Before going live
Best practices to build a production-ready Stripe Identity integration.
Review the supported use cases and terms of service to make sure that your business can use Stripe Identity.
The verification experience shows your company name, logo, and color. Make sure to configure the branding settings for your account before going live.
To prevent fraudsters from abusing your verification flow and incurring charges on your account, we recommend that you limit the number of times a user can verify themselves.
As much as possible, store only references to the verification and use the API to retrieve the VerificationSession when you need access to sensitive information. This simplifies your integration, limits your security exposure, and helps you comply with privacy laws (such as GDPR) that require you to minimize data retention.
We recommend that you authenticate your user before showing or sending them to Stripe Identity. This allows you to keep relevant internal references and adds a layer of security to prevent fraudsters from abusing your verification flow.
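The three recommendations above (limit attempts, store only references, authenticate first) can be enforced in one server-side gate. This is an added example, not Stripe's own code: the `VerificationGate` class, the limit of 3 attempts per 24 hours, and the in-memory store are assumptions, and `fake_create` is a constructed stand-in for `stripe.identity.VerificationSession.create` so the block runs offline.

```python
import time
from collections import defaultdict
from types import SimpleNamespace

MAX_ATTEMPTS = 3            # assumed policy, not a Stripe-defined limit
WINDOW_SECONDS = 24 * 3600  # assumed rolling window


class VerificationLimitExceeded(Exception):
    """Raised when a user has used up their attempts in the current window."""


class VerificationGate:
    """Creates sessions for authenticated users only, caps attempts per user,
    and keeps just the session ID (no document or selfie data)."""

    def __init__(self, create_session, clock=time.time):
        # In production, pass stripe.identity.VerificationSession.create here.
        self._create = create_session
        self._clock = clock
        self._attempts = defaultdict(list)  # user_id -> [(timestamp, session_id)]

    def start(self, user_id):
        if not user_id:  # caller must resolve user_id from an authenticated login
            raise PermissionError("authenticate the user before verification")
        now = self._clock()
        recent = [a for a in self._attempts[user_id] if now - a[0] < WINDOW_SECONDS]
        if len(recent) >= MAX_ATTEMPTS:
            raise VerificationLimitExceeded(user_id)  # no billable session created
        # metadata ties the Stripe object back to the internal account reference
        session = self._create(type="document", metadata={"user_id": user_id})
        recent.append((now, session.id))
        self._attempts[user_id] = recent
        return session

    def session_ids(self, user_id):
        """Stored references; fetch details from the API only when needed."""
        return [sid for _, sid in self._attempts[user_id]]


def fake_create(**params):
    """Constructed stand-in for the Stripe call so the example runs offline."""
    fake_create.count += 1
    return SimpleNamespace(id=f"vs_test_{fake_create.count}",
                           metadata=params["metadata"])


fake_create.count = 0
```

In a real deployment the attempt records belong in your database rather than process memory, so the limit survives restarts and applies across all application servers.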
Stripe Identity may not be able to verify all of your users. For example, your user might decline to be verified using biometric technology, they might attempt to verify with an unsupported document type, or they might not be covered by Identity’s verification checks. We recommend that you provide alternative ways to verify your user, such as reaching out to your support team. In some jurisdictions, privacy laws (such as GDPR) might require you to offer a non-biometric verification option for users who decline to consent to using their biometric information.
If your integration depends on webhooks, make sure you’ve tested that your integration handles Identity events correctly and that you’re following the Best practices for using webhooks.
Follow the Development checklist to ensure a smooth transition when taking your integration live.
Stripe Identity collects sensitive information, such as facial and identity document images. Make sure that your own privacy policy tells your customers about all the ways you may use or reuse the collected identity data and that this data is shared with Stripe. You could add the following paragraph to your policy if it doesn’t already include information about how their data is disclosed to Stripe:
We use Stripe for identity document verification. Stripe collects identity document images, facial images, ID numbers and addresses as well as advanced fraud signals and information about the devices that connect to its services. Stripe shares this information with us and also uses this information to operate and improve the services it provides, including for fraud detection. You may also choose to allow Stripe to use your data to improve Stripe’s biometric verification technology. You can learn more about Stripe and read its privacy policy at https://stripe.com/privacy.
Make sure your account settings include a link to your privacy policy. This URL will be linked from Stripe Identity.
Add information to your site answering common questions about identity verification and your use of Stripe Identity. See the FAQ template.
When your users request their data to be deleted, redact the VerificationSession and let your users know that they’ll need to contact Stripe support to remove their data from Stripe’s servers. You could add the following paragraph to your application:
We use Stripe for identity document verification. Stripe retains a copy of all the data provided as part of a verification. You may also have consented to allow Stripe to use your data to improve their technology. You can delete your information from Stripe’s servers or revoke your consent by visiting https://support.stripe.com.