Sovera API Documentation
Sovera is a sovereign identity verification API. Confirm that a person is real and present (liveness), that a selfie matches an ID photo (face match), that a document is genuine, and that a subject is not on a sanctions or watchlist (AML), then wrap it all in a hosted verification session. Biometric data is processed and stored inside Zimbabwe.
What Sovera does
Sovera exposes two ways to verify a person:
- Verify primitives. Single-purpose endpoints you call directly: passive liveness (presentation attack detection), face-match (selfie to reference), active-liveness (an on-device oval plus a turn-left or turn-right challenge), document authenticity, aml screening, and national id-validate.
- Verification sessions. A single hosted flow that orchestrates several checks, returns a hostedUrl for capture, and returns a decision when the flow completes. Use sessions when you want Sovera to run and score the whole journey for you.
Every write is authenticated with a bearer key, scoped deny-by-default, and idempotent. Errors follow RFC 9457 application/problem+json.
Detection thresholds are provisional while Sovera calibrates its own ROC curves in-house. Treat scores as directional until calibration is published, and set your own accept and reject bands per use case.
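One way to set your own accept and reject bands per use case from labelled scores you have collected, shown as an added example that is not Sovera code. It assumes scores are floats in [0, 1] where higher means more likely genuine, which this page does not state; the function names, use-case names, error budgets and sample scores are all constructed for illustration.

```python
import math

# Assumption (not stated on the page): scores are floats in [0, 1] and a
# higher score means "more likely genuine". All sample scores are constructed.
GENUINE = [0.62, 0.71, 0.78, 0.83, 0.88, 0.91, 0.93, 0.95, 0.97, 0.99]
ATTACK = [0.05, 0.11, 0.18, 0.24, 0.31, 0.40, 0.52, 0.66, 0.74, 0.86]

def error_rates(genuine, attack, threshold):
    """Return (false accept rate, false reject rate) if `threshold` were the cut."""
    far = sum(s >= threshold for s in attack) / len(attack)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def derive_bands(genuine, attack, max_far, max_frr):
    """Return (reject_below, accept_at) from labelled scores.

    accept_at: lowest observed cut whose false accept rate <= max_far.
    reject_below: highest observed cut whose false reject rate <= max_frr.
    Scores in between go to manual review.
    """
    # 0.0 means "never auto-reject"; inf means "never auto-accept".
    cuts = sorted(set(genuine) | set(attack) | {0.0, math.inf})
    accept_at = min(t for t in cuts if error_rates(genuine, attack, t)[0] <= max_far)
    reject_below = max(t for t in cuts if error_rates(genuine, attack, t)[1] <= max_frr)
    # Well-separated data can push reject_below past accept_at; close the gap.
    return min(reject_below, accept_at), accept_at

def decide(score, bands):
    """Map one score to accept, reject or review using derived bands."""
    reject_below, accept_at = bands
    if score >= accept_at:
        return "accept"
    if score < reject_below:
        return "reject"
    return "review"

# Hypothetical use cases with different error budgets.
ONBOARDING = derive_bands(GENUINE, ATTACK, max_far=0.0, max_frr=0.0)
STEP_UP = derive_bands(GENUINE, ATTACK, max_far=0.1, max_frr=0.1)

if __name__ == "__main__":
    for name, bands in (("onboarding", ONBOARDING), ("step-up", STEP_UP)):
        print(name, bands, [decide(s, bands) for s in (0.65, 0.80, 0.90)])
```

The same score of 0.80 is sent to review under the stricter budget and accepted under the looser one, so the bands should be re-derived whenever the published calibration or your own labelled sample changes.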
Data sovereignty
Sovera is designed so that biometric templates and captured media are processed and stored inside Zimbabwe, rather than being sent to a third country for matching. Consent is required before any biometric template is created, subject PII is tokenized, and a data subject access request (DSAR) erasure endpoint lets you delete a subject on request.
To be precise about what Sovera does and does not claim today:
- Sovera does process and store biometric data inside Zimbabwe by design.
- Sovera does not claim a signed partnership with, or an endorsement by, ZCHPC or POTRAZ.
- Sovera does not claim iBeta or any third-party presentation attack detection certification. Thresholds are provisional pending in-house calibration.
Guides
Authentication
Authenticate requests with a bearer key and understand deny-by-default scopes.
Verification sessions
Create a hosted flow, capture at the hostedUrl, then read the decision and report.
Consent & privacy
Record consent before any biometric template and erase a subject on request.