Authenticate with biometrics using the Dashboard
Beta

Last updated: January 21, 2026

The Face Authentication solution enables you to confirm that an applicant requesting to access new services or an existing account is the same person whose identity you've successfully verified.

The applicant captures a video of their face. Checkout.com compares the biometrics to a previous video of the applicant to check if they show the same person, and shares the result.

Information

To enable Face Authentication, contact your account manager or request support.

You must have already integrated the Identity Verification solution and verified the applicant.
The applicant must already have a profile and an applicant ID, prefixed with aplt_.
You must have a non-anonymized face video from a previous successful identity verification or face authentication available for the applicant.
Handle statuses, attempts, and response codes.
Subscribe to Face Authentication webhooks.

When you request to enable Face Authentication, your account manager provides you a Face Authentication configuration ID, prefixed with usj_. This is different to your Identity Verification configuration ID.

You must provide the ID every time you create an authentication. It configures the following elements of the solution:

The service level agreement for receiving the result from Checkout.com
How long to retain verification face videos to ensure you have one available for authentications
Processing type:
- Auto – Fully automated processing
- Expert – Systematic human review

Retrieve the applicant ID.
Create an authentication linked to the applicant's profile.
Create an attempt.
Redirect the applicant to the attempt.
View the authentication result.
If requested, you can remove the applicant's personal details from the authentication.

To create a face authentication, you need one of the following user roles:

Admin
Identities manager
A custom role with the Process identities checks and manage configurations permission

You can also create an initial attempt at the same time.

Sign in to the Dashboard.
Go to Identities > Face authentication.
Select Create authentication.
In the Create authentication window, enter the applicant ID.
Select the configuration you want to apply to the authentication from the drop-down.
Select Create authentication.
In the Create attempt window, provide the URL to redirect the applicant to after they complete the authentication. For example, your success or failure URL.
Select Confirm.

The authentication ID and the attempt URL are displayed, which you can copy if required.

If the authentication is created successfully:

You receive an authentication ID, prefixed with fav_.
The authentication status changes to created.
You receive a Face authentication created webhook.

If the attempt is created successfully:

You receive an attempt ID, prefixed with fatp_.
You receive an attempt URL.
The attempt status changes to pending_redirection.
The authentication status changes to pending.
You receive a Face authentication opened webhook.

To create a face authentication attempt, you need one of the following user roles:

Admin
Identities manager
A custom role with the Process identities checks and manage configurations permission

Sign in to the Dashboard.
Go to Identities > Face authentication.
Search or filter for the authentication you want to create an attempt for, and select it.
On the Authentication details page, select Create attempt.
In the Create attempt window, provide the URL to redirect the applicant to after they complete the authentication. For example, your success or failure URL.
Select Confirm.
The attempt ID and attempt URL are displayed, which you can copy if required.
Select Done.

On the Authentication details page, the attempt appears under Authentication.

If the attempt is created successfully:

You receive an attempt ID, prefixed with fatp_.
You receive the attempt URL.
The attempt status changes to pending_redirection.
The authentication status changes to pending.
You receive a Face authentication opened webhook.

Redirect the applicant to the attempt URL, which is valid for 15 minutes.

Note

If an attempt is unsuccessful and the applicant needs to retry, you can create new attempts.

The following table describes the process of a successful attempt:

A successful attempt proceeds as follows:

Step Description

Step	Description
Applicant starts the attempt	The authentication and attempt statuses change to `capture_in_progress`. You receive a Face authentication started webhook. When successfully completed, the attempt status changes to `completed`. You receive a Face authentication capture completed webhook.
Checkout.com processes the authentication	The authentication status changes to `checks_in_progress`. When processing is complete, you receive a Face authentication checks completed webhook. You may receive the checks completed webhook simultaneously with the capture completed webhook.
Result is available	The authentication status changes to either `approved` or `declined`. If the applicant is declined, you can create a new authentication.

Applicant starts the attempt

The authentication and attempt statuses change to capture_in_progress.

You receive a Face authentication started webhook.

When successfully completed, the attempt status changes to completed.

You receive a Face authentication capture completed webhook.

Checkout.com processes the authentication

The authentication status changes to checks_in_progress.

When processing is complete, you receive a Face authentication checks completed webhook.

You may receive the checks completed webhook simultaneously with the capture completed webhook.

Result is available

The authentication status changes to either approved or declined.

If the applicant is declined, you can create a new authentication.

An attempt may be unsuccessful due to the following scenarios:

Scenario	Description
Attempt URL expires	The attempt status changes to `expired`. You receive a Face authentication link expired webhook. Recommended action – Create a new attempt.
Applicant refuses the authentication	The authentication status changes to `refused`. The attempt status changes to `capture_refused`. You receive a Face authentication capture refused webhook. Recommended action – Suggest an alternative authentication method to the applicant.
Applicant drops out of the attempt	The attempt status changes to `capture_aborted`. You receive a Face authentication capture aborted webhook. Recommended action – You can create a new attempt.
Applicant needs to retry	The authentication status changes to `retry_required`. You receive a Face authentication retry requested webhook. When you create a new attempt, the status of the previous attempt changes to `terminated`. You receive a Face authentication closed webhook, followed by an Face authentication reset webhook. Recommended action – Redirect the applicant to the new attempt URL.
Result is inconclusive	The authentication status changes to `inconclusive`. The attempt status changes to `checks_inconclusive`. You receive a Face authentication checks inconclusive webhook. Recommended action – You can create a new attempt.

Information

You can use the response codes returned in webhooks to implement your own business logic. Sharing guidance from response codes with the applicant can help the next attempt succeed. For example, if the applicant's data connection is poor, inform them so they can try to improve it.

To view a face authentication attempt, you need one of the following user roles:

Admin
Identities manager
A custom role with the View identities checks and data or Process identities checks and manage configurations permission

Sign in to the Dashboard.
Go to Identities > Face authentication.
Search or filter for the authentication you want to view an attempt for, and select it.
On the Authentication details page, all attempts appear under Authentication.

You can view the face authentication at any time. For example, to check the status or details of an attempt.

When the result is available, it is displayed in the Dashboard.

You need one of the following user roles:

Admin
Identities manager
A custom role with the View identities checks and data or Process identities checks and manage configurations permission

Sign in to the Dashboard.
Go to Identities > Face authentication.
Search or filter to find the authentication, and select it.

On the Authentication details page, you can view the following information:

Page section	Data
Authentication details Always visible	The authentication ID The authentication status Created – The date and time when the authentication was created. Last updated – The date and time when the authentication was last updated. Processing type – The processing type in your configuration. This can be `Auto` or `Expert`. Configuration ID
Response codes Visible if the result is available	One or more response codes if the status is one of the following: `approved` `declined` `inconclusive` `pending` `refused` `retry_required`
Risk codes Visible if the result is available	One or more risk labels
Captures Visible if the result is available	Face captures – Any images captured from the applicant's face video
Applicant Always visible	Applicant ID – The Checkout.com identifier for the applicant. Created – The date and time the applicant's profile was created. Last updated – The date and time the profile was last updated. Applicant email External applicant ID – Your identifier for the applicant. External applicant name – The name you have on record for the applicant. To view the applicant's full details, select View applicant profile.
Authentication Always visible	This can include the following: Applicant profile created Authentication created All webhook events All attempts Final authentication status

If the authentication is later audited and the status updated, you receive a Face authentication audit completed webhook.

If requested by an applicant under the General Data Protection Regulation (GDPR), you can remove the following personally identifiable information (PII) from the face authentication:

External applicant name – The name you have on record for the applicant.
Applicant email – The applicant's email address.

Note

Removing an applicant's PII is permanent. You cannot undo this action. Any information from the applicant's checks that is not linked to their personal identity is retained for your records.

You need one of the following user roles:

Admin
Identities manager
A custom role with the Process identities checks and manage configurations permission

Sign in to the Dashboard.
Go to Identities > Face authentication.
Search or filter for the authentication you want to remove the PII for, and select it.
On the Authentication details page, select Remove personal details.
A warning that this action is permanent appears.
Select Remove personal details to confirm the action.

On the Authentication details page, you can see the date and time when the PII was removed.

You receive a Face authentication anonymized webhook.

Authenticate with biometrics using the Dashboard
Beta

Information

Before you begin

Configuration

How it works

Create an authentication

Create an attempt

Redirect the applicant

Note

Information

View attempts

View the authentication

Audits

Remove personal details

Note