYB.
Call this from your backend (never the browser — the API key is a secret) whenever a user or business needs to be verified: at signup, before a sensitive action, or when re-verification is required. Prerequisites: a published workflow (created in the Console Workflows page) and an application API key with available credits. Sandbox applications bypass the credit check.
Idempotency: when vendor_data is provided and an unfinished session (Not Started, In Progress, Resubmitted, or Awaiting User) with the same vendor_data already exists on the workflow’s current latest published version (and that session already has a hosted verification URL), the existing session is returned (still 201) instead of creating a duplicate — with its callback and metadata updated to the newly provided values. An unfinished session created on an older version of the workflow (one that has since been republished) is not reused; a new session pinned to the latest published version is created instead. Sessions in Approved, Declined, In Review, Expired, Abandoned, or Kyc Expired are never reused.
Side effects: the hosted verification URL is generated and stored; if contact_details.send_notification_emails is true and an email is provided, a verification invite email is sent. The session expires after the workflow’s configured session expiration time. For KYB workflows, contact_details.phone and expected_details are ignored.
Session kind
A single endpoint creates both User Verification and Business Verification sessions. The workflow’s type determines which kind:- Pass a KYC workflow
workflow_id→ a User Verification (KYC) session is created. Responsesession_kind: "user". - Pass a KYB workflow
workflow_id→ a Business Verification (KYB) session is created. Responsesession_kind: "business".
Examples
- User Verification (KYC)
- Business Verification (KYB)
vendor_data binds the session to an entity
- For KYC workflows: binds to a User entity. If the user doesn’t exist, it’s auto-created.
- For KYB workflows: binds to a Business entity. Auto-created if new.
Important: disclosure and consent still happen in your product
Create Session generates a verification URL and session token. It does not by itself prove that you showed the user the disclosures or obtained the consent required for your specific use case.
If you start a Didit session from your own application, website, SDK wrapper, or white-label flow, you should handle the legal layer in your own UX before the user starts capture.
Recommended pre-verification checklist
- Tell the user that your company is requesting the verification and that Didit is the verification provider / processor powering the flow.
- Link to your privacy notice and any controller-side legal terms that apply to the journey.
- Link to Didit’s Verification Privacy Notice and End User Terms for Identity Verification.
- If your workflow includes document capture, selfie capture, liveness, or biometrics, collect explicit affirmative consent wherever the applicable law or your legal position requires it.
- If you use a custom UI, custom domain, or API-only journey, render these disclosures in your own product before sending the user into the Didit flow.
- Keep your own record of notice / consent text, timestamp, and related metadata if your legal team requires an audit trail.
Authorizations
Body
Stable identifier of the workflow that defines which verification steps the session will run. Workflows are created and managed in the Workflows page of the Console. The workflow_id also implicitly selects whether the session is KYC or KYB.
"11111111-2222-3333-4444-555555555555"
A unique identifier for the user being verified, such as a UUID, email, or internal user ID. This field is used for: (1) User grouping — sessions with the same vendor_data are linked to the same user profile in the Users tab. (2) Cross-session duplicate detection — when checking for duplicated faces, documents, phone numbers, emails, IP addresses, or device fingerprints, sessions with the same vendor_data are treated as the same user and excluded from matches. Without vendor_data, every session is treated as a unique user and all potential duplicates are surfaced. We strongly recommend always providing a vendor_data to reduce noise in duplicate detection.
"user-123"
URL to redirect the user to after verification completes. Didit automatically appends verificationSessionId and status (Approved, Declined, In Review) as query parameters. Custom URL schemes (e.g. myapp://) are supported for mobile callbacks. If omitted, the workflow's default callback_url is used.
"https://example.com/verification/callback"
Determines which device should handle the redirect to the provided callback URL. Use initiator to redirect only the device that started the flow, completer for the device that finishes it, or both to allow either device to trigger the callback. If you ever notice the callback not triggering reliably, we recommend setting this value to both.
initiator, completer, both "both"
Arbitrary JSON stored with the session and echoed back in the response and webhooks. Any JSON value is accepted (object, string, number, array), but a JSON object of key/value pairs is recommended. Not shown to the end user. Use it to pass your own correlation ids, A/B variants, or business context.
{
"user_type": "premium",
"account_id": "ABC123"
}Language code (ISO 639-1) for the verification process interface. Controls the language displayed to the end user during verification. If not provided, the browser's language will be automatically detected and used. Check all the supported languages here.
en, ar, bg, bn, bs, ca, cnr, cs, da, de, el, es, et, fa, fi, fr, he, hi, hr, hu, hy, id, it, ja, ka, kk, ko, ky, lt, lv, mk, mn, ms, nl, no, pl, pt-BR, pt, ro, ru, sk, sl, so, sq, sr, sv, th, tr, uk, uz, vi, zh-CN, zh-TW, zh "en"
User contact information that can be used for notifications, prefilling verification forms, and phone verification. This includes email address, preferred language for communications, and phone number.
{
"email": "john.doe@example.com",
"send_notification_emails": true,
"email_lang": "en",
"phone": "+14155552671"
}Expected user details used to cross-validate against the data extracted from the user's ID document, Proof of Address, and other verification steps. Mismatches are surfaced as warnings on the decision; some fields (e.g. id_country, expected_document_types) also alter the user-facing flow. Ignored for Business Verification (KYB) workflows.
{
"first_name": "John",
"last_name": "Doe",
"date_of_birth": "1990-05-15",
"nationality": "USA",
"id_country": "USA",
"expected_document_types": ["P", "ID"]
}Base64-encoded portrait image of the end user's face (max 2MB; JPEG, PNG, WebP, or TIFF). Required when the workflow is a Biometric Authentication workflow with Face Match enabled, or any graph workflow where Face Match runs before ID Verification (OCR). Used as the reference image to match against the liveness capture. Ignored for other workflow types.
"iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII="
Response
Session created (or returned, if an unfinished session with the same vendor_data already exists on the workflow's latest published version). The response is the serialized session, including the hosted verification url to redirect the user to.
Unique identifier of the verification session. Use this id when calling GET /v3/session/{sessionId}/decision/.
"11111111-2222-3333-4444-555555555555"
Sequential, human-friendly number assigned to the session inside your application. Useful for support and dashboards.
43762
12-character URL-safe token that authorizes the end user to access the hosted verification flow at url. Valid until the session expires. Treat it as a secret — anyone holding it can open the verification flow for this session.
"3FaJ9wLqX2Mz"
Hosted verification URL to redirect the end user to. The URL embeds the session_token and, if configured, uses your white-label domain. When the request includes language, the URL contains a language path segment — https://verify.didit.me/{language}/session/{session_token} (e.g. /es/session/...); without language, the segment is omitted.
"https://verify.didit.me/session/3FaJ9wLqX2Mz"
Identifier you passed in the request to link the session to a user or business in your own system. Echoed back verbatim. Null when not provided.
"user-123"
Arbitrary JSON payload you stored with the session at creation time. Echoed back verbatim — whatever JSON value you sent (object, string, number, array) is returned as-is, though a JSON object is recommended. Not shown to the end user. Always present in responses; null when not provided at creation time.
{
"user_type": "premium",
"account_id": "ABC123"
}Current status of the session. Newly created sessions return Not Started. If a non-finished session already existed for the same vendor_data on the workflow's latest published version, the returned status reflects that existing session.
Not Started, In Progress, Approved, Declined, In Review, Expired, Abandoned, Kyc Expired, Resubmitted, Awaiting User "Not Started"
Final redirect URL the user is sent to after completing the flow. Didit appends ?verificationSessionId={session_id}&status={status} to this URL. Falls back to the workflow's configured callback URL when not provided in the request; null when neither is set.
"https://example.com/verification/callback"
Stable identifier of the workflow this session runs on. Always the workflow's stable group identifier — even if you referenced a specific workflow version UUID in the request (backward-compatible lookup), the response carries the stable workflow_id. Use it to correlate the session with the workflow you configured in the Console.
"11111111-2222-3333-4444-555555555555"
Version number of the published workflow version the session was pinned to at creation. Didit resolves workflow_id to the workflow's latest published version when the session is created, and the session keeps running that version even if the workflow is republished later.
3