Authenticate all Sumsub API requests using HMAC-SHA256 request signing: sign the timestamp + HTTP method + path + body with your secret key and include the app token (YOUR_APP_TOKEN) and signature in the request headers.
Create an applicant by POST-ing to /resources/applicants with a levelName (the verification level configured in your Sumsub dashboard) and an externalUserId mapping to your internal user ID.
Generate an access token via /resources/accessTokens for the applicant and pass it to the Sumsub Web SDK or Mobile SDK to launch the document and selfie capture flow.
Configure a webhook endpoint in the Sumsub dashboard; Sumsub will POST events including applicantReviewed with a reviewResult.reviewAnswer of GREEN (pass) or RED (reject).
On receiving an applicantReviewed webhook, verify the webhook signature, then call GET /resources/applicants/{applicantId}/status to retrieve the full review result and any reject labels.
Use reject labels (such as FORGERY, DOCUMENT_EXPIRED, SELFIE_MISMATCH) to route users to appropriate remediation paths or manual review queues.
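The request signing and the webhook check described above, as an added Python example (not code from this page or from Sumsub). The header names X-App-Token, X-App-Access-Ts and X-App-Access-Sig, the digest algorithm labels, and the event's "type" field are assumptions not stated on this page; confirm them against the Sumsub API reference.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed algorithm labels for the webhook digest (not given on this page).
WEBHOOK_ALGS = {"HMAC_SHA256_HEX": hashlib.sha256, "HMAC_SHA512_HEX": hashlib.sha512}


def sign_request(app_token: str, secret_key: str, method: str, path: str,
                 body: bytes = b"", ts: Optional[int] = None) -> dict:
    """Build auth headers: HMAC-SHA256 over timestamp + method + path + body."""
    ts = int(time.time()) if ts is None else ts
    # Sign the exact bytes that go on the wire; re-serialising the body after
    # signing changes the digest and the request is rejected with a 401.
    message = str(ts).encode() + method.upper().encode() + path.encode() + body
    signature = hmac.new(secret_key.encode(), message, hashlib.sha256).hexdigest()
    return {"X-App-Token": app_token, "X-App-Access-Ts": str(ts),
            "X-App-Access-Sig": signature}


def verify_webhook(webhook_secret: str, raw_body: bytes, digest_hex: str,
                   alg: str = "HMAC_SHA256_HEX") -> bool:
    """Check the webhook digest over the raw body, in constant time."""
    digestmod = WEBHOOK_ALGS.get(alg)
    if digestmod is None:  # unknown algorithm: reject, never fall back
        return False
    expected = hmac.new(webhook_secret.encode(), raw_body, digestmod).hexdigest()
    return hmac.compare_digest(expected.encode(),
                               digest_hex.strip().lower().encode())


def review_answer(webhook_secret: str, raw_body: bytes, digest_hex: str,
                  alg: str = "HMAC_SHA256_HEX") -> Optional[str]:
    """Return GREEN/RED from a verified applicantReviewed event, else None."""
    if not verify_webhook(webhook_secret, raw_body, digest_hex, alg):
        return None  # do not parse or act on unauthenticated input
    event = json.loads(raw_body)
    if event.get("type") != "applicantReviewed":
        return None
    return (event.get("reviewResult") or {}).get("reviewAnswer")


if __name__ == "__main__":
    # Constructed sample values, not real credentials or Sumsub output.
    body = json.dumps({"externalUserId": "user-1234"}).encode()
    print(sign_request("YOUR_APP_TOKEN", "example-secret", "POST",
                       "/resources/applicants", body, ts=1700000000))
```

Verify the webhook against the raw request bytes before any JSON parsing, and treat the answer in the webhook only as a trigger for the status call in the step above.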
Known gotchas
Every API request must be HMAC signed; unsigned or incorrectly signed requests return 401 errors even when the credentials themselves are correct.
Level names are case-sensitive and must exactly match levels configured in the dashboard; a mismatch returns an error at applicant creation.
Sumsub distinguishes between 'applicant' (individual) and 'company' applicant types; use the correct type for KYB versus KYC flows.