Skip to main content

Intent Verification

Verify a user’s identity by sending them a magic link or OTP code. Get the result via webhook or a signed JWT on redirect.

Flow


Setup

Create a child workspace

One per organization. Returns API credentials.
Returns app_id and api_key_token. Save both. Skip this if you’re using a single app — just use your existing credentials.

Get an M2M token

Use the returned short_token (scm2m_...) in X-Authorization for all verification requests.

Send a verification

Add any extra fields to meta_data — they’re all echoed back.

SMS OTP


Getting the result

Option A: Redirect with JWT

After verification, the user is redirected to:
The scute_token is an RS256 JWT signed with your app’s key. Verify it against your JWKS:
Payload:
60-second TTL. One-time use. Redirect URL template — set a default in Settings with placeholders:
The scute_token is appended automatically.

Option B: Webhook

Events fire to your registered webhook URL. Replace * with email or sms. Payload:
Expiration events include was_opened: true/false so you know if the link was ever clicked. Signature: X-Webhook-Signature: t={timestamp},v1={hmac} — verify with HMAC-SHA256("{timestamp}.{payload}", webhook_secret).

Verification modes

Set in Settings > Verification. Dismiss (default) — confirm identity, redirect. Done. Consent — confirm identity, then ask the user to approve or deny the action. Webhook includes consent_decision: "approved" or "denied".

Managing verifications


Settings


Testing

Scute Testbench — connect with M2M token, search users, send verifications, watch webhooks live. Local webhooks: ngrok http 3000