Skip to content
StraventaDocs
API Reference

Liveness Verification API

Hosted identity and liveness verification — active liveness, ID-document OCR, face-match

The Liveness Verification Service provides hosted identity/liveness verification: active liveness challenges, ID-document OCR (KTP / Passport), and face-match-to-ID. A merchant creates a verification session with a merchant API key and receives a short-lived hosted-capture link. The end user completes the capture in the browser; the verdict is delivered via webhook and is also readable at GET /v1/verifications/{id}.

Base URLs

API management routes (/v1/verifications*) ride the REST aggregator:

EnvironmentHostname
Sandbox (505pay.link)https://sandbox.505pay.link
Production (505pay.link)https://api.505pay.link
Sandbox (straventa.com)https://sandbox.straventa.com
Production (straventa.com)https://api.straventa.com

The hosted-capture route (/v1/capture/{token}) is served from the verify.* product host:

EnvironmentHostname
Production (straventa.com)https://verify.straventa.com
Production (505pay.link)https://verify.505pay.link

Authentication

  • Merchant API key (lk_live_* in production, lk_test_* in sandbox) — required for all management routes (/v1/verifications*). Present as a Bearer credential.
  • Link token — the single-use path token in /v1/capture/{token} IS the credential; no merchant API key is needed or accepted on that route.

Verification lifecycle

created (POST /v1/verifications)
  → pending      (session URL returned; user redirected)
  → in_progress  (user began the capture flow)
  → processing   (capture submitted; server-side scoring enqueued)
  → completed    (verdict available: approved | declined | review)
  → expired      (TTL elapsed before capture)
  → canceled     (merchant or system cancellation)

Verdicts:

  • approved — liveness + (if requested) document checks passed.
  • declined — liveness or document checks failed.
  • review — result requires manual review.

Assurance level

Level 1 anti-fraud, web-only. Document authenticity is manual-review in v1. Not iBeta / ISO-30107 certified. Not a substitute for Dukcapil-backed KYC.

Right-to-erasure (PDPA / GDPR)

DELETE /v1/verifications/{id} purges stored biometric and ID artifact bytes and tombstones their rows. Consent and verification metadata are retained as the lawful-basis and erasure record. The operation is idempotent — a cross-tenant or unknown id still returns 204.

Single-use capture link

The /v1/capture/{token} token is burned on successful submission. Replaying the same token after a successful submit returns 410. Refreshing the page mid-flow is safe — the peek (GET) does NOT consume the token.


Endpoint reference

Verification sessions

Create and read identity/liveness verification sessions. Authenticate with your merchant API key (lk_live_* or lk_test_*).

Hosted capture flow

Endpoints called by the 505pay hosted-capture page. The single-use link token in the path is the credential — no merchant API key is accepted on these routes.

Health & metadata

Liveness/readiness probes and the OpenAPI specification.

Was this page helpful?

On this page