States

Unverified → Pending → Verified → Expired

              Failed

| State | Description |
|---|---|
| Unverified | Visitor has no session cookie. The popup will be shown. |
| Pending | Visitor has opened the popup and a proof request is in progress. |
| Verified | Proof was accepted. A session cookie has been issued. |
| Failed | Proof was rejected (invalid, wrong network, identity issues). The visitor is shown an error and can retry. |
| Expired | The session cookie has passed its TTL. The visitor is treated as unverified on their next visit. |

Once verified, the worker issues a signed session cookie scoped to your domain. The cookie contains:
  • A session ID (used for usage tracking)
  • The verification timestamp
  • A signature (HMAC, validated by the worker on each request)
The worker validates this signature locally on every request — no API call is needed for returning verified visitors.

Re-verification

Visitors are not re-verified during an active session. When the session expires, they will be prompted again on their next visit to a protected page. There is no way for a visitor to “log out” of their Veriox session — the cookie expires naturally. If you need to force re-verification (e.g. after changing your age threshold), you can shorten the session TTL and redeploy, which will cause existing sessions to be rejected as the signature will no longer match.
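
The sketch below is an added example, not Veriox's own code. It shows a worker issuing an HMAC-signed session cookie and validating it locally on each request, returning the states listed above. The cookie layout, the function names, the use of Node's `crypto` module, and the choice to mix the TTL into the MAC input (so that cookies issued under a previous TTL stop validating) are all assumptions.

```javascript
// Added example, not Veriox's code: cookie layout and all names are assumptions.
const nodeCrypto = require("node:crypto");

// HMAC-SHA256 over the cookie fields plus the configured TTL, base64url-encoded.
// Mixing the TTL into the MAC input is an assumption: it makes cookies issued
// under an old TTL fail validation after the TTL is changed and redeployed.
function mac(sessionId, verifiedAt, ttlSec, secret) {
  return nodeCrypto.createHmac("sha256", secret)
    .update(`${sessionId}.${verifiedAt}.${ttlSec}`)
    .digest("base64url");
}

// Cookie value: "<sessionId>.<verifiedAt>.<signature>" (assumed layout).
function issueCookie(secret, ttlSec, nowSec) {
  const sessionId = nodeCrypto.randomBytes(16).toString("base64url");
  return `${sessionId}.${nowSec}.${mac(sessionId, nowSec, ttlSec, secret)}`;
}

// Local check on every request: no network call, only the worker's secret.
// Returns one of the page's states: "verified", "expired" or "unverified".
function validateCookie(cookie, secret, ttlSec, nowSec) {
  if (typeof cookie !== "string") return "unverified";
  const parts = cookie.split(".");
  if (parts.length !== 3) return "unverified";
  const [sessionId, verifiedAt, sig] = parts;
  if (!/^\d{1,12}$/.test(verifiedAt)) return "unverified";

  const expected = Buffer.from(mac(sessionId, verifiedAt, ttlSec, secret));
  const given = Buffer.from(sig);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length) return "unverified";
  if (!nodeCrypto.timingSafeEqual(given, expected)) return "unverified";

  // Only trust the timestamp after the signature has been verified.
  const age = nowSec - Number(verifiedAt);
  if (age < 0) return "unverified"; // timestamp in the future: reject
  return age < ttlSec ? "verified" : "expired";
}
```

The timestamp is read only after the signature check passes, so an edited timestamp cannot extend a session.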