Changelog
Verifa uses date-based API versioning. Breaking changes are released as new dated
versions. Non-breaking changes (new fields, new endpoints, new webhook events)
ship continuously and are available on all versions.
Verifa now speaks the Model Context Protocol
at https://api.withverifa.com/mcp. AI agents (Claude Code, Cursor,
Claude Desktop, the Anthropic API MCP connector) can call 45 structured
tools against your account without LLM-generated cURL. See the
MCP Server integration guide for the full surface.
New endpoints
POST /mcp — Streamable HTTP MCP transport. Bearer-authenticated by
existing API keys. Supports ?toolsets=… filter and ?read_only=true
flag at connect time.
GET /.well-known/oauth-protected-resource — RFC 9728 protected
resource metadata. Currently advertises Bearer-only (empty
authorization_servers list); future OAuth support will populate it.
New audit-log query
GET /api/v1/events?action_prefix=mcp — action_prefix is a new
query param on the events endpoint; it matches action LIKE 'prefix.%'
so callers can scope results to one source. Set it to mcp to surface only
MCP tool calls. Both the model layer and the dashboard “MCP only” filter
use it.
New scope
redact:write — required for the five destructive MCP tools
(redact session / identity / bulk / blocklist-entry / link-revoke)
and the matching REST GDPR Art. 17 endpoints. Never granted by
default, never available on publishable keys; manage on a per-key
basis in the dashboard’s Developers → API Keys page.
New rate-limit bucket
MCP requests get their own bucket of 120 requests / minute per API key,
separate from the REST quota, so a runaway agent on one key cannot
starve the REST budget your integration depends on. Destructive MCP
operations are throttled by a second bucket on top: 5 ops /
hour per key.
Dashboard
New Integrations → AI / MCP page (URL builder + per-client config
snippets).
Audit log gains an MCP only filter button.
API-key edit modal: new Destructive scope group with danger
styling + a warning callout when enabled.
2026-04-17 — Pre-launch hardening release
New endpoints
DELETE /api/v1/screening-subjects/{subject_id}/data — GDPR Art. 17 erasure for a screening subject
DELETE /api/v1/me/account — Permanent erasure of the authenticated dashboard user’s account (Art. 17)
GET /api/v1/sessions/{session_id}/export — GDPR Art. 15 data subject access export
GET /api/v1/identities/{identity_id}/export — Same, aggregated across every session linked to an identity
POST /api/v1/auth/refresh — Refresh the dashboard session cookie
Webhook changes
Signature format: outbound webhooks now use Stripe-style X-Verifa-Signature: t=<unix_ts>,v1=<hex_hmac>. Update your verifier per the new tutorial. Legacy bare-hex format remains accepted during a deprecation window so in-flight deliveries continue to verify.
Per-endpoint signing secret is now the source of truth (the whsec_* returned at endpoint creation/rotation). The legacy org-level webhook secret is the fallback only.
New event: consortium.match_found — fired when face matching detects the same identity across orgs in the Verifa Network.
Cross-environment isolation: live API keys can no longer read sandbox sessions/identities/workflows and vice versa. Requests with mismatched env return 404. If you were using a live key against sandbox IDs by mistake, you’ll start seeing 404s.
X-Request-Id header is echoed on every API response. Pass X-Request-Id on inbound requests to correlate logs end-to-end.
Vendor name scrubbing: verification_check.details.providers now uses sanitized labels (e.g. "aml_screening") instead of raw vendor names like "complyadvantage". The session verifications API never returns vendor names directly anymore.
Field length limits: request bodies for sessions, cases, identities, and screening enforce maxLength on string fields, maxItems on lists, and a 16 KB cap on metadata dicts. Oversized inputs return 422 Validation Error.
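A receiver-side check for the t=<unix_ts>,v1=<hex_hmac> signature header described under Webhook changes, as an added example that is not Verifa's own code. It assumes HMAC-SHA256 over "<t>.<raw body>" (the Stripe scheme), a legacy bare-hex HMAC over the raw body alone, and a 300-second tolerance; none of these are stated on this page, so confirm them against the tutorial. All function and constant names are hypothetical.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window; the page does not state one


def hex_hmac(secret, data):
    return hmac.new(secret.encode(), data, hashlib.sha256).hexdigest()


def parse_signature_header(header):
    """Split 't=<unix_ts>,v1=<hex_hmac>' into (timestamp, [v1 signatures])."""
    header = header.strip()
    if "=" not in header:
        return None, [header]  # legacy bare-hex format: no timestamp
    timestamp, signatures = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t" and value.isdecimal():
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value)
    return timestamp, signatures


def verify_webhook(raw_body, header, secret, now=None, allow_legacy=True):
    """Return True only if a signature matches and the timestamp is fresh."""
    timestamp, signatures = parse_signature_header(header)
    if "=" not in header:
        # Legacy format carries no timestamp, so it gives no replay protection.
        # Turn allow_legacy off once the deprecation window ends.
        if not allow_legacy:
            return False
        signed = raw_body
    elif timestamp is None or not signatures:
        return False  # malformed new-style header
    else:
        now = time.time() if now is None else now
        if abs(now - timestamp) > TOLERANCE_SECONDS:
            return False
        # Assumed signed string: timestamp, a dot, then the unparsed body bytes.
        signed = str(timestamp).encode() + b"." + raw_body
    expected = hex_hmac(secret, signed).encode()  # constant-time compare below
    return any(hmac.compare_digest(expected, s.lower().encode()) for s in signatures)


# Constructed sample values, not real credentials or a captured delivery.
SAMPLE_SECRET = "whsec_example_not_real"
SAMPLE_BODY = b'{"type":"consortium.match_found"}'
```

Pass the request body exactly as received, before any JSON parsing, and use the per-endpoint whsec_* secret for the endpoint that received the delivery.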
Operational
AML enhanced add-on now requires an annual billing plan with a minimum $5,000 annual contract value (per ComplyAdvantage commercial terms). Existing active add-ons are grandfathered.
SAML IdP-initiated sign-in is opt-in per organization (default off). Contact support to enable for orgs using Okta/Azure tile launch.
Free-plan-expired orgs are now blocked at the API layer with a clear 403. Previously only the IDV quota path enforced this.
These changes ship continuously and are available without a version upgrade.
April 2026
Standalone Documents & AI Extraction
New top-level Documents area in the dashboard. Upload documents, classify them
automatically, extract structured fields, and run verification checks. Custom
document types with extraction hints. Server-side PDF preview rendering. All
extraction runs on Verifa’s private infrastructure — document data is never
sent to third-party services.
Dashboard Documents page (list, detail, and upload)
Automatic classification against system and custom document types
Structured field extraction with per-field confidence scores
Recency checks via document groups
PDF page preview with page navigation
GET /documents now supports standalone=true and excludes redacted documents by default
New GET /documents/{id}/preview endpoint for server-side page rendering
Example “Health Insurance Card” document type seeded for new organizations
March 2026
NFC chip authentication check (nfc_chip_auth)
Mobile SDK endpoints (/api/v1/sdk/config, /api/v1/sdk/nfc, /api/v1/sdk/attest)