Secure Verification Creation
Create verifications from your authenticated backend, then redirect users to the hosted form, so verification IDs can only originate from you.
What You’ll Build
In this tutorial you’ll create a verification from your own backend using an API token, then hand the user off to the SheerID hosted form to finish. With API Access Control enabled on your program, verifications can only be created with a valid token — so verification IDs can no longer be generated by anyone but you. This is the recommended, abuse-resistant way to start a verification.
Prerequisites
- A published verification program and its programId (create one in MySheerID).
- API Access Control enabled on the program so that verification creation requires a token. This is enabled by SheerID — contact your account team to turn it on.
- An OAuth API access token — see API Tokens.
Terminology
verificationId: Unique identifier for the ongoing verification.
programId: Retrieve your programId from your Program tab in MySheerID.
verificationCreationPolicy: Determines whether creating a verification requires a token. public allows creation with no token (standard forms); requireToken requires a valid API token to create a verification.
Step 1: Get an access token
Obtain an OAuth bearer token as described in API Tokens. You’ll send it as an Authorization: Bearer header in the next step.
Step 2: Create the verification from your backend
Make an authenticated POST to the verification endpoint with your programId:
POST /rest/v2/verification HTTP/1.1
Host: services.sheerid.com
Authorization: Bearer <YOUR_ACCESS_TOKEN>
Content-Type: application/json

{
  "programId": "<YOUR_PROGRAM_ID>"
}
A successful response returns the verificationId to use for the redirect:
{
  "verificationId": "111111111111111111111111",
  "currentStep": "collectStudentPersonalInfo",
  "submissionUrl": "https://services.sheerid.com/rest/v2/verification/111111111111111111111111/step/collectStudentPersonalInfo"
}
Keep the verificationId; you’ll pass it to the hosted form.
Step 3: Redirect the user to the hosted form
Redirect the user’s browser to the hosted form for your program, passing the verificationId you just created:
https://services.sheerid.com/verify/<YOUR_PROGRAM_ID>/?verificationId=111111111111111111111111
Because the verification already exists, the form resumes the flow you started instead of creating a new verification on load.
Errors
If verification creation is attempted without a valid token while API Access Control requires one, the API returns 401 Unauthorized:
{
  "errorIds": [
    "invalidApiToken"
  ]
}
Make sure your backend includes the Authorization: Bearer header and that the token has not expired (see Token Expiration and Reuse).
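Steps 2 and 3 and the 401 case above, put together as a backend helper. This is an added example, not SheerID's own code: the function and exception names are hypothetical, and treating any 2xx status as success is an assumption, since the page does not state the success status code.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

BASE = "https://services.sheerid.com"  # host shown in the requests on this page


class InvalidApiToken(Exception):
    """Raised for a 401 whose errorIds contain invalidApiToken."""


def build_create_request(program_id, access_token):
    # The token travels only in the Authorization header of this server-side call.
    body = json.dumps({"programId": program_id}).encode()
    return urllib.request.Request(
        BASE + "/rest/v2/verification", data=body, method="POST",
        headers={"Authorization": "Bearer " + access_token,
                 "Content-Type": "application/json"})


def parse_create_response(status, raw_body):
    try:
        data = json.loads(raw_body)
    except ValueError:
        data = {}
    if not isinstance(data, dict):
        data = {}
    if status == 401 and "invalidApiToken" in data.get("errorIds", []):
        raise InvalidApiToken("token missing, invalid or expired")
    # Assumption: any 2xx carrying a verificationId counts as success.
    if not 200 <= status < 300 or "verificationId" not in data:
        raise RuntimeError(f"verification not created (HTTP {status})")
    return data["verificationId"]


def build_redirect_url(program_id, verification_id):
    # Percent-encode both values so neither can change the URL structure;
    # the access token is never part of what the browser receives.
    path = "/verify/" + urllib.parse.quote(program_id, safe="") + "/"
    query = urllib.parse.urlencode({"verificationId": verification_id})
    return BASE + path + "?" + query


def start_verification(program_id, access_token):
    """Create the verification (Step 2) and return the redirect URL (Step 3)."""
    req = build_create_request(program_id, access_token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx
        status, raw = err.code, err.read()
    return build_redirect_url(program_id, parse_create_response(status, raw))
```

Call start_verification from the route that begins verification and send its return value as the redirect target; on InvalidApiToken, obtain a fresh token rather than falling back to an unauthenticated flow.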
Next Steps
- Authentication — the full authenticated-by-default posture.
- In-App SSO — another flow that redirects into the hosted form with a verificationId.
- Webhooks — get notified of verification outcomes.
