SDKs

Xident provides SDKs for every layer of your stack. The browser SDK triggers the verification flow, server SDKs create sessions, verify results, and handle webhooks, and mobile SDKs integrate verification into your apps.

Public Key vs Secret Key

Xident uses a two-key model (similar to Stripe). You'll find both keys in your dashboard:

Public key (pk_live_ / pk_test_)

Used by the JavaScript browser SDK that runs on the user's device. Safe to embed in HTML. Can only trigger verification flows -- cannot read results or create sessions.

Secret key (sk_live_ / sk_test_)

Used by server-side SDKs (Go, Node.js, Python, PHP, Kotlin, Swift) running on your backend. Required for creating init tokens, reading verification results, and verifying webhooks. Never expose in frontend or mobile app code.

Security: Never use your secret key (sk_live_) in client-side code, mobile apps, or anywhere users can inspect it. It grants full API access to your account. Use the public key (pk_live_) for the browser JS SDK.

Which SDK Should I Use?

Browser frontend?

Use the JavaScript SDK with your public key. It loads the verification widget and handles the redirect.

Node.js / Deno / Bun backend?

Use the Node.js SDK with your secret key. TypeScript-first, works everywhere.

Go backend?

Use the Go SDK with your secret key. Zero dependencies, context-aware, functional options.

Python backend?

Use the Python SDK with your secret key. Async-ready, Python 3.9+.

PHP backend?

Use the PHP SDK with your secret key. PHP 8.1+, zero dependencies.

Android app?

Use the Android (Kotlin) SDK on your backend server with your secret key. The mobile app opens the verification URL in a Chrome Custom Tab.

iOS app?

Use the iOS (Swift) SDK on your backend server with your secret key. The mobile app opens the verification URL in SFSafariViewController or ASWebAuthenticationSession.

SDK Comparison

SDK Package Install Command Key Type Minimum Version
JavaScript @xident/browser npm i @xident/browser Public (pk_) ES2020+
Node.js @xident/node npm i @xident/node Secret (sk_) Node 18+
Go github.com/xident-io/go-sdk go get github.com/xident-io/go-sdk Secret (sk_) Go 1.21+
Python xident pip install xident Secret (sk_) Python 3.9+
PHP xident-io/xident-php composer require xident-io/xident-php Secret (sk_) PHP 8.1+
Android (Kotlin) io.xident:sdk implementation("io.xident:sdk:1.0.0") Secret (sk_) Kotlin 1.9+
iOS (Swift) XidentSDK SPM: .package(url: "...xident-swift", from: "1.0.0") Secret (sk_) Swift 5.9+ / iOS 15+

Which Key Does Each SDK Use?

SDK Key Type Auth Header Environment
JavaScript pk_live_ (public) Embedded in data-api-key Browser
Node.js sk_live_ (secret) X-API-Key: sk_live_... Server
Go sk_live_ (secret) X-API-Key: sk_live_... Server
Python sk_live_ (secret) X-API-Key: sk_live_... Server
PHP sk_live_ (secret) X-API-Key: sk_live_... Server
Android (Kotlin) sk_live_ (secret) X-API-Key: sk_live_... Server (JVM)
iOS (Swift) sk_live_ (secret) X-API-Key: sk_live_... Server (Swift)
REST API sk_live_ (secret) X-API-Key: sk_live_... Any

Verification Flow

  1. 1. Backend: Create session -- Your server uses a server SDK (secret key) to call Verification.Init(). You receive a token and verifyURL.
  2. 2. Frontend: Redirect user -- Redirect the user to verifyURL or pass the token to the JS SDK. The verification widget handles liveness, age check, and/or document capture.
  3. 3. Webhook: Receive result -- Xident sends a webhook to your callbackURL with a signed X-Xident-Signature header when verification completes or fails.
  4. 4. Backend: Verify result -- Your server calls Verification.GetResult(token) to re-verify the result server-side. Never trust URL parameters alone.

API Surface Comparison

All server-side SDKs expose the same two core operations plus webhook verification:

Operation Go Kotlin Swift
Create session client.Verification.Init(ctx, params) xident.verification.init(callbackUrl, ...) xident.verification.initialize(callbackURL:)
Get result client.Verification.GetResult(ctx, token) xident.verification.getResult(token) xident.verification.getResult(token:)
Verify webhook client.Webhooks.ConstructEvent(...) xident.webhooks.constructEvent(...) xident.webhooks.constructEvent(...)
Check verified session.IsVerified() session.isVerified() session.isVerified
Get age bracket session.AgeBracket() session.ageBracket() session.ageBracket

Client SDKs

Client SDKs run in the user's browser. They handle triggering the verification flow and receiving the callback.

SDK Package Status Description
JavaScript @xident/browser Available Browser SDK -- script tag or npm. ~4KB minified.

Server SDKs

Server SDKs wrap the Xident REST API for creating sessions, verifying results, and validating webhook signatures. Use these on your backend.

SDK Package Status Description
Node.js @xident/node Available TypeScript-first SDK for Node.js, Deno, and Bun.
Go github.com/xident-io/go-sdk Available Zero-dependency Go client. Context-aware, functional options.
Python xident Available Async-ready SDK for Python 3.9+.
PHP xident-io/xident-php Available PHP 8.1+ SDK. Zero dependencies, native cURL.
Android (Kotlin) io.xident:sdk Available Kotlin coroutine-based SDK. DSL builder, sealed class results.
iOS (Swift) XidentSDK Available Swift async/await SDK. CryptoKit, Sendable-safe. iOS 15+.

Don't See Your Language?

All Xident functionality is available through the REST API. Create a session and verify results with two HTTP calls from any language using the X-API-Key header with your secret key:

Create a Verification Session

curl -X POST https://api.xident.io/verify/v1/init \
  -H "X-API-Key: sk_live_your_secret_key" \
  -H "Content-Type: application/json" \
  -d '{"callback_url": "https://yoursite.com/webhook", "min_age": 18}'

Check Verification Result

curl https://api.xident.io/verify/v1/status/xit_abc123 \
  -H "X-API-Key: sk_live_your_secret_key"

Next Steps