Integration Guide
Xident is a backend-first integration. Your server creates a verification session with its secret key, redirects the user to the Xident widget, and reads the result back. This guide covers the full flow and the options at each step. For a minimal walkthrough, start with the Quick Start.
The flow
- Create a session — your backend calls
POST /verify/v1/init(secret key) →verify_url. - Redirect the user's browser to
verify_url. - Callback — Xident redirects the user back to your
callback_urlwith?status&token&user_id. - Read the result — your backend calls
GET /verify/v1/result/{token}(secret key).
Security: Keep your secret key (sk_live_…) server-side only. Never trust the callback URL's status for authorization — always read the result server-side with GET /verify/v1/result/{token}.
Prerequisites
- A secret key (
sk_live_…) from your dashboard - A callback URL on your domain (HTTPS in production;
http://localhostallowed in development) - A backend route to create the session and another to handle the callback
Step 1: Create a verification session
Call POST /verify/v1/init from your backend:
curl https://api.xident.io/verify/v1/init \
-X POST \
-H "X-API-Key: sk_live_your_secret_key" \
-H "Content-Type: application/json" \
-d '{
"callback_url": "https://yoursite.com/verified",
"min_age": 18,
"purpose": "age_verification",
"user_id": "your-user-123",
"theme": "system",
"locale": "en"
}'
The response gives you a one-time init token and the URL to send the user to:
{
"success": true,
"data": {
"token": "xit_9f8e7d6c5b4a...",
"verify_url": "https://verify.xident.io?t=xit_9f8e7d6c5b4a..."
}
}
Init options
| Field | Required | Description |
|---|---|---|
callback_url | Yes | Where Xident redirects the user afterward. HTTPS, or http://localhost in dev. |
min_age | Yes* | Age threshold to check: 1–99 (0–99 when purpose is id_verification). *Required for age verification. |
purpose | No | age_verification (default) or id_verification |
success_url / failed_url | No | Optional explicit redirect targets instead of a single callback_url |
user_id | No | Your user identifier — echoed back on the callback as user_id |
theme | No | light, dark, or system |
locale | No | en, es, fr, de, pt, ar, zh, ja, hi, nl |
metadata | No | Opaque string echoed back to you unchanged |
Step 2: Redirect the user
Redirect the user's browser to the verify_url from Step 1 (for example, an HTTP 302 from your backend route). The widget runs on verify.xident.io and handles liveness, age estimation, and document capture as required. The one-time init token (xit_…) is carried in the URL as ?t= and expires in 10 minutes.
Step 3: Handle the callback
When verification finishes, Xident redirects the user to your callback_url:
https://yoursite.com/verified?status=success&token=xtk_abc123&user_id=your-user-123
| Parameter | Description |
|---|---|
status | success, failed, or cancelled |
token | Result token (xtk_…) — pass to the result endpoint |
user_id | Your user_id if you supplied one at init |
Step 4: Read the result (server-side)
Fetch the authoritative result with your secret key:
curl https://api.xident.io/verify/v1/result/xtk_abc123 \
-H "X-API-Key: sk_live_your_secret_key"
data.status is the authoritative outcome (completed = passed, failed, canceled). See the API Reference for the full response schema.
Language SDKs
Server SDKs wrap these two calls (plus optional webhook verification). Use the one for your stack:
- Node.js
- Python
- Go
- PHP
- Mobile apps (Android / iOS) — the app opens
verify_url; init and result stay on your backend
Security Best Practices
- Use HTTPS — callback URLs must be HTTPS (except
http://localhostin development). - Read results server-side — never trust the callback
statusalone; always callGET /verify/v1/result/{token}with your secret key. - Keep the secret key server-side — never ship
sk_live_…to a browser or mobile app. A publishablepk_live_…exists for optional client-side widget embedding only. - Use
X-API-Key— Xident authenticates with theX-API-Keyheader, notAuthorization: Bearer. - Token expiration — the init token (
xit_…) expires in 10 minutes and is single-use.
Testing
- Use your test secret key (
sk_test_…) for sandbox mode. http://localhost:*callback URLs are allowed (no HTTPS required).
Advanced: client-side embedding
If you prefer to trigger verification from the browser instead of redirecting from your backend, a publishable key (pk_live_…) can call POST /verify/v1/init client-side. This is optional and not required for the standard backend flow; results must still be read server-side with your secret key.
Next Steps
- Quick Start — minimal end-to-end example
- Core Concepts — the two-token model and verification paths
- API Reference — full generated API documentation