KYC/KYB verification API · Mozambique-first

Verify identities. One API, one hosted flow.

thibit reads an ID document, checks it's genuine, matches the selfie to the document photo, and returns a decision — over a simple API and a hosted page your users open on their phone. Engine-first, delivered over an API. Mozambican IDs and passports from anywhere.

Read the quickstart Talk to the team

create a verification

/v1

POST https://api.uat.thibit.id/v1/verifications
X-API-Key: tk_test_…

{
  "type": "kyc",
  "allowed_documents": [
    { "country": "MZ", "document_type": "bilhete_identidade" },
    { "country": "*",  "document_type": "passport" }
  ]
}

Response

{
  "id": "ver_…",
  "status": "collecting",
  "onboarding_url": "https://onboard…/?token=…"
}

Two surfaces, one record

You create it. Your user completes it.

The developer decides what a verification accepts; the applicant just follows the link.

Integrator API

The `/v1` API

Create a verification with the documents you accept, get a hosted onboarding_url, and receive the verdict by HMAC-signed webhook or by polling. Tenant-scoped API keys, self-serve sandbox.

Hosted onboarding

The mobile flow

Your user opens the link, picks one of the documents you allowed, photographs it, and takes a selfie. Mobile-first, in Portuguese, no thibit account. You only see the result.

What it verifies

One engine. Document, authenticity, liveness.

Every check runs in one in-house engine — no per-vendor integrations to wire up or keep in sync.

Documents

Mozambican Bilhete de Identidade and DIRE with format-aware templates, plus passports and national IDs from ~any country via ICAO 9303 MRZ check-digits and per-country number validation.

Authenticity

EXIF/metadata fingerprints, Error-Level-Analysis, and pixel forensics flag edited or re-captured images before they reach a decision.

Liveness

A selfie is matched against the photo on the document, so the person submitting is the person on the ID.

How it works

Three calls from zero to a verdict.

Create

Your backend calls POST /v1/verifications with the documents you accept. You get back a hosted onboarding_url.

Collect

Send the link to your user. They pick a document you allowed, photograph it, and take a selfie — on their phone, no account.

Decide

The engine runs asynchronously and returns accept / deny / flag for review with per-check evidence, by webhook or polling.

Status moves collecting → pending → processing → completed. See the quickstart for working curl.

Who it's for

Built for the developer who ships onboarding.

Developers

Get a sandbox key, a clear /v1 API, HMAC webhooks, and a hosted redirect — first integration in an afternoon. A developer portal lets you create test links and read a verification log.

Read the docs →

Your users

A Mozambican with a BI, a foreign resident with a passport, a business representative — each opens a link and completes verification on their phone in minutes, with a clear path if a document is unreadable.

What thibit is — and isn't

Document & liveness verification. Nothing you didn't ask for.

Engine-only

One in-house verification engine — OCR, template match, forensics, liveness — behind a clean API. No vendor orchestration to maintain.

Mozambique-first

Format-aware Mozambican ID templates, with global passport and national-ID coverage via ICAO MRZ so foreign residents verify too — expanding next across Lusophone Africa (Angola, Cabo Verde, Guiné-Bissau, São Tomé).

Compliance by webhook

Every verdict is delivered HMAC-signed and kept in a read-only verification log you can review.

Clear boundaries

thibit is not a sanctions/PEP/AML database, a fraud score, or an identity wallet. It verifies that a document is genuine and the person matches it — so you, the regulated party, can discharge your Lei nº 3/2017 KYC obligation.

Ship verification this week.

Grab a sandbox key, create your first verification, and open the hosted link on your phone. Free to start while we build — no local KYC API existed for Mozambique, so we built one.