Age Gate & Verifiable Parental Consent
This guide will walk you through implementing the Age Gate & VPC widget in just a few steps, allowing you to quickly meet regulatory requirements while providing a smooth user experience for both children and their parents.
The End-to-end Widget is a comprehensive solution that handles the complete compliance flow in a single interface, covering age gate, VPC, data notices, permissions, and preferences all in one seamless experience. This widget can be used by parents either on the child's device or on their own device, providing maximum flexibility for the consent process.
What is an Age Gate?
An Age Gate is a mechanism used to collect and verify a user's age before allowing access to age-restricted content, features, or services. Age gates are required by regulations in many jurisdictions to ensure compliance with laws governing digital content access for minors.
Age gates serve several important purposes:
- Regulatory Compliance: Meet legal requirements for verification in different jurisdictions
- Content Protection: Prevent minors from accessing inappropriate content
- Data Privacy: Ensure proper handling of children's data according to regulations like COPPA, GDPR-K, and others
- Parental Control: Enable parents to make informed decisions about their children's digital access
By providing the user's jurisdiction, the End-to-end Widget automatically determines the best methods for collecting their age (if not already provided) and intelligently determines whether VPC is necessary based on that jurisdiction's specific regulations. This ensures compliance without requiring you to implement complex jurisdictional logic.
What is Verifiable Parental Consent (VPC)?
Verifiable Parental Consent (VPC) is a regulatory requirement that ensures parents or trusted adults can provide informed consent for children to access digital content, services, or features. When a child attempts to access age-restricted content, the system creates a Challenge that requires parental approval before access can be granted.
The VPC flow typically involves:
- Age Collection: Determining the child's age through appropriate methods
- Challenge Creation: Creating a consent challenge when parental approval is required
- Parental Notification: Notifying parents through various channels (email, QR code, etc.)
- Consent Processing: Parents review and approve/deny the request
- Session Management: Creating or updating the child's permissions based on consent results
Prerequisites
Before you begin, you'll need:
- A k-ID Product: Create and configure your product in the k-ID Compliance Studio
- API Key: Generate your API key from the Developer Settings page of your product
- Webhook Endpoint (optional but recommended): Set up a secure HTTPS endpoint to receive challenge and session events. For more detail, see Webhooks.
Step 1: Initiate the Age Gate & VPC Flow
Call the /widget/generate-e2e-url API to create an end-to-end widget URL that handles the complete VPC flow. This returns a unique URL that users will use to complete the age collection and parental consent process.
Use our interactive Swagger documentation with your API key to quickly generate your Age Gate & VPC widget URL.
Important: For your implementation, this should be a server-to-server call to protect your API key from being exposed in client-side code.
Example Request
POST /api/v1/widget/generate-e2e-url
Content-Type: application/json
Authorization: Bearer your-api-key

{
  "jurisdiction": "US-CA"
}
Configuration Flags
The optional flags parameter allows you to customize which parts of the flow to skip:
- skipDataNotices: Skip data notices and consent collection
- skipVerification: Skip verification step
- skipPermissions: Skip permission management
- skipPreferences: Skip preference settings
Example Response
{
  "id": "7854909b-9124-4bed-9282-24b44c4a3c97",
  "url": "https://family.k-id.com/widget?token=eyJhbGciOiJFUzM4NCIs..."
}
Step 2: Display the Age Gate & VPC Widget
Use the returned URL to create an iframe in your website or app. Users will complete the age collection and parental consent process through this interface, with available methods automatically adapting to jurisdictional requirements.

HTML Implementation
<div id="vpc-container">
  <iframe
    id="vpc-widget"
    src="WIDGET_URL"
    width="100%"
    height="600"
    frameborder="0"
    allow="camera;payment;publickey-credentials-get;publickey-credentials-create">
  </iframe>
</div>
The iframe may present users with multiple verification methods such as:
- AgeKey: A reusable and anonymous age-proof generated after an initial verification process.
- Facial Age Estimation: Privacy-preserving age estimation using a device's camera
- ID Document Verification: Government-issued ID verification
The specific methods available depend on the jurisdiction and your product configuration. For more detail, see Verification Methods.
The widget will present users with:
- Age Collection: Jurisdiction-appropriate age collection methods
- Data Notices: Data notices to accept, depending on the product's configuration
- Permissions: Permissions to manage, depending on the product's configuration
- Parental Consent Challenge: If the user is determined to be a minor, a challenge will be created for parental approval
The specific flow depends on the jurisdiction and your product's configuration.
Step 3: Handle Challenge and Session Events
When a Challenge is created for parental consent, you'll need to handle the results. You can receive challenge and session results in three ways:
Option A: Real-time JavaScript Events (Client-side)
const handleMessage = (event) => {
  const message = event.data;
  if (message.eventType === "Widget.AgeGate.Challenge") {
    if (message.data.status === "PASS") {
      // Parent approved consent - grant access
      console.log("Consent approved:", message.data.sessionId);
      grantAccess(message.data.sessionId);
    } else if (message.data.status === "FAIL") {
      // Parent denied consent - restrict access
      console.log("Consent denied");
      restrictAccess();
    }
  }
};
window.addEventListener("message", handleMessage);
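Any window can post a message to your page, so the Option A handler should check who sent the event and treat a PASS as a claim to confirm, not as proof of consent. The following is an added example, not k-ID's code: it assumes the widget posts from the origin of the URL returned in Step 1 and that session ids have the UUID shape of the samples on this page; `classifyWidgetMessage` and the `/consent/confirm` backend route are hypothetical names.

```javascript
// Added example (not k-ID code). Assumption: the widget posts its messages
// from the origin of the URL returned by /widget/generate-e2e-url.
const UUID = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i; // shape of the page's sample ids

function classifyWidgetMessage(event, widgetUrl, widgetWindow) {
  // Any window can call postMessage on this page, so check the sender first.
  if (event.origin !== new URL(widgetUrl).origin) return { action: "ignore", reason: "origin" };
  if (event.source !== widgetWindow) return { action: "ignore", reason: "source" };

  const msg = event.data;
  if (!msg || typeof msg !== "object" || msg.eventType !== "Widget.AgeGate.Challenge") {
    return { action: "ignore", reason: "eventType" };
  }
  const data = msg.data;
  if (!data || typeof data !== "object") return { action: "ignore", reason: "shape" };

  if (data.status === "FAIL") return { action: "restrict" };
  if (data.status !== "PASS") return { action: "ignore", reason: "status" };
  if (typeof data.sessionId !== "string" || !UUID.test(data.sessionId)) {
    return { action: "ignore", reason: "sessionId" };
  }
  // A browser message is only a hint: the backend decides whether to unlock.
  return { action: "confirm-with-server", sessionId: data.sessionId };
}

// Browser wiring; skipped when the file is loaded outside a browser.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const frame = document.getElementById("vpc-widget");
  const widgetUrl = frame.src; // set once from the Step 1 response
  window.addEventListener("message", (event) => {
    const result = classifyWidgetMessage(event, widgetUrl, frame.contentWindow);
    if (result.action === "restrict") {
      restrictAccess(); // same placeholder as the handler above
    } else if (result.action === "confirm-with-server") {
      // "/consent/confirm" is a hypothetical route on your own backend.
      fetch("/consent/confirm", {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify({ sessionId: result.sessionId }),
      });
    }
  });
}
```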
Option B: Webhook Notifications (Server-side)
Configure your webhook endpoint to receive Challenge.StateChange and Session.ChangePermissions events:
Challenge.StateChange Event:
{
  "eventType": "Challenge.StateChange",
  "data": {
    "id": "683409f1-2930-4132-89ad-827462eed9af",
    "productId": 42,
    "status": "PASS",
    "sessionId": "0ad1641f-c154-4cc2-8bb2-74dbd0de7723",
    "approverEmail": "parent@example.com",
    "kuid": "123456"
  }
}
Session.ChangePermissions Event:
{
  "eventType": "Session.ChangePermissions",
  "data": {
    "id": "78c299b2-5c33-4bde-84fe-8fc950fc7a96",
    "productId": 42
  }
}
Option C: Polling (Alternative Method)
Query the challenge status using the challenge ID:
GET /api/v1/challenge/get-status?id=683409f1-2930-4132-89ad-827462eed9af
Response:
{
  "id": "683409f1-2930-4132-89ad-827462eed9af",
  "status": "PASS",
  "sessionId": "0ad1641f-c154-4cc2-8bb2-74dbd0de7723"
}
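Options B and C can be combined so that access decisions rest on a status your server read itself: on a Challenge.StateChange webhook, re-query get-status and record only what the API reports. The following is an added example, not k-ID's code. Assumptions: `KID_API_BASE` is a placeholder host (this page gives only the path), get-status accepts the same Bearer header as the Step 1 request, and `handleWebhook`, `isSessionApproved` and the in-memory store are hypothetical.

```javascript
// Added example (not k-ID code). Placeholder host: the page shows only the path.
const KID_API_BASE = "https://kid-api.example.invalid";
// sessionId -> challengeId; use a database in a real deployment.
const approvedSessions = new Map();

async function handleWebhook(event, { fetchImpl = fetch, apiKey = process.env.KID_API_KEY } = {}) {
  if (!event || event.eventType !== "Challenge.StateChange" || !event.data) {
    return { handled: false, reason: "not a Challenge.StateChange event" };
  }
  const challengeId = String(event.data.id);

  // Use the webhook body only as a trigger; read the status from the API.
  const url = new URL("/api/v1/challenge/get-status", KID_API_BASE);
  url.searchParams.set("id", challengeId);
  const res = await fetchImpl(url.toString(), {
    headers: { Authorization: `Bearer ${apiKey}` }, // assumed: same auth as Step 1
  });
  if (!res.ok) return { handled: false, reason: `status API returned ${res.status}` };

  const status = await res.json();
  if (status.id !== challengeId) return { handled: false, reason: "challenge id mismatch" };

  if (status.status === "PASS" && typeof status.sessionId === "string") {
    approvedSessions.set(status.sessionId, challengeId);
    return { handled: true, approved: true, sessionId: status.sessionId };
  }
  // FAIL or any other state: drop approvals recorded for this challenge.
  for (const [sessionId, recorded] of approvedSessions) {
    if (recorded === challengeId) approvedSessions.delete(sessionId);
  }
  return { handled: true, approved: false };
}

// Called when a browser claims consent was given (for example after Option A).
function isSessionApproved(sessionId) {
  return approvedSessions.has(sessionId);
}
```

Return a non-2xx response to the webhook sender when `handled` is false for a transient reason, so a failed status lookup is not silently dropped.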
Webhook Configuration
For the Age Gate & VPC widget, ensure your webhook endpoint is configured to receive:
- Challenge.StateChange: Notifies when parental consent is approved or denied
- Session.ChangePermissions: Notifies when session permissions are modified by parents
These events are essential for maintaining proper access control and ensuring compliance with parental consent requirements.
What's Next?
Now that you've implemented the Age Gate & VPC widget, explore these resources to enhance your integration:
- API Reference Documentation: Detailed documentation of all widget and challenge APIs
- Webhooks Setup: Implement robust webhook handling for production systems
- Best Practices: Implement best practices to ensure security and a reliable user experience
- Pre-launch Checklist: Review requirements before going live
With k-ID's Age Gate & VPC widget, you can quickly achieve compliance with parental consent regulations while providing families with a smooth, privacy-focused experience.