API Integration
This page documents how your website can use Redact-ID to verify its users' age.
Flow Overview
Your website will include a special link to Redact-ID. After the verification process, the user will return to your website with POST data. This POST will contain a special certificate of age in JWT format. You can then update your own user database, or assign the user a special cookie, or however you wish to handle this.
Library
You may wish to refer to (or directly use) the Age Verification PHP Library, which integrates with this service (among others).
The reference for Redact-ID specifically is at this file.
API Step by Step
1. Setup site on Redact-ID
Create a new website entry:
- Keyword - Enter a short string that refers to your site (no spaces).
- Site name - Name of your website.
- Enabled - leave this checked.
- Redirect URL - enter the URL to a server-side script on your website which you will make.
Sign up for a billing plan, such as the free development testing plan.
2. Launch
On your website, create a link that launches Redact-ID. This link is the one listed as "Verification Link" in your site page on Redact-ID. It will look like https://redact-id.com/verify.php?site=KEYWORDHERE
3. User Verifies
At this point, the user verifies on Redact-ID.
4. Parse JWT
The user returns to your website at the redirect URL you entered earlier. The user will provide to your site a POST with the variable 'redactJwt' set to JWT format data.
You can use a library to parse and validate the JWT. You will want a library that can handle the EdDSA signature algorithm. (example)
The header of the JWT is:
{
"typ": "JWT",
"alg": "EdDSA"
}
The payload of the JWT will look like this:
{
"iat": 1762915265,
"nbf": 1762915265,
"exp": 1762915565,
"iss": "https://redact-id.com",
"aud": "https://your-website.example.com/ageBlock.php?provider=RedactID&linkback",
"sub": "test",
"jti": "56a90e356913f3c189bf35.40508390",
"reference": "136a953ab8fac9c5be96c20ed7fa9cdb062d6abaa733d0faff2ff32588d90745",
"18plus": true,
"ip": "127.0.0.1"
}
- iat - Issued at.
- nbf - Not before.
- exp - Expiry. (Redact-ID JWTs are not long lasting)
- iss - Issuer is our website, Redact-ID.
- aud - Audience is your website.
- sub - Subject is the keyword of your site.
- jti - This will be unique for any given JWT issued in the span of an hour. You can use it to ensure each JWT is used only once and not shared.
- reference - This is unique for each verification user per site. So a user using the same verification for the same site will have the same reference, even if they are logging back into Redact-ID later on outside the JWT window. For privacy reasons, a user using the same verification on two sites will have different reference hashes for each site.
- 18plus - If user is 18 or above.
- ip - The user's IP during verification. You may use this to further ensure the JWT has not been shared, though given some ISPs routing from multiple IPs, it is better to use the JTI method instead of the IP method.
The signature of the JWT will follow at the end. Our public key is: 9VwhyP2YI9IeQtt0oMgNfE6jTY/cqo9x40JiY7tEONQ= which you must use to validate that the JWT is authentic.
At a minimum, your site should check the JWT signature is valid, the 18plus status, and the iat/exp timing fields.
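The minimum checks, plus the aud, sub and jti checks described in the field list, as an added Node.js example (not code from Redact-ID or its PHP library); pass it the value of the 'redactJwt' POST variable. It assumes the published key is a raw Ed25519 public key in base64 and that the expected aud and sub are your redirect URL and site keyword; verifyRedactJwt, usedJti and the option names are hypothetical.

```javascript
// Added example for Node.js 16+ (built-in crypto only); not Redact-ID's code.
const crypto = require('node:crypto');

// Key published on this page; assumed to be a raw 32-byte Ed25519 key in base64.
const REDACT_ID_PUBLIC_KEY = '9VwhyP2YI9IeQtt0oMgNfE6jTY/cqo9x40JiY7tEONQ=';
const usedJti = new Map(); // jti -> exp; use a shared DB or cache in production

const decodeJson = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// opts.aud and opts.sub are the values you expect for your own site (assumed
// here to be your redirect URL and your site keyword, as in the sample payload).
function verifyRedactJwt(jwt, opts) {
  const { aud, sub, publicKeyB64 = REDACT_ID_PUBLIC_KEY, leeway = 30,
          now = Math.floor(Date.now() / 1000) } = opts;
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const [h, p, s] = parts;

  // Pin the algorithm: the token must never choose how it is verified.
  if (decodeJson(h).alg !== 'EdDSA') throw new Error('unexpected alg');

  // Import the raw key as an Ed25519 JWK, then verify over "header.payload".
  const x = Buffer.from(publicKeyB64, 'base64').toString('base64url');
  const key = crypto.createPublicKey({ format: 'jwk', key: { kty: 'OKP', crv: 'Ed25519', x } });
  if (!crypto.verify(null, Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'))) {
    throw new Error('bad signature');
  }

  // Claims are trusted only after the signature check has passed.
  const c = decodeJson(p);
  if (c.iss !== 'https://redact-id.com') throw new Error('wrong iss');
  if (c.aud !== aud) throw new Error('wrong aud');
  if (c.sub !== sub) throw new Error('wrong sub');
  if (![c.iat, c.nbf, c.exp].every(Number.isInteger)) throw new Error('bad time claims');
  if (c.iat > now + leeway || c.nbf > now + leeway) throw new Error('not yet valid');
  if (c.exp <= now - leeway) throw new Error('expired');
  if (c['18plus'] !== true) throw new Error('not 18plus');

  // One-time use: remember each accepted jti until its token has expired.
  for (const [id, exp] of usedJti) if (exp <= now - leeway) usedJti.delete(id);
  if (typeof c.jti !== 'string' || usedJti.has(c.jti)) throw new Error('replayed jti');
  usedJti.set(c.jti, c.exp);
  return c;
}
```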