API Integration Guide

The Partner API lets you run verification inside your own product. Your user verifies an account in a secured, iframe-based browser session, and you receive cryptographically attested proof of the result. Credentials never reach Cr3dentials servers. This guide covers the end-to-end flow. For exact request and response schemas, use the interactive API Reference.

Authentication

Every Partner API request authenticates with your API key:

x-api-key: your_api_key_here

Or with a bearer token:

Authorization: Bearer your_api_key_here

Requests with a body must send Content-Type: application/json. See Authentication for full detail.

Response envelope

Successful responses are wrapped in a standard envelope:

{
  "status": "success",
  "data": { }
}

Errors return the matching HTTP status with { "statusCode", "message" }.

The integration flow

List available platforms

Call GET /partner/browser-platforms to get the platforms you can verify. Use a platform’s id as platformId when creating a session.

Create a browser session

POST /partner/browser-session with a platformId. Optionally set receiverData, expiresInHours, webhookUrl, externalReferenceId, and country (proxy exit country). You receive an embedUrl.

Embed the session

Load the embedUrl in an iframe. The user logs in and completes verification inside the isolated browser.

Receive the result

Either poll GET /partner/browser-session/{id} or register a webhookUrl to be notified when the session reaches a terminal status. On success you get extractedData and hasAttestation: true.

curl -X POST https://app.cr3dentials.xyz/v1/partner/browser-session \
  -H "x-api-key: $CR3D_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "platformId": 1,
    "receiverData": { "name": "John Doe", "email": "john@example.com" },
    "country": "US",
    "expiresInHours": 24,
    "webhookUrl": "https://your-app.com/webhooks/cr3dentials",
    "externalReferenceId": "user_abc123"
  }'

Set country to route the verification browser through a residential proxy in a specific country (US, IN, DE, GB, JP, SG, AU, BR). The closest region is selected automatically. Omit it to auto-select based on the platform’s domain.

Session lifecycle

A session moves through these statuses. Poll the session or use webhooks to track it.

Status	Description
`CREATED`	Session created, browser environment not yet assigned.
`INITIALIZING`	Browser environment spinning up.
`READY`	Browser ready, waiting for the user to connect.
`CONNECTED`	User connected via iframe and can interact with the browser.
`LOADING_TREE`	Session agent is loading the verification workflow.
`RUNNING`	Executing verification steps.
`AWAITING_USER`	Waiting for user action (login, 2FA, security questions).
`COLLECTING_DATA`	Extracting account data after successful login.
`VERIFYING`	Generating cryptographic attestation.

Terminal statuses: COMPLETED, PARTIAL_COMPLETE, ERROR, CANCELLED, TERMINATED. A webhook is delivered when any terminal status is reached.

GET /partner/browser-session/{id} never returns the full attestation object. The hasAttestation flag indicates a cryptographic proof exists for the session.

Next steps

API Reference

Every endpoint, parameter, and schema with interactive examples.

Webhooks

Receive verification results in real time.

Rate limits

Limits and how to handle them.

Authentication

API key headers and key management.

​Authentication

​Response envelope

​The integration flow

​Session lifecycle

​Next steps

API Reference

Webhooks

Rate limits

Authentication

Authentication

Response envelope

The integration flow

Session lifecycle

Next steps