By default a person you verify is a guest — recognized only by an anonymous browser identifier. Account linking ties the verification to a stable identity and to your own user record, which turns them into an account: permanent, portable uniqueness and far less repeat friction.
You link at POST /v3/initialize, from your server, with a secret key.
Link your own user with external_id
Pass external_id to associate the session with a record on your side. It comes straight back when you confirm, so you can match the verified human to your user without a lookup table.
const res = await fetch("https://trust.verifyyou.com/v3/initialize", {
method: "POST",
headers: {
Authorization: `Bearer ${process.env.VY_SK}`,
"Content-Type": "application/json",
},
body: JSON.stringify({
origin: "https://yourapp.com",
return_path: "/verified",
external_id: "user_123", // your id for this user
}),
});
const { url } = await res.json();
// redirect the user to `url`; on confirm you'll get external_id back
Bind a stable identity with phone / email
Pass a phone or email to bind the person to a durable identifier. This is what makes them an account — their uniqueness becomes permanent and travels across devices, browsers, and every product you run on VerifyYou.
{
"origin": "https://yourapp.com",
"return_path": "/verified",
"external_id": "user_123",
"phone": "+12105550142"
}
Binding fails if that phone or email is already in use by another identity —
an identity is one human. Handle the 400 by routing the user to recover their
existing account rather than creating a duplicate.
Reading it back
The linked external_id is returned on the confirmation, so the result is self-describing:
{
"verified": true,
"external_id": "user_123",
"verification": { "external_id": "signup-flow", "external_tenant_id": null }
}
All of these parameters are secret key only — send them from your server.
See the full list on POST /v3/initialize. 
