Tour stop 1
The Trust Check Four lines of code, four factors of identity. This is where Polyguard does its work — before we ask the customer to type anything.
What's happening on this page
The page mounts a single client component that dynamically imports @polyguard/sdk and calls client.verify(). On desktop it renders a QR code. On mobile it offers a deep link straight into Polyguard Mobile.
Copy const { PolyguardClient } = await import('@polyguard/sdk');
const client = new PolyguardClient({
appId: process.env.NEXT_PUBLIC_POLYGUARD_APP_ID,
apiServer: 'api.polyguard.ai',
requiredProofs: ['name', 'pg_presence', 'pg_attestation_key_id', 'pg_region'],
scanType: 'multi',
});
const response = await client.verify('pg-qr-target', /* rawJwt */ true);
That's the whole integration on the browser side. The dynamic import() keeps the SDK (and its pre-bundled deps — qrcode, reconnecting-websocket, superagent) out of the initial page chunk and out of SSR.
What Polyguard Mobile does
When the applicant scans the QR (or taps the deep link), Polyguard Mobile runs a fused identity verification — four factors confirmed in a single Trust Check:
Person — 3D depth facial recognition on the applicant's device.
Document — NFC chip verification of the government ID. Not OCR.
Device — Apple AppAttest or Google Play Integrity confirms a real, untampered phone.
Location — GPS plus PG-Presence optical distance bounding confirms the applicant is physically there, in real time.
Biometric data never leaves the device. Beige Bank never sees it. Polyguard never stores it.
How we know the result
The SDK resolves the moment the Trust Check completes, with the full verification bundle — name, document type, region, PG-Presence score, biometric certainty. That data is what powers the next page, where Beige Bank pre-fills its onboarding form so the customer doesn't have to type their name or address.
In parallel, Polyguard's backend posts an AES-256-GCM-encrypted webhook to /api/webhook carrying the signed Transaction Affidavit URL . We poll our own /api/status/:linkUuid for that in the background — the user advances immediately; the affidavit just enriches the compliance record when it arrives.
This split is on purpose: the browser response is fast enough for UX, the webhook is tamper-evident enough for the audit trail.