Veriff Media API
Uploads document, face, and NFC media into a session and retrieves media metadata and individual image files by session, attempt, or media ID for server-to-server integrations.
Uploads document, face, and NFC media into a session and retrieves media metadata and individual image files by session, attempt, or media ID for server-to-server integrations.
openapi: 3.0.3
info:
title: Veriff Public API
description: >-
The Veriff Public API powers online identity verification: creating
verification sessions, submitting and retrieving media, and reading the
resulting decision, person, watchlist-screening, and attempt data.
## Base URL
Requests are made against your integration base URL, retrieved from the
Veriff Customer Portal (API Keys page). The common production base URL is
`https://stationapi.veriff.com/v1`.
## Authentication
Every request carries two headers:
- `X-AUTH-CLIENT` - your integration's public API key, identifying the
request sender.
- `X-HMAC-SIGNATURE` - a hex-encoded HMAC-SHA256 signature proving payload
authenticity, computed with your integration's shared secret key.
What is signed depends on the method:
- `POST` / `PATCH`: sign the exact raw request payload body.
- `GET` / `DELETE`: sign the resource identifier used in the path
(for example the session ID).
- `POST /sessions` is the one exception and does not require
`X-HMAC-SIGNATURE`, only `X-AUTH-CLIENT`.
Veriff signs its responses and webhooks the same way, returning
`vrf-auth-client`, `vrf-hmac-signature`, and `vrf-integration-id` headers
so callers can verify authenticity.
termsOfService: https://www.veriff.com/terms
contact:
name: Veriff Support
url: https://www.veriff.com/support
version: '1.0'
servers:
- url: https://stationapi.veriff.com/v1
description: Veriff Public API (retrieve your exact base URL from the Customer Portal)
security:
- AuthClient: []
HmacSignature: []
tags:
- name: Sessions
description: Create, update, and delete verification sessions.
- name: Media
description: Upload and retrieve document, face, and NFC media.
- name: Decisions
description: Retrieve verification decisions and registry results.
- name: Person
description: Retrieve verified person data.
- name: Watchlist Screening
description: Retrieve AML PEP, sanctions, and adverse-media screening results.
- name: Attempts
description: List verification attempts within a session.
paths:
/sessions:
post:
operationId: createSession
tags:
- Sessions
summary: Create a verification session
description: >-
Starts a new verification session and returns a session ID plus a hosted
verification URL. Does not require X-HMAC-SIGNATURE, only X-AUTH-CLIENT.
security:
- AuthClient: []
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateSessionRequest'
responses:
'201':
description: Session created.
content:
application/json:
schema:
$ref: '#/components/schemas/CreateSessionResponse'
'400':
$ref: '#/components/responses/BadRequest'
'401':
$ref: '#/components/responses/Unauthorized'
/sessions/{sessionId}:
patch:
operationId: updateSession
tags:
- Sessions
summary: Update session status
description: >-
Updates a session, typically to set its status to "submitted" once the
end-user has provided all required media and data. The signed payload is
the raw request body.
parameters:
- $ref: '#/components/parameters/SessionId'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/UpdateSessionRequest'
responses:
'200':
description: Session updated.
content:
application/json:
schema:
$ref: '#/components/schemas/StatusResponse'
'401':
$ref: '#/components/responses/Unauthorized'
'404':
$ref: '#/components/responses/NotFound'
delete:
operationId: deleteSession
tags:
- Sessions
summary: Delete a session
description: >-
Deletes a session and its data. Not enabled by default; must be
requested from Veriff. The signed value is the session ID.
parameters:
- $ref: '#/components/parameters/SessionId'
responses:
'200':
description: Session deleted.
content:
application/json:
schema:
$ref: '#/components/schemas/StatusResponse'
'401':
$ref: '#/components/responses/Unauthorized'
'404':
$ref: '#/components/responses/NotFound'
/sessions/{sessionId}/media:
post:
operationId: uploadMedia
tags:
- Media
summary: Upload media to a session
description: >-
Uploads a document, face, or NFC image into a session for
server-to-server integrations. Images are provided as base64-encoded
content with a context describing what the image represents.
parameters:
- $ref: '#/components/parameters/SessionId'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/UploadMediaRequest'
responses:
'201':
description: Media stored.
content:
application/json:
schema:
$ref: '#/components/schemas/UploadMediaResponse'
'401':
$ref: '#/components/responses/Unauthorized'
'404':
$ref: '#/components/responses/NotFound'
get:
operationId: getSessionMedia
tags:
- Media
summary: List media for a session
description: Returns metadata for the images and videos captured in a session.
parameters:
- $ref: '#/components/parameters/SessionId'
responses:
'200':
description: Media list.
content:
application/json:
schema:
$ref: '#/components/schemas/MediaListResponse'
'401':
$ref: '#/components/responses/Unauthorized'
'404':
$ref: '#/components/responses/NotFound'
/sessions/{sessionId}/collected-data:
post:
operationId: uploadCollectedData
tags:
- Sessions
summary: Upload collected end-user data
description: Submits structured end-user data collected during verification.
parameters:
- $ref: '#/components/parameters/SessionId'
requestBody:
required: true
content:
application/json:
schema:
type: object
additionalProperties: true
responses:
'201':
description: Data stored.
content:
application/json:
schema:
$ref: '#/components/schemas/StatusResponse'
'401':
$ref: '#/components/responses/Unauthorized'
/sessions/{sessionId}/decision:
get:
operationId: getSessionDecision
tags:
- Decisions
summary: Retrieve a verification decision
description: >-
Returns the decision for a session including status, code, extracted
document and person data, insights, and risk labels. The signed value
is the session ID.
parameters:
- $ref: '#/components/parameters/SessionId'
responses:
'200':
description: Verification decision.
content:
application/json:
schema:
$ref: '#/components/schemas/DecisionResponse'
'401':
$ref: '#/components/responses/Unauthorized'
'404':
$ref: '#/components/responses/NotFound'
/sessions/{sessionId}/person:
get:
operationId: getSessionPerson
tags:
- Person
summary: Retrieve verified person data
description: Returns the verified person object extracted from a session.
parameters:
- $ref: '#/components/parameters/SessionId'
responses:
'200':
description: Person data.
content:
application/json:
schema:
$ref: '#/components/schemas/PersonResponse'
'401':
$ref: '#/components/responses/Unauthorized'
'404':
$ref: '#/components/responses/NotFound'
/sessions/{sessionId}/watchlist-screening:
get:
operationId: getWatchlistScreening
tags:
- Watchlist Screening
summary: Retrieve AML watchlist screening
description: >-
Returns Politically Exposed Persons (PEP), sanctions, and adverse-media
screening results for a session, including hit details.
parameters:
- $ref: '#/components/parameters/SessionId'
responses:
'200':
description: Watchlist screening result.
content:
application/json:
schema:
$ref: '#/components/schemas/WatchlistScreeningResponse'
'401':
$ref: '#/components/responses/Unauthorized'
'404':
$ref: '#/components/responses/NotFound'
/sessions/{sessionId}/attempts:
get:
operationId: getSessionAttempts
tags:
- Attempts
summary: List attempts in a session
description: Returns the list of verification attempts made within a session.
parameters:
- $ref: '#/components/parameters/SessionId'
responses:
'200':
description: Attempts list.
content:
application/json:
schema:
$ref: '#/components/schemas/AttemptsResponse'
'401':
$ref: '#/components/responses/Unauthorized'
'404':
$ref: '#/components/responses/NotFound'
/attempts/{attemptId}/media:
get:
operationId: getAttemptMedia
tags:
- Media
summary: List media for an attempt
description: Returns metadata for media captured during a specific attempt.
parameters:
- name: attemptId
in: path
required: true
description: The attempt UUID.
schema:
type: string
format: uuid
responses:
'200':
description: Media list.
content:
application/json:
schema:
$ref: '#/components/schemas/MediaListResponse'
'401':
$ref: '#/components/responses/Unauthorized'
'404':
$ref: '#/components/responses/NotFound'
/media/{mediaId}:
get:
operationId: getMediaFile
tags:
- Media
summary: Retrieve a media file
description: >-
Returns a specific image file by media ID. The signed value is the
media ID.
parameters:
- name: mediaId
in: path
required: true
description: The media UUID.
schema:
type: string
format: uuid
responses:
'200':
description: Binary image.
content:
image/jpeg:
schema:
type: string
format: binary
'401':
$ref: '#/components/responses/Unauthorized'
'404':
$ref: '#/components/responses/NotFound'
components:
securitySchemes:
AuthClient:
type: apiKey
in: header
name: X-AUTH-CLIENT
description: Your integration's public API key.
HmacSignature:
type: apiKey
in: header
name: X-HMAC-SIGNATURE
description: >-
Hex-encoded HMAC-SHA256 signature of the payload (POST/PATCH) or the
resource ID (GET/DELETE), keyed with your integration's shared secret.
parameters:
SessionId:
name: sessionId
in: path
required: true
description: The verification session UUID.
schema:
type: string
format: uuid
responses:
BadRequest:
description: Malformed request.
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
Unauthorized:
description: Missing or invalid X-AUTH-CLIENT / X-HMAC-SIGNATURE.
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
NotFound:
description: Resource not found.
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
schemas:
CreateSessionRequest:
type: object
required:
- verification
properties:
verification:
type: object
properties:
callback:
type: string
format: uri
description: URL the end-user is redirected to after verification.
person:
type: object
properties:
firstName:
type: string
lastName:
type: string
idNumber:
type: string
document:
type: object
properties:
number:
type: string
type:
type: string
description: e.g. PASSPORT, ID_CARD, DRIVERS_LICENSE, RESIDENCE_PERMIT.
country:
type: string
description: ISO 3166-1 alpha-2 country code.
vendorData:
type: string
description: Your own identifier for correlating decisions to a user.
endUserId:
type: string
description: Optional end-user identifier for correlation.
timestamp:
type: string
format: date-time
CreateSessionResponse:
type: object
properties:
status:
type: string
example: success
verification:
type: object
properties:
id:
type: string
format: uuid
url:
type: string
format: uri
description: Hosted verification URL for the end-user.
sessionToken:
type: string
baseUrl:
type: string
format: uri
UpdateSessionRequest:
type: object
required:
- verification
properties:
verification:
type: object
properties:
status:
type: string
enum:
- submitted
UploadMediaRequest:
type: object
required:
- image
properties:
image:
type: object
properties:
context:
type: string
description: What the image is, e.g. document-front, document-back, face.
content:
type: string
description: Base64-encoded image content (data URI).
UploadMediaResponse:
type: object
properties:
status:
type: string
image:
$ref: '#/components/schemas/Media'
MediaListResponse:
type: object
properties:
status:
type: string
images:
type: array
items:
$ref: '#/components/schemas/Media'
videos:
type: array
items:
$ref: '#/components/schemas/Media'
Media:
type: object
properties:
id:
type: string
format: uuid
name:
type: string
timestamp:
type: string
format: date-time
context:
type: string
url:
type: string
format: uri
mimetype:
type: string
size:
type: integer
DecisionResponse:
type: object
properties:
status:
type: string
example: success
verification:
type: object
properties:
id:
type: string
format: uuid
status:
type: string
enum:
- approved
- declined
- resubmission_requested
- expired
- abandoned
- review
code:
type: integer
description: Numeric verification code accompanying the status.
reason:
type: string
nullable: true
reasonCode:
type: integer
nullable: true
person:
$ref: '#/components/schemas/Person'
document:
$ref: '#/components/schemas/Document'
insights:
type: array
items:
type: object
properties:
label:
type: string
result:
type: string
category:
type: string
riskLabels:
type: array
items:
type: object
properties:
label:
type: string
category:
type: string
sessionIds:
type: array
items:
type: string
acceptanceTime:
type: string
format: date-time
decisionTime:
type: string
format: date-time
vendorData:
type: string
nullable: true
PersonResponse:
type: object
properties:
status:
type: string
person:
$ref: '#/components/schemas/Person'
Person:
type: object
properties:
firstName:
type: string
nullable: true
lastName:
type: string
nullable: true
dateOfBirth:
type: string
format: date
nullable: true
gender:
type: string
nullable: true
nationality:
type: string
nullable: true
citizenship:
type: string
nullable: true
idNumber:
type: string
nullable: true
address:
type: string
nullable: true
Document:
type: object
properties:
type:
type: string
nullable: true
number:
type: string
nullable: true
country:
type: string
nullable: true
validFrom:
type: string
format: date
nullable: true
validUntil:
type: string
format: date
nullable: true
WatchlistScreeningResponse:
type: object
properties:
status:
type: string
watchlistScreening:
type: object
properties:
searchResult:
type: string
description: e.g. NO_MATCH, POSSIBLE_MATCH, MATCH.
matchStatus:
type: string
totalHitCount:
type: integer
searchTerm:
type: string
hits:
type: array
items:
type: object
properties:
matchTypes:
type: array
items:
type: string
name:
type: string
categories:
type: array
items:
type: string
description: e.g. sanction, pep, adverse-media.
AttemptsResponse:
type: object
properties:
status:
type: string
verifications:
type: array
items:
type: object
properties:
id:
type: string
format: uuid
status:
type: string
code:
type: integer
StatusResponse:
type: object
properties:
status:
type: string
example: success
Error:
type: object
properties:
status:
type: string
example: fail
code:
type: integer
message:
type: string