Privacy-first age verification that collects minimal data and returns only yes/no
AgeGate provides a simple and secure way to verify user ages without collecting personal data. Our API is designed to be easy to integrate while maintaining complete user privacy.
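    // 1. Start verification request (server-side only)
    $partner_id = 'your_partner_id';
    $api_key = 'your_api_key';
    $timestamp = time();
    $signature = hash_hmac('sha256', $partner_id . '|' . $timestamp, $api_key);
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL => 'https://agegate.app/verify/server.php',
        CURLOPT_POST => true,
        CURLOPT_RETURNTRANSFER => true, // return the response body instead of printing it
        CURLOPT_POSTFIELDS => http_build_query([
            'partner_id' => $partner_id,
            'timestamp' => $timestamp,
            'signature' => $signature,
            'return_url' => 'https://yourapp.com/callback'
        ])
    ]);
    $response = curl_exec($ch);
    // 2. Redirect user to AgeGate
    $result = json_decode($response, true);
    if (empty($result['success']) || empty($result['redirect_url'])) {
        http_response_code(502);
        exit('Verification could not be started');
    }
    header('Location: ' . $result['redirect_url']);
    exit; // stop here so nothing else runs after the redirect
    // 3. Handle callback in the script behind your return_url (no user data received!)
    if (isset($_GET['verified'], $_GET['signature'])
        && is_string($_GET['verified']) && is_string($_GET['signature'])) {
        $expected_sig = hash_hmac('sha256', $partner_id . '|' . $_GET['verified'], $api_key);
        if (hash_equals($expected_sig, $_GET['signature'])) {
            // User verified as 18+ - that's all we know!
            grant_access();
        }
    }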
All API requests use HMAC-SHA256 signatures for authentication. This ensures request integrity and prevents tampering.
    // Create signature for request
    $partner_id = 'your_partner_id';
    $timestamp = time();
    $data = $partner_id . '|' . $timestamp;
    $signature = hash_hmac('sha256', $data, $your_api_key);
    // Send with request
    $postfields = [
        'partner_id' => $partner_id,
        'timestamp' => $timestamp,
        'signature' => $signature,
        'return_url' => $your_return_url
    ];
Never expose your API key in client-side code. Always make API requests from your backend server.
AgeGate's privacy-first API collects minimal data - only what's needed for verification. We don't store personal information and only return a simple yes/no answer.
Starts an age verification session with minimal data collection.
    partner_id=your_partner_id
    timestamp=1640995200
    signature=hmac_sha256_signature
    return_url=https://yourapp.com/callback
No user data is sent to AgeGate, only your partner ID, timestamp, and return URL. The signature ensures request authenticity.
    {
        "success": true,
        "redirect_url": "https://agegate.app/verify/start.php?token=abc123"
    }
AgeGate redirects users back to your site with a simple verified/not verified result.
    verified=1640995800          // Timestamp if verified
    signature=abc123def456...    // HMAC signature for verification
AgeGate only returns a timestamp (indicating verification occurred) and a signature. No age data, no personal information, no biometrics - just yes/no verification.
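    // Verify the callback signature
    $is_verified = false;
    if (isset($_GET['verified'], $_GET['signature'])
        && is_string($_GET['verified']) && is_string($_GET['signature'])) {
        $data = $partner_id . '|' . $_GET['verified'];
        $expected_signature = hash_hmac('sha256', $data, $api_key);
        if (hash_equals($expected_signature, $_GET['signature'])) {
            // User is verified as 18+
            $is_verified = true;
        }
    }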
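The callback signature covers only the partner ID and the `verified` timestamp, so the receiving site has to enforce freshness and single use itself. The following is an added example, not AgeGate's code; the function name, the 300-second validity window and the 60-second clock-skew allowance are assumptions that the page does not document.

```php
<?php
// Added example, not AgeGate's code. MAX_AGE_SECONDS, CLOCK_SKEW_SECONDS and
// the function name are assumptions; the page documents no validity window.
const MAX_AGE_SECONDS = 300;
const CLOCK_SKEW_SECONDS = 60;

function agegate_callback_is_valid(array $query, string $partner_id, string $api_key, int $now, array &$seen): bool
{
    $verified  = $query['verified'] ?? null;
    $signature = $query['signature'] ?? null;

    // Query parameters can arrive as arrays (?verified[]=1); hash_equals() needs strings.
    if (!is_string($verified) || !is_string($signature)) {
        return false;
    }
    // Accept only a decimal Unix timestamp and a 64-character hex HMAC-SHA256 digest.
    if (!preg_match('/\A[0-9]{1,12}\z/', $verified) || !preg_match('/\A[0-9a-f]{64}\z/', $signature)) {
        return false;
    }
    // Same construction as the page: HMAC-SHA256 over "partner_id|verified".
    $expected = hash_hmac('sha256', $partner_id . '|' . $verified, $api_key);
    if (!hash_equals($expected, $signature)) {
        return false;
    }
    // Freshness: reject timestamps outside the accepted window.
    $age = $now - (int) $verified;
    if ($age < -CLOCK_SKEW_SECONDS || $age > MAX_AGE_SECONDS) {
        return false;
    }
    // Single use: remember accepted signatures (use a shared store with expiry in production).
    if (isset($seen[$signature])) {
        return false;
    }
    $seen[$signature] = $now;
    return true;
}

// Constructed sample input: partner ID, key and timestamps are placeholders.
$partner_id = 'your_partner_id';
$api_key    = 'your_api_key';
$now        = 1640995900;
$seen       = [];
$sign       = fn(string $ts): string => hash_hmac('sha256', $partner_id . '|' . $ts, $api_key);

$fresh = ['verified' => '1640995800', 'signature' => $sign('1640995800')];
$stale = ['verified' => '1640990000', 'signature' => $sign('1640990000')];
foreach (['fresh' => $fresh, 'replayed' => $fresh, 'stale' => $stale] as $label => $query) {
    printf("%-8s %s\n", $label, var_export(agegate_callback_is_valid($query, $partner_id, $api_key, $now, $seen), true));
}
```

In a real handler, pass `$_GET` as `$query` and `time()` as `$now`, and back `$seen` with a store shared across your servers.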
AgeGate is designed from the ground up to minimize data collection and protect user privacy. Here's exactly what we collect, process, and return.
All verification happens in real-time during the user's session. No data is stored on our servers after verification is complete. Images are processed immediately and discarded - never saved to disk or database.