# Best Practices

> Security, UX, and compliance best practices for your iDenfy integration covering API credentials, webhook security, and session management.

## Security

### Protect Your API Credentials

* Store API Key and Secret in environment variables, never in code
* Never expose credentials in client-side JavaScript or mobile app bundles
* Rotate API keys periodically and immediately if compromised

### Secure Your Webhooks

* Implement [callback signing](/security/callback-signing) verification on every webhook
* [Whitelist iDenfy IP addresses](/security/ip-whitelisting) on your webhook endpoint
* Use HTTPS with a valid TLS certificate
* Respond to webhooks within 10 seconds
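
The checks in this list, combined into one framework-independent handler (an added example, not iDenfy's code). The signing scheme shown (hex-encoded HMAC-SHA256 over the raw body), the environment variable name and the IP range are assumptions; take the real scheme, header and addresses from the callback signing and IP whitelisting pages.

```python
import hashlib
import hmac
import ipaddress
import json
import os
import queue

# Constructed placeholder range (RFC 5737 documentation net), not iDenfy's real IPs.
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Hypothetical variable name; the key lives in the environment, never in code.
SIGNING_KEY = os.environ.get("IDENFY_CALLBACK_SIGNING_KEY", "").encode()
# Drained by a background worker so the handler can answer well inside 10 seconds.
work_queue = queue.Queue()


def source_allowed(remote_ip, nets=ALLOWED_NETS):
    """True only if remote_ip parses and falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def signature_valid(raw_body, signature_hex, key):
    """Assumed scheme: hex HMAC-SHA256 of the exact bytes received."""
    if not key or not signature_hex:
        return False  # fail closed on a missing key or missing signature
    expected = hmac.new(key, raw_body, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(expected, signature_hex.strip().lower().encode())


def handle_callback(remote_ip, raw_body, signature_hex, key=None):
    """Return the HTTP status to send; parse the body only after it authenticates."""
    key = SIGNING_KEY if key is None else key
    if not source_allowed(remote_ip):
        return 403
    if not signature_valid(raw_body, signature_hex, key):
        return 401
    try:
        event = json.loads(raw_body)
    except ValueError:
        return 400
    work_queue.put(event)  # defer slow work (database writes, PDF download)
    return 200
```

Pass the handler the request body exactly as received: verifying a re-serialized copy of the parsed JSON will fail on any whitespace or key-order difference.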

### Session Creation

* Create verification sessions server-side only
* Sessions are single-use and short-lived — create a new one for each verification
* Never reuse or cache tokens

## User Experience

### Reduce Drop-Off

* Explain what documents are accepted before starting verification
* Show progress indicators during verification
* Provide clear error messages when verification fails
* Allow re-verification with a single click
* Test on mobile — most verifications happen on phones

### Camera & Document Tips

* Advise users to ensure good lighting
* Suggest removing documents from plastic sleeves
* Recommend landscape orientation for document capture
* Test iFrame camera permissions across browsers

## Compliance

### Data Handling

* Only collect data fields required by your compliance obligations
* Implement data retention policies aligned with regulatory requirements
* Provide customers access to their verification status
* Document your verification process for auditors

### Record Keeping

* Store `scanRef` for each verification in your database
* Download and archive [verification PDFs](/kyc/pdf-generation) for compliance records
* Log all webhook events with timestamps
