Changelog
Notable changes to the Loom API are recorded here. The current API is v1.
v1 — Current release
The first public release of the Loom API. v1 provides age verification through a hosted identity flow, with results delivered by polling or webhook.
Verification
POST /verify/start— create a verification session and receive asessionUrlto send the user to. The request body is optional and accepts onlyuserAgentandip.GET /verify/status— poll the status of a verification. Statuses:pending,started,submitted,approved,denied,resubmission,rejected.POST /tokens/validate— validate a signed age token and readover18.
See Verification for the full request and response reference.
Identity provider
- Verification is powered by iDenfy. The user completes document and biometric checks in the iDenfy-hosted session. Loom stores verification metadata and signed tokens — never ID images.
Outbound webhooks
- A
verification.completedevent is delivered to your configured webhook URL when a verification reaches a terminal status. - Requests are signed with an
X-Webhook-Signatureheader (HMAC-SHA256, hex) and carry anX-Webhook-Eventheader. Delivery is attempted up to 3 times. - The webhook URL and signing secret are managed in the dashboard under Settings. The secret can be rotated with a 24-hour grace window during which both the old and new secrets are accepted.
See Outbound Webhooks for the payload format and signature verification.
Authentication & limits
- Server-to-server requests authenticate with a tenant API key sent in the
x-tenant-api-keyheader. - The dashboard and
/consoleroutes authenticate with Clerk (Authorization: Bearer <JWT>). - Rate limiting is applied per tenant API key. All errors use a consistent flat JSON shape — see Errors.
Versioning policy
The current API is v1. Additive changes — new optional fields, new endpoints — ship within v1. Backwards-incompatible changes will be introduced under a new version. Material changes are recorded on this page.
Support
Questions about a change? Contact support@loomapi.com.