Skip to main content
title: ‘Development’ description: ‘KYC integration details: hosts, auth, environment, lifecycle’
Prerequisites:
  • Node.js version 19 or higher
  • A docs repository with a docs.json file
  • A VerisecID public API key (e.g., pb-xxxxx)

Authentication

Pass your public key as a Bearer token. Public keys map to workspaces in Firestore under workspaces.apiPublicKey. 
Authorization: Bearer pb-YourPublicKey

Hosts and CORS

API requests are served only when the Host header matches an allowlist. Default allowed hosts:
  • api.verisecid.com, localhost, 127.0.0.1
Override with env var: 
API_ALLOWED_HOSTS=api.verisecid.com,localhost,127.0.0.1
When a host is not allowed, handlers return 404 with { "error": "invalid_host" }.

Endpoints

  • Create session: POST /v1/kyc/sessions
  • Get session: GET /v1/kyc/sessions/{sessionId}

Access control

  • 401 { "error": "missing_authorization" } when header is absent
  • 401 { "error": "invalid_credentials" } when public key is invalid
  • 403 { "error": "forbidden" } when the user does not own the session/workspace

Environment variables

  • API_ALLOWED_HOSTS (optional) — comma-separated hostnames allowed for /api/*.
  • Firebase client (for app UI) requires standard NEXT_PUBLIC_FIREBASE_* variables.
  • Server-side verification actions may require AI provider keys (e.g., OPENAI_API_KEY).

Session lifecycle

  • Initial: not_started
  • Typical progression: not_startedprocessingcompleted (or failed)
  • Verify UI prevents reuse when status === "completed".

Operational notes

  • Base host: https://api.verisecid.com
  • Allowed hosts: api.verisecid.com, localhost, 127.0.0.1
  • Override with env var: API_ALLOWED_HOSTS=api.verisecid.com,localhost,127.0.0.1
  • Disallowed hosts return 404 with { "error": "invalid_host" }

Session lifecycle

  • Initial: not_started
  • Typical progression: not_startedprocessingcompleted (or failed)
  • Verify UI prevents reuse when status === "completed".