Fraud, KYC/KYB, sanctions, and AML transaction monitoring on one platform — combines device intelligence and behavior biometrics with identity decisioning and case management.
- 01 device + behavior fraud signals
- 02 KYC/KYB onboarding
- 03 AML transaction monitoring
- 04 scam and ATO prevention
- 05 case management
- `pnpm add sardine-web-sdk`
| Variable | Scope | Description |
|---|---|---|
| NEXT_PUBLIC_SARDINE_CLIENT_ID | Client | Public Sardine client ID for the browser SDK. |
| SARDINE_CLIENT_ID | Server | Sardine client ID for server-side API calls. |
| SARDINE_SECRET_KEY | Server | Sardine secret used as Basic auth password against api.sardine.ai. |
Use Sardine for device + behavior fraud signals layered with KYC and AML monitoring. On the client, load the Sardine Web SDK with `_Sardine.createContext({ clientId, sessionKey, userIdHash, flow })` early in the page lifecycle so it can fingerprint the device and capture behavioral signals across the session. Pass the same `sessionKey` to your backend, then call `POST https://api.sardine.ai/v1/customers` with Basic auth (`SARDINE_CLIENT_ID:SARDINE_SECRET_KEY`) to start KYC, followed by `POST /v1/identity` for full identity verification with documents. For risk decisioning on transfers and trades, call `POST /v1/customers/{id}/devices` and `POST /v1/feedbacks` plus the rule-engine score endpoint, and consume the `decisions` and `cases` webhooks for async outcomes. Use `flow` consistently (`onboarding`, `login`, `withdrawal`) so device signals attribute correctly.
- ⚑ The Web SDK must load and emit at least one event before the server-side risk call, otherwise you'll get device-signal coverage gaps and lower-confidence scores — gate the action button on `sardineReady`.
- ⚑ Sardine geographic KYC coverage is broad but uneven (deeper in US/EU, thinner in some LATAM/APAC corridors) — confirm document and data-source coverage per jurisdiction before going live there.
- ⚑ Behavioral models tune to your population for ~2–4 weeks before false-positive rates stabilize — expect noisy alerts on day one and feed `feedbacks` aggressively.
- ⚑ Sandbox uses fixture customers and never hits real data sources — score thresholds you set in sandbox will not match production.
- ⚑ Webhooks are signed with HMAC-SHA256 in `x-sardine-signature` and `x-sardine-timestamp` — reject events older than 5 minutes to prevent replay.
- ⚑ Data retention for raw biometric/behavioral signals is configurable per contract — confirm your retention window matches your privacy policy and GDPR/CCPA disclosures.
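The webhook check from the notes above, as an added example (not Sardine's or this page's own code). The page names the two headers and the 5-minute window; the signed string `timestamp.rawBody`, hex encoding, Unix-seconds timestamps and the `webhookSecret` parameter are assumptions to confirm against Sardine's webhook documentation.

```javascript
const crypto = require("node:crypto");

const MAX_AGE_MS = 5 * 60 * 1000; // replay window stated on the page: 5 minutes

// ASSUMPTION: the MAC covers `${timestamp}.${rawBody}` and is hex-encoded.
function sign(webhookSecret, timestamp, rawBody) {
  return crypto.createHmac("sha256", webhookSecret)
    .update(`${timestamp}.${rawBody}`)
    .digest("hex");
}

// headers: lower-cased header map. rawBody: the exact string received,
// never JSON that was parsed and re-serialized (that changes the bytes).
function verifyWebhook(headers, rawBody, webhookSecret, nowMs = Date.now()) {
  const sig = headers["x-sardine-signature"];
  const ts = headers["x-sardine-timestamp"];
  if (typeof sig !== "string" || typeof ts !== "string") {
    return { ok: false, reason: "missing-header" };
  }
  if (!/^\d+$/.test(ts)) return { ok: false, reason: "bad-timestamp" };

  const expected = Buffer.from(sign(webhookSecret, ts, rawBody), "hex");
  const given = Buffer.from(sig, "hex");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }
  // The timestamp is inside the MAC, so an attacker cannot refresh it on a
  // captured event. Reject old events and ones dated far in the future.
  const ageMs = nowMs - Number(ts) * 1000; // ASSUMPTION: Unix seconds
  if (Math.abs(ageMs) > MAX_AGE_MS) return { ok: false, reason: "stale" };
  return { ok: true, reason: "ok" };
}

// Constructed sample event and secret (not real Sardine data).
const SAMPLE_SECRET = "constructed-webhook-secret";
const SAMPLE_BODY = '{"type":"decisions","id":"evt_constructed_1"}';
const SAMPLE_TS = "1700000000";
const SAMPLE_HEADERS = {
  "x-sardine-timestamp": SAMPLE_TS,
  "x-sardine-signature": sign(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_BODY),
};
```

Run the check on the raw request body before any JSON parsing, and return a non-2xx status for every `ok: false` result so a rejected event is never processed.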