Guide · 20 June 2026
How to add age verification to an Indian website (2026 guide)
If you run an Indian e-commerce store, a gaming site, or any platform serving age-restricted content, you have probably been told you now need "age verification" or "KYC" — and that your payment gateway may hold funds until you add it. This guide explains what that actually means in 2026, what the law expects, and how to ship a compliant age gate today without hiring a vendor or writing a verification engine yourself.
Why age-gating suddenly matters for Indian sites
Two forces are converging. First, India's IT rules and sector regulators increasingly expect platforms hosting age-restricted goods (alcohol, tobacco, vaping accessories, certain supplements), real-money gaming, and adult or mature content to make a reasonable effort to confirm a visitor's age before granting access. Second, payment gateways enforcing KYC norms have started asking merchants in these categories to demonstrate an age-gating control as a condition of keeping their account in good standing.
The practical upshot: a checkbox that says "I am 18+" is no longer convincing on its own for higher-risk categories. Regulators and gateways want to see a record — proof that a check happened, when, and what the outcome was. That audit trail is the part most home-grown solutions miss.
The three levels of age verification
Not every site needs the same strength of check. In practice there are three tiers:
1. Self-attestation (age confirm)
The visitor affirms they meet the minimum age and consents to the check being recorded. This is the lightest tier, suitable for general mature content. The compliance value comes not from the click itself but from logging the consented attestation with a timestamp.
2. Date-of-birth age derivation
The visitor enters a date of birth; your system computes their age and compares it to the minimum. This is stronger than a checkbox because it forces a specific claim and lets you block under-age dates server-side. Crucially, you should store the derived age number, not the raw date of birth, to minimise the personal data you hold.
3. Document-backed verification (PAN / Aadhaar)
For real-money gaming, alcohol, and other high-risk categories, you validate an identity document. In India the two common documents are PAN and Aadhaar. The right approach is to validate the document's structure and checksum and then mask it — never to store the raw number.
How Aadhaar and PAN validation actually work
You do not need a government API to perform meaningful first-pass document validation, and for data-minimisation reasons you often should not call one unless you truly need authentication against UIDAI.
- PAN follows a fixed pattern: five letters, four digits, one letter (AAAAA9999A). The fourth character encodes the holder type (P for an individual). A regex check rejects the vast majority of mistyped or fake PANs instantly.
- Aadhaar is a 12-digit number whose final digit is a Verhoeff checksum over the first eleven. A random 12-digit string passes the Verhoeff test only about one time in ten, so verifying the checksum is a strong, free integrity filter that catches typos and fabricated numbers.
Both checks run in milliseconds, on your server, without sending the number anywhere. After validation you mask the value — for example XXXXXXXX1234 — and store only the masked form alongside the verification record.
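The two checks and the masking step described above, as an added Python example (not AgeGate Kit's code). The function names, the individual-only PAN default and the choice to mask PAN the same way as Aadhaar are assumptions made for illustration.

```python
import re

# Verhoeff tables: D is multiplication in the dihedral group D5,
# P is the position-dependent permutation (it repeats every 8 digits).
D = [[int(c) for c in row] for row in (
    "0123456789 1234067895 2340178956 3401289567 4012395678 "
    "5987604321 6598710432 7659821043 8765932104 9876543210").split()]
P = [[int(c) for c in row] for row in (
    "0123456789 1576283094 5803796142 8916043527 "
    "9453126870 4286573901 2793806415 7046913258").split()]
PAN_RE = re.compile(r"[A-Z]{5}[0-9]{4}[A-Z]")

def _clean(raw):
    """Drop the spaces and hyphens people type into ID fields; upper-case."""
    return re.sub(r"[\s-]", "", raw).upper()

def verhoeff_valid(number):
    """True if an ASCII digit string (check digit last) passes Verhoeff."""
    if not re.fullmatch(r"[0-9]+", number):
        return False
    c = 0
    for i, ch in enumerate(reversed(number)):
        c = D[c][P[i % 8][int(ch)]]
    return c == 0

def aadhaar_valid(raw):
    """Exactly 12 digits, the last one a valid Verhoeff check digit."""
    digits = _clean(raw)
    return bool(re.fullmatch(r"[0-9]{12}", digits)) and verhoeff_valid(digits)

def pan_valid(raw, individual_only=True):
    """Structural PAN check; by default also require holder type 'P'."""
    pan = _clean(raw)
    if not PAN_RE.fullmatch(pan):
        return False
    return pan[3] == "P" or not individual_only

def mask(value, keep=4):
    """Return e.g. XXXXXXXX1234; call only after validation has passed."""
    v = _clean(value)
    if len(v) <= keep:
        raise ValueError("value too short to mask safely")
    return "X" * (len(v) - keep) + v[-keep:]
```

Only the return value of `mask` should reach the verification record or the application logs; the raw input stays in request scope.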
DPDP and the data-minimisation principle
India's Digital Personal Data Protection (DPDP) Act, 2023 pushes you toward collecting the least personal data necessary. For age-gating that translates into a few concrete rules:
- Store a derived age, not a date of birth, whenever you can.
- Store a masked document reference, never the raw Aadhaar or PAN number.
- Capture explicit consent for the check and log it.
- Hash or truncate technical identifiers like IP addresses rather than keeping them raw.
- Have a deletion path for verification records on request.
Get this wrong and your "compliance" feature becomes a liability — a database of raw identity numbers is exactly what DPDP is designed to discourage.
What an auditable consent log should contain
When a regulator or payment gateway asks you to prove your age-gating works, you want to hand over a clean export. A good per-verification record includes:
- A unique verification id and a UTC timestamp.
- The method used (confirm, date of birth, PAN, or Aadhaar).
- The outcome (pass or fail) and the minimum age enforced.
- The derived age, where applicable.
- A masked document reference, where applicable.
- A consent flag and the page the check occurred on.
Notice what is absent: no raw document number, no date of birth, no visitor name. That is the point. The log proves a compliant check happened without itself becoming a sensitive data store.
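A sketch of the date-of-birth tier producing the kind of record listed above, as an added Python example (not AgeGate Kit's code). The field names, the `IP_HASH_KEY` secret and the keyed, truncated IP hash are assumptions chosen to match the data-minimisation rules in the DPDP section.

```python
import hashlib
import hmac
import uuid
from datetime import date, datetime, timezone

# Assumption: a server-side secret kept outside the log store.
IP_HASH_KEY = b"constructed-demo-key"

def derive_age(dob, today):
    """Whole years from dob to today (29 Feb birthdays turn over on 1 Mar)."""
    if dob > today:
        raise ValueError("date of birth is in the future")
    before_birthday = (today.month, today.day) < (dob.month, dob.day)
    return today.year - dob.year - before_birthday

def hash_ip(ip):
    """Keyed, truncated hash so the raw address never reaches the log."""
    return hmac.new(IP_HASH_KEY, ip.encode(), hashlib.sha256).hexdigest()[:16]

def dob_check_record(dob, min_age, consent, page, ip, now=None):
    """Run the check server-side and return the row to store.

    The date of birth is used for the comparison and then discarded;
    only the derived age is written to the record.
    """
    if not consent:
        raise PermissionError("consent is required before the check is logged")
    now = now or datetime.now(timezone.utc)
    age = derive_age(dob, now.date())
    return {
        "verification_id": str(uuid.uuid4()),
        "timestamp_utc": now.isoformat(),
        "method": "dob",
        "outcome": "pass" if age >= min_age else "fail",
        "min_age": min_age,
        "derived_age": age,
        "masked_document": None,  # filled only for PAN / Aadhaar checks
        "consent": True,
        "page": page,
        "ip_hash": hash_ip(ip),
    }
```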
Build vs buy: the honest trade-off
You can build all of this yourself — a modal, a server endpoint, the Verhoeff algorithm, a consent table, and a CSV exporter. It is a few days of engineering plus ongoing maintenance, and you carry the data-handling risk. Heavyweight global KYC vendors solve the verification problem but are priced for enterprises, speak the wrong compliance language for India, and take weeks to integrate.
The middle path is a purpose-built, India-first widget that installs in one line and gives you the audit trail out of the box.
Installing a compliant age gate in one line
AgeGate Kit packages everything above into a single embeddable snippet. You create a site key, choose a minimum age, and paste:
<script
src="https://agegate.aiskillhub.info/v1/agegate.js"
data-site-key="agk_your_key"
data-min-age="18"
data-mode="dob"></script>
That renders an accessible modal over your page, runs the check server-side, writes the consent log, and remembers verified visitors for 30 days. On paid plans you add PAN/Aadhaar document checks and a one-click CSV compliance export. It works on plain HTML, Shopify, WordPress, and custom stacks — no build step.
Frequently asked questions
Does an age-confirm checkbox satisfy the rules?
For low-risk mature content, a logged, consented attestation is often a reasonable control. For alcohol, tobacco, and real-money gaming, expect to need date-of-birth or document-backed checks. The deciding factor is usually your category and your payment gateway's stance.
Will this slow down my site?
The snippet is a few kilobytes and loads asynchronously. The check only blocks the gated page, and a pass is cached in the browser so repeat visitors are not re-prompted.
Is this legal advice?
No. AgeGate Kit gives you the tooling and the audit trail; you remain responsible for your own compliance posture. But having a logged, exportable record of consented age checks puts you in a far stronger position than a bare checkbox.
Add a compliant age gate today
Free tier covers 50 verifications a month. No card required.