Core Concepts
Understanding Xident's key concepts will help you build the best verification experience for your users.
Xident ID
A Xident ID is a unique identifier issued to users who complete verification. It enables the "Verify Once, Access Everywhere" model.
How It Works
- User visits Site A and completes full verification
- User receives a Xident ID (stored in their browser)
- User visits Site B (also using Xident)
- Site B detects the Xident ID
- Instant verification — no camera, no documents
- Site B pays the lower Xident ID rate ($0.015 vs $0.04)
Cost Comparison
| Full Verification | Xident ID | |
|---|---|---|
| User Experience | 30-60 seconds | Instant |
| Cost (Starter) | $0.04 | $0.015 |
| Cost (Growth) | $0.025 | $0.005 |
| Cost (Scale) | $0.01 | $0.002 |
| Requires Camera | Yes | No |
User Control
Users can:
- View which sites have verified them
- Revoke access for specific sites
- Delete their Xident ID entirely
Verification Types
Full Verification
First-time verification with ML processing:
- Liveness Detection: Ensures a real person is present (not a photo/video)
- Age Estimation: ML model estimates age from facial features
- Document Verification: OCR extraction from ID documents
Token Verification
Returning user verification using Xident ID:
- Instant, no UI required
- 60-80% cheaper than full verification
- Same trust level as full verification
Face 2FA
Per-site facial authentication:
- Users enroll their face for a specific site
- Subsequent logins verified via face match
- Separate from Xident ID (site-specific)
Blacklist Check
Fraud detection via face similarity:
- Check if a face matches any in your blacklist
- Prevent banned users from creating new accounts
- Privacy-preserving (no PII shared)
Tokens
Tokens are one-time-use credentials returned after verification.
Token Lifecycle
Verification Complete
│
▼
┌─────────────────┐
│ Token Generated │ ─── Expires in 5 minutes
└────────┬────────┘
│
▼
┌─────────────────┐
│ Backend Verifies│ ─── Token consumed
└────────┬────────┘
│
▼
┌─────────────────┐
│ Token Invalidated│ ─── Cannot be reused
└─────────────────┘Token Properties
- One-time use: Tokens are invalidated after verification
- Short-lived: 5-minute expiration
- Tamper-proof: Cryptographically signed
Verification Flow States
| Status | Description |
|---|---|
success | Verification completed successfully |
cancelled | User closed the verification window |
expired | Session timed out |
failed | Verification could not be completed |
API Keys
You have two types of API keys:
Public Key (pk_*)
- Used in frontend/SDK
- Safe to expose in client-side code
- Starts with
pk_live_(production) orpk_test_(sandbox)
Secret Key (sk_*)
- Used in backend only
- Never expose in client-side code
- Required for token verification
- Starts with
sk_live_(production) orsk_test_(sandbox)
Environments
Production
- API Key prefix:
pk_live_,sk_live_ - Real verifications, real billing
- Requires HTTPS callback URLs
Sandbox (Testing)
- API Key prefix:
pk_test_,sk_test_ - No real verification, simulated responses
- Allows localhost callback URLs
- No charges
Webhooks
Receive real-time notifications for verification events:
| Event | Description |
|---|---|
verification.completed | User completed verification |
verification.failed | Verification failed |
token.verified | Token was verified by your backend |
Configure webhooks in your Dashboard.
Rate Limits
| Endpoint | Limit |
|---|---|
| Token verification | 100 req/min |
| SDK initialization | 1000 req/min |
| Webhook delivery | 3 retries over 24h |
Next Steps
- Integration Guide - Detailed SDK usage
- Dashboard Guide - Managing your account
- API Reference - Full API documentation