> ## Documentation Index
> Fetch the complete documentation index at: https://docs.antonpayments.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Re-verify a Subject

> Opens a **new verification attempt** for an existing subject (periodic KYC refresh, or a
material change in the subject's details). The prior attempt history is preserved; the
subject's current status now tracks the new attempt. The response carries the new attempt
with its secret-once `hosted_link`; when the subject has an email on file, Anton also
re-delivers the link (status `sent`).




## OpenAPI

````yaml POST /v1/verification-subjects/{id}/verifications
openapi: 3.1.0
info:
  title: Anton Payments API
  version: 1.0.0
  summary: Cross-border payout infrastructure. Fiat, stablecoin, and crypto.
  description: >
    The Anton Payments merchant API. Versioned, idempotent, cursor-paginated.


    - **Authentication**: OAuth 2.0 client_credentials with DPoP
    proof-of-possession (RFC 6749 §4.4 + RFC 9449). Programmatic clients
    exchange `(client_id, client_secret)` for a short-lived access token at
    `POST /oauth/token`, then send each request with `Authorization: DPoP
    <access_token>` plus a per-request `DPoP: <proof>` header. Static API keys
    are not accepted on v1.

    - Base URLs: `https://api.antonpayments.com` (production),
    `https://api.antonpayments.dev` (sandbox).

    - Monetary amounts are decimal strings. Never floats.

    - Timestamps are RFC 3339 UTC.

    - All mutating endpoints support the `Idempotency-Key` header.

    - Anton's OAuth public signing key is published at `GET
    /.well-known/jwks.json` (5-minute cache; RFC 8615).


    **Capabilities and scopes.** Every account carries a capability set
    (`payouts`, `intelligence`) and every

    credential carries a scope set validated against it at creation.
    AI-compliance-only accounts hold only

    `intelligence` — all payout-surface endpoints return `403
    capability_required` for them. A credential

    minted without a scope returns `403 insufficient_scope` on that surface.
    Effective access is

    `scopes ∩ capabilities`. Access tokens embed the grants as a space-delimited
    `scope` claim, echoed in the

    token response.


    **What machine credentials can never do.** Approval decisions (payout
    approve/reject — maker-checker

    requires a human identity) and detokenized PII readback (beneficiary PII,
    verification name reveal,

    captured-document viewing) are dashboard-only: those operations require a
    signed-in portal user with the

    right role, and every access is audit-logged. Machine credentials can
    deposit and replace PII — your

    system is its source — but can never read it back, so a leaked credential
    cannot harvest identities.


    See the Cross-Cutting section of the docs for idempotency, pagination, rate
    limits, errors, webhook events, and webhook signing.
  contact:
    name: Anton Payments Support
    url: https://help.antonpayments.com
  license:
    name: Proprietary
    url: https://www.antonpayments.com
servers:
  - url: https://api.antonpayments.com
    description: Production
  - url: https://api.antonpayments.dev
    description: Sandbox
security:
  - oauthDPoP: []
    dpopHeader: []
tags:
  - name: Authentication
    description: >-
      OAuth 2.0 token endpoint and JWKS publication. See the API description for
      the full DPoP-bound flow.
  - name: OAuth Clients
    description: >-
      Manage OAuth credentials (programmatic access). Portal-only — JWT auth
      required.
  - name: Reference Data
    description: Currencies, countries, and supported payment methods.
  - name: Beneficiaries
    description: Create and manage the people and businesses you pay.
  - name: Instruments
    description: >-
      Payment instruments attached to beneficiaries — bank accounts, wallets,
      cards.
  - name: Payouts
    description: Initiate and track payouts.
  - name: Batches
    description: CSV-driven bulk payout processing.
  - name: Balances
    description: Merchant balance by currency.
  - name: Accounts
    description: Virtual accounts for merchant funding.
  - name: Webhooks
    description: Subscribe to event notifications.
  - name: Documents
    description: Upload and manage KYB and supporting documents.
  - name: RFIs
    description: Respond to Requests for Information raised during review.
  - name: Pricing
    description: Read merchant pricing plans and quote fees.
  - name: FX
    description: Quote, lock, and execute currency exchanges between balances.
  - name: Corridors
    description: Active cross-border corridors for your merchant.
  - name: Balance Alerts
    description: >-
      Per-currency low-balance thresholds that drive the `balance.low` webhook
      event.
  - name: Sandbox
    description: Reset and seed your sandbox environment.
  - name: Merchant
    description: Merchant profile, branding, preferences, and security posture.
  - name: API Keys
    description: Issue, list, and revoke API keys.
  - name: Users
    description: Self-service profile, MFA, and team management.
  - name: Notifications
    description: Per-user notification channels and preferences.
  - name: Velocity
    description: Merchant-scoped risk rules and what-if simulation.
  - name: Engine
    description: Glass-box view of Anton's risk intelligence.
  - name: Intelligence
    description: >-
      Normalized payee, instrument, payout, and merchant risk intelligence
      evaluations.
  - name: Verifications
    description: >-
      KYC/KYB-as-a-service — verify the identity of your customers and their
      businesses through Anton-hosted flows, with sanctions screening built in.
  - name: Onboarding
    description: Authenticated KYB onboarding draft and submission.
  - name: Public Onboarding
    description: >-
      Session-authenticated hosted onboarding flow. Not intended for SDK
      consumption.
paths:
  /v1/verification-subjects/{id}/verifications:
    post:
      tags:
        - Verifications
      summary: Re-verify a subject
      description: >
        Opens a **new verification attempt** for an existing subject (periodic
        KYC refresh, or a

        material change in the subject's details). The prior attempt history is
        preserved; the

        subject's current status now tracks the new attempt. The response
        carries the new attempt

        with its secret-once `hosted_link`; when the subject has an email on
        file, Anton also

        re-delivers the link (status `sent`).
      operationId: reverifySubject
      parameters:
        - $ref: '#/components/parameters/VerificationSubjectID'
        - $ref: '#/components/parameters/IdempotencyKey'
      responses:
        '201':
          description: New attempt opened.
          content:
            application/json:
              schema:
                type: object
                required:
                  - data
                properties:
                  data:
                    $ref: '#/components/schemas/VerificationAttempt'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/CapabilityForbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '409':
          $ref: '#/components/responses/IdempotencyConflict'
        '429':
          $ref: '#/components/responses/RateLimited'
        '503':
          description: The verification provider is not configured on this environment.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
      security:
        - oauthDPoP: []
          dpopHeader: []
components:
  parameters:
    VerificationSubjectID:
      name: id
      in: path
      required: true
      description: Verification subject ID.
      schema:
        type: string
        pattern: ^vsub_[a-zA-Z0-9]+$
    IdempotencyKey:
      name: Idempotency-Key
      in: header
      description: >
        Unique key identifying this operation. Sending the same key twice
        returns the original

        response instead of creating a duplicate. Keys are retained for 24
        hours.
      required: true
      schema:
        type: string
        maxLength: 255
  schemas:
    VerificationAttempt:
      type: object
      description: >
        One verification attempt. `hosted_link` is **secret-once**: present only
        on the response

        that minted it (create / resend / regenerate / re-verify) and never on a
        read.
      required:
        - id
        - status
        - reason
        - created_at
        - checks
      properties:
        id:
          type: string
          description: Attempt ID (`vrf_...`).
        status:
          $ref: '#/components/schemas/VerificationStatus'
        reason:
          type: string
          enum:
            - initial
            - reverification
            - regenerated
          description: Why this attempt was opened.
        created_at:
          type: string
          format: date-time
        completed_at:
          type: string
          format: date-time
          description: Present once the attempt reached a terminal outcome.
        link_expires_at:
          type: string
          format: date-time
          description: When the current hosted link lapses.
        checks:
          type: array
          items:
            $ref: '#/components/schemas/VerificationCheck'
        screening:
          $ref: '#/components/schemas/VerificationScreening'
        ubos:
          type: array
          items:
            $ref: '#/components/schemas/VerificationUBO'
          description: Business verifications only — the owner cascade.
        hosted_link:
          type: string
          description: Secret-once hosted verification link. Only on minting responses.
    ErrorEnvelope:
      type: object
      required:
        - error
      properties:
        error:
          type: object
          required:
            - message
          properties:
            message:
              type: string
              description: Human-readable description of what went wrong.
            code:
              type: string
              description: Machine-readable error code. Branch on this, not on `message`.
              example: insufficient_balance
      example:
        error:
          message: insufficient funds for this payout
          code: insufficient_balance
    VerificationStatus:
      type: string
      description: >
        Verification attempt lifecycle status.


        - `created` — attempt exists, link minted, nothing delivered yet (manual
        delivery, or email unavailable)

        - `sent` — hosted link delivered to the subject by email

        - `in_progress` — the subject opened the flow

        - `processing` — submitted; provider checks running

        - `awaiting_owners` — business only: the business case is done, owner
        (UBO) flows outstanding

        - `review` — flagged for manual review

        - `approved` — verified (terminal)

        - `declined` — failed verification (terminal)

        - `expired` — the link or inquiry lapsed unused (terminal)

        - `revoked` — cancelled by the merchant (terminal)
      enum:
        - created
        - sent
        - in_progress
        - processing
        - awaiting_owners
        - review
        - approved
        - declined
        - expired
        - revoked
    VerificationCheck:
      type: object
      description: >-
        One provider check on an attempt (e.g. government-ID authenticity,
        selfie match).
      required:
        - type
        - label
        - status
        - detail
      properties:
        type:
          type: string
          description: Machine-readable check type.
        label:
          type: string
          description: Human-readable check name.
        status:
          type: string
          enum:
            - passed
            - failed
            - review
            - pending
        detail:
          type: string
          description: Human-readable outcome detail.
    VerificationScreening:
      type: object
      description: >
        Sanctions/PEP/watchlist screening block. Every completed verification is
        screened through

        Anton Intelligence; `evaluation_id` resolves at `GET
        /v1/intelligence/evaluations/{id}` for

        the full decision evidence.
      required:
        - status
        - lists_checked
        - evaluation_id
        - detail
      properties:
        status:
          type: string
          enum:
            - clear
            - hit
            - pending
        lists_checked:
          type: array
          items:
            type: string
          description: >-
            Lists screened against (e.g. OFAC SDN, UN Consolidated, EU
            Consolidated, UK HMT, PEP).
        evaluation_id:
          type: string
          description: Anton Intelligence evaluation backing this screening outcome.
        detail:
          type: string
    VerificationUBO:
      type: object
      description: >
        A controlling owner (UBO) on a business verification. Each owner
        completes an individual

        KYC flow; the business cannot reach `approved` until every controlling
        owner has.

        `display_name` is masked.
      required:
        - id
        - display_name
        - email
        - ownership_pct
        - status
      properties:
        id:
          type: string
          description: Owner ID (`vubo_...`).
        display_name:
          type: string
          description: Masked owner name.
        email:
          type: string
        ownership_pct:
          type: integer
          description: Declared ownership percentage.
        status:
          $ref: '#/components/schemas/VerificationStatus'
        completed_at:
          type: string
          format: date-time
          description: Present once the owner's flow reached a terminal outcome.
  responses:
    Unauthorized:
      description: Missing or invalid API key, or key used against the wrong environment.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorEnvelope'
          examples:
            missing_key:
              summary: Missing bearer token
              value:
                error:
                  code: unauthorized
                  message: missing or invalid credentials
            wrong_environment:
              summary: Test key used against production
              value:
                error:
                  code: key_environment_mismatch
                  message: this API key is not valid for this environment
    CapabilityForbidden:
      description: >
        The account capability or credential scope required by this endpoint is
        missing.

        `capability_required` — the merchant account does not hold the required
        capability

        (e.g. an AI-compliance-only account calling a payout endpoint).
        `insufficient_scope` —

        the account holds it, but this credential was created without the
        matching scope.

        Effective access is always `scopes ∩ capabilities`.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorEnvelope'
          examples:
            capability_required:
              summary: Account lacks the capability
              value:
                error:
                  code: capability_required
                  message: this endpoint requires the "payouts" account capability
            insufficient_scope:
              summary: Credential lacks the scope
              value:
                error:
                  code: insufficient_scope
                  message: this endpoint requires a credential with the "payouts" scope
    NotFound:
      description: The resource does not exist, or belongs to a different merchant.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorEnvelope'
    IdempotencyConflict:
      description: >-
        The same `Idempotency-Key` was previously used with a different request
        body.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorEnvelope'
    RateLimited:
      description: >-
        Rate limit exceeded. See `Retry-After`. The `X-RateLimit-*` headers are
        present on every API response, not only on 429s — they are documented
        here because this is where clients act on them.
      headers:
        Retry-After:
          $ref: '#/components/headers/Retry-After'
        X-RateLimit-Limit:
          $ref: '#/components/headers/X-RateLimit-Limit'
        X-RateLimit-Remaining:
          $ref: '#/components/headers/X-RateLimit-Remaining'
        X-RateLimit-Reset:
          $ref: '#/components/headers/X-RateLimit-Reset'
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorEnvelope'
          examples:
            rate_limit_exceeded:
              summary: Retry after the limiter resets
              value:
                error:
                  code: rate_limit_exceeded
                  message: rate limit exceeded, retry after 60 seconds
  headers:
    Retry-After:
      description: Seconds to wait before retrying. Included on 429 responses.
      schema:
        type: integer
    X-RateLimit-Limit:
      description: Maximum requests permitted in the current window.
      schema:
        type: integer
    X-RateLimit-Remaining:
      description: Requests remaining in the current window.
      schema:
        type: integer
    X-RateLimit-Reset:
      description: Unix timestamp when the current window resets.
      schema:
        type: integer
  securitySchemes:
    oauthDPoP:
      type: oauth2
      description: >
        OAuth 2.0 client_credentials grant (RFC 6749 §4.4) bound to a DPoP
        keypair (RFC 9449).


        **Flow** (every authenticated `/v1` call requires both an access token
        AND a fresh per-request DPoP proof):


        1. Register a credential via the merchant portal. Anton issues a
        `client_id` (`ant_oc_<env>_<32hex>`) and a `client_secret`
        (`ant_ocs_<env>_<48hex>`, shown ONCE). The portal generates an ES256 or
        Ed25519 DPoP keypair in your browser; you store the private half.

        2. Mint an access token: `POST /oauth/token` with `Authorization: Basic
        <client_id:client_secret>` and `Content-Type:
        application/x-www-form-urlencoded`. Body:
        `grant_type=client_credentials`. A `DPoP` header carrying a proof signed
        for the token endpoint is required (no `ath` claim on this proof).

        3. Use the token: send `Authorization: DPoP <access_token>` plus a fresh
        `DPoP: <proof>` header on every `/v1` request. The proof JWT MUST carry
        `htm` (request method), `htu` (request URL, no query/fragment), `iat`
        (within ±60s), `jti` (unique within 5 min), and `ath` (SHA-256 of the
        access token, base64url).


        Tokens expire in **1 hour** in production / staging and **8 hours** in
        sandbox. There are no refresh tokens — call `/oauth/token` again with
        your secret. Anton's public signing key is published at
        `/.well-known/jwks.json`.


        OpenAPI 3.0 has no native DPoP scheme; this declaration plus
        `dpopHeader` together convey both the access-token Authorization and the
        per-request proof header.
      flows:
        clientCredentials:
          tokenUrl: /oauth/token
          scopes:
            payouts: >-
              Money movement — payouts, batches, beneficiaries, instruments,
              balances, funding, FX.
            intelligence: Anton Intelligence — screening evaluations and evidence.
    dpopHeader:
      type: apiKey
      in: header
      name: DPoP
      description: >
        Per-request DPoP proof JWT (RFC 9449). MUST accompany the
        `Authorization: DPoP <access_token>` header on every protected
        operation. The proof is signed by the merchant's private DPoP key and
        carries `htm`, `htu`, `iat`, `jti`, and `ath` claims.

````