Quickstart — VEREID Identity
Create a hosted verification session, redirect the end user, and receive a signed result via webhook.
Last updated 2026-05-20
VEREID Identity is a hosted verification API competing with Persona, Veriff, and Onfido. The flow is identical to those services: you create a session server-side, redirect the end user to a hosted URL, and receive a webhook when the result is in. The difference is the honesty of our tier labels — see Verification tiers.
1. Create a session
A session bundles the tiers you want checked. T1 is included in every session; everything above is opt-in and additively priced.
curl -sS -X POST https://api.vereid.com/v1/verify/sessions \
-H "Authorization: Bearer $VEREID_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"tiers": ["T1", "T2"],
"reference": "user_42",
"redirect_url": "https://yourapp.com/verify/complete"
}'import { Vereid } from "@vereid/js";
const vereid = new Vereid({ apiKey: process.env.VEREID_API_KEY });
const session = await vereid.verify.sessions.create({
tiers: ["T1", "T2"],
reference: "user_42",
redirect_url: "https://yourapp.com/verify/complete",
});
res.redirect(session.hosted_url);from vereid import Vereid
client = Vereid(api_key=os.environ["VEREID_API_KEY"])
session = client.verify.sessions.create(
tiers=["T1", "T2"],
reference="user_42",
redirect_url="https://yourapp.com/verify/complete",
)session, err := client.Verify.Sessions.Create(ctx, &vereid.CreateSessionInput{
Tiers: []string{"T1", "T2"},
Reference: "user_42",
RedirectURL: "https://yourapp.com/verify/complete",
})Response:
{
"id": "vs_01HZ3K8R4D9NPCRVF7G6Y0WMBQ",
"status": "pending",
"hosted_url": "https://id.vereid.com/s/01HZ3K8R...",
"tiers": ["T1", "T2"],
"expires_at": "2026-05-20T16:00:00Z",
"reference": "user_42"
}2. Redirect the user
hosted_url is mobile-optimised, brandable per tenant, and supports both same-tab redirect and <iframe> embed. Pass it directly to res.redirect() or open it in a popup.
window.location.href = session.hosted_url;The hosted flow runs the user through document upload, selfie capture, and (if T2 was requested) a randomised liveness challenge. T5 — passport chip — additionally requires the mobile SDK, since web browsers do not have NFC.
3. Receive the webhook
Register a webhook endpoint that subscribes to verification.completed. Each request carries a vereid-signature header:
vereid-signature: v1,t=1716220800,sig=8a7d…f0c2Verify the signature before parsing the body. The full HMAC scheme is documented in Verifying webhook signatures.
app.post("/webhooks/vereid", express.raw({ type: "*/*" }), (req, res) => {
if (!verify(req.body, req.header("vereid-signature"), SECRET)) {
return res.status(400).end();
}
const event = JSON.parse(req.body);
if (event.type === "verification.completed") {
db.users.update(event.data.reference, {
verification_tier: event.data.tier,
verification_badges: event.data.badges,
});
}
res.status(204).end();
});@app.post("/webhooks/vereid")
async def webhook(request: Request):
raw = await request.body()
if not verify(raw, request.headers.get("vereid-signature"), SECRET):
raise HTTPException(400)
event = json.loads(raw)
...4. Poll as a fallback
Webhooks should always be your primary path, but if you want a fallback for development you can poll the session by id:
curl -sS https://api.vereid.com/v1/verify/sessions/$ID \
-H "Authorization: Bearer $VEREID_API_KEY"Test-mode sessions resolve deterministically after 10 seconds, so you can drive an end-to-end flow without ever capturing a real document.
5. Read the result
{
"id": "vs_01HZ3K8R...",
"status": "completed",
"decision": "approved",
"tier": "T2",
"badges": ["photo", "liveness"],
"confidence": 0.94,
"signals": [
{ "source": "rekognition_compare_faces", "score": 0.97 },
{ "source": "liveness_challenge", "score": 0.92 }
],
"completed_at": "2026-05-20T15:42:11Z"
}If you requested T3 (sanctions), the response will also include sanctions_hits[] with match reasons. If you requested T5, it will include the chip block with the Passive Authentication result — note carefully: this proves the document is genuine per ICAO 9303 Passive Authentication; it does not verify the holder against any government database.
What to read next
- Verification tiers — what each badge proves, what it does not.
- Biometric retention — when we purge the template (30 days) versus the document image (7 years).
- EU compliance — the geo-block on
/v1/verifyfor EU IPs until counsel sign-off. - Migrating from Persona — Inquiry template → session mapping.