LoomAPI — Age & Risk Verification API for High-Risk Platforms


You can get a prototype integration running in under 15 minutes.

This guide walks you through the four-step verification flow: getting an API key, starting a verification, completing it with evidence, and validating the resulting JWT token. Code examples are provided in Node.js, Python, and PHP. Once you have a token, you can gate access to age-restricted content without handling raw ID data.

Step 1: Get Your API Key

Before you can make API calls, you need a tenant account and API key.

Quick Options:

Each tenant gets an isolated environment with separate rate limits, quotas, and billing. Test accounts use the mock provider and are free up to a usage cap.

Once you have your API key, include it in the x-tenant-api-key header for all requests. Keep this key secure—it authenticates all API calls for your tenant.

Step 2: Start a verification

Call POST /verify/start to initiate a verification session. You'll need to provide the user's userAgent and ipaddress for rate limiting and fraud detection.

The response includes a verificationId that uniquely identifies this verification session. Store this ID—you'll need it in the next step to complete the verification.

Step 3: Complete a verification

Once you have verification evidence (from your identity provider, such as Veriff), call POST /verify/complete with the verificationId from step 2 and your evidence object.

If the verification is approved, the response includes a JWT token. This token is time-limited (default 24 hours) and contains verification metadata without any PII. Store this token securely—you'll use it to validate access on subsequent requests.

Step 4: Validate token

On each request where you need to verify age, call POST /tokens/validate with the JWT token from step 3. This endpoint checks that the token is valid, not expired, and belongs to your tenant.

The response includes valid (boolean) and over18 (boolean) fields. If both are true, grant access to age-restricted content. If the token is invalid or expired, prompt the user to complete a new verification.
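
One way to apply the Step 4 rule on the server so that it fails closed, as an added example rather than LoomAPI's own code. Only the endpoint path, the x-tenant-api-key header and the valid/over18 fields come from this page; the base URL is a placeholder, and the {"token": ...} request body and all function names are assumptions.

```python
import json
import urllib.request

BASE_URL = "https://loomapi.example.invalid"  # placeholder, not the real host


def http_post(path, api_key, body, timeout=3):
    """POST JSON with the tenant key header; returns (status, parsed_json)."""
    req = urllib.request.Request(
        BASE_URL + path,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "x-tenant-api-key": api_key},  # key stays on the server
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, json.loads(resp.read())


def decide(status, payload):
    """Map a /tokens/validate response to 'allow' or 'reverify' (fail closed)."""
    if status != 200 or not isinstance(payload, dict):
        return "reverify"
    # Require real booleans: "true", 1 or a missing field must not grant access.
    if payload.get("valid") is True and payload.get("over18") is True:
        return "allow"
    return "reverify"


def gate(token, api_key, post=http_post):
    """Server-side check run on each age-restricted request."""
    if not isinstance(token, str) or not token:
        return "reverify"
    try:
        # Assumed request body shape: {"token": "<jwt>"}
        status, payload = post("/tokens/validate", api_key, {"token": token})
    except Exception:
        # Timeout, HTTP error or bad JSON: deny rather than skip the check.
        return "reverify"
    return decide(status, payload)
```

The post parameter lets you swap in a stub transport for unit tests, so the deny paths can be exercised without network access.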