§1 · SOLUTION

One POST. One signed JWT.

Drop a single endpoint into your withdrawal handler. Lorica validates the live human, signs the verdict with your tenant's signing secret, and returns a JWT in 292ms median. Your backend verifies the signature locally and authorizes — or doesn't. That's the integration.

§01 · WHERE IT FITS

In front of every action. Behind every authorization.

Your existing stack stays. KYC at signup, session management, wallet custody, transaction routing — none of it changes. Lorica adds one synchronous call between "user requested an action" and "your backend authorizes it."

  • Synchronous. Single HTTP call, response in 292ms median. No webhooks, no eventual consistency, no callbacks.
  • Stateless on your side. The signed JWT is the only artifact you persist. Lorica retains nothing transactional — your audit, your storage.
  • Locally verifiable. Your backend validates the JWT signature against the per-tenant signing secret. No third-party round-trip to verify.
  • Per-action triggered. Your risk policy decides which actions need verification. Lorica runs the verification when called; the decision to call it is yours.

§02 · THE CODE

Three endpoints. One contract.

Drop the verify call into your withdrawal handler. The SDK returns a JWT. You verify it locally and either proceed or queue for review. Most teams complete the integration in a single sitting.

# Verify a withdrawal in 4 lines
client = Lorica(api_key="lorica-prod-...")
result = client.verify(user_id="usr_xyz", action="withdrawal")
if result.match and result.liveness_score > 0.9:
    proceed_with_withdrawal(result.jwt)

// Verify a withdrawal in 4 lines
const lorica = new Lorica({ apiKey: 'lorica-prod-...' });
const result = await lorica.verify({ userId: 'usr_xyz', action: 'withdrawal' });
if (result.match && result.livenessScore > 0.9) proceedWithWithdrawal(result.jwt);

# Verify a withdrawal — direct HTTP
curl -X POST https://api.loricaapi.com/v1/verify \
  -H "Authorization: Bearer lorica-prod-..." \
  -H "Content-Type: application/json" \
  -d '{"user_id": "usr_xyz", "action": "withdrawal"}'

§03 · THE OUTPUT

The JWT is the auditable instrument.

Every verify response is a JWT. The header declares the algorithm. The payload contains the verdict, action context, and timestamps. The signature is HMAC-SHA256 with your signing secret. Your backend verifies it locally — no callback, no webhook. The JWT is the contract.

JWT · HEADER
{
  "alg": "HS256",
  "typ": "JWT"
}

JWT · PAYLOAD
{
  "iss": "lorica.api",
  "sub": "usr_4Z9X2fK8mPq",
  "act": "withdrawal",
  "amt": "50000",
  "asset": "USDT",
  "live": "dual_frame",
  "score": 0.9847,
  "iat": 1720123456,
  "exp": 1720123516
}

JWT · SIGNATURE · HS256
9f3c4e8b2a1d7f6c5e4d3b2a8f7e6d5c4b3a2918...
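
What local verification involves on the backend, as an added example (not Lorica's SDK and not code from this page): pin the algorithm, check the HMAC in constant time, enforce `exp`, and bind the verdict to the exact request being authorized. It assumes the standard compact JWT serialization with base64url segments and the claim names from the payload above; `verify_verdict`, `sign_hs256`, the secret and the `expected` binding are hypothetical, and the token is constructed for the demonstration.

```python
import base64, hashlib, hmac, json, time

def _b64d(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims: dict, secret: bytes, header=None) -> str:
    """Demo helper only: builds a constructed token the way an HS256 issuer would."""
    head = _b64e(json.dumps(header or {"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verify_verdict(token: str, secret: bytes, expected: dict, now=None, min_score=0.9) -> dict:
    """Return the claims if the token authorizes exactly `expected`, else raise ValueError."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        alg, sig = json.loads(_b64d(head_b64))["alg"], _b64d(sig_b64)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: the token must never choose how it is verified.
    if alg != "HS256":
        raise ValueError("unexpected alg")
    want = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, sig):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(_b64d(body_b64))  # trusted only after the MAC checks out
    now = time.time() if now is None else now
    if claims.get("iss") != "lorica.api":
        raise ValueError("wrong issuer")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired")
    # Bind the verdict to this request: same user, action, amount and asset.
    for key, value in expected.items():
        if claims.get(key) != value:
            raise ValueError(f"claim mismatch: {key}")
    if not isinstance(claims.get("score"), (int, float)) or claims["score"] <= min_score:
        raise ValueError("liveness score too low")
    return claims

# Constructed sample: claim values copied from the payload shown above.
SECRET = b"constructed-tenant-signing-secret"
CLAIMS = {"iss": "lorica.api", "sub": "usr_4Z9X2fK8mPq", "act": "withdrawal", "amt": "50000",
          "asset": "USDT", "live": "dual_frame", "score": 0.9847, "iat": 1720123456, "exp": 1720123516}
TOKEN = sign_hs256(CLAIMS, SECRET)
REQUEST = {"sub": "usr_4Z9X2fK8mPq", "act": "withdrawal", "amt": "50000", "asset": "USDT"}
```

Because HS256 is symmetric, the signing secret can mint verdicts as well as verify them, so it belongs in the same secret store as any other signing key. The `expected` values must come from the server-side request record, not from fields the client sends alongside the token.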