Checkify
Developer docs

Verify on your backend

After the browser embed completes, your server must verify the result with a site API key before allowing signup, checkout, or any protected action.

1. Create a site API key

In your business dashboard, open Developer and create a site API key for the site you are integrating. Store it in server environment variables only — never ship it to the browser.

2. Read the reference from your form

The embed SDK writes a request_id into your hidden field (legacy integrations may still submit the poll token — both work).

// Example POST body from your frontend form
{
  "email": "user@example.com",
  "checkify_token": "56a57761-ff5b-42f0-9c97-6c13e223e017"
}

3. Call verify

POST https://checkify.me/v1/qr/results/verify
Authorization: Bearer YOUR_SITE_API_KEY
Content-Type: application/json

{
  "request_id": "56a57761-ff5b-42f0-9c97-6c13e223e017",
  "required_claims": ["human_verified"],
  "consume": true
}

You can also send token instead of request_id.

FastAPI example

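import os

from checkify_server import Checkify
from fastapi import FastAPI, HTTPException
from pydantic import BaseModel

app = FastAPI()
checkify = Checkify(api_key=os.environ["CHECKIFY_SITE_API_KEY"])

class SignupForm(BaseModel):  # matches the JSON body posted by the frontend
    email: str
    checkify_token: str

@app.post("/signup")
async def signup(form: SignupForm):
    # checkify_token is an untrusted reference; verify it server-side
    result = checkify.verify_human(request_id=form.checkify_token)
    if not result.get("success") or not result.get("approved"):
        raise HTTPException(status_code=403, detail="Human verification required")
    # continue signup...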

Express example

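import express from "express";
import { Checkify } from "@checkify/server";

const app = express();
app.use(express.json()); // parse the JSON body so req.body.checkify_token is defined

const checkify = new Checkify({ apiKey: process.env.CHECKIFY_SITE_API_KEY });

app.post("/signup", async (req, res) => {
  // checkify_token is an untrusted reference from the browser; verify it server-side
  const result = await checkify.verifyHuman({
    requestId: req.body.checkify_token,
  });

  if (!result.success || !result.approved) {
    return res.status(403).json({ error: "Human verification required" });
  }

  // continue signup...
});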

Response handling

Field            Meaning
success          true when verification completed and requirements matched
status           completed or pending
approved_claims  Claims Checkify approved, e.g. human_verified: true
signed_result    Optional signed payload for audit trails

Security reminder

Treat the hidden field as an untrusted reference, not proof. Always verify with your site API key on the server before granting access. Use consume: true for one-time actions like signup or password reset.
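
A fail-closed way to make the step 3 call without the SDK and evaluate the fields from the response table, as an added example (not Checkify's own code). It assumes approved_claims is a JSON object mapping claim names to booleans and that a reference is a short string; the function names are hypothetical.

```python
import json
import urllib.request

VERIFY_URL = "https://checkify.me/v1/qr/results/verify"  # endpoint from step 3

def build_verify_request(reference, api_key, required_claims=("human_verified",)):
    """Build the step 3 POST for a reference read from the hidden form field."""
    # Assumption: a valid reference is a short non-empty string; reject anything else
    # before it is forwarded upstream.
    if not isinstance(reference, str) or not (0 < len(reference) <= 256):
        raise ValueError("malformed Checkify reference")
    body = {"request_id": reference,
            "required_claims": list(required_claims),
            "consume": True}  # one-time use, as the security reminder advises
    return urllib.request.Request(
        VERIFY_URL,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"},
        method="POST",
    )

def is_verified(response, required_claims=("human_verified",)):
    """Fail closed: every documented field must positively confirm the result."""
    if not isinstance(response, dict):
        return False
    if response.get("success") is not True or response.get("status") != "completed":
        return False  # "pending" or a missing field is a denial, not a pass
    claims = response.get("approved_claims")
    if not isinstance(claims, dict):  # assumed shape: {"human_verified": true}
        return False
    # Require a real boolean True, so a string such as "true" does not pass.
    return all(claims.get(name) is True for name in required_claims)

def verify_reference(reference, api_key, timeout=5):
    """Call verify; malformed input, network errors, non-2xx and bad JSON all deny."""
    try:
        request = build_verify_request(reference, api_key)
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return is_verified(json.load(resp))
    except (ValueError, OSError):  # JSON errors are ValueError, HTTP errors are OSError
        return False
```
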