• What are the password requirements?

    A character string with the following requirements:

    • A minimum of 8 characters
    • At least one lowercase letter
    • At least one uppercase letter
    • At least one number
    • At least one non-alphanumeric character (such as one of the following: !, @, #)
    • Is not the same as the username
  • How many invitees can an account have?


  • How does provisioning and unprovisioning access work?

    The master account can invite three types of users: Administrators, Agents, and Read-Only.
    Admins have the privileges as the master, which includes creating, deleting and changing settings inside experiences, analyze and update verification results, and invite additional users.
    Agents can review verification data and update results.
    Read Only users cannot make changes, but can analyze data and take notes. This type of access is recommended for auditors.

  • Does the system offer audit logs and/or user access reports?

    Yes, audit logs are available per verification to check who's altered a record.

  • What is the difference between a Rejected Validation and a Manual Review?

    "Rejected Validation" results if a user is underage or if a fraud attempt is detected by failing any of the validations.
    "Manual Review" results if the mistake is probably user error rather than deliberate fraud. Commmon mistakes might inlcude blank data, and missing documents

Country Restrictions

  • Can a merchant identify a document's country of origin using the webhooks data?


Detecting Duplicate Users

  • How does Mati detect duplicates?

    Duplicate user detection is a toggle inside the Document Verification building block. We use the full name and date of birth (DOB) to compare with existing records within experiences. This means that if users verify themselves using the same Experience flow, on which the toggle is on, they will be flagged as Manual Review. Biometric data is not analyzed at this point.

  • Can Mati detect the same person using different documents?

    Yes, as long as the name and DOB matches our records.

  • What is the scope of duplicate detection?

    We detect duplicates at the verification flow level.

Customizing Verification Flows

  • Can I customize the verification flow to have my own brand and style?

    Yes. You can change the color of the graphical elements (using the exact RGB or hex color code of your brand) as well as set you company logo on top of the screen.

  • What if I need a more customized UX?

    You can use our APIs to tailor your UX with Mati behind it. This approach may take more time than using a pre-built UX as you need to develop the UX.

  • Is there a sandbox environment for testing?

    Not yet.

  • How many verification flows can be created?

    The default limit in the Dashboard is 100.
    Contact support if you need more.

  • Is there an easy way where the I can redirect customers to the validation page using the SDK without the button?

    You can always use the direct link or invoke the verification process through a custom UI element in your web UX (HTML and JavaScript).

  • When using SDK, are both the Client ID and the Flow ID exposed in the browser?

    Yes, however they can be encapsulated using JavaScript.

  • Can a merchant that uses PHP for their front end use the Mati SDK?

    Yes, they can print the Web SDK entirely with echo.

  • Do verifications expire?

    Yes, users have a 30-minute window to complete the verification.
    On the API it's basically the time window occurs between verification_started and verification_inputs_completed.

Document Verification

  • How does Mati process Proof of Residence?

    We extract owner's Full Name, Address and Emission Date.
    We check that the document is no older than 3 months.

  • What kind of documents do we ask for as Proof of Residence?

    Bank statement and utility bills.

  • Can we correlate the names extracted from IDs with the names in Proof of Residence (PoR)?

    Yes. Using the extracted data delivered through the Document Reading webhooks, you can compare National ID/Passport/Driver Licence with the data extracted from the PoR. All Document Reading results contain full names.

  • Does Mati accept citizenship documents?

    Yes. Formas Migratorias (Mexico) and Permiso Especial de Permanencia (Venezuela) are examples of special IDs that can be processed.


  • How does the Selfie Video work?

    Users can record themselves either moving their head and/or reading out loud 3 numbers. These numbers are random and are prompted in the user's language

  • Does Mati have any kind of fingerprint recognition workflow related to the ID Validation process?

    There’s no way to perform this at the moment: Government and financial entities that would provide the fingerprint records use a significantly different technology than the fingerprint sensors on mobile devices, reducing the certainty of any matches. Also, phone OSs do not expose the fingerprint data to third parties.

Watchlists and AML

  • Does Mati have an integrated watchlist monitoring tool?

    Yes, watchlist monitoring is part of our premium services. We can create watchlist-based security alerts.

  • Can Mati do on-going monitoring through the API?

    Yes, through one of two ways:

    • If a user is validated from start to finish using our API process, the referenced Experience flow should have Watchlist Monitoring enabled inside the Anti-Money Laundering building block.
    • You can also make queries using our standalone Comply Advantage service; this can be executed within a specified interval of time.
      You can buy search-only or search and monitoring. Search requires one API call per user, whereas search and monitoring requires regular API calls to monitor a specific user.
  • Can the watchlist and AML be used through the API?

    Yes, it works as a separate endpoint, Comply Advantage

  • Can Mati run watchlist and AML validation without an ID?

    Yes, you can search for a user through our Standalone Comply Advantage service. You will need to enter the user’s full name and birth year.

Email and Phone Validation

  • How does phone/email ownership work?

    This service helps merchants confirm whether the user has real ownership of their phone/email by sending them a one time password (OTP) which needs to be entered in order to verify.

  • What is Email Risk Score Analysis?

    The Email Risk Score Analysis looks at the composition and source of the email, and if the email has been used with other events/transactions to determine a score. The higher the score, the more suspicious it is.

    Negative events can include chargeback, account takeover, and data breach. The email will also be examined as a potential spam bot.

  • What is Phone Risk Score Analysis

    Phone Risk Score Analysis looks at the source of the phone number as well as how it has been used to determine a score. The higher the score, the more suspicious it is.

    We look at whether the phone number has negative events associated with its usage (such as fraud, automated bot calls, criminal use), as well as carrier or VOIP use.



  • Do merchants have to build their own webhooks receptor?


  • What format does webhooks use?


  • Are webhooks sent in real time?

    Yes, they are asynchronous; they will be sent as soon as each validation step is completed, regardless of the Flow Endpoint-Widget order.

  • Can webhooks be sent to an endpoint URL with a specific port?

    No, the Webhook uses the default HTTPS port, 443.

  • What would happen if my webhook endpoint is unavailable?

    We will retry to deliver the webhook after:

    • 1 minute
    • 3 minutes
    • 5 minutes
    • 7 minutes
    • 10 minutes

    Webhooks are lost if delivery is unsuccessful. They can only be sent back if the validation is changed or updated on the dashboard.

    You can also retrieve the webhook data using our API, under Get Retrieve Webhook Resource Data and Get Verification Media.

  • What HTTP Request Methods can be used to obtain data from Mati through API?

    Only GET and POST

  • What type of encoding is used on Timestamps?

    Base 64.
    For more information, go to our document on timestamps.

  • Is there is a limit on API requests?

    For security purposes, merchants can only run one new verification request per second. Users wishing to send batch data will have to set up their calls as such.


  • What is metadata used for?

    Metadata helps you correlate a user you already know with a Mati verification process.

  • How can I correlate a user with a verification?

    You send metadata as unique value(s) related to the user (internal ID, email, doc number, etc.). Those values are attached to the verification data.

  • How do I send metadata in the Web SDK?

    Here is a sample in JavaScript:

     <script src="https://web-button.getmati.com/button.js"></script> 
    		"u_id": "193589035809",
    		"date": "05Oct2020",
    		"u_email": "[email protected]"}' 
  • I sent metadata through the API, how am I getting it back?

    Added metadata comes back in the verification_completed Webhook.

  • Are metadata arrays accepted?

    No, only a single-level hierarchy.


Saas Specifications

  • What OS does Mati use?

    CentOS through AWS virtual instances.

  • What is the stack of technologies used in your solution?

    NodeJS, Python, Kubernetes.

  • Regarding integration with Web and Mobile channels, is omnichannel supported?

    Yes. Pre-built experience for web, native mobile apps, and API.

  • Does Mati encrypt data communication?

    Yes. All data is encrypted in transit using cipher suites: Mati sends data to merchants over HTTPS, and merchants must have a TLS certificate installed.

  • How is customer data encrypted?

    We use AES-256 to encrypt customer data. This includes user selfies, videos, document images, and any verification data.

  • Does Mati use static or dynamic IPs?

    The only exposed IP (webhooks) is static:

  • What are the Endpoint Security policies for user devices and servers?

    Each session is tokenized, and locked in a secure connection. Every session is opened and closed for each user process.

  • Can merchants manage Mati under their own domains and subdomains?

    Our extensibility through API integration allows our endpoints to be used in back-end mechanisms, allowing the process to be transparent from merchants' domains and subdomains.

  • Given that Mati is a cloud solution, is it managed individually or on a shared tenant?

    By default, the solution is managed in a shared way. If required, individual instances can be created.

  • Is it possible to integrate Mati with Instant Messaging apps such as WhatsApp?

    Yes, the direct link can be used to reach instant messaging communication channels. It is also possible to use the API to make a personalized integration via WhatsApp.

  • How does Mati extract document details?

    Document details are extracted using Optical Character Recognition (OCR). However, it is limited to Latin characters only.

  • What file types are accepted through API?

    For still images we accept JPEG, PNG and JPG, with a minimum resolution of 600×600px and maximum file size of 50MB.
    Selfie videos can be 3GPP, MP4, QT, WEBM, or MKV, with a maximum size of 50MB.

  • What files are sent back through webhooks?
    • A selfie photo either taken from user's phone or extracted from the selfie video.
    • MP4 selfie videos as well as 4 frame sequences or sprites taken from the videos themselves.