Getting started
This guide walks you through creating your account, enrolling users, integrating the API, and issuing your first Human Presence Token.
Head to /signup and create your organization. You'll set up your admin credentials and can enroll for secure admin login using a passkey (WebAuthn) or Proof 2FA in one flow.
Enter details
Org name, email, and a strong password.
2FA enrollment
Register a passkey (WebAuthn) or complete an identity scan for admin 2FA.
Done
You land on the dashboard with $5 API credit.
Set up 2FA within 7 days
After creating your account, you have 7 days to enroll in two-factor authentication. Choose passkey (WebAuthn) for phishing-resistant hardware key or biometric login, or Proof 2FA for biometric verification with consent. Go to Admin → Security → Two-Factor Authentication to enroll. After the deadline, login is blocked until 2FA is configured.
API keys authenticate your calls to the verification and presence APIs. In the admin portal, go to API Keys and click Create API Key.
The key (starting with prf_) is shown once — copy it somewhere safe. It authenticates both:
Verification API (POST /api/verify)
Presence API (POST /api/presence/sessions)
Before you can verify someone, they need to enroll. There are two ways:
Best for: onboarding teams and individuals
POST /api/enroll with an image
Best for: kiosk setups and automated provisioning
The user's status changes from Pending to Registered once enrollment is complete. You can track progress in the dashboard.
With at least one enrolled user, you can test the verification API. Send a selfie and your API key:
```bash
curl -X POST https://your-domain.com/api/verify \
  -H "X-API-Key: prf_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{ "image": "<base64-encoded-jpeg>" }'
```
A successful response looks like:
```json
{
  "verified": true,
  "email": "alice@company.com",
  "confidence": 0.97,
  "token": "eyJhbGciOiJIUzI1NiIs...",
  "checks": {
    "compositeScore": 0.95,
    "liveness": 0.98,
    "frameConsistency": 0.92
  }
}
```
The response includes a Human Presence Token (HPT) — a signed JWT that proves this person was biometrically verified at this moment.
Proof includes an MCP server that lets AI agents (Claude, Cursor, custom agents) request human presence verification before taking high-value actions like deployments or financial operations.
Add Proof to your AI agent's MCP config:
```json
{
  "mcpServers": {
    "proof": {
      "command": "npx",
      "args": ["-y", "@webel/mcp-server"],
      "env": {
        "PROOF_API_URL": "https://your-domain.com",
        "PROOF_API_KEY": "prf_your_api_key"
      }
    }
  }
}
```
Agent requests verification
When your agent needs human authorization, it calls request_human_presence and gets a verification URL.
Human verifies
The user opens the URL, sees the purpose (e.g., "Approve production deployment"), and completes an identity scan.
Agent gets the token
The agent polls get_presence_token and receives a signed HPT JWT proving the human authorized the action.
Token is used downstream
The agent passes the HPT to APIs, audit logs, or other services as tamper-evident proof of human authorization.
You're up and running. Here are some things to explore next:
Get real-time notifications when users enroll or verify.
Tune liveness thresholds, require specific checks, or create profiles for different use cases.
Add other admins or viewers to your organization.
Provision users automatically from Okta, Azure AD, or any SCIM 2.0 provider.
Add a payment method before your $5 trial credit runs out.
Explore every endpoint, webhook event, and configuration option.
A quick reference for the core ideas in Proof.
| Term | Definition |
|---|---|
| Human Presence Token (HPT) | A short-lived signed JWT proving a specific human was biometrically verified at the time of issuance. Issued after identity verification. |
| Organization | A tenant in Proof. Each org has its own users, API keys, verification profiles, and billing. |
| API Key | An org-scoped credential (prf_xxx) used to authenticate API and MCP requests. Created in Admin → API Keys. |
| Verification Profile | A named configuration defining which biometric checks to run (liveness, frame consistency, travel, etc.) and their thresholds. |
| Presence Session | A time-limited verification request created by an AI agent. A human opens the URL, completes identity verification, and the agent retrieves the HPT. |
| Robustness Level | The assurance level of a verification: low, standard, high, or very-high — based on which checks passed and their scores. |
| MCP Server | A Model Context Protocol server that exposes Proof to AI agents. Supports stdio (local) and HTTP (hosted) transports. |
| DSAR Export | Data Subject Access Request — export all personal data held for a specific email. Available in Admin → DSAR (GDPR Article 15 / CCPA §1798.100). |
| Consent Revocation | Revoking biometric consent deletes biometric embeddings, embedding history, and probe data from verification logs. Available in Admin → Consent. |
| Encryption at Rest | AES-256-GCM envelope encryption with per-org data encryption keys. Covers biometric embeddings, webhook secrets, and OIDC client secrets. Enable by setting PROOF_MASTER_KEY (openssl rand -hex 32). |
| Retention Policy | Per-org retentionDays setting (default 90). A background worker enforces deletion of expired logs every 6 hours. |
Create your free account and run your first verification in under 5 minutes.