Claude's Corner: Didit: The Identity Layer the AI Internet Can't Ignore

Didit (YC W2026) is building the identity infrastructure for the AI era, one API for KYC, KYB, AML, biometrics, and fraud across 220 countries. Twin brothers Alberto and Alejandro Rosas raised $7.5M to be the Stripe of identity verification.



Build difficulty: 8.0 (A)

Didit, The Identity Layer the AI Internet Can't Ignore

The AI internet has a trust problem. When a deepfake can pass a video call and a language model can clone someone's writing style in seconds, the question "is this a real person?" stops being philosophical and becomes existential for every regulated business on earth. Didit is betting it can own the answer.

Alberto and Alejandro Rosas, twin brothers, YC W2026, $7.5M raised, are building what they call "identity infrastructure for the AI era." One API. KYC, KYB, AML, biometrics, fraud detection. 220 countries. 14,000 document types. Sub-2-second latency. $0.33 per full identity check.

The pitch is clean: Stripe didn't build a payment processor, it built rails that any developer could drop into their product without understanding how ACH settlement works. Didit wants to do the same for identity. Abstract away the regulatory complexity, the model training, the 1,000+ government data partnerships, the sanctions list synchronization, and give developers a single REST endpoint.


What They Do

Didit is a unified identity and fraud platform. A business integrates once and gets access to the full stack: document verification (passports, driver's licenses, residence permits across 14,000+ document types), passive liveness detection to catch spoofing attempts, biometric face matching (1:1 and 1:N), AML screening against 10,000+ watchlists, KYB for verifying businesses and their beneficial owners, real-time transaction monitoring, and wallet screening for crypto compliance.

The target customer is any regulated business that needs to verify who their users are. That's a broad tent: fintechs and neobanks, crypto exchanges trying to comply with MiCA and the Travel Rule, gig economy marketplaces onboarding contractors, gaming platforms enforcing age restrictions, traditional banks running periodic re-verification. Didit currently serves 2,000+ organizations including GBTC Finance, Bondex, Crnogorski Telekom, UCSF Neuroscape, and Shiply.

Pricing is transparent and pay-as-you-go, a deliberate poke at incumbents who hide their rates behind enterprise sales calls. Full KYC bundle: $0.33. ID verification alone: $0.15. AML screening: $0.20. Business verification (KYB): $2.00. First 500 verifications per month are free with no credit card required. Enterprise customers get data residency options, custom SLAs, and dedicated support.

How It Works

The architecture is session-based. A backend server creates a verification session via the Sessions API, specifying which modules to run (ID check, liveness, AML, etc.) and in what order. The API returns a session URL that gets passed to the end user, either embedded in an iframe, opened in a redirect, or surfaced through one of the SDKs for React, Vue, Next.js, iOS, Android, React Native, or Flutter. The user completes verification. Signed webhooks (HMAC-SHA256) notify the business when the session completes, with the result and any extracted data.

The interesting engineering decision is what's under the hood. The founders describe it as "the delusional path of full vertical integration." They built their own OCR and document extraction models rather than wrapping a third-party service. They trained their own biometric AI for liveness detection and face matching. They built their own fraud signal analysis (200+ signals per verification). The rationale: sensitive identity data shouldn't route through vendor chains the customer doesn't control. Plus, owning the models means owning the accuracy improvements.

The workflow orchestrator deserves special mention. Rather than a fixed pipeline, Didit exposes 25+ modular verification components that can be composed into custom flows. Additional checks can be triggered conditionally: if OCR extraction confidence falls below a threshold, route the session to a human review queue; if the user is from a jurisdiction with enhanced due diligence requirements, automatically add extra AML steps. This is where identity verification gets interesting as a product rather than a commodity.

One architectural bet worth noting: Didit ships an MCP server. Drop it into Claude, Codex, or Cursor and an AI agent can set up a full verification flow in a single prompt. This isn't just a developer experience gimmick, it's a read on where software development is going. In 18 months, most integrations will start with an AI agent reading docs and writing boilerplate. Being natively MCP-compatible is a distribution play.

Difficulty Score

  • ML/AI: 9/10. Proprietary passive liveness detection, multimodal OCR trained on 14,000+ document types in dozens of scripts, face match at 1:N scale, 200+ fraud signals. None of this is wrappable from OpenAI.
  • Data: 9/10. 1,000+ government and bureau data sources, 10,000+ AML and sanctions datasets, 220-country document coverage. This data took years to source and is continuously updated.
  • Backend: 8/10. Sub-2-second end-to-end inference under real-world load, session orchestration, webhook delivery guarantees, 99.99% SLA. Solid distributed systems work.
  • Frontend: 6/10. Session-hosted UI, six SDKs, white-label capabilities. Harder than it looks because it has to work on low-bandwidth connections and older devices globally.
  • DevOps: 8/10. SOC 2 Type I, ISO 27001, iBeta Level 1 PAD, GDPR, eIDAS 2.0, MiCA compliance, DORA-aligned. Certifications are not technical problems, they're expensive operational problems that require months of audit cycles.

The Moat

Here's what's actually hard to replicate about Didit, in order of defensibility:

The compliance stack. SOC 2 Type I, ISO 27001, iBeta Level 1 PAD (which requires external biometric testing labs), GDPR, eIDAS 2.0, MiCA, DORA alignment, and recognition from Banco de España and SEPBLAC (the Spanish central bank and AML regulator) as safer than in-person verification. You cannot buy these certifications on AWS Marketplace. You spend 18-24 months earning them, paying auditors, submitting to regulators, and building the internal controls. Every new competitor starts the clock at zero.

The data partnerships. 1,000+ government and bureau data sources across 220 countries. Each of those is a contract, an API integration, a data residency negotiation, and a renewal cycle. The aggregate of those relationships creates a switching cost for Didit's customers (consistency of data) and a barrier for competitors (time to replicate the network).

Proprietary models trained on real verifications. Every verification Didit processes improves their fraud models and OCR accuracy. A new entrant with no verifications has no feedback loop. Didit's model quality compounds with scale. This is a real flywheel, not the buzzword kind.

What's easy to replicate: the API surface, the pricing page, the workflow orchestrator concept, the developer documentation. You could rebuild the Didit homepage and SDK interface in a weekend. Actually deploying the thing with comparable accuracy, coverage, and compliance? That's a different conversation.

The Timing Argument

The identity verification market was already large before AI. The global KYC/AML market was worth $3.5B+ and growing at 15%+ annually, driven by tightening financial regulation globally. AI has accelerated both the demand and the urgency.

Deepfakes have reached a quality threshold where existing liveness detection approaches are failing. Synthetic identity fraud, using AI-generated documents combined with real personal data, is growing faster than fraud teams can track. The EU's AI Act and DORA regulation are creating new compliance burdens for financial services. The US is expanding Bank Secrecy Act requirements. MiCA has forced European crypto exchanges into full KYC compliance for the first time.

Every one of these trends is a tailwind for Didit. Identity verification is becoming more important and harder to do correctly precisely as the cost of getting it wrong increases. The window to build the infrastructure layer that every other business relies on is right now.

The main risk is market power: Stripe, Plaid, and similar companies have the distribution and trust relationships to enter this space. Stripe Identity already exists. The question is whether Didit can build enough depth in accuracy, coverage, and compliance before a well-funded incumbent decides identity is strategic. The twin brothers have a head start and $7.5M. They need to use it to get to the point where switching costs make the incumbents think twice.

Replicability Score: 78/100

Building a basic KYC wrapper that calls a third-party OCR service and checks a sanctions list? That's a weekend project. Building what Didit actually has (proprietary models, 14,000 document types, 1,000+ data sources, a certified compliance stack recognized by European financial regulators, and 2,000+ paying customers generating training data) is 5-7 years of compounding work. The API surface is easy to copy. The infrastructure underneath is not. Score: 78.

© 2026 StartupHub.ai. All rights reserved. Do not enter, scrape, copy, reproduce, or republish this article in whole or in part. Use as input to AI training, fine-tuning, retrieval-augmented generation, or any machine-learning system is prohibited without written license. Substantially-similar derivative works will be pursued to the fullest extent of applicable copyright, database, and computer-misuse laws. See our terms.

Build This Startup with Claude Code

Complete replication guide — install as a slash command or rules file

# Building a Didit Clone with Claude Code

## Step 1: Data Model
Create a PostgreSQL schema with tables: `verification_sessions` (id, user_id, status, modules_config, created_at, completed_at, result_data), `documents` (id, session_id, document_type, country, extracted_data, confidence_score), `aml_checks` (id, session_id, watchlist_name, match_status, match_data), `kyb_entities` (id, session_id, business_name, registration_number, beneficial_owners), `audit_logs` (id, session_id, event_type, timestamp, metadata).

## Step 2: Core Session API
Build a RESTful API with Express/Fastify. POST /sessions creates a session with a modules array (["id_check", "liveness", "aml"]), returns a session_id and hosted_url. GET /sessions/:id returns current status. Use HMAC-SHA256 signed webhooks for event delivery.

## Step 3: Document Verification Pipeline
Integrate a third-party OCR service (AWS Textract, Google Document AI, or Azure Form Recognizer) for document extraction. Build a normalization layer that maps extracted fields to a standard schema regardless of document country/type. Use Google Vision API for initial image quality assessment.

## Step 4: Biometrics Layer
Integrate AWS Rekognition or Azure Face API for face matching. For liveness detection, use iProov or FaceTec SDK; passive liveness requires specialized hardware testing (iBeta certification). Build a confidence scoring system that aggregates signal quality metrics.

## Step 5: AML/Sanctions Screening
Subscribe to ComplyAdvantage or Refinitiv World-Check for sanctions data. Build a fuzzy matching engine (use Elasticsearch with phonetic matching) to catch name variations. Implement a risk scoring model that weights match quality, list severity, and jurisdictional risk.

## Step 6: Workflow Orchestrator
Build a state machine (use XState or a simple FSM in code) where each verification module is a node with pass/fail/manual_review transitions. Store the workflow definition as JSON config in the sessions table. This enables conditional routing (e.g., trigger enhanced due diligence if country risk score > threshold).

## Step 7: Compliance & Deployment
Deploy on AWS with data residency controls (use S3 + KMS with region-locked buckets). Implement full audit logging for every data access event. Get SOC 2 started via Vanta or Drata. For production: plan 6-12 months for SOC 2 Type I, 18+ months for ISO 27001. Host docs on Mintlify or ReadMe. Ship a React SDK that wraps the session-hosted UI in an iframe with message-passing for state updates.