This is separate from reading
kyc_verified on OAuth userinfo. Userinfo tells you whether an existing DHMAD user is verified. Identity Verifications let you start verification for users who do not have an account yet.When to use this
- Sellers must be verified before listing, but many do not have a DHMAD account yet
- You want KYC done once in your onboarding, then honored on DHMAD for payouts and escrows
- You need webhook notifications when verification completes or when the user joins DHMAD
How it works
- Your backend calls
POST /api/v1/identity-verificationswith the user’s email. - DHMAD sends a verification email to that address with a Didit link. The Didit URL is never returned to your API.
- The user completes Didit from the email. DHMAD stores the result.
- When the user later registers on DHMAD with the same email and verifies their email (OTP), approved KYC is linked to their account.
- You receive webhooks at each step; OAuth
userinfoexposeskyc_verified: trueafter linking.
Prerequisites
- Approved developer account and API key (
sk_sandbox_*orsk_live_*) - Allowed redirect URLs in the Developer Dashboard if you pass
redirect_url - Webhook endpoint subscribed to
identity.verification.updatedandidentity.verification.linked(recommended)
Step 1: Collect the user’s email
During onboarding, collect the email the user will use on DHMAD later. The addresses must match for KYC to link when they register.Step 2: Create a verification session
From your backend:Step 3: User completes KYC from email
The user opens the DHMAD email and completes Didit. If you passedredirect_url, they are sent to your URL after verification completes. That URL must be listed under allowed redirect URLs in developer settings — same rule as checkout sessions.
Step 4: Handle webhooks
Subscribe to both events in the Developer Dashboard or via the Webhooks API:GET /identity-verifications/:id only as a fallback.
See the Webhooks guide for payload examples.
Step 5: User joins DHMAD
When the user registers on dhmad.tn with the same email and completes email verification, DHMAD attaches the approved KYC to their account. They can request payouts and accept escrows without repeating Didit.Sandbox vs production
Admin review
If Didit returns an ambiguous or pending result, DHMAD admins review the case. No webhook is sent until they approve or reject. When approved, you receiveidentity.verification.updated with status_source: "admin_review".
Tips
| Situation | What to do |
|---|---|
409 with user_exists: true | Email already has approved KYC on DHMAD — skip verification |
verification_email_sent: false | Retry POST /identity-verifications with the same email while status is pending |
| User did not receive email | Check spam; confirm email matches their future DHMAD account |
| Need status in dashboard | View sessions in Developer Dashboard → Identity verifications |
Compliance
- Tell users that identity verification is performed by DHMAD via Didit and that they will receive an email from DHMAD
- Collect consent before starting verification
- Store only
external_user_idand status in your systems — DHMAD does not expose document images via the API
Related
- Identity Verifications overview
- OAuth userinfo —
kyc_verifiedafter the user links their account - Webhooks — event payloads and signature verification