Building Privacy-First Age Verification: Our Technical Approach

When we set out to build AgeCheck API, we made a commitment: no identity data retained on our servers. This sounds simple, but it creates some interesting engineering challenges.

The verification flow

Our verification flow is designed to be stateless from a data perspective. When a user initiates an age check, the process runs through a series of signals that together produce a confidence score. That score is used to generate a signed verification token — a JWT that the platform can verify independently.

The token contains the verification result (a boolean), a confidence level, a timestamp, and a platform-specific identifier. It contains no personal data. Once the token is issued, we discard the underlying signals.

The API design

We designed the API to be as simple as possible for developers to integrate. A single POST request to /v1/verify-age initiates the verification flow. The response is a verification object containing the token and metadata.

POST /v1/verify-age
{
  "session_id": "sess_abc123",
  "platform_id": "your-platform-id",
  "redirect_uri": "https://yourapp.com/callback"
}

The verification itself happens in a separate, user-facing flow that we host. This keeps the sensitive parts of the process off your infrastructure entirely.

What we are still working on

We are currently working on the SDK layer — client libraries for Node.js, Python, and React that make integration even simpler. We are also building a sandbox environment for testing without real verification signals.

If you are interested in early access, join the waitlist. We are looking for developers who want to help shape the product.