> ## Documentation Index
> Fetch the complete documentation index at: https://documentation.idenfy.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Create Verification Session

> Create an identity verification session by generating an authentication token via the iDenfy API with minimal or advanced parameters.

```
POST https://ivs.idenfy.com/api/v2/token
Authorization: Basic {API_KEY}:{API_SECRET}
Content-Type: application/json
```

***

## Common Examples

Start with these, then customize using the [full parameter reference](#all-parameters) below.

<Tabs>
  <Tab title="Minimal">
    The only required field is `clientId`:

    ```json theme={"system"}
    {
      "clientId": "user-123"
    }
    ```

    Everything else uses your Dashboard defaults.
  </Tab>

  <Tab title="With data matching">
    Provide user data to cross-check against the document. Mismatches trigger `SUSPECTED` status:

    ```json theme={"system"}
    {
      "clientId": "user-123",
      "firstName": "John",
      "lastName": "Doe",
      "dateOfBirth": "1990-05-15"
    }
    ```
  </Tab>

  <Tab title="Restricted countries + docs">
    Lock verification to specific countries and document types:

    ```json theme={"system"}
    {
      "clientId": "user-123",
      "firstName": "John",
      "lastName": "Doe",
      "country": ["US", "GB", "DE"],
      "documents": ["PASSPORT", "ID_CARD"]
    }
    ```
  </Tab>

  <Tab title="Full example">
    All commonly used fields:

    ```json theme={"system"}
    {
      "clientId": "user-123",
      "firstName": "John",
      "lastName": "Doe",
      "dateOfBirth": "1990-05-15",
      "country": "US",
      "documents": ["PASSPORT", "ID_CARD"],
      "locale": "en",
      "expiryTime": 3600,
      "sessionLength": 600,
      "successUrl": "https://yourapp.com/verified",
      "errorUrl": "https://yourapp.com/failed",
      "callbackUrl": "https://yourapp.com/webhook"
    }
    ```
  </Tab>
</Tabs>

### Code Examples

<CodeGroup>
  ```bash cURL theme={"system"}
  curl -X POST https://ivs.idenfy.com/api/v2/token \
    -u "YOUR_API_KEY:YOUR_API_SECRET" \
    -H "Content-Type: application/json" \
    -d '{"clientId": "user-123", "firstName": "John", "lastName": "Doe"}'
  ```

  ```python Python theme={"system"}
  import requests

  response = requests.post(
      "https://ivs.idenfy.com/api/v2/token",
      auth=("YOUR_API_KEY", "YOUR_API_SECRET"),
      json={"clientId": "user-123", "firstName": "John", "lastName": "Doe"}
  )
  token = response.json()
  # token["authToken"] → pass to frontend
  # token["redirectUrl"] → or redirect user here
  ```

  ```javascript Node.js theme={"system"}
  const response = await fetch("https://ivs.idenfy.com/api/v2/token", {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      Authorization: "Basic " + btoa("YOUR_API_KEY:YOUR_API_SECRET"),
    },
    body: JSON.stringify({ clientId: "user-123", firstName: "John", lastName: "Doe" }),
  });
  const token = await response.json();
  // token.authToken → pass to frontend
  // token.redirectUrl → or redirect user here
  ```

  ```php PHP theme={"system"}
  $ch = curl_init("https://ivs.idenfy.com/api/v2/token");
  curl_setopt($ch, CURLOPT_POST, true);
  curl_setopt($ch, CURLOPT_USERPWD, "YOUR_API_KEY:YOUR_API_SECRET");
  curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json"]);
  curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode([
      "clientId" => "user-123", "firstName" => "John", "lastName" => "Doe"
  ]));
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  $token = json_decode(curl_exec($ch), true);
  ```

  ```ruby Ruby theme={"system"}
  require "net/http"
  require "json"

  uri = URI("https://ivs.idenfy.com/api/v2/token")
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true

  request = Net::HTTP::Post.new(uri)
  request.basic_auth("YOUR_API_KEY", "YOUR_API_SECRET")
  request.content_type = "application/json"
  request.body = { clientId: "user-123", firstName: "John", lastName: "Doe" }.to_json

  token = JSON.parse(http.request(request).body)
  ```
</CodeGroup>

***

## Response

```json theme={"system"}
{
  "message": "Token created successfully",
  "authToken": "pgYQX0z2T8mtcpNj9I20uWVCLKNuG0vgr12f0wAC",
  "scanRef": "ec6a7108-8c26-11e9-9758-309c231b1bac",
  "clientId": "user-123",
  "firstName": "JOHN",
  "lastName": "DOE",
  "redirectUrl": "https://ivs.idenfy.com/api/v2/redirect?authToken=pgYQX0z2T8...",
  "digitString": null,
  "expiryTime": 3600,
  "sessionLength": 600
}
```

**Key response fields:**

| Field         | Use it for                                                        |
| ------------- | ----------------------------------------------------------------- |
| `authToken`   | Pass to iFrame, SDK, or redirect URL                              |
| `redirectUrl` | Redirect user here for hosted verification                        |
| `scanRef`     | Unique verification ID — store this in your database              |
| `digitString` | 8-digit code for mobile app (only if `generateDigitString: true`) |

***

## What to Do Next

After generating the token, send your user to verification:

| Method          | Code                                                                                       | When to use                                                          |
| --------------- | ------------------------------------------------------------------------------------------ | -------------------------------------------------------------------- |
| **Redirect**    | `window.location.href = token.redirectUrl`                                                 | Simplest. User leaves your site.                                     |
| **iFrame**      | `<iframe src="https://ui.idenfy.com/?authToken=TOKEN" allow="fullscreen" allowFullScreen>` | Embedded. User stays on your site. [Details →](/kyc/iframe-redirect) |
| **Android SDK** | `IdenfyController.startIdentification(activity, token.authToken)`                          | Native Android. [Details →](/sdks/android/quickstart)                |
| **iOS SDK**     | `IdenfyController.shared.startIdentification(authToken: token.authToken)`                  | Native iOS. [Details →](/sdks/ios/quickstart)                        |

Then [set up webhooks](/kyc/webhooks) to receive the result.

***

## All Parameters

<Info>
  Most of these can be **set as defaults** in your [Dashboard](https://admin.idenfy.com). Only pass parameters via API when you need per-session customization.
</Info>

### Personal Data `optional`

| Parameter     | Type                  | Description                                             |
| ------------- | --------------------- | ------------------------------------------------------- |
| `clientId`    | `string` **required** | Unique client identifier. ASCII, max 100 chars.         |
| `firstName`   | `string`              | Client name. Letters only, max 100, auto-uppercased.    |
| `lastName`    | `string`              | Client surname. Letters only, max 100, auto-uppercased. |
| `dateOfBirth` | `string`              | Format: `YYYY-MM-DD`.                                   |
| `sex`         | `string`              | `M` or `F`.                                             |
| `nationality` | `string`              | ISO 3166-1 alpha-2 (e.g., `US`, `DE`).                  |
| `address`     | `string`              | Max 255 chars. Used for Proof of Address verification.  |
| `externalRef` | `string`              | Your internal reference. ASCII, max 40 chars.           |

### Document Data `optional`

| Parameter        | Type                   | Description                                                                                |
| ---------------- | ---------------------- | ------------------------------------------------------------------------------------------ |
| `country`        | `string` or `string[]` | ISO alpha-2. Restricts accepted countries. Default: all.                                   |
| `documents`      | `string[]`             | Accepted document types: `PASSPORT`, `ID_CARD`, `DRIVER_LICENSE`, `RESIDENCE_PERMIT`, etc. |
| `documentNumber` | `string`               | Expected document number. Triggers mismatch check.                                         |
| `personalNumber` | `string`               | Expected personal/national code.                                                           |
| `dateOfExpiry`   | `string`               | Format: `YYYY-MM-DD`.                                                                      |
| `dateOfIssue`    | `string`               | Format: `YYYY-MM-DD`.                                                                      |

<Note>
  The `country` parameter sets the expected document country but does not limit the document selection options shown to your user. To restrict which document types and countries are available for selection, adjust the allowed documents settings — see [Document Configuration](/guides/dashboard/settings/document-identity-verification#1-document-configuration).

  If you need an option to deny users based on country, contact [tech support](https://idenfy-ivs.atlassian.net/servicedesk/customer/portal/1) via the portal.
</Note>

### Session Settings `optional`

| Parameter             | Type      | Default           | Description                                             |
| --------------------- | --------- | ----------------- | ------------------------------------------------------- |
| `successUrl`          | `string`  | Dashboard setting | Redirect after approval. HTTPS, max 2048.               |
| `errorUrl`            | `string`  | Dashboard setting | Redirect after denial.                                  |
| `unverifiedUrl`       | `string`  | Dashboard setting | Redirect if user cancels.                               |
| `callbackUrl`         | `string`  | —                 | Override webhook URL for this session.                  |
| `locale`              | `string`  | `en`              | UI language. ISO alpha-2.                               |
| `expiryTime`          | `integer` | `86400`           | Token validity (seconds). Max: 2,592,000 (30 days).     |
| `sessionLength`       | `integer` | `1800`            | Time to complete once started (seconds). Max: 3,600.    |
| `tokenType`           | `string`  | `IDENTIFICATION`  | `IDENTIFICATION` = doc + selfie. `DOCUMENT` = doc only. |
| `showInstructions`    | `boolean` | Dashboard         | Show instruction screens before capture.                |
| `generateDigitString` | `boolean` | `false`           | Generate 8-digit mobile code.                           |

### Verification Features `optional`

| Parameter           | Type      | Description                                |
| ------------------- | --------- | ------------------------------------------ |
| `verifyEmail`       | `boolean` | Add email verification step.               |
| `verifyPhone`       | `boolean` | Add phone verification step (SMS).         |
| `verifyAddress`     | `boolean` | Enable address/PoA verification.           |
| `verifyBank`        | `boolean` | Enable bank verification.                  |
| `nfcRequired`       | `boolean` | Require NFC chip reading (high assurance). |
| `nfcOptional`       | `boolean` | Optional NFC scan.                         |
| `ageLimit`          | `integer` | Minimum age. Below = `SUSPECTED`.          |
| `ageMax`            | `integer` | Maximum age. Above = `SUSPECTED`.          |
| `driverLicenseBack` | `boolean` | Require both sides of driver's license.    |

### Security & Fraud Detection `optional`

| Parameter                    | Type      | Description                                       |
| ---------------------------- | --------- | ------------------------------------------------- |
| `checkLiveness`              | `boolean` | Active 3D liveness (head movement).               |
| `idLiveFaceValidation`       | `boolean` | Passive face liveness (detects screens/photos).   |
| `idLiveDocumentValidation`   | `boolean` | Passive document liveness (detects copies).       |
| `checkAml`                   | `boolean` | Auto-add to AML monitoring.                       |
| `checkIpProxy`               | `boolean` | Detect VPN/proxy usage.                           |
| `checkFaceBlacklist`         | `boolean` | Check selfie against blacklist.                   |
| `checkDocFaceBlacklist`      | `boolean` | Check document face against blacklist.            |
| `checkDuplicateFaces`        | `boolean` | Detect same face in previous verifications.       |
| `checkDuplicateDocFaces`     | `boolean` | Detect same document face.                        |
| `checkDuplicatePersonalData` | `boolean` | Detect same personal data.                        |
| `checkBlurAndGlare`          | `boolean` | Image quality checks.                             |
| `autoFaceMatching`           | `boolean` | Disabling this turns off all face-related checks. |

### Customization `optional`

| Parameter               | Type      | Description                                                              |
| ----------------------- | --------- | ------------------------------------------------------------------------ |
| `additionalSteps`       | `object`  | Request extra documents. [See Additional Steps →](/kyc/additional-steps) |
| `additionalData`        | `object`  | Data for COMPARE-type additional steps.                                  |
| `utilityBill`           | `boolean` | Enable utility bill verification.                                        |
| `questionnaire`         | `string`  | Questionnaire key. `null` to disable.                                    |
| `riskAssessmentProfile` | `integer` | Risk Assessment profile ID.                                              |
| `reviewFailed`          | `boolean` | Trigger manual review for failed sessions.                               |
| `reviewSuccessful`      | `boolean` | Trigger manual review for successful sessions.                           |

***

<Warning>
  **Don't waste credits.** Don't create new sessions for the same `clientId` until you receive the final webhook result. Each session consumes a verification credit.
</Warning>