
Full-stack KYC/KYB/AML platform with WebSDK, server APIs, and applicant lifecycle webhooks. Supports document verification, liveness, PEP/sanctions screening, and ongoing monitoring across most jurisdictions.
- regulated KYC/KYB
- document + liveness verification
- PEP and sanctions screening
- reusable KYC across products
- global jurisdiction coverage
- Install: `pnpm add @sumsub/websdk-react`
| Variable | Scope | Description |
|---|---|---|
| SUMSUB_APP_TOKEN | Server | Sumsub app token (format `sbx:` for sandbox, `prd:` for prod) used for HMAC-signed API calls. |
| SUMSUB_SECRET_KEY | Server | Sumsub secret key used to sign requests (HMAC-SHA256) and verify inbound webhook digests. |
| SUMSUB_WEBHOOK_SECRET | Server | Per-webhook secret configured in the Webhook Manager; used to verify the `x-payload-digest` header. |
Use Sumsub for KYC/AML. Server route `/api/sumsub/access-token` calls `POST https://api.sumsub.com/resources/accessTokens?userId={externalUserId}&levelName=basic-kyc-level` signed with HMAC-SHA256 using `SUMSUB_APP_TOKEN` + `SUMSUB_SECRET_KEY` (headers: `X-App-Token`, `X-App-Access-Sig`, `X-App-Access-Ts`). On the client, render `<SumsubWebSdk accessToken={token} expirationHandler={refresh} onMessage={...} />` from `@sumsub/websdk-react`. Webhook handler at `/api/sumsub/webhook` verifies the `x-payload-digest` header against the raw body using HMAC-SHA1/256 with `SUMSUB_WEBHOOK_SECRET`, then handles `applicantReviewed` events — read `reviewResult.reviewAnswer` (`GREEN`/`RED`) and `reviewRejectType` to update user KYC state.
- ⚑Webhook signature MUST be verified against the raw request body before parsing — Next.js requires `export const runtime = 'nodejs'` and reading the request via `req.text()` to preserve byte-exact payload for HMAC.
- ⚑Access tokens are single-use per applicant and short-lived (default 10 min) — wire `expirationHandler` to your server to issue a fresh token, or the SDK will hang.
- ⚑Sandbox (`sbx:` token) and production (`prd:` token) are completely separate environments with different applicant IDs; never mix levels between them.
- ⚑Some jurisdictions (notably US states, sanctioned regions) require enabling specific applicant levels and document types in the dashboard — the SDK silently falls back if a level is misconfigured.
- ⚑PII is stored on Sumsub's servers; if your DPA requires EU residency you must request the EU data region at onboarding — it cannot be changed later.
- ⚑False-positive rate on liveness/face match is non-trivial for low-light selfies; budget for a manual review queue rather than auto-approving on `GREEN` alone.