User lifecycle: enrollment → authentication
This guide describes the recommended way to model the full lifecycle of a returning user in VerifEye's Redirect — first visit (enrollment) and return visits (authentication) — using a single Verification project.
Key concept: the first verification call is the enrollment
When a user is sent through a Face Recognition verifier in UniqueMatchVerification or MatchVerification mode with a never-before-seen reExternalId, the face embedding is automatically stored under that identifier as part of the verification.
There is no separate enrollment endpoint or step. On every subsequent call with the same reExternalId, the same verifier performs a 1:1 match against the stored embedding.
This is the property that makes a single-project lifecycle possible: the same Verification can both onboard a brand-new user and authenticate a returning one — the verifier knows the difference from the state of the face collection.
Recommended pattern: single project + session overrides
The single-project pattern uses one Verification, configured with the full enrollment-time verifier set, and uses session-level overrides to disable verifiers that are only relevant on the first visit.
Do not split one user base across multiple Verifications
Each Verification has its own face collection scope — a user known to one Verification is unknown to another. Creating multiple Verifications for the same user base (for example, one for enrollment and a separate one for authentication) is not recommended: the second Verification will not see the enrollment from the first and will silently auto-enroll the user again, defeating the separation.
Use a single Verification with session-level overrides instead, as described below.
Verification configuration (one-time setup):
- Liveness:
Verification - Face Recognition:
UniqueMatchVerification(orMatchVerification— seeVerifier choice below) - Age:
ThresholdVerificationorCalculationOnlyas needed - Gender:
CalculationOnlyas needed AllowVerifierOverrides:true— required for the return-visit overrides to take effect
First visit vs. return visit
The two flows use the same Verification URL; only the session-level query string differs.
Do not disable the Face Recognition verifier on the return visit (reDisableFaceRecognitionVerifier=true) — that is the verifier performing the authentication. The other verifiers (liveness, age, gender) are the ones safe to disable.
The Verification URL itself must be signed by your backend in both cases (see the Security page). The session-level override parameters are part of the signed payload, so they cannot be tampered with by the end user.
Verifier choice: UniqueMatchVerification vs. MatchVerification
Both modes auto-enroll on first use and perform a 1:1 match on subsequent visits. The difference is whether cross-identifier uniqueness is enforced.
Common pitfalls
AllowVerifierOverridesmust be enabled on the Verification. If it isfalse, thereDisable…Verifierquery parameters on the return visit are silently ignored and the full enrollment flow runs every time.- Use the same
reExternalIdfor the same user across visits. This identifier is the only thing linking the first and the return visit; without a stable value, the system treats each visit as a new user and auto-enrolls a fresh embedding. - Do not disable Face Recognition on the return visit. Disabling Liveness / Age / Gender is the intended override; disabling Face Recognition removes the authentication step itself.
Related
- Concept — Verification, scope, and face collections
- Verification configurations — verifier modes and session overrides
- Parameters —
reExternalIdand the session override keys
Last updated: 2026-05-19