Didit.me (KYC)

Integrate WPsigner with Didit.me to require identity verification (KYC) before signers can access a document. Signers verify their identity by uploading a government-issued ID, taking a selfie, and passing a liveness check — all before they see the first signature field.

Features

Feature	Description
ID Document Verification	Supports passports, national IDs, and driver’s licenses
Selfie Matching	Compares a live selfie to the photo on the ID document
Liveness Detection	Prevents spoofing with passive liveness checks
Webhook Callbacks	Real-time verification status updates via webhooks
Per-Signer Tracking	KYC status stored per signer (Pending, Approved, Declined)
Automatic Language	Verification UI adapts to the signer’s WordPress locale
Encrypted Credentials	API key and webhook secret encrypted with AES-256-GCM

Prerequisites

WPsigner 2.3.0+
A Didit.me Business account
A configured verification Workflow in the Didit console
An API Key and Webhook Secret from the Didit console

Step 1: Create a Didit Workflow

Go to the Didit Business Console
Navigate to Workflows and create a new workflow
Configure the verification steps you want:
- ID Document — require a government-issued ID
- Selfie — require a selfie to match against the ID photo
- Liveness — enable passive liveness detection
Save the workflow and copy the Workflow ID

Step 2: Get Your API Credentials

In the Didit Business Console, go to Settings → API Keys
Create a new API key or copy an existing one
Copy the API Key
Go to Settings → Webhooks and copy your Webhook Secret

Step 3: Configure WPsigner

Add API Credentials

Go to WPsigner → Integrations in your WordPress admin
Find Didit.me under Identity Verification and click Configure
Enter your:
- API Key
- Workflow ID
- Webhook Secret
Click Test Connection to verify your credentials
Click Save Settings

Set the Webhook URL

Copy the webhook URL shown on the settings page and add it to your Didit console:

https://your-site.com/?wps_didit_webhook=1

In the Didit Business Console, go to Webhooks
Add the URL above as a webhook endpoint
Select the events to listen for (session completed, session declined)

Enable KYC Requirement

Go to WPsigner → Settings → Security & Compliance
Enable Require Identity Verification (KYC)
Save the settings

The toggle on the Security & Compliance page is separate from the API credentials. You need both: credentials configured on the Integrations page AND the requirement enabled on Security & Compliance.

How It Works

Signer Opens Signing Page
        ↓
KYC Check: Has signer been verified?
        ↓ No
Redirect to Didit Verification
        ↓
Signer uploads ID + selfie + liveness
        ↓
Didit processes verification
        ↓
Webhook callback updates signer status
        ↓
Signer redirected back → Can now sign

Verification Flow

When a signer opens a document that requires KYC, WPsigner checks their verification status.
If not verified, WPsigner creates a Didit session via the API, passing the signer’s name and email.
The signer is redirected to Didit’s verification page where they:
- Upload a photo of their government ID
- Take a live selfie
- Pass the liveness check
Didit processes the verification and sends a webhook to WPsigner.
WPsigner updates the signer’s kyc_status to Approved or Declined.
The signer is redirected back to the signing page and can proceed to sign.

KYC Statuses

Status	Meaning
Pending	Session created, waiting for signer to verify
Approved	Identity verified — signer can sign
Declined	Verification failed — signer cannot sign

Signer Experience

The KYC step appears before the signing page. Signers see a clear prompt explaining that identity verification is required:

Signer clicks the signing link in their email
Instead of the signing page, they see a verification prompt
They click “Verify Identity” which redirects to Didit
After completing verification, they’re sent back to the signing page
The signing page loads normally — they can now sign

Data Storage

Data	Storage Location
KYC status	`wps_signers` table: `kyc_status` column
Session ID	`wps_signers` table: `kyc_session_id` column
Verification URL	`wps_signers` table: `kyc_data` (JSON)
Verified timestamp	`wps_signers` table: `kyc_verified_at` (UTC)
API credentials	`wp_options` table (encrypted with AES-256-GCM)

Security

Feature	Implementation
API Key	Encrypted with AES-256-GCM at rest
Webhook Secret	Encrypted with AES-256-GCM at rest; used to validate incoming webhooks
Webhook Validation	Fail-closed: rejects all webhooks if secret is not configured
Session Creation	Rate limited, nonce verified, capability checked
Status Checks	Only authenticated AJAX requests with valid nonce
PII Handling	Verification data stays on Didit’s servers; WPsigner only stores status and session ID

Troubleshooting

”Test Connection” fails

Verify your API Key is correct (copy it again from the Didit console)
Ensure your server can make outbound HTTPS requests to verification.didit.me
Check that your Didit account is active and not suspended

Webhook not updating signer status

Verify the webhook URL is correctly set in the Didit console: https://your-site.com/?wps_didit_webhook=1
Confirm your Webhook Secret matches between Didit and WPsigner
Check that your site is publicly accessible (Didit cannot reach localhost)
Enable WP_DEBUG and check debug.log for entries starting with WPsigner Didit

Signer stuck on “Pending”

The signer may not have completed the verification process — ask them to check for a pending session
Check if the webhook was received (look in debug logs)
Try creating a new session by having the signer revisit the signing link

”Workflow ID not configured”

Go to WPsigner → Integrations → Didit.me and enter your Workflow ID from the Didit Business Console.

Next Steps

Audit Trails — KYC verification events are logged in the audit trail
Digital ID — Add cryptographic identity with PKI certificates
Compliance — How KYC fits into eIDAS, ESIGN, and other regulations