GET /api/v1/groups
List visible groups
Scope: cases:create or cases:read
Idempotency: Not required.
Public API
Use the API from trusted server-side systems and agent runtimes to create cases, run checks asynchronously, review candidate matches, monitor subjects, and record permitted decisions.
GET /api/v1/groups to find the group id for case creation.POST /api/v1/cases with an idempotency key. The response returns a case reference and queued check references immediately.API keys use bearer authentication and are shown only once when created. Store keys in a server-side secret manager and never expose them in browser or mobile clients.
Authorization: Bearer vf_live_...Public API routes use a fixed window limit of 120 requests per 60 seconds. When the limit is exceeded, VeroFlag returns HTTP 429 with error code rate_limited and a request id for support and audit correlation.
Mutation endpoints require an Idempotency-Key header. Use a stable key from your upstream object, such as a CRM id, case id, check id, or job id. If a network timeout happens, retry with the exact same method, path, body, and idempotency key.
# First attempt times out locally, but may still complete server-side.
curl https://veroflag.com/api/v1/cases \
-H "Authorization: Bearer $VEROFLAG_API_KEY" \
-H "Content-Type: application/json" \
-H "Idempotency-Key: case-crm-12345" \
-d @case-request.json
# Retry with the same method, path, body, and Idempotency-Key.
curl https://veroflag.com/api/v1/cases \
-H "Authorization: Bearer $VEROFLAG_API_KEY" \
-H "Content-Type: application/json" \
-H "Idempotency-Key: case-crm-12345" \
-d @case-request.jsonWorkspace admins can view safe per-key request metadata in Settings > API, including method, path, status, timestamp, request id, and whether an idempotency key was present. Request bodies, query strings, and authorization headers are not stored in that request log. This means raw API keys are not stored. Request metadata is retained for 90 days.
API keys can represent an API client or an agent actor. Both are first-class actors in the audit trail. Agent keys can create cases, poll checks, review matches, add materials, and enroll monitoring when permitted, but they cannot record final case decisions in the MVP.
Agent keys are intended for supervised workflow automation. Use them to gather evidence, apply deterministic policy steps, and escalate ambiguity. Do not let agents invent a final compliance conclusion or record final case decisions.
1. GET /api/v1/groups
2. POST /api/v1/cases with mode=create_or_reuse and a stable Idempotency-Key
3. Poll GET /api/v1/cases/{case_reference} or wait for check.completed webhooks
4. For each completed check, GET /api/v1/checks/{check_reference}
5. If policy allows, PATCH /api/v1/matches/{match_id}/review
6. If evidence is ambiguous, POST /api/v1/cases/{case_reference}/materials
7. Leave final case decision pending for a human or permitted API clientRead the case object before acting. Use recommended_next_actions and requires_human_review to decide whether to poll, review matches, add materials, or escalate.
When escalating, add a concise material with the reason, uncertainty, and any relevant link. Leave check and case decisions pending unless a permitted human or API client records them.
A markdown agent brief is available at /docs/api/agent-skill.
These examples cover every public API endpoint currently exposed. Replace sample references, group ids, and user ids with values from your workspace.
/api/v1/groupsList the groups visible to the API key. Use this first when creating a group-scoped case.
/api/v1/casesCreate or reuse a subject, create a case, queue checks, and return durable references immediately.
/api/v1/cases/{case_reference}Poll a case for subject details, check lifecycle state, matches, decisions, and recommended next actions.
/api/v1/cases/{case_reference}/decisionRecord the final case decision when explicitly permitted for the API key.
/api/v1/cases/{case_reference}/materialsAdd case-wide notes and links. Use this for escalation context, reviewer guidance, and integration evidence.
/api/v1/cases/{case_reference}/eventsRead allowlisted case activity events with stable cursor pagination. Internal audit-only events are not exposed.
/api/v1/checks/{check_reference}Read one check with match evidence and current check decision state.
/api/v1/checks/{check_reference}/decisionRecord a pass, conditional pass, or fail decision for one completed check.
/api/v1/matches/{match_id}/reviewMark a candidate match as confirmed, not relevant, or pending review.
/api/v1/monitoring-configsList subject monitoring configurations visible to the API key, optionally filtered by subject, status, or latest result.
/api/v1/monitoring-configsEnroll an existing subject for ongoing monitoring, or update the existing subject and group configuration.
/api/v1/monitoring-configs/{monitoring_config_id}Update monitoring check types, owner, collaborators, group, or active/paused status.
/api/v1/monitoring-configs/{monitoring_config_id}/runsRead recent monitoring runs, including latest result, counts, snapshot version, and any follow-up case reference.
/api/v1/monitoring-configs/{monitoring_config_id}/alertsRead material changed-match alerts and recommended next actions for a monitoring configuration.
GET /api/v1/groups
Scope: cases:create or cases:read
Idempotency: Not required.
POST /api/v1/cases
Scope: cases:create
Idempotency: Required. Reuse the same key for safe retries.
GET /api/v1/cases/{case_reference}
Scope: cases:read
Idempotency: Not required.
PATCH /api/v1/cases/{case_reference}/decision
Scope: case_decisions:write plus final-decision permission
Idempotency: Required.
POST /api/v1/cases/{case_reference}/materials
Scope: materials:write
Idempotency: Required.
GET /api/v1/cases/{case_reference}/events
Scope: events:read
Idempotency: Not required.
GET /api/v1/checks/{check_reference}
Scope: checks:read
Idempotency: Not required.
PATCH /api/v1/checks/{check_reference}/decision
Scope: checks:decide
Idempotency: Required.
PATCH /api/v1/matches/{match_id}/review
Scope: matches:review
Idempotency: Required.
GET /api/v1/monitoring-configs
Scope: monitoring:read
Idempotency: Not required.
POST /api/v1/monitoring-configs
Scope: monitoring:write
Idempotency: Required.
PATCH /api/v1/monitoring-configs/{monitoring_config_id}
Scope: monitoring:write
Idempotency: Required.
GET /api/v1/monitoring-configs/{monitoring_config_id}/runs
Scope: monitoring:read
Idempotency: Not required.
GET /api/v1/monitoring-configs/{monitoring_config_id}/alerts
Scope: monitoring:read
Idempotency: Not required.
Configure webhook endpoints in Settings > API. VeroFlag sends signed event payloads when API-created cases, checks, match reviews, monitoring alerts, and decisions change. Public webhook-management endpoints are not exposed yet.
Summary payloads include the workspace, group, and object that changed. Expanded payloads also include event-specific fields such as case references, check references, match ids, decision values, or monitoring alert details.
VeroFlag sends each delivery with VeroFlag-Event-Id, VeroFlag-Delivery-Id, VeroFlag-Timestamp, VeroFlag-Signature, and VeroFlag-Api-Version headers.
Signature base string: <timestamp>.<raw request body>. The HMAC key is the signing secret shown when the endpoint is created or rotated. Reject payloads older than five minutes and use the event id for idempotency.
Delivery is at least once. VeroFlag retries failed deliveries durably from the webhook delivery queue and shows recent delivery status in Settings > API.
Errors use a consistent envelope with an error code, message, optional details, and request id metadata.
{
"error": {
"code": "invalid_request",
"message": "Case creation request is invalid.",
"details": {
"fieldErrors": {
"subject": [
"Subject name is required."
]
}
}
},
"meta": {
"request_id": "req_01HX7Q3A9VY8K2M4N6P0R1S2T3"
}
}| Code | Status | Meaning | Remediation |
|---|---|---|---|
| unauthorized | 401 | The bearer API key is missing, invalid, revoked, or expired. | Check the Authorization header and rotate the key if needed. |
| forbidden | 403 | The key is valid but lacks the required scope, actor permission, group access, or final-decision permission. | Update the key scopes, group scope, or actor permission in Settings > API. |
| invalid_request | 400 | The JSON body, query string, or path parameter is malformed. | Validate the payload against the OpenAPI schema and include required headers. |
| idempotency_conflict | 409 | The same Idempotency-Key was reused with a different method, path, or body. | Reuse idempotency keys only for exact retries of the same mutation. |
| conflict | 409 | A duplicate or in-progress mutation conflicts with the requested operation. | Retry after the in-progress request completes, or fetch the object before retrying. |
| not_found | 404 | The referenced case, check, match, subject, group, or monitoring config is missing or outside the key scope. | Confirm the reference and that the API key has access to the relevant group. |
| unprocessable_entity | 422 | The payload is valid JSON but violates a business rule, such as owner membership or required decision notes. | Inspect error details, then adjust owner, collaborators, decision notes, or review prerequisites. |
| rate_limited | 429 | The key exceeded the public API request limit. | Back off, retry with jitter, and use webhooks instead of tight polling where possible. |
| source_unavailable | 503 | The current source snapshot is missing or stale, so VeroFlag will not create checks that could return false no-match results. | Retry after the next successful OpenSanctions source refresh, or subscribe to webhooks and operator status updates. |
| internal_error | 500 | VeroFlag could not complete the request due to an internal error. | Retry safely with the same idempotency key for mutations and share the request id with support if it persists. |