Security
Protect Your API Credentials
- Store the API key and secret in environment variables or a secrets manager, never in source code or version control
- Never expose credentials in client-side JavaScript or mobile app bundles
- Rotate API keys periodically and immediately if compromised
Secure Your Webhooks
- Verify the callback signature on every webhook request before acting on its contents; reject any request whose signature is missing or does not match
- Restrict the webhook endpoint to iDenfy's published IP addresses (defence in depth; signature verification remains the primary control)
- Use HTTPS with a valid TLS certificate
- Return an HTTP 2xx response within 10 seconds; queue any heavy processing so the acknowledgement is not delayed
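The checks above in one handler, as an added example that is not part of the iDenfy documentation or SDK. It assumes the callback signature is an HMAC-SHA256 over the raw request body, hex-encoded, delivered in an `Idenfy-Signature` header and keyed with the signing key configured for the account; the sender IP ranges are constructed placeholders to be replaced with the addresses iDenfy publishes. The handler does only the cheap work (allowlist, signature, parse, record) and hands the event to a queue so the 2xx goes out quickly.

```python
import hashlib
import hmac
import ipaddress
import json
import time
from typing import Dict, Iterable, List, Optional, Tuple

# Assumption, not from the page: header name carrying the hex HMAC-SHA256 of the raw body.
SIGNATURE_HEADER = "Idenfy-Signature"

# Constructed placeholder ranges for this example; use the sender addresses iDenfy publishes.
ALLOWED_SENDERS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]


def compute_signature(raw_body: bytes, signing_key: bytes) -> str:
    """Hex HMAC-SHA256 of the exact bytes received (never of re-serialised JSON)."""
    return hmac.new(signing_key, raw_body, hashlib.sha256).hexdigest()


def signature_is_valid(raw_body: bytes, header_value: Optional[str], signing_key: bytes) -> bool:
    """Constant-time comparison; a missing header is treated as a failed check."""
    if not header_value:
        return False
    expected = compute_signature(raw_body, signing_key)
    return hmac.compare_digest(expected, header_value.strip().lower())


def sender_is_allowed(remote_addr: str, allowed: Iterable = ALLOWED_SENDERS) -> bool:
    """Check the peer address of the connection you terminated, not a forwarded header."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(ip in net for net in allowed)


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, since frameworks normalise header names differently."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def handle_webhook(remote_addr: str, headers: Dict[str, str], raw_body: bytes,
                   signing_key: bytes, event_log: List[dict], work_queue: List[dict]) -> Tuple[int, str]:
    """Return (status, body). Only cheap checks run here; processing is deferred to work_queue."""
    if not sender_is_allowed(remote_addr):
        return 403, "forbidden"
    if not signature_is_valid(raw_body, _header(headers, SIGNATURE_HEADER), signing_key):
        return 401, "bad signature"
    try:
        event = json.loads(raw_body)
    except ValueError:
        return 400, "malformed body"
    scan_ref = event.get("scanRef") if isinstance(event, dict) else None
    if not isinstance(scan_ref, str) or not scan_ref:
        return 400, "missing scanRef"
    # Timestamped record of the raw event, keyed by scanRef, before any processing.
    event_log.append({"received_at": time.time(), "scanRef": scan_ref,
                      "body": raw_body.decode("utf-8", "replace")})
    work_queue.append(event)  # a real deployment would enqueue to a worker here
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample callback for a local run.
    key = b"example-signing-key"
    body = b'{"scanRef":"abc-123","status":{"overall":"APPROVED"}}'
    log, queue = [], []
    print(handle_webhook("203.0.113.5", {SIGNATURE_HEADER: compute_signature(body, key)}, body, key, log, queue))
```

Signature verification must run over the raw bytes exactly as received; parsing and re-encoding the JSON first will change whitespace or key order and break the comparison. The IP check is only a second layer, so a request from an allowlisted address with a bad signature is still rejected.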
Session Creation
- Create verification sessions server-side only
- Sessions are single-use and short-lived: create a new one for each verification attempt
- Never reuse or cache session tokens, and never send them to a client other than the one the session was created for
User Experience
Reduce Drop-Off
- Explain what documents are accepted before starting verification
- Show progress indicators during verification
- Provide clear error messages when verification fails
- Allow re-verification with a single click
- Test on mobile — most verifications happen on phones
Camera & Document Tips
- Advise users to ensure good lighting
- Suggest removing document from plastic sleeves
- Recommend landscape orientation for document capture
- Test iFrame camera permissions across browsers
Compliance
Data Handling
- Only collect data fields required by your compliance obligations
- Implement data retention policies aligned with regulatory requirements
- Provide customers access to their verification status
- Document your verification process for auditors
Record Keeping
- Store the scanRef for each verification in your database
- Download and archive verification PDFs for compliance records
- Log all webhook events with timestamps