Skip to main content

OAuth2

SDK

We provide a PHP SDK with an example integration to make it easier and faster to get ready to verify your customers' age:

VerifyMyAge Adult PHP SDK

Postman Workspace

We've created a Postman workspace specifically for our API, which contains example API calls that you can use to test and familiarise yourself with our API.

The workspace includes example API calls for each of our API endpoints, along with detailed descriptions of the request parameters and headers being used.

You can generate most of the client code to call our APIs using the Postman client code generator. With this feature, developers can select a range of programming languages, and generate the corresponding code with a few clicks.

Please note that while both the example API calls and the generated code can be a helpful starting point, it's important to thoroughly test your own API calls before deploying them in production. If you encounter any issues while using the example API calls, or if you have any questions about our API, please don't hesitate to reach out to our support team.

API Domain

Our API is designed to be used in two environments: a sandbox environment and a production environment.

The sandbox environment is intended for testing and development purposes, while the production environment is used for live data and real-world use cases.

To ensure the security and integrity of our API, we use separate API keys for each environment. This means that you will need to obtain different API keys for the sandbox and production environments, and should not use the same key for both.

DomainEnvironment
https://oauth.verifymyage.comproduction
https://sandbox.verifymyage.comsandbox

User Journey

Each country has different requirements for accessing adult content which are laid out by the regulator of that country.

A user is required to verify their age the first time they visit your site. They simply log in to their VerifyMyAge account for future sessions.

User journey diagram

Integration Steps

The OAuth2 verification consists of 2 basic steps, getting a user access token and then getting user data:

1. Redirect the user to the VerifyMyAge verification flow

2. Your server performs a POST request to exchange the code for an access_token

Then, you can confirm that the user is age-verified by calling the user details endpoint using the access_token received.

OAuth2 Flow

Redirect user to the flow

This will redirect the user back to the URL you've sent on the redirect_uri query parameter with one key extra query parameter code. This value sent will be used on the next step of the OAuth2 flow.

Request parameters

client_id required

Your API Key which can be found in your VerifyMyAge dashboard

scope required

Constant value must be set as adult

redirect_uri required

URL that the user will be redirected to after the age-verification flow

country required

2-letter ISO country code. Available options: gb, de, fr, or us.

user_id optional

User's unique ID

Error responses

CodeDescription
400
{"message": "invalid client id", "status_code": 400}
Copy

Copied!

400
{"message": "invalid params","status_code": 400}
Copy

Copied!

400
{"message": "invalid scope","status_code": 400}
Copy

Copied!

401
{"message": "Unauthorized redirect_uri","status_code": 401}
Copy

Copied!

500
{"message": "Internal Server Error","status_code": 500}
Copy

Copied!

API Call
httpcurlphp
GET /oauth/authorize?client_id=CLIENT-ID&scope=adult&country=gb&redirect_uri=https://your-domain.com/your-path HTTP/1.1
Copy

Copied!

curl https://sandbox.verifymyage.com/oauth/authorize?client_id=CLIENT-ID&scope=adult&country=gb&redirect_uri=https://your-domain.com/your-path
Copy

Copied!

<?php
require(__DIR__ . "/vendor/autoload.php");

use \VerifyMyAge\OAuth;
use \VerifyMyAge\Countries;


$redirectURL = $vma->redirectURL(Countries::FRANCE);
Copy

Copied!

Response 302

Exchange code by token

For security reasons, you'll have to send your secret key via server-side to exchange the code for an access_token.

Following the OAuth2 standard, you'll have to send the Authorization header using the Basic authentication format:

The value is generated by the base64 string of the concatenation of your API Key and API Secret separated by a colon (:).

Example in PHP:

[
    'Authorization' => 'Basic ' . base64_encode(
        $apiKey . ':' . $apiSecret
    )
]

Request parameters

code required

Code received as query parameter to your redirect_uri of the previous step

Error responses

CodeDescription
400
{"message": "invalid client credentials", "status_code": 400}
Copy

Copied!

401
{"message": "client id and client secret does not match","status_code": 401}
Copy

Copied!

401
{"message": "Unauthorized redirect_uri","status_code": 401}
Copy

Copied!

500
{"message": "Internal Server Error","status_code": 500}
Copy

Copied!

API Call
httpcurlphp
POST /oauth/token HTTP/1.1
Content-Type: application/json
Authorization: Basic {BASE64}

{
    "code": "CODE-RECEIVED-ON-THE-FIRST-STEP"
}
Copy

Copied!

curl -d '{"code": "CODE-RECEIVED-ON-THE-FIRST-STEP"}' \
    -H "Content-Type: application/json" \
    -H "Authorization: Basic {BASE64}" \
    -X POST https://sandbox.verifymyage.com/oauth/token
Copy

Copied!

<?php
require(__DIR__ . "/vendor/autoload.php");

use \VerifyMyAge\OAuth;
use \VerifyMyAge\Countries;

$accessToken = $vma->exchangeCodeByToken($_GET['code']);
Copy

Copied!

Response 200: (application/json)
{
  "access_token": "RANDOM-CODE"
}
Copy

Copied!

User details

You are able to get the status of the verification now.

Request parameters

access_token required

Token generated by the VerifyMyAge API during this flow

Response parameters

age_verified

Boolean that represents if the user proved age.

id

Unique Identifier representing a verification

threshold

Age-threshold used to verify the user age. It will be a fixed value of 18.

Error responses

CodeDescription
400
{"message": "malformed token", "status_code": 400}
Copy

Copied!

500
{"message": "error trying to save verification","status_code": 500}
Copy

Copied!

500
{"message": "invalid scope to present","status_code": 500}
Copy

Copied!

500
{"message": "Internal Server Error","status_code": 500}
Copy

Copied!

API Call
httpcurlphp
GET /users/me?access_token={TOKEN} HTTP/1.1
Copy

Copied!

curl https://sandbox.verifymyage.com/users/me?access_token={TOKEN}
Copy

Copied!

<?php
require(__DIR__ . "/vendor/autoload.php");

use \VerifyMyAge\OAuth;
use \VerifyMyAge\Countries;

$user = $vma->user($accessToken);
Copy

Copied!

Response 200: (application/json)
{
  "age_verified": true,
  "id": "ABC-12345-DEF-64321",
  "threshold": 18
}
Copy

Copied!

Allowed Redirect URLs

URLs that are allowed to be redirected to after a successful verification.

Get allowed URLs

Retrieve a list of allowed redirect URLs.

Response parameters

body

The list of Allowed Redirect URLs.

Error responses

CodeDescription
401
{"message": "invalid authentication", "status_code": 401}
Copy

Copied!

500
{"message": "Internal Server Error","status_code": 500}
Copy

Copied!

API Call
httpcurl
GET /business/allowed-redirects HTTP/1.1
Authorization: {API_KEY}
Copy

Copied!

curl https://sandbox.verifymyage.com/business/allowed-redirects
    --header 'Authorization: {API_KEY}'
Copy

Copied!

Response 200: (application/json)
{
  "body": [
    "https://your-website.com/redirect-1",
    "https://your-website.com/redirect-2"
  ]
}
Copy

Copied!

Add Allowed URLs

Add one or more allowed redirect URLs.

Request parameters

body required

An array containing the allowed redirect URLs.

Error responses

CodeDescription
401
{"message": "invalid authentication", "status_code": 401}
Copy

Copied!

500
{"message": "Internal Server Error","status_code": 500}
Copy

Copied!

API Call
httpcurl
PATCH /business/allowed-redirects HTTP/1.1
Authorization: {API_KEY}
[
    "https://your-website.com/redirect-1"
]
Copy

Copied!

curl -X PATCH https://sandbox.verifymyage.com/business/allowed-redirects
    --header 'Authorization: {API_KEY}'
    --data '[
    "https://your-website.com/redirect-1"
]'
Copy

Copied!

Response 204

Replace All Allowed URLs

Replace any existing allowed redirect URLs with the provided list.

Request parameters

body required

An array containing the allowed redirect URLs.

Error responses

CodeDescription
401
{"message": "invalid authentication", "status_code": 401}
Copy

Copied!

500
{"message": "Internal Server Error","status_code": 500}
Copy

Copied!

API Call
httpcurl
PUT /business/allowed-redirects HTTP/1.1
Authorization: {API_KEY}
[
    "https://your-website.com/new-redirect-url"
]
Copy

Copied!

curl -X PUT https://sandbox.verifymyage.com/business/allowed-redirects
    --header 'Authorization: {API_KEY}'
    --data '[
    "https://your-website.com/new-redirect-url"
]'
Copy

Copied!

Response 204

Delete Allowed URLs

Remove one or more allowed redirect URLs.

Request parameters

body required

An array containing the allowed redirect URLs.

Error responses

CodeDescription
401
{"message": "invalid authentication", "status_code": 401}
Copy

Copied!

500
{"message": "Internal Server Error","status_code": 500}
Copy

Copied!

API Call
httpcurl
DELETE /business/allowed-redirects HTTP/1.1
Authorization: {API_KEY}
[
    "https://your-website.com/redirect-1",
    "https://your-website.com/redirect-2"
]
Copy

Copied!

curl -X DELETE https://sandbox.verifymyage.com/business/allowed-redirects
    --header 'Authorization: {API_KEY}'
    --data '[
    "https://your-website.com/redirect-1",
    "https://your-website.com/redirect-2"
]'
Copy

Copied!

Response 204

Demo

You can try a demo of this integration at:

https://demo.verifymyage.com/