🙂 Face Active Liveness
The SDK runs the complete active liveness session for you: it locks onto the user's face, issues 3 randomized challenges (blink, turn left, turn right, smile) verified in real time with on-device face landmarks, selects the sharpest frontal selfie frame from the whole session, and finalizes it against the Face Active Liveness API — 1 IC per finalized session. The server re-verifies the selfie and returns an HMAC-SHA256 signed verdict that your backend can validate independently.
Flutter
import 'package:iapp_ekyc_sdk/iapp_ekyc_sdk.dart';
final client = IappEkycClient(apiKey: 'YOUR_API_KEY');
final liveness = await ActiveLivenessView.start(context, client: client);
if (liveness.verdict.passed) {
// Forward liveness.verdict + liveness.signature to YOUR backend,
// verify the HMAC there, then proceed with onboarding.
}
Web
import { IappEkyc } from '@iapp-technology/ekyc-sdk';
const ekyc = new IappEkyc({ apiKey: 'YOUR_API_KEY' });
const liveness = await ekyc.startActiveLiveness({
mount: document.getElementById('ekyc-mount'),
});
if (liveness.verdict.passed) {
// Forward liveness.verdict + liveness.signature to your backend for verification.
}
How the session works
- Face lock — requires exactly one frontal face, large and centered enough, held stable before challenges begin.
- Randomized challenges — 3 distinct challenges drawn at random per session; each is verified with strict predicates (a blink must be a closed-then-open transition, turns must reach ≥ 18° yaw and return to center, a smile must be sustained).
- Anti-cheat — losing the face, a second face entering the frame, or a face-identity switch restarts the current challenge; repeated restarts or timeouts fail the session.
- Best-frame selection — every sharp, frontal, eyes-open frame across the session is scored (Laplacian sharpness × face size); the best one becomes the selfie submitted to the server.
- Server-signed verdict — the finalize endpoint validates the challenge log, re-runs passive liveness on the selfie, and signs the verdict. On-device results alone are UX guidance only — always verify the signature on your backend.
Trust only the signed verdict
A modified client can fake on-device challenge results. Your backend must recompute HMAC-SHA256(secret, canonicalJSON(verdict)) and compare it to signature before trusting verdict.passed. See the signature verification example.
Learn more
- Product API: Face Active Liveness Detection
- SDK setup: Getting Started
- Source & liveness spec: github.com/iapp-technology/iapp-ekyc-sdk