AI products

AI products that serve children and teens face evolving global regulations on content, data, and AI behavior, including COPPA in the US, GDPR-K in the EU, and the UK's AADC. These regulations determine which AI capabilities are available at what age. k-ID's CDK resolves the user's age and jurisdiction into a set of AI-specific permissions, which your product reads to enable or disable each capability per user.

Try the k-ID Dev Explorer

Use the k-ID Dev Explorer, an open source developer sandbox, to test AI permission flows and view all traffic in an event log. You can also use it as a starting point for your own AI product implementation.

What's an AI product in k-ID's model?

An AI product is any application where users interact with generative AI capabilities such as text chat, voice, image or video generation, or persistent AI personas. k-ID treats each AI capability as a separate permission. Each permission can be enabled, disabled, or prohibited based on the user's age, jurisdiction, and parent settings.

The CDK flow is the same as any other k-ID product: age gate → VPC if the user is a minor → session → enforce permissions → respond to changes via webhook. The AI-specific part is the set of permissions returned in the session, listed in Step 1.

See the VPC quick start and Managing sessions and permissions quick start.

Prerequisites

Before you begin, you'll need:

A k-ID Product: Create and configure your product in the k-ID Compliance Studio
API Key: Generate your API key from the Developer Settings page of your product in the Compliance Studio
Webhook Endpoint (optional but recommended): Set up a secure HTTPS endpoint to receive session and permission events. For more detail, see Webhooks.
AI permissions enabled in Compliance Studio: Turn on the AI permissions that match your product's capabilities (see Step 1).

Step 1: Configure AI permissions

In the Compliance Studio, open your product's Configuration → Permissions tab. The AI category contains seven permissions that map to the capabilities common in AI products:

Permission	Display name	Description	Enable when…
`ai-chat`	AI Chat	Your child can freely communicate with a feature that uses generative AI, such as for interactivity or support functions.	Your product offers any freeform conversation with an AI, regardless of input modality.
`ai-companion-chatbot`	Companion Chatbots	Your child can interact with AI characters or companions that mimic human interaction through personalized content.	Your AI is positioned as a persistent companion or persona that maintains a relationship across sessions.
`ai-memory`	AI Memory	Your child's preferences and interactions with an AI will be retained and used to create a profile of their experience over time.	Your AI retains user preferences or conversation history across sessions to personalize future interactions.
`ai-voice-mode`	AI Voice Mode	Your child can speak to an AI in real-time voice conversations. The AI processes the child's voice.	Your AI processes the user's voice (speech-to-text) or generates speech back (text-to-speech).
`ai-media-generation`	AI Media Generation	Your child can interact with an AI that may generate images, and/or video based on the child's prompt.	Your AI generates images, video, or audio in response to the user.
`ai-media-upload`	AI Media Upload	Your child can provide an image, video, or other media as part of their interactions with AI.	Users can upload images, video, or audio to be processed by the AI.
`ai-model-training`	AI Model Training	Your child's information and inputs will be used to train an AI model.	User inputs may be used to train or fine-tune AI models.

Enable the permissions that reflect your product's capabilities and leave the rest off. Jurisdiction-specific defaults are already set across all supported jurisdictions, including tailored rules for US (COPPA), UK (AADC), Australia (Online Safety Act), EU (GDPR Art. 22), and Brazil.

ai-model-training and COPPA

Under the 2026 COPPA Amendment, disclosures of a child's personal information to train or develop AI models are treated as non-integral and require their own parental consent. If your product uses user inputs for training, make sure ai-model-training is enabled and review the COPPA 2026 Amendment guide.

For the full list of permissions across all categories, see Available permissions.

AI products follow the same age gate and Verifiable Parental Consent (VPC) flow as any other k-ID product. The widgets and APIs handle the jurisdictional logic, so your product just needs to start the flow and receive the resulting session.

For the end-to-end integration, follow one of:

VPC quick start: The fastest path. Use the end-to-end widget to handle age collection, VPC, data notices, and permissions in one iframe.
Custom age gate quick start: Build your own age gate UI while k-ID handles the compliance logic.

Once the parent completes the consent flow, your product receives a sessionId. Fetch the session with /session/get to read the AI permissions you configured in Step 1:

GET /api/v1/session/get?sessionId=0ad1641f-c154-4c2a-8bb2-74dbd0de7723

Response:
{
  "session": {
    "id": "0ad1641f-c154-4c2a-8bb2-74dbd0de7723",
    "permissions": [
      { "name": "ai-chat", "enabled": true, "managedBy": "GUARDIAN" },
      { "name": "ai-companion-chatbot", "enabled": false, "managedBy": "GUARDIAN" },
      { "name": "ai-memory", "enabled": true, "managedBy": "GUARDIAN" },
      { "name": "ai-voice-mode", "enabled": false, "managedBy": "GUARDIAN" },
      { "name": "ai-media-generation", "enabled": false, "managedBy": "GUARDIAN" },
      { "name": "ai-media-upload", "enabled": false, "managedBy": "GUARDIAN" },
      { "name": "ai-model-training", "enabled": false, "managedBy": "PROHIBITED" }
    ]
  }
}

The managedBy field tells you who controls each permission: GUARDIAN, PLAYER, or PROHIBITED. For the full semantics, see Permissions.

Step 3: Gate AI features based on the session

Before offering each AI feature, check the relevant permission on the session. The pattern is the same as any other k-ID-gated feature:

Permissions: how enabled and managedBy work, including GUARDIAN, PLAYER, and PROHIBITED semantics.
Managing sessions and permissions quick start: fetching sessions, comparing them over time, requesting upgrades, and handling disabled features in your UI.

Build the AI request from the session

Read permissions from the session, gate each AI capability with a small helper, and pass the resulting config object to your AI provider:

function allowed(session, name) {
  const permission = session.permissions.find((p) => p.name === name);
  return permission?.enabled === true;
}

function buildAIConfig(session) {
  return {
    chat: allowed(session, "ai-chat"),
    companion: allowed(session, "ai-companion-chatbot"),
    memory: allowed(session, "ai-memory"),
    voice: allowed(session, "ai-voice-mode"),
    mediaGeneration: allowed(session, "ai-media-generation"),
    mediaUpload: allowed(session, "ai-media-upload"),
    trainOnInputs: allowed(session, "ai-model-training"),
  };
}

const aiConfig = buildAIConfig(session);
const response = await aiProvider.respond({ prompt, ...aiConfig });

Four rules to remember as you wire this up:

Read, then enforce. Call /session/get on session start.
Fail closed. Permission missing or session unreachable = feature off.
Degrade gracefully. Feature off ≠ dead end. Show a fallback.
Default off for minors. Parents enable.

Step 4: Respond to permission changes

Parents can adjust AI permissions at any time through Family Connect. For example, a parent might disable ai-companion-chatbot after reading a notification or enable ai-voice-mode once the child is old enough. Your product needs to pick up those changes and reflect them to the user.

The detection and handling pattern is identical to any other permission change:

Subscribe to the Session.ChangePermissions webhook, or compare the cached session to the current session on each launch.
When a permission toggles, update your product's state immediately so the user doesn't try to use a feature that's been turned off.
Show a clear message to the user explaining what changed and why.

For the full implementation, including webhook handling, session comparison, handling managedBy: PLAYER for aged-up users, and communicating changes to the user, follow the Managing sessions and permissions quick start.

Webhook configuration

For AI products, ensure your webhook endpoint is configured to receive:

Session.ChangePermissions: Notifies when a parent enables or disables an AI permission for the user.

This event is essential for keeping AI features in sync with parent decisions without waiting for the next session fetch.

What's next?

Now that your AI product is wired up to k-ID, explore these resources to go deeper:

Permissions: Full reference for permission structure, managedBy values, and upgrade flows
Managing sessions and permissions: Real-time handling of parent-initiated permission changes
COPPA 2026 Amendment guide: Compliance implications for AI model training and other non-integral disclosures
Webhooks: Complete guide to webhook implementation and validation
CDK overview: Deeper dive into the compliance engine that powers permission decisions
Pre-launch checklist: Review requirements before going live

What's an AI product in k-ID's model?​

Prerequisites​

Step 1: Configure AI permissions​

Step 2: Collect parental consent and create a session​

Step 3: Gate AI features based on the session​

Build the AI request from the session​

Step 4: Respond to permission changes​

Webhook configuration​

What's next?​