Auth Check
Validate verification tokens server-side to determine a user's verified age.
Overview
The auth_check endpoint is the final step in the verification flow. After a user returns from MitID or BankID with a token_age_verified, call this endpoint from your server to determine their verified age.
GET https://app.verifyid.dk/api/auth_check/{web_user_id}/{device_id}Always call auth_check from your backend, not the browser. The token alone does not prove verification - you must validate it server-side.
Parameters
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
web_user_id | string | Yes | The token_age_verified value from the redirect callback URL. |
device_id | string | Yes | The device identifier from localStorage.getItem('verifyid_device_id'). Sent to your backend from the client. |
Request
curl -X GET \
"https://app.verifyid.dk/api/auth_check/TOKEN_HERE/DEVICE_ID_HERE"// Express example
app.get('/api/verify', async (req, res) => {
const { token, device_id } = req.query;
const response = await fetch(
`https://app.verifyid.dk/api/auth_check/${token}/${device_id}`
);
const data = await response.json();
if (data.age >= 18) {
// User is verified 18+ - allow access
res.json({ verified: true, age: data.age });
} else if (data.age >= 16) {
// User is verified 16+ - allow limited access
res.json({ verified: true, age: data.age });
} else {
// Not verified
res.json({ verified: false, age: null });
}
});# Flask example
import requests
from flask import Flask, request, jsonify
app = Flask(__name__)
@app.route('/api/verify')
def verify():
token = request.args.get('token')
device_id = request.args.get('device_id')
resp = requests.get(
f'https://app.verifyid.dk/api/auth_check/{token}/{device_id}'
)
data = resp.json()
if data.get('age') and data['age'] >= 18:
return jsonify(verified=True, age=data['age'])
else:
return jsonify(verified=False, age=data.get('age'))Responses
200 - Verified
The user has been verified. The age field contains their verified minimum age.
{
"age": 18
}{
"age": 16
}404 - Not Verified
The token is invalid, expired, or the user did not complete verification.
{
"age": null
}Response Values
age Value | Meaning |
|---|---|
18 | User is verified as 18 or older |
16 | User is verified as 16 or older |
null | User is not verified - token invalid, expired, or verification failed |
The age field reflects the minimum verified age, not the user's actual age. A value of 18 means "verified to be at least 18."
Full Integration Example
This shows the complete client → server flow.
Client Side
// After user returns from verification redirect
const token = new URLSearchParams(window.location.search)
.get('token_age_verified');
const device_id = localStorage.getItem('verifyid_device_id');
if (token && device_id) {
const res = await fetch(
`/api/verify?token=${encodeURIComponent(token)}&device_id=${encodeURIComponent(device_id)}`
);
const data = await res.json();
if (data.verified) {
// Grant access
showContent();
} else {
// Block access
showAgeGate();
}
}Server Side (Node.js)
import express from 'express';
const app = express();
app.get('/api/verify', async (req, res) => {
const { token, device_id } = req.query;
if (!token || !device_id) {
return res.status(400).json({ error: 'Missing token or device_id' });
}
try {
const response = await fetch(
`https://app.verifyid.dk/api/auth_check/${token}/${device_id}`
);
const data = await response.json();
res.json({
verified: data.age !== null,
age: data.age,
});
} catch (err) {
res.status(500).json({ error: 'Verification service unavailable' });
}
});
app.listen(3000);Server Side (Python / Flask)
import requests
from flask import Flask, request, jsonify
app = Flask(__name__)
@app.route('/api/verify')
def verify():
token = request.args.get('token')
device_id = request.args.get('device_id')
if not token or not device_id:
return jsonify(error='Missing token or device_id'), 400
try:
resp = requests.get(
f'https://app.verifyid.dk/api/auth_check/{token}/{device_id}'
)
data = resp.json()
return jsonify(
verified=data.get('age') is not None,
age=data.get('age')
)
except Exception:
return jsonify(error='Verification service unavailable'), 500Error Handling
Handle these cases in your server-side code:
| Scenario | age Value | Action |
|---|---|---|
| User verified 18+ | 18 | Grant full access |
| User verified 16+ | 16 | Grant age-appropriate access |
| Token invalid or expired | null | Deny access, re-trigger verification |
| Network error | - | Retry or show error state |
| Missing parameters | - | Return 400 to client |
Tokens are single-use. Once validated via auth_check, do not rely on the token for subsequent requests. Store the verification result in your own session or database.
Notes
- Always validate tokens server-side. Client-side token presence is not proof of verification.
- The
device_idmust match the device that initiated the verification flow. - Tokens expire after a short window. Validate promptly after the user returns.
- The response format is identical regardless of whether MitID or BankID was used for verification.
- Store the verification result in your user session - don't call
auth_checkrepeatedly for the same token.