Create a Verification Subject
Creates a verification subject (a person or a business) and opens its first verification attempt. Anton mints a hosted verification link — a one-time Persona flow where the subject submits their government ID and selfie (person) or business details plus a UBO cascade (business). Identity documents live with the verification provider and Anton’s vault; they never touch your systems.
Link delivery. With delivery: "email", Anton emails the link to the subject and the
attempt is created with status sent. If the environment cannot deliver email — or you
choose delivery: "manual" — the status is created and YOU deliver the returned
hosted_link through your own channel. Only trust sent as proof an email went out.
hosted_link is secret-once. It appears in this response (and on resend / regenerate /
re-verify responses) and is never readable again. Treat it like a credential: it opens a
flow that collects your customer’s identity documents.
Track progress via the verification.* webhook events or by polling the subject.
Requires the intelligence credential scope and account capability.
Authorizations
OAuth 2.0 client_credentials grant (RFC 6749 §4.4) bound to a DPoP keypair (RFC 9449).
Flow (every authenticated /v1 call requires both an access token AND a fresh per-request DPoP proof):
- Register a credential via the merchant portal. Anton issues a
client_id(ant_oc_<env>_<32hex>) and aclient_secret(ant_ocs_<env>_<48hex>, shown ONCE). The portal generates an ES256 or Ed25519 DPoP keypair in your browser; you store the private half. - Mint an access token:
POST /oauth/tokenwithAuthorization: Basic <client_id:client_secret>andContent-Type: application/x-www-form-urlencoded. Body:grant_type=client_credentials. ADPoPheader carrying a proof signed for the token endpoint is required (noathclaim on this proof). - Use the token: send
Authorization: DPoP <access_token>plus a freshDPoP: <proof>header on every/v1request. The proof JWT MUST carryhtm(request method),htu(request URL, no query/fragment),iat(within ±60s),jti(unique within 5 min), andath(SHA-256 of the access token, base64url).
Tokens expire in 1 hour in production / staging and 8 hours in sandbox. There are no refresh tokens — call /oauth/token again with your secret. Anton's public signing key is published at /.well-known/jwks.json.
OpenAPI 3.0 has no native DPoP scheme; this declaration plus dpopHeader together convey both the access-token Authorization and the per-request proof header.
Per-request DPoP proof JWT (RFC 9449). MUST accompany the Authorization: DPoP <access_token> header on every protected operation. The proof is signed by the merchant's private DPoP key and carries htm, htu, iat, jti, and ath claims.
Headers
Unique key identifying this operation. Sending the same key twice returns the original response instead of creating a duplicate. Keys are retained for 24 hours.
255Body
person, business The subject's legal name. Vault-tokenized at rest; masked on every read.
Where the hosted link is delivered (with delivery: "email"), and the address shown in the flow. Without an email on file, delivery cannot happen — the attempt stays created and you deliver the link yourself.
Optional identifier from your systems, echoed back on reads.
ISO 3166-1 alpha-2. Recommended — it feeds sanctions screening disambiguation.
email — Anton emails the hosted link to the subject. manual (the default when omitted) — you deliver the returned hosted_link yourself.
email, manual Optional text shown in the delivery email, attributed to your business. Used for that one send and never persisted (it may carry incidental PII) — it cannot be read back.
500Hosted-link lifetime.
7, 14, 30 Response
Subject created; first verification attempt opened.