Veriff Watchlist Screening API

Queries the AML watchlist-screening result for a session - Politically Exposed Persons (PEP), sanctions, and adverse-media matches with hit details.

OpenAPI Specification

veriff-com-openapi.yml Raw ↑
openapi: 3.0.3
info:
  title: Veriff Public API
  description: >-
    The Veriff Public API powers online identity verification: creating
    verification sessions, submitting and retrieving media, and reading the
    resulting decision, person, watchlist-screening, and attempt data.


    ## Base URL


    Requests are made against your integration base URL, retrieved from the
    Veriff Customer Portal (API Keys page). The common production base URL is
    `https://stationapi.veriff.com/v1`.


    ## Authentication


    Every request carries two headers:

    - `X-AUTH-CLIENT` - your integration's public API key, identifying the
      request sender.

    - `X-HMAC-SIGNATURE` - a hex-encoded HMAC-SHA256 signature proving payload
      authenticity, computed with your integration's shared secret key.


    What is signed depends on the method:

    - `POST` / `PATCH`: sign the exact raw request payload body.

    - `GET` / `DELETE`: sign the resource identifier used in the path
      (for example the session ID).

    - `POST /sessions` is the one exception and does not require
      `X-HMAC-SIGNATURE`, only `X-AUTH-CLIENT`.


    Veriff signs its responses and webhooks the same way, returning
    `vrf-auth-client`, `vrf-hmac-signature`, and `vrf-integration-id` headers
    so callers can verify authenticity.
  termsOfService: https://www.veriff.com/terms
  contact:
    name: Veriff Support
    url: https://www.veriff.com/support
  version: '1.0'
servers:
  - url: https://stationapi.veriff.com/v1
    description: Veriff Public API (retrieve your exact base URL from the Customer Portal)
security:
  - AuthClient: []
    HmacSignature: []
tags:
  - name: Sessions
    description: Create, update, and delete verification sessions.
  - name: Media
    description: Upload and retrieve document, face, and NFC media.
  - name: Decisions
    description: Retrieve verification decisions and registry results.
  - name: Person
    description: Retrieve verified person data.
  - name: Watchlist Screening
    description: Retrieve AML PEP, sanctions, and adverse-media screening results.
  - name: Attempts
    description: List verification attempts within a session.
paths:
  /sessions:
    post:
      operationId: createSession
      tags:
        - Sessions
      summary: Create a verification session
      description: >-
        Starts a new verification session and returns a session ID plus a hosted
        verification URL. Does not require X-HMAC-SIGNATURE, only X-AUTH-CLIENT.
      security:
        - AuthClient: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateSessionRequest'
      responses:
        '201':
          description: Session created.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CreateSessionResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /sessions/{sessionId}:
    patch:
      operationId: updateSession
      tags:
        - Sessions
      summary: Update session status
      description: >-
        Updates a session, typically to set its status to "submitted" once the
        end-user has provided all required media and data. The signed payload is
        the raw request body.
      parameters:
        - $ref: '#/components/parameters/SessionId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UpdateSessionRequest'
      responses:
        '200':
          description: Session updated.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/StatusResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    delete:
      operationId: deleteSession
      tags:
        - Sessions
      summary: Delete a session
      description: >-
        Deletes a session and its data. Not enabled by default; must be
        requested from Veriff. The signed value is the session ID.
      parameters:
        - $ref: '#/components/parameters/SessionId'
      responses:
        '200':
          description: Session deleted.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/StatusResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /sessions/{sessionId}/media:
    post:
      operationId: uploadMedia
      tags:
        - Media
      summary: Upload media to a session
      description: >-
        Uploads a document, face, or NFC image into a session for
        server-to-server integrations. Images are provided as base64-encoded
        content with a context describing what the image represents.
      parameters:
        - $ref: '#/components/parameters/SessionId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UploadMediaRequest'
      responses:
        '201':
          description: Media stored.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UploadMediaResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    get:
      operationId: getSessionMedia
      tags:
        - Media
      summary: List media for a session
      description: Returns metadata for the images and videos captured in a session.
      parameters:
        - $ref: '#/components/parameters/SessionId'
      responses:
        '200':
          description: Media list.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/MediaListResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /sessions/{sessionId}/collected-data:
    post:
      operationId: uploadCollectedData
      tags:
        - Sessions
      summary: Upload collected end-user data
      description: Submits structured end-user data collected during verification.
      parameters:
        - $ref: '#/components/parameters/SessionId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              additionalProperties: true
      responses:
        '201':
          description: Data stored.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/StatusResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /sessions/{sessionId}/decision:
    get:
      operationId: getSessionDecision
      tags:
        - Decisions
      summary: Retrieve a verification decision
      description: >-
        Returns the decision for a session including status, code, extracted
        document and person data, insights, and risk labels. The signed value
        is the session ID.
      parameters:
        - $ref: '#/components/parameters/SessionId'
      responses:
        '200':
          description: Verification decision.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DecisionResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /sessions/{sessionId}/person:
    get:
      operationId: getSessionPerson
      tags:
        - Person
      summary: Retrieve verified person data
      description: Returns the verified person object extracted from a session.
      parameters:
        - $ref: '#/components/parameters/SessionId'
      responses:
        '200':
          description: Person data.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PersonResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /sessions/{sessionId}/watchlist-screening:
    get:
      operationId: getWatchlistScreening
      tags:
        - Watchlist Screening
      summary: Retrieve AML watchlist screening
      description: >-
        Returns Politically Exposed Persons (PEP), sanctions, and adverse-media
        screening results for a session, including hit details.
      parameters:
        - $ref: '#/components/parameters/SessionId'
      responses:
        '200':
          description: Watchlist screening result.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/WatchlistScreeningResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /sessions/{sessionId}/attempts:
    get:
      operationId: getSessionAttempts
      tags:
        - Attempts
      summary: List attempts in a session
      description: Returns the list of verification attempts made within a session.
      parameters:
        - $ref: '#/components/parameters/SessionId'
      responses:
        '200':
          description: Attempts list.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AttemptsResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /attempts/{attemptId}/media:
    get:
      operationId: getAttemptMedia
      tags:
        - Media
      summary: List media for an attempt
      description: Returns metadata for media captured during a specific attempt.
      parameters:
        - name: attemptId
          in: path
          required: true
          description: The attempt UUID.
          schema:
            type: string
            format: uuid
      responses:
        '200':
          description: Media list.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/MediaListResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /media/{mediaId}:
    get:
      operationId: getMediaFile
      tags:
        - Media
      summary: Retrieve a media file
      description: >-
        Returns a specific image file by media ID. The signed value is the
        media ID.
      parameters:
        - name: mediaId
          in: path
          required: true
          description: The media UUID.
          schema:
            type: string
            format: uuid
      responses:
        '200':
          description: Binary image.
          content:
            image/jpeg:
              schema:
                type: string
                format: binary
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
components:
  securitySchemes:
    AuthClient:
      type: apiKey
      in: header
      name: X-AUTH-CLIENT
      description: Your integration's public API key.
    HmacSignature:
      type: apiKey
      in: header
      name: X-HMAC-SIGNATURE
      description: >-
        Hex-encoded HMAC-SHA256 signature of the payload (POST/PATCH) or the
        resource ID (GET/DELETE), keyed with your integration's shared secret.
  parameters:
    SessionId:
      name: sessionId
      in: path
      required: true
      description: The verification session UUID.
      schema:
        type: string
        format: uuid
  responses:
    BadRequest:
      description: Malformed request.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    Unauthorized:
      description: Missing or invalid X-AUTH-CLIENT / X-HMAC-SIGNATURE.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    NotFound:
      description: Resource not found.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
  schemas:
    CreateSessionRequest:
      type: object
      required:
        - verification
      properties:
        verification:
          type: object
          properties:
            callback:
              type: string
              format: uri
              description: URL the end-user is redirected to after verification.
            person:
              type: object
              properties:
                firstName:
                  type: string
                lastName:
                  type: string
                idNumber:
                  type: string
            document:
              type: object
              properties:
                number:
                  type: string
                type:
                  type: string
                  description: e.g. PASSPORT, ID_CARD, DRIVERS_LICENSE, RESIDENCE_PERMIT.
                country:
                  type: string
                  description: ISO 3166-1 alpha-2 country code.
            vendorData:
              type: string
              description: Your own identifier for correlating decisions to a user.
            endUserId:
              type: string
              description: Optional end-user identifier for correlation.
            timestamp:
              type: string
              format: date-time
    CreateSessionResponse:
      type: object
      properties:
        status:
          type: string
          example: success
        verification:
          type: object
          properties:
            id:
              type: string
              format: uuid
            url:
              type: string
              format: uri
              description: Hosted verification URL for the end-user.
            sessionToken:
              type: string
            baseUrl:
              type: string
              format: uri
    UpdateSessionRequest:
      type: object
      required:
        - verification
      properties:
        verification:
          type: object
          properties:
            status:
              type: string
              enum:
                - submitted
    UploadMediaRequest:
      type: object
      required:
        - image
      properties:
        image:
          type: object
          properties:
            context:
              type: string
              description: What the image is, e.g. document-front, document-back, face.
            content:
              type: string
              description: Base64-encoded image content (data URI).
    UploadMediaResponse:
      type: object
      properties:
        status:
          type: string
        image:
          $ref: '#/components/schemas/Media'
    MediaListResponse:
      type: object
      properties:
        status:
          type: string
        images:
          type: array
          items:
            $ref: '#/components/schemas/Media'
        videos:
          type: array
          items:
            $ref: '#/components/schemas/Media'
    Media:
      type: object
      properties:
        id:
          type: string
          format: uuid
        name:
          type: string
        timestamp:
          type: string
          format: date-time
        context:
          type: string
        url:
          type: string
          format: uri
        mimetype:
          type: string
        size:
          type: integer
    DecisionResponse:
      type: object
      properties:
        status:
          type: string
          example: success
        verification:
          type: object
          properties:
            id:
              type: string
              format: uuid
            status:
              type: string
              enum:
                - approved
                - declined
                - resubmission_requested
                - expired
                - abandoned
                - review
            code:
              type: integer
              description: Numeric verification code accompanying the status.
            reason:
              type: string
              nullable: true
            reasonCode:
              type: integer
              nullable: true
            person:
              $ref: '#/components/schemas/Person'
            document:
              $ref: '#/components/schemas/Document'
            insights:
              type: array
              items:
                type: object
                properties:
                  label:
                    type: string
                  result:
                    type: string
                  category:
                    type: string
            riskLabels:
              type: array
              items:
                type: object
                properties:
                  label:
                    type: string
                  category:
                    type: string
                  sessionIds:
                    type: array
                    items:
                      type: string
            acceptanceTime:
              type: string
              format: date-time
            decisionTime:
              type: string
              format: date-time
            vendorData:
              type: string
              nullable: true
    PersonResponse:
      type: object
      properties:
        status:
          type: string
        person:
          $ref: '#/components/schemas/Person'
    Person:
      type: object
      properties:
        firstName:
          type: string
          nullable: true
        lastName:
          type: string
          nullable: true
        dateOfBirth:
          type: string
          format: date
          nullable: true
        gender:
          type: string
          nullable: true
        nationality:
          type: string
          nullable: true
        citizenship:
          type: string
          nullable: true
        idNumber:
          type: string
          nullable: true
        address:
          type: string
          nullable: true
    Document:
      type: object
      properties:
        type:
          type: string
          nullable: true
        number:
          type: string
          nullable: true
        country:
          type: string
          nullable: true
        validFrom:
          type: string
          format: date
          nullable: true
        validUntil:
          type: string
          format: date
          nullable: true
    WatchlistScreeningResponse:
      type: object
      properties:
        status:
          type: string
        watchlistScreening:
          type: object
          properties:
            searchResult:
              type: string
              description: e.g. NO_MATCH, POSSIBLE_MATCH, MATCH.
            matchStatus:
              type: string
            totalHitCount:
              type: integer
            searchTerm:
              type: string
            hits:
              type: array
              items:
                type: object
                properties:
                  matchTypes:
                    type: array
                    items:
                      type: string
                  name:
                    type: string
                  categories:
                    type: array
                    items:
                      type: string
                    description: e.g. sanction, pep, adverse-media.
    AttemptsResponse:
      type: object
      properties:
        status:
          type: string
        verifications:
          type: array
          items:
            type: object
            properties:
              id:
                type: string
                format: uuid
              status:
                type: string
              code:
                type: integer
    StatusResponse:
      type: object
      properties:
        status:
          type: string
          example: success
    Error:
      type: object
      properties:
        status:
          type: string
          example: fail
        code:
          type: integer
        message:
          type: string