Building a curp validator — should I use regex or an actual API?

frontend_ivan opened this thread · 2 replies

curp-validator validation RENAPO regex

Question

frontend_ivan Asker

Yo, so I'm adding a curp validator to our sign-up form and I'm trying to figure out the right approach. Right now I'm just using a regex pattern to check the 18-character format, but my PM says that's not enough because users could enter a "valid-looking" CURP that doesn't actually exist.

The CURP structure is: 4 letters (name initials) + 6 digits (DOB) + 1 letter (gender) + 2 letters (state) + 3 consonants + 1 digit (homoclave) + 1 check digit.

My current regex catches format errors, but it can't tell me if:

  • The CURP is actually registered in RENAPO
  • The person's name matches what's on file
  • The CURP has been deactivated or duplicated
  • The state code is valid (there are 32 possible codes)

What do you guys use as a curp validator in production? Is there a good API that does both format validation AND a live database check? I'd rather not maintain my own validation logic if there's a reliable service that handles everything.

We're a small team (3 devs) building a microfinance app. We'd need maybe 500-1000 validations per day during business hours. Latency matters because it's part of the sign-up flow — users will bounce if they have to wait more than a few seconds.

Answers

nancy_fullstack

You definitely want both layers in your curp validator implementation. Here's the approach I recommend:

Layer 1: Client-side format validation (instant)

Keep your regex but enhance it. A proper CURP format validator should check:

  • Exactly 18 characters
  • Positions 1-4 are uppercase letters
  • Positions 5-10 are digits forming a valid date (YYMMDD)
  • Position 11 is H or M (gender)
  • Positions 12-13 are a valid state code (AS, BC, BS, CC, CL, CM, CS, CH, DF, DG, GT, GR, HG, JC, MC, MN, MS, NT, NL, OC, PL, QT, QR, SP, SL, SR, TC, TS, TL, VZ, YN, ZS, NE)
  • Positions 14-16 are consonants
  • Position 17 is a digit or letter (homoclave)
  • Position 18 is the check digit (verifiable via algorithm)

This catches typos and obvious fakes immediately without an API call.

Layer 2: Server-side RENAPO verification (500ms-2s)

After format validation passes, make an API call to a curp validator service that queries RENAPO. This confirms the CURP exists and returns the registered person's data so you can cross-reference with what the user entered.

For your volume (500-1000/day), look at providers on API Pull. Several offer per-query pricing that would be very affordable at that scale. Most curp validator APIs charge between $0.05-$0.15 per verification.

Pro tip: implement the API call asynchronously. Show the user they can proceed while the verification happens in the background. If it fails, flag the account for review rather than blocking sign-up entirely. This way latency doesn't kill your conversion rate.
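
Layer 1 from the answer above, sketched in JavaScript as an added example (not code posted by anyone in this thread). The function names are hypothetical, and two rules are assumptions taken from the commonly documented CURP scheme rather than from this thread: the check-digit weighting, and that a digit in position 17 means a 1900s birth year while a letter means 2000 onward.

```javascript
// Added example, not code from the thread. Format-only check.
// State codes exactly as listed in the answer above.
const STATES = new Set(("AS BC BS CC CL CM CS CH DF DG GT GR HG JC MC MN MS NT NL OC " +
  "PL QT QR SP SL SR TC TS TL VZ YN ZS NE").split(" "));
// Assumed character values for the check digit: value = index in this string.
const ALPHABET = "0123456789ABCDEFGHIJKLMNÑOPQRSTUVWXYZ";

// Assumed algorithm: weight the first 17 characters 18 down to 2, then mod 10.
function curpCheckDigit(first17) {
  let sum = 0;
  for (let i = 0; i < 17; i++) {
    const v = ALPHABET.indexOf(first17[i]);
    if (v < 0) return null; // character outside the CURP alphabet
    sum += v * (18 - i);
  }
  return String((10 - (sum % 10)) % 10);
}

// Returns { ok: true, curp } or { ok: false, reason } so the form can show
// which rule failed.
function validateCurpFormat(input) {
  const curp = String(input).trim().toUpperCase();
  const m = /^([A-Z]{4})(\d{2})(\d{2})(\d{2})([HM])([A-Z]{2})([B-DF-HJ-NP-TV-Z]{3})([0-9A-Z])(\d)$/.exec(curp);
  if (!m) return { ok: false, reason: "pattern" };
  const [, , yy, mm, dd, , state, , homoclave, check] = m;
  // Assumption: digit in position 17 => 1900-1999, letter => 2000 onward.
  const year = (/\d/.test(homoclave) ? 1900 : 2000) + Number(yy);
  const month = Number(mm) - 1;
  const day = Number(dd);
  // Round-trip through Date to reject dates such as 30 February.
  const d = new Date(Date.UTC(year, month, day));
  if (d.getUTCFullYear() !== year || d.getUTCMonth() !== month || d.getUTCDate() !== day)
    return { ok: false, reason: "date" };
  if (!STATES.has(state)) return { ok: false, reason: "state" };
  if (curpCheckDigit(curp.slice(0, 17)) !== check)
    return { ok: false, reason: "check-digit" };
  return { ok: true, curp };
}
```

A pass here only means the string is well-formed; it says nothing about whether the CURP is registered in RENAPO, which is what Layer 2 is for.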

enrique_security

Just want to add a security perspective to Nancy's answer. If you're building a microfinance app, you absolutely need the live database check, not just format validation. Here's why:

A sophisticated fraudster can easily generate a format-valid CURP using the publicly known algorithm. They just need to know the structure rules. Without a RENAPO check, your curp validator would happily accept completely fabricated identities.

Additionally, consider these edge cases a proper curp validator API handles:

  • Duplicate CURPs — RENAPO has known issues with duplicates from the pre-2000 assignment era. A good API flags these
  • Reassigned CURPs — when duplicates are resolved, one party gets a new CURP. The old one becomes invalid
  • Deceased records — you don't want to issue a loan to someone using a dead person's identity
  • Minor status — the DOB in the CURP tells you age, but the API confirms the person hasn't been declared legally incapacitated

For a fintech app specifically, regulators (CNBV, CONDUSEF) expect you to verify identity against authoritative sources. A regex-only curp validator would not satisfy an audit. Invest in a proper API-based solution from the start.
