Intent Verification
Verify a user’s identity by sending them a magic link or OTP code. Get the result via webhook or a signed JWT on redirect.Flow
Setup
Create a child workspace
One per organization. Returns API credentials.app_id and api_key_token. Save both.
Skip this if you’re using a single app — just use your existing credentials.
Get an M2M token
short_token (scm2m_...) in X-Authorization for all verification requests.
Send a verification
Add any extra fields to
meta_data — they’re all echoed back.
Email magic link
SMS OTP
Getting the result
Option A: Redirect with JWT
After verification, the user is redirected to:scute_token is an RS256 JWT signed with your app’s key. Verify it against your JWKS:
scute_token is appended automatically.
Option B: Webhook
Events fire to your registered webhook URL.
Replace
* with email or sms.
Payload:
was_opened: true/false so you know if the link was ever clicked.
Signature: X-Webhook-Signature: t={timestamp},v1={hmac} — verify with HMAC-SHA256("{timestamp}.{payload}", webhook_secret).
Verification modes
Set in Settings > Verification. Dismiss (default) — confirm identity, redirect. Done. Consent — confirm identity, then ask the user to approve or deny the action. Webhook includesconsent_decision: "approved" or "denied".
Managing verifications
Settings
Testing
Scute Testbench — connect with M2M token, search users, send verifications, watch webhooks live. Local webhooks:ngrok http 3000