Add-on XYZ Age Verify — Age Gate Add-on

Mark_Smith_XYZ

I'm building an age verification add-on for XenForo and would love feedback from the community. The add-on makes use of an age verification service that I built for my own sites because OFCOM came after me threatening fines. I decided to build it as a multi-tenant SaaS service from the beginning. My website is XYZinc.com if you would like to check things out a bit.

What It Does
XYZ Age Verify adds a proper age gate to your forum that uses biometric face verification — not just a "click yes I'm 18" button. When a visitor from a regulated region hits your forum, they're presented with a verification screen before they can access any content. Once verified, they never have to do it again.


How It Works

Early request interception — The add-on hooks into dispatcher_pre_dispatch so the age check happens before any page renders. There's no way for an unverified visitor to see gated content, even momentarily.

Region-based rules — You configure which countries and states require verification, right from the XenForo Admin CP. Rules are hierarchical (country-level or state/province-level) and support three actions:
  • Verify — Visitor must complete age verification
  • Allow — No verification needed for this region
  • Block — Content is completely blocked (with a custom message)
Region detection uses Cloudflare's geolocation headers (CF-IPCountry, CF-Region-Code), so there's zero latency added for geo lookup. (Must be running your forum behind Cloudflare!)

Two verification tiers:
  • Tier 1 — Face liveness check with minor probability assessment. Fast, low friction. Suitable for most jurisdictions.
  • Tier 2 — Full ID document scan with face matching. Required where regulations demand government ID verification.
Your regional rules control which tier is used and whether fallback between tiers is allowed.

QR code + on-device verification — The age gate page gives visitors two options:
1. Scan a QR code with their phone to verify on mobile
2. Click "Verify on This Device" to open a verification popup
The page polls in the background and automatically redirects once verification completes — no manual refresh needed.

Returning Members
Verified visitors get an HMAC-signed cookie so they're never asked again on that device. But the real value is for registered members:
  • Login bypass — If a verified member hits the age gate on a new device, they can log in directly from the gate page and skip re-verification entirely (saving you a verification credit).
  • Automatic account stamping — If someone verifies anonymously and then registers an account (or logs into an existing one), their member record is automatically marked as verified. This means they won't need to re-verify if they log in from another device later.
  • Persistent verification — The xf_user table is extended with verification metadata (verified_at, verification_method, verification_tier). A verified member is verified forever — they're only getting older.

Admin CP Integration
  • Options page — API URL, API key, fail-open/fail-closed behavior, test mode toggle, logged-in member exemption
  • Region management — Full CRUD for regional rules (add, edit, delete) with configurable age thresholds, tier requirements, low-risk skip options, and priority ordering
  • Cookie signing key — Automatically fetched from the API and displayed read-only in settings

Test Mode
You can test the age gate without being in a regulated region by appending ?reg=XX-YY to any URL (where XX is a country code and YY is a state code matching one of your configured regions). Test mode is toggled on/off from the Admin CP options.


Security
  • API key never reaches the browser — all API communication is server-side
  • HMAC-SHA256 signed cookies prevent forgery
  • CSRF protection on all POST endpoints
  • Input validation on all controller actions
  • Admin routes require admin authentication
  • Session IDs are regex-validated before any API calls



What I'd Like Feedback On
1. Path-based gating — Would it be useful to only age-gate specific sections of your forum (e.g., certain node paths or route prefixes) rather than the entire site? I've been thinking about this but want to gauge interest before building it.

2. Member exemption — Currently there's an option to exempt all logged-in members from the age gate. Is that sufficient, or would you want more granular control (e.g., by user group)?

3. What regions matter to you? — The system can be pre-populated with region rules for the major jurisdictions, but I'm curious which specific countries/states you'd need on day one.

4. AgeKey integration — I'm planning to add support for AgeKey (a reusable age credential) so returning visitors across multiple sites wouldn't need to re-verify each time. Is this something that would matter to your community?

5. Anything else? — Features, concerns, deal-breakers — I'd rather hear them now than after launch.

Thanks for reading. Happy to answer any questions about how it works under the hood.

Pricing
The add-on will be free. Lower traffic sites will purchase verification credit packs. Pricing to be determined. At low volumes (~100 verifications/month) a Tier 1 facial scan would be priced at the equivalent of $0.05US. Tier 2 would be $0.15US.
High-traffic sites would be best off signing up as SaaS customers.

I have a demo site up and running with the beta version in "test mode". I have created a fake region of ZZ-01 for testing. The API is live and doing real verifications.

The age gate page looks like this:

[Image: age-gate.webp]


And you can manage all of your regional rules:
manage-regions.webp
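Added example, not part of the original post and not the add-on's code: a sketch of the hierarchical region lookup described under "Region-based rules", including the `?reg=XX-YY` test override. The rule table, the `resolveAction` function, the `$fromCloudflare` flag, the "allow" default for unlisted regions and the "verify" default for unknown location are all assumptions.

```php
<?php
// Added illustration, not the add-on's code. The rule table, function name and
// the $fromCloudflare flag are assumptions; all sample values are constructed.
const RULES = [
    'GB'    => 'verify',   // country-level rule
    'US'    => 'allow',
    'US-TX' => 'verify',   // state-level rule, more specific than 'US'
    'ZZ-01' => 'block',
];

/**
 * Pick the action for one request.
 * $fromCloudflare must be decided by the caller from the connecting peer
 * address; CF-* headers arriving from any other peer are client-supplied.
 */
function resolveAction(array $server, array $query, bool $fromCloudflare,
                       bool $testMode, string $onUnknown = 'verify'): string
{
    $country = $region = '';
    $reg = $query['reg'] ?? '';
    if ($testMode && is_string($reg) && preg_match('/^([A-Z]{2})-([A-Z0-9]{1,3})$/', $reg, $m)) {
        [, $country, $region] = $m;          // ?reg=XX-YY is honoured in test mode only
    } elseif ($fromCloudflare) {
        $country = strtoupper($server['HTTP_CF_IPCOUNTRY'] ?? '');
        $region  = strtoupper($server['HTTP_CF_REGION_CODE'] ?? '');
    }
    // Missing header, Cloudflare's "XX" (unknown) and "T1" (Tor) carry no location.
    if (!preg_match('/^[A-Z]{2}$/', $country) || $country === 'XX') {
        return $onUnknown;
    }
    // Most specific rule wins: state/province, then country, then default allow.
    return RULES[$country . '-' . $region] ?? RULES[$country] ?? 'allow';
}

$texas = ['HTTP_CF_IPCOUNTRY' => 'US', 'HTTP_CF_REGION_CODE' => 'TX'];
foreach ([
    'Texas via Cloudflare'      => resolveAction($texas, [], true, false),
    'same headers, direct peer' => resolveAction($texas, [], false, false),
    '?reg=ZZ-01 with test mode' => resolveAction([], ['reg' => 'ZZ-01'], true, true),
    '?reg=US-CA, test mode off' => resolveAction($texas, ['reg' => 'US-CA'], true, false),
] as $case => $action) {
    echo str_pad($case, 30), $action, PHP_EOL;
}
```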
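Added example, not part of the original post and not the add-on's code: one way an HMAC-SHA256 signed verification cookie like the one described under "Returning Members" can be issued and checked. The `payload.mac` layout, the claim names `verified_at` and `tier`, the function names and the demo key are assumptions.

```php
<?php
// Added illustration, not the add-on's code. The cookie layout ("payload.mac"),
// claim names and key are assumptions; the key is a constructed demo value.
const DEMO_KEY = 'constructed-demo-key-not-a-real-secret';

/** Serialise the claims and append HMAC-SHA256(key, payload) as hex. */
function issueCookie(array $claims, string $key): string
{
    $payload = base64_encode(json_encode($claims));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

/** Return the claims when the MAC checks out, null for anything else. */
function verifyCookie(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;                              // malformed value
    }
    [$payload, $mac] = $parts;
    // hash_equals() compares in constant time, so timing does not reveal how
    // much of a guessed MAC was correct. Never use == or strcmp() here.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    // Decode only after the MAC check, so unauthenticated bytes never reach the parser.
    $json   = base64_decode($payload, true);
    $claims = $json === false ? null : json_decode($json, true);
    if (!is_array($claims) || !isset($claims['verified_at'], $claims['tier'])) {
        return null;
    }
    return $claims;
}

$good = issueCookie(['verified_at' => 1700000000, 'tier' => 1], DEMO_KEY);
// Same MAC, but the payload now claims tier 2.
$tampered = base64_encode(json_encode(['verified_at' => 1700000000, 'tier' => 2]))
          . strstr($good, '.');
var_dump(verifyCookie($good, DEMO_KEY));          // genuine cookie
var_dump(verifyCookie($tampered, DEMO_KEY));      // payload altered after signing
var_dump(verifyCookie($good, 'different-key'));   // key mismatch
var_dump(verifyCookie('not-a-cookie', DEMO_KEY)); // no separator
```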