Verihop Verify in one hop

For People

Get the app. Get verified. That's it.

Services can request specific verified fields. You'll always see exactly what to share and why before you approve.

Get the iOS Beta

How it works

After you've downloaded the app, sharing verified details only takes a few taps.

1

Tap Verify, or scan QR code

Verihop will open and show what it requests.

2

Verify on-device

If you wish to share your details, tap to share.

3

Bounce back verified

The information requested is shared, you can proceed.

TRY DEMO Open the live movie checkout flow. See the bounce-back verification flow and inspect the developer request trace.

For Devs

Build once. Verify everywhere.

Production-ready APIs for secure identity checks with minimal integration overhead.

Basics

Path: https://api.verihop.com

Authenticate partner requests from your backend only:

Authorization: Bearer <api_key>

Create a test account first to get an API key for integration. Test-account responses are redacted by design, and the same account can later be upgraded to active for production.

Create a test account

Quick Integration Steps

  1. Create a session via POST /v1/sessions with callback URL and requested fields.
  2. Open the returned deep_link in your app/client.
  3. Handle callback and capture session_id and result_token.
  4. Optional: poll GET /v1/sessions/{id} for status updates.
  5. Fetch verified data server-to-server via GET /v1/sessions/{id}/result.
View Integration Flow 
sequenceDiagram
  participant APP as Your App / Web
  participant BE as Your Backend
  participant VB as Verihop API
  APP->>BE: 1) Start verification
  BE->>VB: 2) POST /v1/sessions + API key
  VB-->>BE: 3) session id + deep link
  BE-->>APP: 4) Return deep link
  APP->>VB: 5) Open deep link
  VB-->>BE: 6) Callback with session id + result token
  BE->>VB: 7) GET session result
  VB-->>BE: 8) Verified result payload

Postman collection

Import the Verihop API collection.

Set your API key and callback URL, create a session, then paste the callback result token to fetch the verified result.

Download Postman Collection

POST /v1/sessions

Create a verification session and get deep link + signed session token.

Headers

Authorization: Bearer <api_key>
Content-Type: application/json
Idempotency-Key: <uuid>  // recommended

Body

{
  "app": "RideNow",
  "header": "Age check",
  "fields": ["legalName", "over18", "document"],
  "callback": "ridenow://verified"
}
Body element guide
  • app: Partner app display name shown inside Verihop (max 80 chars).
  • header: Short verification title shown to the user (max 120 chars).
  • fields: Requested field tokens; if omitted/empty, fallback is legalName and over18.
  • callback: Base return URL sent in POST /v1/sessions. Verihop opens it after completion and appends session_id, result_token (success path), and optional callback_jwt; required and allowlist-validated in your production policy.
Header element guide
  • Authorization: Partner API key in bearer format.
  • Content-Type: Use application/json for request body parsing.
  • Idempotency-Key: Retry key for create-session dedupe; send UUID v4/v7 and reuse only for same payload retries.
Success 201 response 
{
  "session_id": "sess_123",
  "expires_at": 1730000000,
  "jwt": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ...",
  "deep_link": "verifybox://share?session=eyJ..."
}
Response element guide
  • session_id: Unique session identifier for tracking and result retrieval.
  • expires_at: Session expiry (Unix epoch seconds).
  • jwt: Signed session token consumed by Verihop app via deep_link; partner clients normally do not validate this token directly.
  • deep_link: URL to open Verihop directly (use this as QR content for desktop-start flows).
Common errors
  • 401 missing_bearer_token, 401 invalid_api_key
  • 403 customer_inactive
  • 400 missing_callback_url, invalid_callback_url, callback_host_not_allowed
  • 400 field_not_allowed, invalid_field_token, request_too_large
  • 409 idempotency_key_conflict, idempotency_key_in_progress
  • 429 rate_limit_exceeded, daily_quota_exceeded

GET /v1/sessions/{id}

Non-PII session status endpoint for desktop orchestration and monitoring.

Authorization: Bearer <api_key>
Success 200 response 
{
  "session_id": "sess_123",
  "status": "issued",
  "issued_at": 1730000000,
  "expires_at": 1730000300,
  "last_status": null,
  "last_status_at": null,
  "result_available": false,
  "result_token_expires_at": null
}

GET /.well-known/jwks.json

Public signing keyset endpoint for verifying callback_jwt on partner backends.

Success 200 response 
{
  "keys": [
    {
      "kty": "RSA",
      "kid": "kid_2025_01",
      "alg": "RS256",
      "use": "sig",
      "n": "...",
      "e": "AQAB"
    }
  ]
}

GET /v1/sessions/{id}/result

Fetch verified result payload server-to-server using one-time result token.

Authorization: Bearer <api_key>
X-Result-Token: <result_token>
Success 200 response 
{
  "session_id": "sess_123",
  "status": "success",
  "result": {
    "legalName": "Jane Doe",
    "over18": "yes"
  }
}
Common errors
  • 401 missing_bearer_token, invalid_api_key, missing_result_token
  • 403 customer_mismatch, invalid_result_token
  • 410 result_token_expired
  • 409 result_token_used
  • 404 result_not_available, session_not_found

Field Catalog

Request field tokens (fields)

legalName, dateOfBirth, over18, over21, document, passport, residencePermit, bankAccount, residence, business

Response result fields

legalName, dateOfBirth, over18, over21, documentType, documentNumber, documentExpiry, documentCountry, documentNationality, documentResidence, bankHolder, bankIdentifier, bankIdentifierLabel, bankInstitution, bankCountry, bankCurrency, bankAccountName, bankAccountType, residenceAddress, residencePostalCode, residenceCity, residenceCountry, nationality, residence

Frequently Asked Questions

Can the flow start from a desktop website with a QR code?

Yes. Your backend creates a session using POST /v1/sessions, then renders the returned deep_link inside a QR shown on the desktop page. The user scans that QR with their phone and opens Verihop.

Should the QR open a website first, or open Verihop directly?

Best UX is direct launch: encode verifybox://share?session=... in the QR. A landing web page with a big "Open Verihop" button can be used as a fallback for devices that do not open app links directly.

Is the deep link the same for iOS and Android?

Yes. Verihop uses the same launch URL on both platforms: verifybox://share?session=<jwt>. Android opens it with an ACTION_VIEW intent, and iOS opens it with the registered Verihop URL scheme. Your callback shape is also the same: Verihop appends session_id, success-path result_token, and optional callback_jwt.

What should Android partner apps register for callbacks?

If you use a custom callback such as ridenow://verified, the Android partner app must declare an intent filter for that scheme and host. If you use an https:// callback for desktop or web-started flows, treat it as a backend endpoint unless your Android app owns that domain with verified App Links.

For desktop/web-initiated flows, what callback should I use?

Use an https:// callback endpoint on your backend. After Verihop completes, your server receives session_id and result_token, then fetches GET /v1/sessions/{id}/result server-to-server.

Do partner clients need to verify the jwt from POST /v1/sessions?

No. That token is for Verihop app consumption. Partners should treat it as opaque transport data and use deep_link to launch Verihop.

Why does callback only include session_id and result_token?

Callback query parameters are transport metadata only. Verified personal data is intentionally not sent in callback URLs. Your backend must exchange the one-time result_token to fetch the result payload securely. If enabled, callback_jwt can be verified via JWKS for callback authenticity.

Should partners verify callback_jwt, and where?

Yes, on partner backend when present. Verify signature and claims using Verihop JWKS at GET /.well-known/jwks.json. Validate issuer/audience/expiry and ensure JWT claims match callback query values.

Can my frontend call GET /v1/sessions/{id}/result directly?

No. Keep API keys server-side and fetch results from your backend only. The frontend/web client should only handle UI and pass state to your backend session.

How should we handle expiration and retries?

Create a new session when a session expires or the user abandons the flow. result_token is short-lived and single-use; if consumed or expired, restart with a new POST /v1/sessions.

What if Verihop is not installed on the phone?

Provide a fallback page behind your QR flow that can explain how to install/open Verihop and then continue. After install, create a new session and show a fresh QR (do not reuse stale sessions).

How does idempotency work, and is misuse protected?

POST /v1/sessions supports Idempotency-Key for retry-safe create-session calls: same key + same payload replays the original response, while same key + different payload returns 409 idempotency_key_conflict. Misuse is further mitigated with API-key auth, callback allowlist policy, field allowlist checks, per-customer rate limits/quota, short session TTL, and one-time result_token.

Example

Open Movie Age-Check Demo

For Companies

Fast verification with stronger trust architecture.

Verihop replaces upload-heavy verification with an app rebound model: your user completes verification in the app, then returns with tokenized results while your backend requests only approved data.

Request Demo
Verihop flow overview on device Verihop flow step for document and profile checks

How it works for your business

1

Make a test account

Get a test account and a test API key to test the implementation. Data returned in test mode stays redacted.

2

Apply to go live

From your portal, apply to go live and submit the production information. Verihop reviews the account before activation.

3

Get verified details

Once the account is Live, your live API key returns verified details. Usage and billing remain visible in the portal.

TRY DEMO See the API-backed rebound flow in action. Launch the movie demo to watch session creation, callback handoff, and result exchange from one place.

Company Benefits

What you gain by keeping verification out of your own stack.

Low-friction onboarding

Reduce drop-off with a guided rebound flow that feels faster and clearer than upload-heavy verification.

No KYC ops burden

Skip maintaining MRZ, NFC, liveness, document parsing, and the long tail of integration-heavy edge cases.

Data minimization by design

Receive only the approved verified fields you asked for, not raw scans and photo archives you must protect forever.

High assurance checks

Document authenticity, secure chip-backed checks, and biometric liveness happen in one trusted on-device flow.

Instant rebound to your product

Users finish verification and bounce straight back to your app or site with clean callback metadata.

Less repetition for returning users

Trusted checks stay ready, so repeat verification moments feel smoother for both your team and your users.

Versatile by design

Launch the same trusted verification flow from a button, a QR code, or even a customer-success chat without changing the handoff model.

No more typo loops

Verified details come from MRZ reads and secure chip data, reducing manual entry mistakes and the confusion they create downstream.