Security
Protect your API credentials
- Store API Key and Secret in environment variables, never in code
- Never expose credentials in client-side JavaScript or mobile app bundles
- Rotate API keys periodically and immediately if compromised
Secure your webhooks
- Implement callback signing verification on every webhook
- Whitelist iDenfy IP addresses on your webhook endpoint
- Use HTTPS with a valid TLS certificate
- Respond to webhooks within 10 seconds
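The three webhook points above (signature verification, IP allowlisting, fast acknowledgement) combined in one handler, as an added example that is not iDenfy's own code: the `Idenfy-Signature` header name, the HMAC-SHA256-over-raw-body scheme, the signing key and the allowlisted ranges are assumptions or constructed values, so check them against your dashboard settings.

```python
import hashlib
import hmac
import ipaddress

# Assumption (not from the page): the callback signing key yields an HMAC-SHA256
# hex digest over the raw request body, delivered in the header named below.
SIGNATURE_HEADER = "Idenfy-Signature"

def sign_body(raw_body: bytes, signing_key: bytes) -> str:
    """Expected signature for a body; used by verify_signature and by tests."""
    return hmac.new(signing_key, raw_body, hashlib.sha256).hexdigest()

def verify_signature(raw_body: bytes, header_value: str, signing_key: bytes) -> bool:
    """Recompute the HMAC over the raw bytes (never re-serialised JSON) and
    compare in constant time so response timing cannot leak the digest."""
    presented = (header_value or "").strip().lower()
    return hmac.compare_digest(sign_body(raw_body, signing_key), presented)

def source_allowed(remote_addr: str, allowed_cidrs) -> bool:
    """Allowlist check; the caller supplies the iDenfy ranges it has configured."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(cidr) for cidr in allowed_cidrs)

def handle_webhook(headers, raw_body, remote_addr, signing_key, allowed_cidrs, enqueue):
    """Return the HTTP status to send. Only cheap checks run here; the event is
    handed to `enqueue` (queue or DB insert) so the 200 goes back well inside
    the 10-second window and slow processing cannot look like a timeout."""
    if not source_allowed(remote_addr, allowed_cidrs):
        return 403  # not from an allowlisted source address
    if not verify_signature(raw_body, headers.get(SIGNATURE_HEADER, ""), signing_key):
        return 401  # signature missing or wrong: forged or altered body
    enqueue(raw_body)
    return 200

if __name__ == "__main__":
    # Constructed sample data: key, payload and allowlist exist only in this example.
    key = b"constructed-signing-key"
    body = b'{"scanRef":"constructed-ref","status":{"overall":"APPROVED"}}'
    headers = {SIGNATURE_HEADER: sign_body(body, key)}
    print(handle_webhook(headers, body, "203.0.113.7", key, ["203.0.113.0/24"], print))
```

Verify over the exact bytes your framework received; parsing and re-encoding the JSON first will change whitespace or key order and break the comparison.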
Token handling
- Generate verification tokens server-side only
- Tokens are single-use and short-lived — generate a new one for each session
- Never reuse or cache tokens
User experience
Reduce drop-off
- Explain what documents are accepted before starting verification
- Show progress indicators during verification
- Provide clear error messages when verification fails
- Allow re-verification with a single click
- Test on mobile — most verifications happen on phones
Camera & document tips
- Advise users to ensure good lighting
- Suggest removing document from plastic sleeves
- Recommend landscape orientation for document capture
- Test iFrame camera permissions across browsers
Compliance
Data handling
- Only collect data fields required by your compliance obligations
- Implement data retention policies aligned with regulatory requirements
- Provide customers access to their verification status
- Document your verification process for auditors
Record keeping
- Store scanRef for each verification in your database
- Download and archive verification PDFs for compliance records
- Log all webhook events with timestamps