# Idswyft

> Open-source identity verification platform. Verify government-issued IDs with OCR, cross-validation, liveness detection, and face matching.

> **Base URL:** `https://api.idswyft.app` (replace with your own domain for self-hosted deployments)

## Overview

Idswyft provides a REST API for identity verification. Developers integrate via API key (`X-API-Key: ik_...`) to run a 5-step pipeline: front document OCR, back document barcode/MRZ, cross-validation, liveness detection, and face matching. Additional layers include face age estimation, velocity fraud detection, IP geolocation risk, AML/sanctions screening, PEP screening, and optional voice authentication. All decisions are deterministic — no LLMs in the decision pipeline.

Self-hostable via Docker Compose (4 containers) or available as managed cloud at idswyft.app.

## Quick Links

- [Full API Documentation](https://idswyft.app/llms-full.txt): Complete API reference in markdown (llms-full.txt)
- [API Docs (Backend)](https://api.idswyft.app/api/docs/markdown): Machine-readable API docs served by the API
- [Developer Portal](https://idswyft.app/developer): Register, get API keys, manage webhooks
- [Live Demo](https://idswyft.app/demo): Try the verification flow in sandbox mode
- [Documentation](https://idswyft.app/docs): Interactive documentation
- [GitHub](https://github.com/team-idswyft/idswyft-community): Source code (MIT license)

## SDKs

- JavaScript/TypeScript: `npm install @idswyft/sdk`
- React Component: `npm install @idswyft/react`
- Python: `pip install idswyft`

## Verification Flow

```
POST /api/v2/verify/initialize          → Create session
POST /api/v2/verify/:id/front-document  → OCR extraction
POST /api/v2/verify/:id/back-document   → Barcode/MRZ + cross-validation
POST /api/v2/verify/:id/live-capture    → Liveness + face match
POST /api/v2/verify/:id/voice-challenge → Generate voice challenge digits (optional)
POST /api/v2/verify/:id/voice-capture   → Speaker verification (optional)
GET  /api/v2/verify/:id/status          → Poll for final result
```

All POST endpoints accept an `Idempotency-Key` header for safe retry on network failures. Same key replays the original response within 24 hours. See llms-full.txt § Idempotency.

## Verification Modes

| Mode | Steps | Use Case |
|------|-------|----------|
| `full` (default) | Front → Back → CrossVal → Live → FaceMatch | Full identity verification |
| `document_only` | Front → Back → CrossVal | Document checks, no biometric |
| `identity` | Front → Live → FaceMatch | Quick identity check, no back doc |
| `age_only` | Front (DOB check) | Age-gated content (18+/21+) |

Passports are single-sided — when detected, back-document and cross-validation steps are automatically skipped (even in `full` and `document_only` modes). The front-document response includes `requires_back: false`.

## Verifiable Credentials (W3C JWT-VC)

Issue W3C Verifiable Credentials for completed verifications. Credentials are signed with Ed25519 (EdDSA) and can be independently verified by any relying party using the issuer's DID document — no API key needed for verification.

```
GET  /api/v2/verify/:id/credential       → Issue JWT-VC (requires API key, vc_enabled)
POST /api/v2/verify/:id/credential/send  → Email credential with QR code (requires API key, vc_enabled)
GET  /api/v2/credentials/:jti/status     → Check revocation status (public, no auth)
POST /api/v2/credentials/:jti/revoke     → Revoke credential (requires API key)
GET  /.well-known/did.json               → Issuer DID document (public)
```

**Client-side verification:** Resolve `did:web:api.idswyft.app` → fetch `/.well-known/did.json` → extract Ed25519 public key → verify JWT signature. ~15KB with `@noble/ed25519`.

## Compliance Orchestration Engine

Developer-configurable rule engine. Rules auto-select verification mode, gates, and post-verification actions.

All endpoints accept **either** `X-API-Key` (developer automation/SDK) **or** an organization-admin reviewer session cookie (Admin Dashboard UI at `/admin/verifications`). Regular reviewers and platform admins are rejected.

```
POST   /api/v2/compliance/rulesets           → Create ruleset
GET    /api/v2/compliance/rulesets           → List rulesets
GET    /api/v2/compliance/rulesets/:id       → Get ruleset with rules
PUT    /api/v2/compliance/rulesets/:id       → Update ruleset
DELETE /api/v2/compliance/rulesets/:id       → Delete ruleset + rules (CASCADE)
POST   /api/v2/compliance/rulesets/:id/rules → Add rule to ruleset
PUT    /api/v2/compliance/rules/:id          → Update rule
DELETE /api/v2/compliance/rules/:id          → Delete rule
POST   /api/v2/compliance/evaluate           → Dry-run: test context against rules
```

Rules auto-apply at `POST /api/v2/verify/initialize`. Response includes `compliance_applied` when rules match.

## AML / Sanctions & PEP Screening

Automatic screening after face matching (Gate 6). Configurable via `AML_PROVIDER` env var (`opensanctions`, `pep`, `offline`, or comma-separated for multiple). PEP (Politically Exposed Persons) screens against heads of state, senior officials, and associates. Per-developer opt-out via `aml_enabled: false`. Results include `risk_level`, `match_count`, `matches[]` with `listed_name`, `score`, and `list_source`.

## Face Age Estimation

Cross-checks apparent face age (from both document photo and live capture) against declared DOB. Flags age discrepancies as a fraud signal. Appears in `age_estimation` object in live-capture and status responses.

## Velocity / Fraud Detection

Analyzes verification velocity during live capture: rapid IP reuse, bot-like step timing, burst activity, multi-IP abuse. Flags route sessions to manual review. Contributes to composite risk score. `velocity_analysis` object in responses with `flags[]` and `score`.

## IP Geolocation Risk

Detects country mismatches between document nationality and client IP, Tor exit nodes, datacenter/VPN IPs, and high-risk jurisdictions. `ip_geolocation` object in responses with `geo_risk_flags[]`.

## Voice Authentication (Optional)

Speaker verification step after face matching. Developer opt-in via `voice_auth_enabled` toggle. Random 6-digit challenge → user speaks digits → ASR transcription verification + 512D speaker embedding comparison (cosine similarity, fixed threshold). Anti-spoofing by design.

```
PUT  /api/developer/settings/voice-auth     → Enable/disable voice auth
POST /api/v2/verify/:id/voice-challenge     → Generate 6 random digits (120s expiry)
POST /api/v2/verify/:id/voice-capture       → Submit audio, verify digits + speaker match
```

## Identity Vault

Tokenized identity storage. Store verified identity data encrypted at rest (AES-256-GCM), reference it via opaque tokens.

```
POST /api/v2/vault/store             → Store verified identity, get vault token (requires API key, vault_enabled)
GET  /api/v2/vault/:token            → Retrieve full identity data (requires API key)
GET  /api/v2/vault/:token/attributes/:attr → Get single attribute e.g. age_over_21 (requires API key)
DELETE /api/v2/vault/:token          → GDPR hard delete (requires API key)
GET  /api/v2/vault                   → List vault tokens, paginated (requires API key)
POST /api/v2/vault/:token/share      → Create time-limited share link (requires API key)
GET  /api/v2/vault/share/:shareToken → Access shared attributes (public, no auth)
```

## Integration Options

1. **Redirect** — initialize server-side (`POST /api/v2/verify/initialize`), redirect user to the returned `verification_url` (session-token-based, no API key in browser). Append `&redirect_url=https://yourapp.com/done` to auto-redirect the user back with `verification_id`, `status`, and `user_id` query params. Works on both desktop and mobile devices. `redirect_url` must use `http:` or `https:` protocol.
2. **Iframe** — embed the hosted page with `allow="camera; microphone"`
3. **SDK** — `@idswyft/sdk` IdswyftEmbed (modal/inline) or `@idswyft/react` React component

## Base URLs

- Cloud API: `https://api.idswyft.app`
- Cloud Frontend: `https://idswyft.app`
- Self-hosted: configured via Docker Compose

## Version

v1.8.52 — April 2026
