Liveness Verification API
Hosted identity and liveness verification — active liveness, ID-document OCR, face-match
The Liveness Verification Service provides hosted identity/liveness verification:
active liveness challenges, ID-document OCR (KTP / Passport), and face-match-to-ID.
A merchant creates a verification session with a merchant API key and receives a
short-lived hosted-capture link. The end user completes the capture in the browser;
the verdict is delivered via webhook and is also readable at
GET /v1/verifications/{id}.
Base URLs
API management routes (/v1/verifications*) ride the REST aggregator:
| Environment | Hostname |
|---|---|
| Sandbox (505pay.link) | https://sandbox.505pay.link |
| Production (505pay.link) | https://api.505pay.link |
| Sandbox (straventa.com) | https://sandbox.straventa.com |
| Production (straventa.com) | https://api.straventa.com |
The hosted-capture route (/v1/capture/{token}) is served from the verify.*
product host:
| Environment | Hostname |
|---|---|
| Production (straventa.com) | https://verify.straventa.com |
| Production (505pay.link) | https://verify.505pay.link |
Authentication
- Merchant API key (
lk_live_*in production,lk_test_*in sandbox) — required for all management routes (/v1/verifications*). Present as aBearercredential. - Link token — the single-use path token in
/v1/capture/{token}IS the credential; no merchant API key is needed or accepted on that route.
Verification lifecycle
created (POST /v1/verifications)
→ pending (session URL returned; user redirected)
→ in_progress (user began the capture flow)
→ processing (capture submitted; server-side scoring enqueued)
→ completed (verdict available: approved | declined | review)
→ expired (TTL elapsed before capture)
→ canceled (merchant or system cancellation)Verdicts:
approved— liveness + (if requested) document checks passed.declined— liveness or document checks failed.review— result requires manual review.
Assurance level
Level 1 anti-fraud, web-only. Document authenticity is manual-review in v1. Not iBeta / ISO-30107 certified. Not a substitute for Dukcapil-backed KYC.
Right-to-erasure (PDPA / GDPR)
DELETE /v1/verifications/{id} purges stored biometric and ID artifact bytes and
tombstones their rows. Consent and verification metadata are retained as the
lawful-basis and erasure record. The operation is idempotent — a cross-tenant or
unknown id still returns 204.
Single-use capture link
The /v1/capture/{token} token is burned on successful submission. Replaying the
same token after a successful submit returns 410. Refreshing the page mid-flow
is safe — the peek (GET) does NOT consume the token.
Endpoint reference
Verification sessions
Create and read identity/liveness verification sessions. Authenticate with your merchant API key (lk_live_* or lk_test_*).
Hosted capture flow
Endpoints called by the 505pay hosted-capture page. The single-use link token in the path is the credential — no merchant API key is accepted on these routes.
Health & metadata
Liveness/readiness probes and the OpenAPI specification.
Was this page helpful?