Skip to main content

Verification flow

Automatic verification is performed instantly by iDenfy’s AI and produces one webhook callback. Manual verification is a subsequent human review and produces a second webhook callback. If manual review is enabled for your account, you will receive up to two callbacks per verification: one automatic and one manual.
  • Automatic only: 1 callback after the AI finishes processing.
  • Automatic + manual review: 2 callbacks — first the automatic result, then the manual reviewer’s decision.
No. Manual reviewers can only modify OCR-extracted data (names, dates, document numbers). They cannot replace or alter the photos submitted by the user.
SUSPECTED means the system flagged potential issues but did not outright reject the verification. It is not a failure — treat it as a signal that requires your own business logic to decide whether to accept or decline the user.
AUTO_UNVERIFIABLE means the automatic system could not reach a definitive decision (for example, due to poor image quality). If manual review is enabled, a human reviewer will evaluate the submission next. If manual review is not enabled, you should prompt the user to retry.

Tokens and sessions

  • expiryTime — how long the verification token is valid before the user starts the session (e.g., 3600 seconds). After this period the token cannot be used.
  • sessionLength — how long the user has to complete the verification once they have opened the session (e.g., 600 seconds).
This means your account has exhausted its verification credits. It is not a rate-limit error. Contact your iDenfy account manager to purchase additional credits.

User management

iDenfy does not track or block repeat verifications on its own. If you want to prevent a user from verifying more than once, you must implement that logic on your side — for example, by checking the clientId before generating a new token.
maxAttemptCount limits how many times a single verification token can be used for submission attempts. Once the limit is reached, the token is invalidated and the user cannot retry with it. You would need to generate a new token if you want to allow further attempts.

Data and matching

Yes. iDenfy supports Unicode characters, so names in Cyrillic, Chinese, Arabic, and other scripts are handled correctly.
When you supply expected values at token creation, iDenfy can cross-match them against the extracted document data. The supported fields are:
  • DOCUMENT_NUMBER
  • PERSONAL_CODE
  • EXPIRY_DATE
  • DATE_OF_BIRTH
  • DATE_OF_ISSUE
You can configure the name-matching strategy when creating a token:
ModeBehavior
ANY_NAMEAt least one name (first or last) must match.
ONE_NAMEExactly one name field must match.
ALL_NAMESAll provided name fields must match.

Webhooks

Check the following:
  1. Your endpoint returns HTTP 200 promptly. iDenfy may consider other status codes a failure.
  2. The URL configured in the dashboard is publicly accessible (not localhost).
  3. No firewall or security group is blocking iDenfy’s IPs. See IP Whitelisting.
  4. If using callback signing, ensure you are reading the raw body for signature verification. See Callback Signing.

Front-end integration

Chrome blocks camera access in cross-origin iframes by default. Add the allow attribute to your iframe element:
<iframe
  src="https://ivs.idenfy.com/api/v2/redirect?authToken=YOUR_TOKEN"
  allow="camera"
></iframe>