Introduction
The EnemoVerify API is a REST API for identity verification (KYC), business verification (KYB), background checks, and AML screening. All requests are made to https://api.enemoverify.com over HTTPS.
All responses are JSON. Successful responses return HTTP 200 (or 202 for async operations). Errors follow a consistent envelope format documented below.
Authentication
Authenticate every request with a Bearer token. Keys are prefixed with ev_live_ for production and ev_test_ for sandbox.
Authorization: Bearer ev_live_XXXXXXXXXXXXXXXXXXXXXXXXXX
Generate keys in the API Keys section of your dashboard. Keys are shown once at creation — store them securely. Rotate by creating a new key and revoking the old one.
Errors
All errors follow this envelope:
{
"error": {
"code": "invalid_parameter",
"param": "redirect_url",
"message": "redirect_url must be a valid HTTPS URL",
"doc_url": "https://docs.enemoverify.com/errors#invalid_parameter"
}
}| Code | HTTP | Meaning |
|---|---|---|
| unauthorized | 401 | Missing or invalid API key |
| forbidden | 403 | Key lacks scope for this operation |
| not_found | 404 | Resource does not exist |
| invalid_parameter | 400 | Request body validation failed |
| duplicate_reference | 409 | A verification with this reference_id exists |
| kyc_required | 422 | Background check requires approved KYC first |
| rate_limit_exceeded | 429 | Plan limit or API rate limit reached |
| internal_error | 500 | Unexpected server error |
KYC — Identity verification
/v1/kyc/createInitiates an identity verification for an individual.
Request body
| Param | Type | Description |
|---|---|---|
| reference_id | string | Your identifier for this person. Must be unique per environment. |
| flow | enum | standard | enhanced | lite |
| checks | string[] | Optional override. Defaults depend on flow. |
| redirect_url | string | HTTPS URL to return the user to after verification. |
| webhook_url | string | Optional. Overrides org default. |
| country | string | ISO 3166-1 alpha-2. Used for provider routing. |
| locale | string | BCP 47. Defaults to en-US. |
| expires_in | number | Seconds (300–86400). Default 3600. |
| metadata | object | Key-value pairs attached to the session. |
curl https://api.enemoverify.com/v1/kyc/create \
-H "Authorization: Bearer ev_live_..." \
-H "Content-Type: application/json" \
-d '{
"reference_id": "user_38291",
"flow": "enhanced",
"redirect_url": "https://yoursite.com/verification-done",
"country": "US"
}'/v1/kyc/:idRetrieves a KYC session. Append ?expand=checks to include events.
KYB — Business verification
/v1/kyb/createVerifies a business against the appropriate corporate registry.
| Param | Type | Description |
|---|---|---|
| reference_id | string | Your identifier. Unique per environment. |
| legal_name | string | Legal registered name. |
| country | string | ISO 3166-1 alpha-2. Determines registry. |
| registration_number | string | Optional. Speeds up lookup. |
| entity_type | string | Optional. LLC, Corporation, etc. |
| beneficial_owners | array | Optional UBO list: [{name, ownership_percentage, role}] |
| ownership_threshold | number | Default 25. |
/v1/kyb/:id/v1/kyb/:id/ownersReturns the full beneficial ownership structure.
Background checks
/v1/background/createRequires an approved KYC verification first. Pass the KYCverification_id in kyc_verification_id.
| Param | Type | Description |
|---|---|---|
| reference_id | string | Your identifier. |
| kyc_verification_id | string | Must reference a verification with status APPROVED. |
| package | enum | basic | standard | enhanced | driver | custom |
| custom_checks | string[] | Required if package=custom. |
/v1/background/:idAML screening
/v1/aml/screenSynchronous sanctions, PEP, and adverse media screen. Returns results immediately.
| Param | Type | Description |
|---|---|---|
| reference_id | string | Your identifier. |
| name | string | Full name to screen. |
| dob | string | YYYY-MM-DD. Improves accuracy. |
| country | string | ISO 3166-1 alpha-2. |
| kyc_verification_id | string | Optional. Links this screen to a KYC record. |
| continuous_monitoring | boolean | Re-screens this subject on list updates. |
/v1/aml/monitorToggles continuous monitoring on an existing AML verification.
Verifications
/v1/verificationsLists all verifications with cursor pagination. Supports filtering:
| Param | Type | Description |
|---|---|---|
| type | enum | kyc | kyb | background | aml |
| status | enum | pending | processing | approved | declined | review | expired | cancelled |
| limit | number | Max 100. Default 25. |
| starting_after | string | Cursor (previous last verification_id). |
/v1/verifications/:idGDPR right-to-erasure. Permanently deletes the verification and all associated events. Cannot be undone.
Webhooks
/v1/webhooksRegisters a new webhook endpoint. The signing secret is returned once.
| Param | Type | Description |
|---|---|---|
| url | string | HTTPS endpoint that will receive events. |
| events | string[] | Array of event types, or ["*"] for all. |
| environment | enum | LIVE | SANDBOX. Defaults to the key's env. |
Verifying signatures
Every delivery includes a signature header:
EnemoVerify-Signature: t=1744660800,v1=7e8a...
Compute HMAC-SHA256 over ${timestamp}.${payload} with your signing secret:
import { createHmac, timingSafeEqual } from "crypto";
function verify(payload: string, header: string, secret: string) {
const [t, v1] = header.split(",").map(p => p.split("=")[1]);
const expected = createHmac("sha256", secret)
.update(`${t}.${payload}`)
.digest("hex");
return timingSafeEqual(Buffer.from(v1), Buffer.from(expected));
}/v1/webhooks/:id/v1/webhooks/:idEvent types
- kyc.verification.approved
- kyc.verification.declined
- kyc.verification.review
- kyc.session.expired
- kyb.verification.approved
- kyb.verification.declined
- kyb.verification.review
- background.check.completed
- background.check.declined
- aml.screen.clear
- aml.screen.flagged
Sandbox magic reference IDs
In sandbox (ev_test_ keys), pass one of these reference IDs to get deterministic results without completing any flows.
| Reference ID | Type | Result |
|---|---|---|
| ev_test_approve_kyc | KYC | APPROVED |
| ev_test_decline_doc | KYC | DECLINED (document tamper) |
| ev_test_decline_liveness | KYC | DECLINED (liveness fail) |
| ev_test_review_low_conf | KYC | REVIEW (low confidence) |
| ev_test_watchlist_hit | KYC | REVIEW (watchlist hit) |
| ev_test_approve_kyb | KYB | APPROVED |
| ev_test_decline_kyb | KYB | DECLINED |
| ev_test_kyb_not_found | KYB | DECLINED (not in registry) |
| ev_test_approve_bgc | Background | APPROVED |
| ev_test_decline_bgc | Background | DECLINED |
| ev_test_aml_clear | AML | Clear |
| ev_test_aml_ofac_hit | AML | Flagged (OFAC) |
Rate limits
Every API key is rate-limited to 100 requests per minute. Plan-based monthly verification limits apply in addition.
Every response includes:
X-RateLimit-Limit: 100 X-RateLimit-Remaining: 87 X-RateLimit-Reset: 1744660860