Public API

VeroFlag API documentation

Use the API from trusted server-side systems and agent runtimes to create cases, run checks asynchronously, review candidate matches, monitor subjects, and record permitted decisions.

Quick start

  1. 1. Create an API key in Settings > API.
  2. 2. Choose API client or agent actor type, select scopes, and choose the owner and group scope.
  3. 3. Call GET /api/v1/groups to find the group id for case creation.
  4. 4. Call POST /api/v1/cases with an idempotency key. The response returns a case reference and queued check references immediately.
  5. 5. Poll the case or configure webhooks to receive check completion and review updates.

Authentication

API keys use bearer authentication and are shown only once when created. Store keys in a server-side secret manager and never expose them in browser or mobile clients.

Authorization: Bearer vf_live_...

Public API routes use a fixed window limit of 120 requests per 60 seconds. When the limit is exceeded, VeroFlag returns HTTP 429 with error code rate_limited and a request id for support and audit correlation.

Idempotency and retries

Mutation endpoints require an Idempotency-Key header. Use a stable key from your upstream object, such as a CRM id, case id, check id, or job id. If a network timeout happens, retry with the exact same method, path, body, and idempotency key.

# First attempt times out locally, but may still complete server-side.
curl https://veroflag.com/api/v1/cases \
  -H "Authorization: Bearer $VEROFLAG_API_KEY" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: case-crm-12345" \
  -d @case-request.json

# Retry with the same method, path, body, and Idempotency-Key.
curl https://veroflag.com/api/v1/cases \
  -H "Authorization: Bearer $VEROFLAG_API_KEY" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: case-crm-12345" \
  -d @case-request.json

Workspace admins can view safe per-key request metadata in Settings > API, including method, path, status, timestamp, request id, and whether an idempotency key was present. Request bodies, query strings, and authorization headers are not stored in that request log. This means raw API keys are not stored. Request metadata is retained for 90 days.

Actors and permissions

API keys can represent an API client or an agent actor. Both are first-class actors in the audit trail. Agent keys can create cases, poll checks, review matches, add materials, and enroll monitoring when permitted, but they cannot record final case decisions in the MVP.

cases:createcases:readchecks:readchecks:decidematches:reviewmaterials:writemonitoring:readmonitoring:writeevents:readcase_decisions:write

Agents

Agent keys are intended for supervised workflow automation. Use them to gather evidence, apply deterministic policy steps, and escalate ambiguity. Do not let agents invent a final compliance conclusion or record final case decisions.

1. GET /api/v1/groups
2. POST /api/v1/cases with mode=create_or_reuse and a stable Idempotency-Key
3. Poll GET /api/v1/cases/{case_reference} or wait for check.completed webhooks
4. For each completed check, GET /api/v1/checks/{check_reference}
5. If policy allows, PATCH /api/v1/matches/{match_id}/review
6. If evidence is ambiguous, POST /api/v1/cases/{case_reference}/materials
7. Leave final case decision pending for a human or permitted API client

Read the case object before acting. Use recommended_next_actions and requires_human_review to decide whether to poll, review matches, add materials, or escalate.

When escalating, add a concise material with the reason, uncertainty, and any relevant link. Leave check and case decisions pending unless a permitted human or API client records them.

A markdown agent brief is available at /docs/api/agent-skill.

Endpoint examples

These examples cover every public API endpoint currently exposed. Replace sample references, group ids, and user ids with values from your workspace.

GET/api/v1/groups

List the groups visible to the API key. Use this first when creating a group-scoped case.

POST/api/v1/cases

Create or reuse a subject, create a case, queue checks, and return durable references immediately.

GET/api/v1/cases/{case_reference}

Poll a case for subject details, check lifecycle state, matches, decisions, and recommended next actions.

PATCH/api/v1/cases/{case_reference}/decision

Record the final case decision when explicitly permitted for the API key.

POST/api/v1/cases/{case_reference}/materials

Add case-wide notes and links. Use this for escalation context, reviewer guidance, and integration evidence.

GET/api/v1/cases/{case_reference}/events

Read allowlisted case activity events with stable cursor pagination. Internal audit-only events are not exposed.

GET/api/v1/checks/{check_reference}

Read one check with match evidence and current check decision state.

PATCH/api/v1/checks/{check_reference}/decision

Record a pass, conditional pass, or fail decision for one completed check.

PATCH/api/v1/matches/{match_id}/review

Mark a candidate match as confirmed, not relevant, or pending review.

GET/api/v1/monitoring-configs

List subject monitoring configurations visible to the API key, optionally filtered by subject, status, or latest result.

POST/api/v1/monitoring-configs

Enroll an existing subject for ongoing monitoring, or update the existing subject and group configuration.

PATCH/api/v1/monitoring-configs/{monitoring_config_id}

Update monitoring check types, owner, collaborators, group, or active/paused status.

GET/api/v1/monitoring-configs/{monitoring_config_id}/runs

Read recent monitoring runs, including latest result, counts, snapshot version, and any follow-up case reference.

GET/api/v1/monitoring-configs/{monitoring_config_id}/alerts

Read material changed-match alerts and recommended next actions for a monitoring configuration.

GET /api/v1/groups

List visible groups

Scope: cases:create or cases:read

Idempotency: Not required.

POST /api/v1/cases

Create a case and queue checks

Scope: cases:create

Idempotency: Required. Reuse the same key for safe retries.

GET /api/v1/cases/{case_reference}

Retrieve a case

Scope: cases:read

Idempotency: Not required.

PATCH /api/v1/cases/{case_reference}/decision

Record final case decision

Scope: case_decisions:write plus final-decision permission

Idempotency: Required.

POST /api/v1/cases/{case_reference}/materials

Add case material

Scope: materials:write

Idempotency: Required.

GET /api/v1/cases/{case_reference}/events

List case activity events

Scope: events:read

Idempotency: Not required.

GET /api/v1/checks/{check_reference}

Retrieve a check

Scope: checks:read

Idempotency: Not required.

PATCH /api/v1/checks/{check_reference}/decision

Record check decision

Scope: checks:decide

Idempotency: Required.

PATCH /api/v1/matches/{match_id}/review

Review a candidate match

Scope: matches:review

Idempotency: Required.

GET /api/v1/monitoring-configs

List monitoring configurations

Scope: monitoring:read

Idempotency: Not required.

POST /api/v1/monitoring-configs

Create or update monitoring configuration

Scope: monitoring:write

Idempotency: Required.

PATCH /api/v1/monitoring-configs/{monitoring_config_id}

Update monitoring configuration

Scope: monitoring:write

Idempotency: Required.

GET /api/v1/monitoring-configs/{monitoring_config_id}/runs

List monitoring runs

Scope: monitoring:read

Idempotency: Not required.

GET /api/v1/monitoring-configs/{monitoring_config_id}/alerts

List monitoring alerts

Scope: monitoring:read

Idempotency: Not required.

Webhooks

Configure webhook endpoints in Settings > API. VeroFlag sends signed event payloads when API-created cases, checks, match reviews, monitoring alerts, and decisions change. Public webhook-management endpoints are not exposed yet.

Summary payloads include the workspace, group, and object that changed. Expanded payloads also include event-specific fields such as case references, check references, match ids, decision values, or monitoring alert details.

VeroFlag sends each delivery with VeroFlag-Event-Id, VeroFlag-Delivery-Id, VeroFlag-Timestamp, VeroFlag-Signature, and VeroFlag-Api-Version headers.

Signature base string: <timestamp>.<raw request body>. The HMAC key is the signing secret shown when the endpoint is created or rotated. Reject payloads older than five minutes and use the event id for idempotency.

Delivery is at least once. VeroFlag retries failed deliveries durably from the webhook delivery queue and shows recent delivery status in Settings > API.

Payload example

Signature verification

Error codes

Errors use a consistent envelope with an error code, message, optional details, and request id metadata.

{
  "error": {
    "code": "invalid_request",
    "message": "Case creation request is invalid.",
    "details": {
      "fieldErrors": {
        "subject": [
          "Subject name is required."
        ]
      }
    }
  },
  "meta": {
    "request_id": "req_01HX7Q3A9VY8K2M4N6P0R1S2T3"
  }
}
CodeStatusMeaningRemediation
unauthorized401The bearer API key is missing, invalid, revoked, or expired.Check the Authorization header and rotate the key if needed.
forbidden403The key is valid but lacks the required scope, actor permission, group access, or final-decision permission.Update the key scopes, group scope, or actor permission in Settings > API.
invalid_request400The JSON body, query string, or path parameter is malformed.Validate the payload against the OpenAPI schema and include required headers.
idempotency_conflict409The same Idempotency-Key was reused with a different method, path, or body.Reuse idempotency keys only for exact retries of the same mutation.
conflict409A duplicate or in-progress mutation conflicts with the requested operation.Retry after the in-progress request completes, or fetch the object before retrying.
not_found404The referenced case, check, match, subject, group, or monitoring config is missing or outside the key scope.Confirm the reference and that the API key has access to the relevant group.
unprocessable_entity422The payload is valid JSON but violates a business rule, such as owner membership or required decision notes.Inspect error details, then adjust owner, collaborators, decision notes, or review prerequisites.
rate_limited429The key exceeded the public API request limit.Back off, retry with jitter, and use webhooks instead of tight polling where possible.
source_unavailable503The current source snapshot is missing or stale, so VeroFlag will not create checks that could return false no-match results.Retry after the next successful OpenSanctions source refresh, or subscribe to webhooks and operator status updates.
internal_error500VeroFlag could not complete the request due to an internal error.Retry safely with the same idempotency key for mutations and share the request id with support if it persists.