POST /v3/session/{sessionId}/share/
curl
curl -X POST \
  https://verification.didit.me/v3/session/11111111-2222-3333-4444-555555555555/share/ \
  -H 'x-api-key: YOUR_API_KEY' \
  -H 'Content-Type: application/json' \
  -d '{
    "for_application_id": "a5f3bca2-46e2-411e-90ef-a580900a57ee",
    "ttl_in_seconds": 7200
  }'
{
  "share_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzZXNzaW9uX2lkIjoiMjBiYjNjM2ItNjE0Ni00MzlmLTg0YTQtYmQzMGQwMGFjNmEyIiwiZnJvbV9hcHBsaWNhdGlvbl9pZCI6ImRiZDIwZTM0LTQyZTktNGYyYy1iYTkxLWNmMDc2MjAxNmY2NCIsImZvcl9hcHBsaWNhdGlvbl9pZCI6ImE1ZjNiY2EyLTQ2ZTItNDExZS05MGVmLWE1ODA5MDBhNTdlZSIsImlhdCI6MTc1MzYzMDY2NiwiZXhwIjoxNzUzNjM0MjY2fQ.JJ9pNE_hqZsOtbR0XYZIWw4JzidjdEl279iUrsIkhGE",
  "for_application_id": "a5f3bca2-46e2-411e-90ef-a580900a57ee",
  "session_kind": "user"
}

Session kind

This endpoint works for both User Verification (KYC) and Business Verification (KYB) sessions. Didit looks up the session_id in both tables and generates a JWT share token that includes:
{
  "session_id": "...",
  "session_kind": "user" | "business",
  "from_application_id": "...",
  "for_application_id": "...",
  "iat": ...,
  "exp": ...
}
When the receiving partner imports the token, Didit clones the corresponding kind of session (KYC or KYB) with its relations.
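
A pre-import sanity check a receiving partner could run on the claims listed above, as an added example that is not Didit's code. It reads the claims without verifying the HS256 signature (this page does not describe how a recipient would obtain a key), and check_share_token, make_sample and the sample UUIDs other than this page's target id are hypothetical.

```python
import base64, json, time
MIN_TTL, MAX_TTL = 60, 86400       # ttl_in_seconds bounds from this page
KINDS = ("user", "business")       # session_kind values from this page

def _dec(part):
    """Decode one base64url JWT segment (padding restored) into JSON."""
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def _enc(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_share_token(token, my_application_id, now=None):
    """Return claim problems (empty list = OK). The HS256 signature is NOT verified here."""
    now = int(time.time()) if now is None else now
    try:
        head_b64, body_b64, _sig = token.split(".")
        header, claims = _dec(head_b64), _dec(body_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("segments are not JSON objects")
    except ValueError:
        return ["not a three-part JWT with JSON object segments"]
    problems = []
    if header.get("alg") != "HS256":
        problems.append("unexpected alg")
    if claims.get("for_application_id") != my_application_id:
        problems.append("bound to a different application")
    if claims.get("from_application_id") == claims.get("for_application_id"):
        problems.append("source and target application are identical")
    if claims.get("session_kind") not in KINDS:
        problems.append("unknown session_kind")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not (isinstance(iat, int) and isinstance(exp, int)):
        problems.append("iat/exp missing or not integers")
    elif not MIN_TTL <= exp - iat <= MAX_TTL:
        problems.append("lifetime outside 60..86400 s")
    elif exp <= now:
        problems.append("expired")
    return problems

def make_sample(claims, alg="HS256"):
    """Build a CONSTRUCTED token with a placeholder signature, for this demo only."""
    return ".".join([_enc({"alg": alg, "typ": "JWT"}), _enc(claims), "c2ln"])

ME = "a5f3bca2-46e2-411e-90ef-a580900a57ee"       # target id used on this page
SAMPLE = {"session_id": "00000000-0000-0000-0000-000000000001", "session_kind": "user",
          "from_application_id": "00000000-0000-0000-0000-0000000000aa",
          "for_application_id": ME, "iat": 1700000000, "exp": 1700003600}  # constructed
print(check_share_token(make_sample(SAMPLE), ME, now=1700000100))  # []
```

An empty list only means the claims are consistent with this page; whether the token is genuine is decided when it is submitted to POST /v3/session/import-shared/.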

Requirements

  • Session must be in a finished status (APPROVED, DECLINED, IN_REVIEW).
  • You must have the write:sessions privilege.
  • The for_application_id must be a valid Didit application (usually a partner’s application).

Examples

curl -X POST https://verification.didit.me/v3/session/4c5c7f3a-.../share/ \
  -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "for_application_id": "partner-app-uuid",
    "ttl_in_seconds": 3600
  }'
Response:
{
  "share_token": "eyJhbGciOiJIUzI1NiJ9...",
  "for_application_id": "partner-app-uuid",
  "session_kind": "user"
}

TTL bounds

Parameter        Min   Max     Default
ttl_in_seconds   60    86400   3600

Authorizations

x-api-key
string
header
required

Path Parameters

sessionId
string<uuid>
required

UUID of the source verification session to mint a token for.

Example:

"11111111-2222-3333-4444-555555555555"

Body

application/json
for_application_id
string<uuid>
required

UUID of the Didit application that will redeem the token. Must exist, must not be soft-deleted, and must differ from the calling application. Find it in the Business Console under Settings → Application.

Example:

"a5f3bca2-46e2-411e-90ef-a580900a57ee"

ttl_in_seconds
integer
default:3600

Token lifetime, in seconds. Minimum 60, maximum 86400 (24 h). Defaults to 3600 (1 h).

Required range: 60 <= x <= 86400
Example:

3600

Response

Share token minted.

share_token
string

HS256-signed JWT. Pass this verbatim as share_token to POST /v3/session/import-shared/ on the target application.

Example:

"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

for_application_id
string<uuid>

Echoes the target application UUID that the token is bound to.

Example:

"a5f3bca2-46e2-411e-90ef-a580900a57ee"

session_kind
enum<string>

Whether the source session is a User Verification (KYC) or Business Verification (KYB) session.

Available options: user, business