Didit and the New Perimeter: Proving the Human Is Real
For most of the internet's history, the hard security problem was the password.
We built our defenses around secrets: something you know, something you have, something you are. The entire apparatus of online trust—logins, two-factor codes, security questions—rested on the assumption that if you could prove possession of a secret, you were probably who you claimed to be.
That assumption is quietly collapsing.
Generative AI has made it trivial to fabricate a face, clone a voice, and forge a document that looks more convincing than a real one. A deepfake that would have required a studio and a week of work in 2020 now takes a prompt and a few seconds. At the same time, autonomous AI agents are beginning to open accounts, make purchases, and move money on behalf of users. The question is no longer just "does this person know the password?" It's "is there a person here at all?"
That is the problem Didit is built to solve.
Didit is an identity and fraud infrastructure platform that confirms a real, live human is on the other end of a transaction—through document verification, biometrics, and liveness detection—and does it through a single programmable API. As the company puts it: in a world of agents and deepfakes, proving the human is real is the new perimeter.
The Verification Stack Was Never Designed for This
To understand why Didit matters, you have to understand how broken the incumbent approach is.
A typical company that needs to verify users—a fintech, a crypto exchange, a marketplace—doesn't buy one product. It assembles a patchwork. One vendor for document scanning. Another for liveness detection. A third for anti-money-laundering screening against sanctions lists. A fourth for ongoing transaction monitoring. Each has its own integration, its own contract, its own data format, its own dashboard.
The result is slow, expensive, and brittle. Every vendor is a separate negotiation and a separate point of failure. The handoffs between them create gaps—exactly the seams that fraudsters probe. And because these systems were architected for a pre-generative-AI world, many of them still treat a clear photo of a government ID as strong evidence. In an era of AI-generated documents, that's a dangerously outdated assumption.
The old stack has another problem: it's built for humans checking humans. Underwriting a new vendor takes weeks. Getting a sandbox key requires a sales call. Pricing is opaque and gated. None of this fits the pace at which modern software—and increasingly, autonomous software—needs to operate.
Didit's thesis is that identity verification shouldn't be a procurement project. It should be infrastructure you call with an API.
What Didit Actually Does
Didit collapses the fragmented verification stack into one platform with a single integration point.
At its core is a library of more than 25 composable modules that a developer can assemble into a custom verification flow. The building blocks span the full identity lifecycle:
Document and identity verification. Didit reads and validates identity documents across 220+ countries and 14,000+ document types, including NFC-based ePassport reading for cryptographically signed chips that are far harder to forge than a photograph.
Biometric liveness and face matching. Active and passive liveness detection confirm that a real, present human is being captured—not a photo, a screen replay, or a deepfake. A 1:1 face match then ties that live capture to the document. Didit's liveness has been tested to iBeta Level 1 presentation-attack-detection standards.
Business verification (KYB) and AML. For companies onboarding other companies, Didit validates business registration, identifies ultimate beneficial owners, and screens individuals and entities against thousands of sanctions lists and politically-exposed-person databases.
Ongoing monitoring. Verification isn't a one-time gate. Didit offers real-time transaction monitoring and crypto wallet screening so risk can be reassessed continuously after onboarding, not just at signup.
Tying it together is a workflow orchestrator that lets a customer compose these modules in any sequence within a single user session—running an age check here, a full KYC bundle there, an AML screen for high-value transactions. The company claims 99% of verifications complete end-to-end in under two seconds.
The strategic point isn't any single module. Plenty of vendors do liveness, or document scanning, or AML. The point is that they're unified—one API, one session, one integration—so the seams where fraud lives simply aren't there.
Pricing as a Product Decision
One of the most telling things about Didit is how it prices.
The platform offers a free tier of 500 verifications a month, indefinitely, with no credit card required. Above that, it's pure pay-as-you-go: no minimums, no annual contracts, no sales gatekeeping. And the per-module prices are published openly—a full KYC bundle at a fraction of what incumbents charge, individual modules priced à la carte down to fractions of a cent.
This is not a minor marketing choice. It's a strategic wedge.
Incumbent identity vendors sell through enterprise sales motions: opaque pricing, long contracts, mandatory demos. That model works when your buyer is a compliance officer at a large bank. It fails completely when your buyer is a developer at a fast-moving startup who wants to ship this week. By publishing prices, offering an instant sandbox, and letting anyone issue a production key without a credit card, Didit meets developers where they actually are.
Transparent, usage-based pricing also aligns the company with its customers in a way that seat licenses and annual minimums don't. You pay for verifications you actually run. The vendor grows only when the customer grows. It's the same dynamic that made so much of modern developer infrastructure—payments, communications, cloud—default to consumption pricing.
The Agent-Native Bet
The most forward-looking part of Didit's design is that it's built for a world where the "user" integrating it might not be human either.
Didit ships a Model Context Protocol server, which means an AI coding agent can configure verification workflows and deploy them without a human writing the integration by hand. That's a small feature with a large implication. The company clearly believes that software is increasingly going to be assembled by agents, and it wants its identity primitives to be callable by those agents natively.
There's a deeper symmetry here. As autonomous agents begin to act on behalf of users—booking, buying, transacting—the systems they interact with will need a reliable way to establish that a real, accountable human authorized the action. Identity verification becomes the checkpoint between "an agent did something" and "a person is responsible for it." A company that makes that checkpoint trivially easy to call is positioning itself at exactly the layer that matters as agentic software scales.
Proving the human is real isn't just a fraud-prevention feature anymore. In an agent economy, it's the thing that keeps accountability attached to actions.
Why the Trust Signals Matter
Identity infrastructure is a trust business, and trust in this category is earned through credentials and adoption—both of which Didit has been accumulating quickly.
On the compliance side, the platform carries the certifications that regulated customers require: ISO/IEC 27001, SOC 2, iBeta-tested liveness, GDPR alignment, and design conformance with a stack of financial regulations from AML directives to crypto-asset and operational-resilience rules. Notably, Spanish financial authorities recognized Didit's remote verification as safer than in-person checks through a regulatory sandbox—an unusually strong external validation for an early-stage company.
On the adoption side, Didit reports serving thousands of organizations and processing millions of verifications a month, spanning fintech, crypto, marketplaces, gaming, insurance, and more. The company has raised a seed round backed by Y Combinator and Robinhood Ventures—an investor that understands regulated financial infrastructure from the inside.
And then there are the founders. Didit was built by Alberto and Alejandro Rosas—identical twin brothers and repeat founders who, before software, competed as professional tennis players. It's an unusual background, but the pattern that matters is the one under it: repeat founders attacking an infrastructure problem they clearly understand, in a category where execution and trust compound over time.
The Category Being Redrawn
Step back, and Didit is a bet on a shift in what "security" means online.
For thirty years, the perimeter was informational. You secured secrets—passwords, keys, tokens—and trusted anyone who could produce them. That model assumed secrets were hard to fake and identity was hard to forge. Generative AI has broken both assumptions at once. Secrets leak, and the things secrets were supposed to protect—faces, voices, documents—can now be synthesized on demand.
When you can no longer trust the artifact, you have to verify the source. The new perimeter isn't "do you have the credential?" It's "are you a real, live, accountable human?" That question has to be answered fast, cheaply, at global scale, and increasingly on behalf of software agents that can't answer it for themselves.
That's the layer Didit is building. Not another point solution bolted onto an aging stack, but a single programmable surface for the one question that keeps getting harder to answer and more important to get right.
If the last era of internet security was about protecting secrets, the next one is about proving humanity. Didit is making that proof a single API call—and betting that in a world of deepfakes and agents, it becomes one of the most important calls software makes.