
Verification lifecycle
Every verification moves through these statuses:
The flow: submit verification request, data validated against workflow requirements, entity/entities created and data stored in the vault, request sent, results returned with verification ID.
Risk levels
Every completed verification returns a risk level. This is Palm’s overall assessment based on all signals combined.Risk signals
Risk signals are the specific indicators that drove the risk assessment. Therisk.reasons array in the response contains the signals that contributed to the risk level. Examining individual signals — not just the overall level — is how you make informed decisions about borderline cases.
Identity risks
Match results
Match results indicate how well submitted data aligns with authoritative sources. Every verified field returns one of these values:
Only fields included in the verification request appear in match results.
Vault storage
Palm stores all submitted data in an encrypted vault at the time of verification. When you re-verify a person or business, Palm pulls from the vault.Workflows
Every verification request includes aworkflow_key. The workflow controls what happens when Palm processes a verification — which checks run, what fields are required, and how risk is assessed.
What a workflow configures
A workflow defines a sequence of automated checks. Depending on your configuration, a single verification request can trigger any combination of:Execution mode
Workflows run inheadless mode — the API call executes all checks and returns results synchronously. No user interaction required. You submit the verification request, Palm runs the configured checks, and you get results back in one response.
How to get a workflow key
Palm configures workflows based on your compliance requirements. During onboarding, we’ll set up one or more workflows tailored to your use case — the checks you need, the fields you require, and the risk thresholds that match your program. You’ll receive aworkflow_key for each configuration.
If your requirements change (e.g., you need to adjust required fields), reach out and we’ll update your workflow configuration.
A self-service workflow configurator is available in Palm Console (beta). Contact us for access.
Webhooks
Verification completion fires webhook events:
Webhook payloads include the verification ID, risk level, and summary match results. Subscribe to webhooks for async notification rather than polling. See Webhooks.
Best practices
- Handle all risk levels: Implement logic for
low,medium,high, andcriticaloutcomes. Don’t just handle the happy path. - Use risk signals: Examine individual signals in
risk.reasons, not just the overall risk level. Two verifications can both bemediumrisk for very different reasons — a PEP match requires different handling than a data mismatch. - Verify associated people: For businesses, verify owners with significant ownership by including them as associates. Regulatory frameworks typically require verification of anyone with 25%+ ownership or significant control.
- Subscribe to webhooks: Use async notification rather than polling for verification completion.
- Log verification IDs: Store verification IDs for audit trail and support. You’ll need them for compliance reporting and dispute resolution.
- Review match results: Use field-level match data to understand verification confidence. A verification with
lowrisk but severalpartial_matchresults is less confident than one with allmatchresults.

