The Auth Engine integration adds step-up identity verification to your login, registration, and account recovery flows. Verify users at the moment of authentication with configurable verification profiles and automatic redirects.

Prerequisites

  • An application with an existing authentication system
  • Verilock Business or Enterprise plan

How It Works

Auth Engine sits between your authentication system and the protected resource. When a user triggers a verification requirement, they are redirected to the Verilock hosted flow, verified, and returned to your application with a signed result.
User Login ──> Your Auth System ──> Verilock Auth Engine ──> Hosted Verification
                                                                     │
User Granted Access <── Your Callback URL <── Signed Result <────────┘

Setup

1. Register Your Application

Go to Dashboard > Settings > Integrations > Auth Engine and register your application:
  • Application Name: Your app’s display name
  • Callback URL: Where to redirect after verification (e.g., https://yourapp.com/auth/verilock/callback)
  • Allowed Origins: Domains permitted to initiate verification
2. Choose a Verification Profile

Select the verification level required for your flow:
Profile  | Steps                                                     | Use Case
Basic    | Document capture only                                     | Low-risk account creation
Standard | Document + selfie + face match                            | Standard onboarding
Enhanced | Document + selfie + face match + liveness + address proof | Regulated financial services
3. Configure Callback Handling

After verification, Verilock redirects the user to your callback URL with a signed token:
https://yourapp.com/auth/verilock/callback?token=eyJhbGciOiJSUzI1NiIs...&session_id=ses_a1b2c3d4e5f6
Verify the token server-side before granting access.
4. Implement the SDK

Use the Verilock SDK to initiate verification from your frontend.

SDK Integration

import { VerilockAuth } from '@verilock/auth-engine';

// clientId is a public identifier. The API key used to verify callback
// tokens stays on the server and never ships in frontend code.
const auth = new VerilockAuth({
  clientId: 'your_client_id',
  callbackUrl: 'https://yourapp.com/auth/verilock/callback',
  profile: 'standard'
});

// Trigger verification. Populate applicant from the authenticated session
// rather than from user-editable form fields, so the result can be bound
// to the right account when the callback token is verified server-side.
document.getElementById('verify-btn').addEventListener('click', () => {
  auth.startVerification({
    applicant: {
      email: 'user@example.com',
      external_id: 'usr_12345'
    },
    autoRedirect: true
  });
});

Callback Token Verification

Always verify the callback token server-side before granting access:
curl -X POST https://verilock.io/api/v1/auth-engine/verify-token \
  -H "Authorization: Bearer qi_live_your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "token": "eyJhbGciOiJSUzI1NiIs..."
  }'
Response:
{
  "valid": true,
  "session_id": "ses_a1b2c3d4e5f6",
  "status": "approved",
  "risk_score": 12,
  "applicant": {
    "email": "user@example.com",
    "external_id": "usr_12345"
  },
  "verified_at": "2026-03-15T14:30:00Z",
  "profile": "standard"
}
Never trust the callback query parameters on their own; anyone can send a request to your callback URL with arbitrary values. Grant access only after the verify-token API returns valid: true, and check the rest of the response as well: status must be approved, applicant.external_id must match the user your server started verification for, session_id should match the one you recorded, and verified_at should be recent, since tokens expire after 5 minutes.
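The following is an added example of a server-side callback handler, not code from Verilock or this page. It assumes Node.js 18+ (global fetch and URL); the endpoint, request body and response fields are the ones shown above, while the `expected` record (what the server stored about the logged-in user before redirecting) and the API key source are assumptions for illustration. The sample response and the clock value are constructed from the page's example.

```javascript
// Added example (not Verilock's own code): server-side handling of the Auth
// Engine callback. Assumes Node.js 18+ (global fetch and URL). The endpoint
// and response fields follow this page; `expected` (what your app stored
// when it called startVerification) and the API key source are assumptions.
const VERIFY_URL = 'https://verilock.io/api/v1/auth-engine/verify-token';
const RESULT_MAX_AGE_MS = 5 * 60 * 1000; // tokens expire after 5 minutes

// Pull token and session_id out of the callback redirect. Nothing here is
// trusted yet; the values only tell us which verification to ask the API about.
function parseCallback(callbackUrl) {
  const url = new URL(callbackUrl);
  const token = url.searchParams.get('token');
  const sessionId = url.searchParams.get('session_id');
  if (!token || !sessionId) {
    throw new Error('callback is missing token or session_id');
  }
  return { token, sessionId };
}

// Ask Verilock whether the token is genuine (network call; not exercised offline).
async function verifyTokenWithApi(token, apiKey) {
  const res = await fetch(VERIFY_URL, {
    method: 'POST',
    headers: {
      Authorization: `Bearer ${apiKey}`,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({ token }),
  });
  if (!res.ok) throw new Error(`verify-token returned HTTP ${res.status}`);
  return res.json();
}

// Decide whether to grant access from the API response. `expected` is what the
// server recorded for the logged-in user before redirecting: the session_id it
// was given, the user's external_id, and the profile it requested. A response
// that is merely `valid` is not enough: status, identity binding, profile and
// freshness all have to line up, otherwise a result for a different user or a
// replayed old token would be accepted.
function evaluateVerification(result, expected, now = Date.now()) {
  const reasons = [];
  if (result.valid !== true) reasons.push('token not valid');
  if (result.status !== 'approved') reasons.push(`status is ${result.status}`);
  if (result.session_id !== expected.sessionId) reasons.push('session_id mismatch');
  if (!result.applicant || result.applicant.external_id !== expected.externalId) {
    reasons.push('applicant does not match the logged-in user');
  }
  if (result.profile !== expected.profile) reasons.push(`profile is ${result.profile}`);
  const verifiedAt = Date.parse(result.verified_at);
  if (Number.isNaN(verifiedAt) || now - verifiedAt > RESULT_MAX_AGE_MS) {
    reasons.push('result is stale');
  }
  return { grant: reasons.length === 0, reasons };
}

// Full flow for an incoming callback: parse, verify with the API, evaluate.
async function handleCallback(callbackUrl, expected, apiKey, verify = verifyTokenWithApi) {
  const { token } = parseCallback(callbackUrl);
  const result = await verify(token, apiKey);
  return evaluateVerification(result, expected);
}

// Constructed sample data: the response shown on this page, and what the app
// had stored for the user before the redirect.
const sampleResponse = {
  valid: true,
  session_id: 'ses_a1b2c3d4e5f6',
  status: 'approved',
  risk_score: 12,
  applicant: { email: 'user@example.com', external_id: 'usr_12345' },
  verified_at: '2026-03-15T14:30:00Z',
  profile: 'standard',
};
const expectedForUser = { sessionId: 'ses_a1b2c3d4e5f6', externalId: 'usr_12345', profile: 'standard' };
const clock = Date.parse('2026-03-15T14:31:00Z'); // one minute after verified_at

// Genuine result for the right user, checked promptly: grant.
const ok = evaluateVerification(sampleResponse, expectedForUser, clock);
// Same token replayed against another user's login: identity binding fails.
const wrongUser = evaluateVerification(sampleResponse, { ...expectedForUser, externalId: 'usr_99999' }, clock);
// Same result checked ten minutes later: outside the 5-minute window.
const stale = evaluateVerification(sampleResponse, expectedForUser, clock + 10 * 60 * 1000);

console.log(ok, wrongUser.reasons, stale.reasons);
```

In a real handler, `handleCallback` would run inside your callback route with the API key loaded from server configuration; the `verify` parameter exists so the decision logic can be tested without network access. The session_id from the query string is deliberately not used for the decision: only the value returned by the API is compared against what the server recorded.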

Liveness Detection

Liveness detection is included in profiles whose step list contains it (Enhanced in the profile table above). Depending on the configured mode, the verification flow analyses a single selfie or captures a short video sequence to confirm the user is physically present rather than a photo or recording.
Liveness Mode | Description
Passive       | AI-based analysis of a single selfie (no user action required)
Active        | User performs head movements or reads a code on screen
Configure the liveness mode in Dashboard > Verification Profiles.

Auto-Redirect

When autoRedirect is enabled, users are automatically sent to the Verilock hosted flow without an intermediate step. After verification, they return to your callback URL.
Setting      | Description                            | Default
autoRedirect | Skip the intermediate page             | true
modalMode    | Open in a modal instead of redirecting | false
language     | Force a specific locale                | Auto-detect
Use modalMode for single-page applications where a full redirect would disrupt the user experience.

Troubleshooting

Callback URL mismatch: The callback URL must exactly match the URL registered in the dashboard, including the protocol and path. Query parameters are allowed, but the base URL must match.
Token verification fails: Tokens expire after 5 minutes, so your server must verify the token immediately on receiving the callback. Also check that the API key is valid and has Auth Engine permissions.
Origin not allowed: Add your application's domain to the Allowed Origins list in the Auth Engine configuration. Include the protocol, and the port if your application is served on a non-default one.
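As an added example (not Verilock's own code) of the two matching rules above, the helpers below compare a received callback URL against the registered one ignoring the query string, and check an initiating origin against an Allowed Origins list including protocol and port. How Verilock normalises URLs internally is not documented; treating the protocol, host, port and exact path as significant is an assumption here, chosen to match the rules as stated.

```javascript
// Added example (not Verilock's own code). Uses the WHATWG URL class available
// in Node.js and browsers. Normalisation choices are assumptions that follow the
// Troubleshooting rules: protocol, host, port and path are significant, the
// query string is not.
function callbackBase(u) {
  const url = new URL(u);
  // url.origin covers protocol, host and port (a default port such as :443 on
  // https is dropped); pathname is kept verbatim, so a trailing slash matters.
  return url.origin + url.pathname;
}

// True when the received callback URL matches the registered one apart from
// query parameters.
function callbackMatchesRegistered(actual, registered) {
  return callbackBase(actual) === callbackBase(registered);
}

// True when the origin of the page initiating verification is in the allow list.
// Both sides are reduced to origin form so that "https://yourapp.com/" and
// "https://yourapp.com" compare equal, while http vs https or :3000 vs :8080 do not.
function originAllowed(pageUrl, allowedOrigins) {
  const origin = new URL(pageUrl).origin;
  return allowedOrigins.some((allowed) => new URL(allowed).origin === origin);
}

// Constructed configuration and inputs for the demo.
const REGISTERED_CALLBACK = 'https://yourapp.com/auth/verilock/callback';
const ALLOWED_ORIGINS = ['https://yourapp.com', 'http://localhost:3000'];

const checks = {
  withQuery: callbackMatchesRegistered(
    'https://yourapp.com/auth/verilock/callback?token=abc&session_id=ses_1', REGISTERED_CALLBACK),
  defaultPort: callbackMatchesRegistered(
    'https://yourapp.com:443/auth/verilock/callback', REGISTERED_CALLBACK),
  wrongProtocol: callbackMatchesRegistered(
    'http://yourapp.com/auth/verilock/callback', REGISTERED_CALLBACK),
  trailingSlash: callbackMatchesRegistered(
    'https://yourapp.com/auth/verilock/callback/', REGISTERED_CALLBACK),
  devOrigin: originAllowed('http://localhost:3000/login', ALLOWED_ORIGINS),
  devWrongPort: originAllowed('http://localhost:8080/login', ALLOWED_ORIGINS),
};

console.log(checks);
```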