Quickstart

15-minute happy path

Evaluate policy, create a session, run the in-browser check, submit result server-side, verify signature, and reconcile webhooks.

Prerequisites


  • Server endpoint to evaluate policy, create sessions, and submit results.
  • Secure storage for API keys (never expose them to the client).
  • Webhook endpoint with signature verification support.
  • UI path for retry/fallback messages.

Canonical flow

1) Evaluate policy (server)

POST /api/v1/policy/evaluate
{operatorId, action, route?, category?, geographyBasis?}
=> {verificationRequired, method}

2) Create session + model access (server)

POST /api/v1/verification-sessions
{operatorId, idempotencyKey}
=> {sessionId}

POST /api/v1/verification-sessions/{id}/model-access
=> {modelBasePath, modelAccessToken}

3) Run check (browser)

runDefaultBiometricCheck({ modelBasePath, modelAccessToken })
=> { passed, reason?, subjectId? }

// or checkbox companion UX where policy allows

4) Submit + enforce (server)

POST /api/v1/verification-sessions/{id}/biometric-result
// or /checkbox-result
=> { outcome, decisionToken? }

if outcome === 'inconclusive' -> POST /api/v1/fallback/initiate

Local dev checklist


  • Run policy evaluate, session create, and result submission against test keys.
  • Simulate token expiry and verify refresh behavior.
  • Replay webhook event payload to validate dedupe logic.
  • Test camera denied and low-light user messaging.

Common pitfalls


  • Token expiry: reject stale model access tokens and request fresh model access.
  • Double submit: enforce idempotency keys on session creation and result submission.
  • Webhook retries: store event IDs and process idempotently.
  • Client-only enforcement: always enforce from verified server outcome.
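
An added example, not code from this product's documentation, of the webhook handling that the "Webhook retries" item and the local dev replay check describe: verify the signature over the raw body, then dedupe by event ID. Assumptions: the signature is a hex HMAC-SHA256 of the raw body under a shared secret, and each event carries a string `id`; the function names and the sample payload are hypothetical.

```javascript
const crypto = require('node:crypto');

// Assumption: signature = hex(HMAC-SHA256(secret, raw request body)).
function sign(rawBody, secret) {
  return crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
}

function verifySignature(rawBody, signatureHex, secret) {
  const expected = Buffer.from(sign(rawBody, secret), 'hex');
  const given = Buffer.from(String(signatureHex || ''), 'hex');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// `seen` stands in for persistent storage with a unique constraint on event ID.
function createWebhookHandler(secret, applyEvent = () => {}, seen = new Set()) {
  return function handle(rawBody, signatureHex) {
    // Verify over the raw bytes before parsing anything.
    if (!verifySignature(rawBody, signatureHex, secret)) return 'rejected';
    let event;
    try { event = JSON.parse(rawBody); } catch { return 'rejected'; }
    if (!event || typeof event.id !== 'string') return 'rejected';
    if (seen.has(event.id)) return 'duplicate'; // retry: acknowledge, do not re-apply
    seen.add(event.id);
    applyEvent(event);
    return 'processed';
  };
}

// Constructed sample delivery, not a real payload.
function demo() {
  const secret = 'test-secret-constructed';
  const applied = [];
  const handle = createWebhookHandler(secret, (e) => applied.push(e.id));
  const body = JSON.stringify({ id: 'evt_constructed_1', outcome: 'inconclusive' });
  const sig = sign(body, secret);
  return {
    first: handle(body, sig),
    retry: handle(body, sig),
    tampered: handle(body.replace('inconclusive', 'passed'), sig),
    applied,
  };
}
```

In production the `seen` set must be durable and shared across workers, otherwise a retry that lands on a different instance is applied twice.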

Troubleshooting framework



When issues occur, isolate the stage first: policy evaluate, session create/model access, browser run, result submit, or webhook delivery. This avoids broad debugging and keeps incident response focused.

  • If evaluate/create fails, validate key scope, billing state, and request payload shape.
  • If browser run fails, validate camera permission, lighting, and model access token freshness.
  • If submit fails, check whether an idempotency key was reused and confirm the integrity of the outcome payload.
  • If webhook fails, verify signature parsing and dedupe persistence.

Ready to run your first check?

Create your account, generate an API key, and run the happy path end-to-end.