VeraFi API Access
Access to the VeraFi API is governed through a token-based authentication mechanism. To interact with any protected resource, a client must first authenticate using one of the supported login methods. The API allows users to log in either through traditional password-based authentication or through an OTP-based workflow. In both cases, successful authentication results in the issuance of a session token. This token includes the user’s identity, role assignments, tenant details, and subscription information, and is required for performing operations across most endpoints within the system. Once obtained, the token functions as proof of authorization for subsequent requests.
The VeraFi API accepts authentication tokens in two different ways depending on the endpoint. Some endpoints expect the token to be provided in the Authorization header using the standard bearer format, while others accept the token as a query parameter. The specific requirement varies by endpoint, and clients must ensure that the token is passed in the correct location to avoid authorization errors. Token validation can be performed using the session-checking endpoint, which inspects the token and returns a detailed view of the authenticated session, including user details, assigned roles, tenant information, subscription tier and service, report usage, subscription start and end dates, and the number of days remaining in the subscription. The response also indicates whether the subscription is active, expiring soon, or expired.
Access to password recovery operations is also managed through a secure OTP process. Users may initiate a password reset sequence by requesting an OTP to their registered email address. The OTP must be verified before the user can set a new password. These operations do not require an active session token, enabling recovery even when a user cannot log in.
OTP delivery for login and recovery follows a structured security model. OTPs are transmitted either through email using a configured Gmail sender or via SMS using Twilio. All OTPs have a strict five-minute expiry window. To maintain system integrity and prevent abuse, OTP requests are rate limited to one request every two minutes, and the number of OTP verification attempts is capped at three for each generated code.
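The rules in the paragraph above (five-minute expiry, one request per two minutes, three verification attempts per code) can be modelled as a small in-memory service. The following is an added illustration written for this page, not VeraFi's own code: the recipient keys, the six-digit code format, the SHA-256 storage of the code and the ManualClock test helper are assumptions, and the returned code stands in for the email/SMS delivery step.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

OTP_TTL_SECONDS = 5 * 60           # a code is valid for five minutes after issue
REQUEST_INTERVAL_SECONDS = 2 * 60  # at most one OTP request per recipient every two minutes
MAX_VERIFY_ATTEMPTS = 3            # a code is discarded after three verification attempts


@dataclass
class OtpRecord:
    code_hash: bytes   # only a hash of the code is stored server side (assumed design)
    issued_at: float
    attempts: int = 0


class ManualClock:
    """Deterministic clock for tests; advance by setting .t (seconds)."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


class OtpService:
    """Assumed OTP store enforcing the expiry, request-interval and attempt-cap rules."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._records: Dict[str, OtpRecord] = {}
        self._last_request: Dict[str, float] = {}

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.encode("utf-8")).digest()

    def request(self, recipient: str) -> Optional[str]:
        """Issue a fresh 6-digit code for recipient, or None when the 2-minute interval
        has not elapsed since the last request. A new request replaces any older code."""
        now = self._clock()
        last = self._last_request.get(recipient)
        if last is not None and now - last < REQUEST_INTERVAL_SECONDS:
            return None
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, zero-padded to 6 digits
        self._records[recipient] = OtpRecord(self._hash(code), now)
        self._last_request[recipient] = now
        return code   # in a real deployment this goes to email/SMS, never to the API caller

    def verify(self, recipient: str, candidate: str) -> bool:
        """Return True once for the correct, unexpired code; burn the code after success
        or after MAX_VERIFY_ATTEMPTS guesses, whichever comes first."""
        rec = self._records.get(recipient)
        if rec is None:
            return False
        if self._clock() - rec.issued_at > OTP_TTL_SECONDS:
            del self._records[recipient]          # expired codes are never accepted
            return False
        rec.attempts += 1
        ok = hmac.compare_digest(rec.code_hash, self._hash(candidate))  # constant-time compare
        if ok or rec.attempts >= MAX_VERIFY_ATTEMPTS:
            del self._records[recipient]          # single use, or attempt budget exhausted
        return ok


if __name__ == "__main__":
    svc = OtpService()
    code = svc.request("user@example.com")
    print("verify wrong guess:", svc.verify("user@example.com", "xxxxxx"))
    print("verify real code:", svc.verify("user@example.com", code))
```

Two details matter for detection and abuse resistance: the attempt counter is tied to the generated code rather than to the session, so a fresh request does not reset the count on an old code, and a wrong guess on an expired code is indistinguishable from a wrong guess on a live one.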
Access permissions within the VeraFi API are influenced by user roles and tenant associations. During login, the optional role parameter allows the system to confirm whether a user holds the requested role. Only when this role validation is satisfied will the login succeed. Once authenticated, user privileges determine the scope of accessible data. For example, product owners are permitted to view verification logs across all tenants, while admins and operators are limited to logs belonging to their own tenant. Similarly, access to user-specific verification counts is restricted unless the requester is a product owner.
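The two client-side concerns from the token paragraph above (putting the token where the endpoint expects it, and reading the session-check response) and the tenant scoping described in this paragraph fit together in one small helper. This is an added example for this page, not VeraFi's client or server code: the endpoint paths in TOKEN_LOCATION, the query-parameter name token, the JSON field names in SAMPLE_SESSION_JSON and the role strings product_owner, admin and operator are all assumptions, and the session and log records are constructed samples.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed per-endpoint table of where the token must go ("header" or "query").
TOKEN_LOCATION: Dict[str, str] = {
    "/api/v1/session/check": "header",   # hypothetical path
    "/api/v1/reports/export": "query",   # hypothetical path
}


def place_token(endpoint: str, token: str,
                params: Optional[Dict[str, str]] = None) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (headers, params) with the token in the location the endpoint expects."""
    headers: Dict[str, str] = {}
    query = dict(params or {})
    if TOKEN_LOCATION.get(endpoint, "header") == "header":
        headers["Authorization"] = f"Bearer {token}"
    else:
        query["token"] = token   # assumed parameter name
    return headers, query


# Constructed sample of a session-check response; field names are assumptions.
SAMPLE_SESSION_JSON = {
    "user": {"id": "u-1042", "email": "ops@tenant-a.example"},
    "roles": ["operator"],
    "tenant": {"id": "tenant-a", "name": "Tenant A"},
    "subscription": {
        "tier": "standard", "service": "verification", "report_usage": 37,
        "start": "2025-01-01", "end": "2025-12-31",
        "days_remaining": 12, "status": "active",
    },
}

# Constructed verification-log records from two tenants.
SAMPLE_LOGS = [
    {"id": 1, "tenant_id": "tenant-a", "result": "verified"},
    {"id": 2, "tenant_id": "tenant-b", "result": "rejected"},
    {"id": 3, "tenant_id": "tenant-a", "result": "verified"},
]


@dataclass
class Session:
    user_id: str
    roles: List[str]
    tenant_id: str
    subscription_status: str   # "active", "expiring soon" or "expired"
    days_remaining: int

    @classmethod
    def from_json(cls, doc: dict) -> "Session":
        sub = doc["subscription"]
        return cls(doc["user"]["id"], list(doc["roles"]), doc["tenant"]["id"],
                   sub["status"], int(sub["days_remaining"]))


def visible_logs(session: Session, logs: List[dict]) -> List[dict]:
    """Product owners see every tenant's logs; admins and operators only their own tenant."""
    if "product_owner" in session.roles:
        return list(logs)
    if any(r in ("admin", "operator") for r in session.roles):
        return [entry for entry in logs if entry["tenant_id"] == session.tenant_id]
    return []   # deny by default for any other role


def can_view_user_counts(session: Session) -> bool:
    """User-specific verification counts are restricted to product owners."""
    return "product_owner" in session.roles


if __name__ == "__main__":
    s = Session.from_json(SAMPLE_SESSION_JSON)
    print(place_token("/api/v1/session/check", "example-token"))
    print([e["id"] for e in visible_logs(s, SAMPLE_LOGS)], can_view_user_counts(s))
```

Where an endpoint takes the token as a query parameter, the token becomes part of the URL and so lands in proxy and web-server access logs and browser history; use the header form wherever the endpoint allows it, and make sure log pipelines redact the token query parameter for the endpoints that do not. The tenant filter above is deny-by-default, so a role the page does not name gets nothing rather than its own tenant's data.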
Rate limits apply to all authenticated operations and bound how frequently a client may interact with the platform. Authentication endpoints allow up to five requests per minute from a single IP address, while general API endpoints permit up to one hundred requests per minute per token. These limits ensure consistent and reliable performance across all tenants.
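The two limits above differ in their key: authentication endpoints are counted per source IP, everything else per token. A sliding-window limiter keyed that way, written as an added example for this page (not VeraFi's implementation), looks as follows; the /api/v1/auth/ path prefix, the ManualClock helper and the HTTP status codes used as results are assumptions.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Optional, Tuple

WINDOW_SECONDS = 60
AUTH_LIMIT_PER_IP = 5        # five requests per minute per IP on authentication endpoints
API_LIMIT_PER_TOKEN = 100    # one hundred requests per minute per token elsewhere
AUTH_PREFIX = "/api/v1/auth/"   # hypothetical prefix for login/OTP/recovery endpoints


class ManualClock:
    """Deterministic clock for tests; advance by setting .t (seconds)."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


class SlidingWindowLimiter:
    """Allow at most `limit` hits per key within any `window`-second span."""

    def __init__(self, limit: int, window: float, clock: Callable[[], float]) -> None:
        self._limit, self._window, self._clock = limit, window, clock
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self._clock()
        q = self._hits[key]
        while q and now - q[0] >= self._window:   # drop hits that left the window
            q.popleft()
        if len(q) >= self._limit:
            return False                          # denied hits are not recorded
        q.append(now)
        return True


class ApiGate:
    """Route each request to the limiter that matches the page's rule for its endpoint."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._auth = SlidingWindowLimiter(AUTH_LIMIT_PER_IP, WINDOW_SECONDS, clock)
        self._api = SlidingWindowLimiter(API_LIMIT_PER_TOKEN, WINDOW_SECONDS, clock)

    def check(self, path: str, client_ip: str,
              token: Optional[str] = None) -> Tuple[int, str]:
        """Return (status, reason): 200 to proceed, 401 without a token, 429 when limited."""
        if path.startswith(AUTH_PREFIX):
            if self._auth.allow(client_ip):
                return 200, "ok"
            return 429, f"auth limit {AUTH_LIMIT_PER_IP}/min per IP exceeded"
        if token is None:
            return 401, "token required"
        if self._api.allow(token):
            return 200, "ok"
        return 429, f"api limit {API_LIMIT_PER_TOKEN}/min per token exceeded"


if __name__ == "__main__":
    gate = ApiGate()
    for _ in range(6):   # constructed IP from the documentation range; sixth call is limited
        print(gate.check("/api/v1/auth/login", "203.0.113.7"))
```

Denied requests are deliberately not recorded in the window, so a client that keeps retrying while limited does not extend its own lockout; if the intent is to penalise hammering, record the hit before checking the limit instead.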
/api/v1, and the documented version of the backend API is 2.0.0, with the documentation last updated in October 2025. This versioning structure allows clients to build stable integrations that remain unaffected by future changes.