
Welcome to Lorica

Step-up biometric verification API for crypto exchanges and fintechs. One POST returns a signed JWT in 292ms median. Three endpoints. Three SDKs. The JWT is the auditable artifact your insurance underwriter wants.


What Lorica does

Every exchange verifies identity at signup — KYC. None re-verify when money moves. That gap is where most 2025 crypto theft happened. Lorica sits at the moment of action: a withdrawal, a wire, a beneficiary change. The user's camera opens, the live face matches the enrolled biometric, and the API returns a signed JWT in 292ms median.

The JWT is the contract. Your backend verifies it locally with the shared signing secret. There is no callback, no webhook, no eventual consistency. The signed JWT is also what your insurance underwriter audits — it documents that a human authorized a specific action at a specific time.


How it works

  1. Enroll once. Capture the user's face during signup. Lorica computes a 512-dimensional embedding and stores it Fernet-encrypted, keyed per tenant. Photos are not retained — only the embedding.
  2. Verify on every high-risk action. When the user initiates a withdrawal, your frontend calls the SDK or widget. The camera captures one to three frames; the API validates and returns a signed JWT in 292ms median.
  3. Receive a signed JWT. 292ms median end-to-end. The JWT contains the user, action, score, liveness method, and a 60-second exp claim.
  4. Verify locally. Your backend validates the JWT against the per-tenant signing secret. If the verdict and score are acceptable, proceed with the action; the JWT is your audit artifact.
  5. Delete on demand. A single DELETE call zeroizes the embedding and revokes any active JWTs for that user. GDPR Article 17 and CCPA compliant.
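
Step 4 in code, as an added example that is not Lorica's SDK or code from this documentation: a standard-library Python check of the signed JWT before a withdrawal proceeds. Assumptions, since the page does not specify them: the token is HS256-signed with the per-tenant secret, the claim names are `sub`, `action`, `score`, `verdict` and `exp`, and the 0.9 score threshold, the 5-second clock-skew allowance and the function names `make_token` and `verify_stepup` are hypothetical.

```python
import base64, hashlib, hmac, json, time

MAX_TTL, SKEW = 60, 5  # 60 s exp is from the page; the 5 s skew allowance is assumed

def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build a constructed sample token that stands in for the API response."""
    head = _b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verify_stepup(token, secret, user, action, min_score=0.9, now=None):
    """Return the claims if the token authorizes `action` for `user`, else raise ValueError."""
    now = time.time() if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64d(head_b64))
        sig = _b64d(sig_b64)
    except ValueError as e:
        raise ValueError("malformed token") from e
    # Pin the algorithm server-side; the token must never choose it (rejects alg=none).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(_b64d(body_b64))  # parsed only after the signature checks out
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired")
    if exp - now > MAX_TTL + SKEW:
        raise ValueError("lifetime exceeds 60s")
    # Bind the token to the pending request so it cannot authorize a different action.
    if claims.get("sub") != user or claims.get("action") != action:
        raise ValueError("token bound to a different user or action")
    if claims.get("verdict") != "pass" or not claims.get("score", 0) >= min_score:
        raise ValueError("verdict or score not acceptable")
    return claims
```

Pass `user` and `action` from your own session and pending-transaction state, not from the request body that carried the token.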