Identity decisioning and KYC/KYB orchestration platform — connects 85+ data and IDV vendors behind a single API and workflow engine for onboarding, transaction monitoring, and credit decisions.
- KYC/KYB orchestration across vendors
- no-code workflow / decision engine
- step-up document IDV
- ongoing AML monitoring
- regulated fintech / neobank / crypto onboarding

- `pnpm add @alloyidentity/web-sdk`

| Variable | Scope | Description |
|---|---|---|
| ALLOY_WORKFLOW_TOKEN | Server | Workflow API token (workflow-scoped) used as the username in Basic auth. |
| ALLOY_WORKFLOW_SECRET | Server | Workflow API secret used as the password in Basic auth. |
| ALLOY_WEBHOOK_SECRET | Server | Shared secret used to verify the X-Alloy-Signature on webhook deliveries. |

Use Alloy to orchestrate KYC/KYB across multiple data vendors via a single decisioning workflow. Server-side, call `POST https://sandbox.alloy.co/v1/evaluations` (Basic auth with `ALLOY_WORKFLOW_TOKEN:ALLOY_WORKFLOW_SECRET`) sending `name_first`, `name_last`, `birth_date`, `document_ssn`, `address_line_1`, `address_country_code`, plus business fields for KYB. The response returns `summary.outcome` (`Approved`, `Manual Review`, `Denied`) and per-vendor `child_evaluations` with the data sources Alloy ran.

For document IDV step-up, create a journey via `POST /v1/journeys/{token}/applications` and load the Web SDK with `Alloy.init({ key, journeyToken, journeyApplicationToken })`, which routes the user to the configured document vendor (Onfido/Jumio/Socure).

Subscribe to `evaluation.created` and `case.status_changed` webhooks, verify `X-Alloy-Signature` (HMAC-SHA256 keyed with `ALLOY_WEBHOOK_SECRET`), and finalize state from the webhook payload — not the SDK callback.

- ⚑ Outcomes depend on which downstream vendors your workflow runs — the same person can be Approved by one vendor mix and Denied by another. Version your workflows and snapshot the workflow id with each evaluation for audit.
- ⚑ Vendor data-source coverage varies by jurisdiction (US is deepest; EU/LATAM/APAC have different ID, sanctions, and PEP partners) — confirm vendor support per country before going live there.
- ⚑ Manual review queue volume is workflow-driven — overly tight thresholds will pile up review work, while loose thresholds raise fraud. Tune with feedback on `case` outcomes.
- ⚑ Sandbox (`sandbox.alloy.co`) uses fixture vendor responses — never tune thresholds, approval, or fraud rates against sandbox; production endpoints live under `production.alloy.co`.
- ⚑ Webhook signature is HMAC-SHA256 of the raw body in `X-Alloy-Signature` — verify against raw bytes, not parsed JSON.
- ⚑ Data retention is contract-defined and varies by vendor — Alloy proxies but you remain controller; persist evaluation IDs and outcomes on your side for AMLD/BSA record-keeping.
- ⚑ The Web SDK requires a journey application token created server-side per session — do not embed long-lived workflow tokens in the browser.
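
The raw-bytes webhook check described above, as an added Node.js example (not Alloy's own code). It assumes `X-Alloy-Signature` carries a hex-encoded digest, which this page does not specify; the function names, sample payload and secret are constructed for illustration.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// Assumption: the header value is the hex digest; this page does not state the encoding.
function computeSignature(rawBody, secret) {
  return createHmac('sha256', secret).update(rawBody).digest('hex');
}

// rawBody must be the Buffer exactly as received, before any JSON parsing.
function verifyAlloyWebhook(rawBody, signatureHeader, secret) {
  if (!Buffer.isBuffer(rawBody) || typeof signatureHeader !== 'string' || !secret) {
    return false; // fail closed on a missing body, header or secret
  }
  const candidate = signatureHeader.trim();
  if (!/^[0-9a-f]{64}$/i.test(candidate)) return false;
  const expected = Buffer.from(computeSignature(rawBody, secret), 'hex');
  const received = Buffer.from(candidate, 'hex');
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw on length.
  return timingSafeEqual(expected, received);
}

// Hypothetical handler: parse and act on the event only after the check passes.
// In a real service the secret comes from process.env.ALLOY_WEBHOOK_SECRET.
function handleDelivery(rawBody, headers, secret) {
  if (!verifyAlloyWebhook(rawBody, headers['x-alloy-signature'], secret)) {
    return { status: 401, event: null };
  }
  return { status: 200, event: JSON.parse(rawBody.toString('utf8')) };
}

// Constructed sample delivery (not a real Alloy payload). The irregular spacing
// is deliberate: re-serializing the parsed JSON produces different bytes.
const SAMPLE_SECRET = 'constructed-test-secret';
const SAMPLE_BODY = Buffer.from('{ "type": "evaluation.created",  "data": {"outcome":"Approved"} }');
const SAMPLE_SIG = computeSignature(SAMPLE_BODY, SAMPLE_SECRET);

function demo() {
  const parsed = JSON.parse(SAMPLE_BODY.toString('utf8'));
  const reserialized = Buffer.from(JSON.stringify(parsed));
  const tampered = Buffer.from(SAMPLE_BODY.toString('utf8').replace('Approved', 'Denied'));
  return {
    rawOk: verifyAlloyWebhook(SAMPLE_BODY, SAMPLE_SIG, SAMPLE_SECRET),
    reserializedOk: verifyAlloyWebhook(reserialized, SAMPLE_SIG, SAMPLE_SECRET),
    tamperedOk: verifyAlloyWebhook(tampered, SAMPLE_SIG, SAMPLE_SECRET),
  };
}
```

With Express or a similar framework, capture the body as a Buffer for the webhook route (for example with a raw body parser) so the bytes that were signed are the bytes that get verified.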