ShipToVerified

ShipToVerified connects your WooCommerce store with the ShipToVerified service to automate identity verification and adult signature compliance for regulated product shipments. The plugin handles the full verification lifecycle:

• Evaluates whether an order requires adult signature or identity verification based on the customer's shipping destination and cart contents.
• Notifies the ShipToVerified service when a qualifying order is placed.
• Renders a secure identity verification widget on the order confirmation and account pages so the customer can complete verification without leaving your store.
• Receives signed webhook events from ShipToVerified when a customer completes or fails verification, and updates the WooCommerce order record accordingly.
• Gives store administrators a manual verification option and a verification status panel directly inside the WooCommerce order screen.

Who needs this plugin? Retailers that ship age-restricted, regulated, or compliance-sensitive products (such as firearms accessories, tobacco, cannabis, or adult goods) to jurisdictions that require adult signature delivery or government-issued identity verification at the point of purchase. How it works

1. The merchant connects the store to ShipToVerified via an OAuth flow in WooCommerce > ShipToVerified.
2. When a customer reaches the checkout page, the plugin sends the cart's shipping state, order total, and product details to the ShipToVerified API to determine whether the cart requires an adult signature fee or identity verification notice.
3. When the customer places an order and it moves to processing or completed status, the plugin notifies ShipToVerified with the order ID so that a verification requirement can be assigned.
4. On the order confirmation page (and optionally the account order-detail page), the plugin loads an identity verification widget served by ShipToVerified that guides the customer through document capture and liveness checks.
5. Once the customer completes the verification flow, ShipToVerified sends a signed webhook back to the store. The plugin validates the signature, marks the order as verified, and stores the verified name and address in the order meta.

External services This plugin connects to the ShipToVerified API (https://api.shiptoverified.com). A ShipToVerified merchant account is required. Connection is established by the store administrator during initial setup via OAuth. Checkout eligibility check Triggered automatically on the checkout page for every customer session (including guests) while the plugin is active and connected. This call determines whether the current cart requires an adult signature fee or identity verification notice.

• When it runs: on every checkout page load and on each cart update (shipping address change, quantity change, etc.).
• Data sent: customer's shipping state (two-letter US state code), cart grand total, and line items (product ID, product name, quantity, and product category names).
• Why it is sent: ShipToVerified maintains up-to-date jurisdiction rules for regulated products. Sending the cart snapshot allows the service to evaluate applicable state laws without storing a static ruleset inside the plugin.
• Data received: a boolean indicating whether an adult signature fee and/or a verification notice should be displayed.

Order created notification Triggered once per order, when the order status first moves to processing or completed.

• Data sent: WooCommerce order ID and store URL.
• Why it is sent: this tells ShipToVerified to create a verification record linked to the order so it can manage the customer-facing verification flow and track completion.
• Data received: a flag indicating whether the order requires identity verification.

Widget initialization Triggered on the order confirmation page (and optionally the account order-detail page) when an order requires identity verification.

• Data sent: WooCommerce order ID and store URL.
• Why it is sent: ShipToVerified generates a short-lived, single-use widget token scoped to that order so that the verification session cannot be replayed or hijacked.
• Data received: a widget token and a flag confirming verification is required.
• A JavaScript file (/widget.js) is then loaded directly from https://api.shiptoverified.com to render the verification interface. This file is served by the ShipToVerified service and is part of the core service functionality (similar to how payment processors serve their checkout scripts).

Webhook (inbound) ShipToVerified sends a signed POST request to /wp-json/shiptoverified/v1/webhook when a verification event occurs (e.g., customer completes or fails verification, or the verified shipping address changes).

• Supported events: verification.completed, address.updated, address.unverified, address.review_required.
• Data received: event type, event ID, order ID, verification ID, verified customer name, and verified shipping address (or the corrected/failed address for address.updated / address.unverified).
• All webhook payloads are validated with an HMAC-SHA256 signature before processing.
• Each event is idempotent: duplicate event IDs are ignored.

Order data endpoint (inbound) ShipToVerified may request full order details via GET /wp-json/shiptoverified/v1/order/{id} to display order context inside the ShipToVerified merchant dashboard.

• Data returned: order line items, customer name, and shipping address.
• Authentication: requires the store's API key in the X-API-Key header.

Connection management (OAuth) Used once during initial setup and optionally to test or re-establish the connection.

• Data sent: store URL, OAuth authorization code or callback parameters.
• Data received: API key, webhook secret.

By installing, activating, and connecting this plugin, the store administrator consents to the transmission of the above data to ShipToVerified on behalf of the store and its customers, in accordance with the service terms.

• Terms of Service: https://shiptoverified.com/terms
• Privacy Policy: https://shiptoverified.com/privacy

Merchants are responsible for disclosing the use of this service to their customers in their store's privacy policy.

1.1.1

• Webhook handler now supports address.review_required — fired when an address-only verification is sitting on customer interaction (suggestion to accept, candidate list to pick from, or a missing unit/apartment number). The plugin adds a private order note describing what Radar returned and what input is needed, so merchants see the pending state in the WooCommerce order admin without having to check the ShipToVerified dashboard. Note is posted once per order; duplicate event deliveries are ignored via the existing idempotency guard.

1.1.0

• Add support for Radar-powered shipping address validation as a standalone post-checkout flow (separate from ID verification).
• Webhook handler now supports two new events:
• address.updated — fired when the customer accepts a Radar-suggested address or submits a corrected one. The plugin updates the WooCommerce shipping address and adds an order note with the new address.
• address.unverified — fired when Radar cannot validate the shipping address. The plugin adds an order note flagging the order for manual review.
• Widget injection no longer marks the order as _requires_id_verification when the verification flow is address-only. ID-only verifications continue to behave as before.
• Webhook handlers defensively clear _requires_id_verification after a successful address validation so legacy/in-flight orders don't stay tagged as ID-pending.

1.0.0

• Initial public release.