API REFERENCE

VeriBureau API

Base URL: https://veribureau.net/api/v1

Version 0.3.0. All responses are JSON. Authenticated endpoints require the X-VB-API-Key header.

OpenAPI Specification

Machine-readable API documentation. Import into Postman, Insomnia, or any OpenAPI-compatible tool.

Download openapi.json

Public Endpoints

GET/health

Service health and version check.

curl https://veribureau.net/health

{
  "status": "ok",
  "service": "VeriBureau API",
  "version": "0.3.0",
  "axioms": {
    "one": "No proof — no review",
    "two": "Weight = f(history)",
    "three": "Every event is immutable"
  }
}

GET/stats

Platform-wide statistics. Cached for 5 minutes.

curl https://veribureau.net/api/v1/stats

{"businesses": 3, "reviews": 3, "countries": 1}

GET/businesses/:slug

Public business profile including Trust Score, trend, review count.

curl https://veribureau.net/api/v1/businesses/your-business

{
  "id": "b19a3114-...",
  "name": "Your Business",
  "slug": "your-business",
  "industry": "TELECOM",
  "country": "UA",
  "city": "Odesa",
  "cbs": 72.5,
  "trend": "UP",
  "reviewCount": 15,
  "responseRate": 80,
  "certificationStatus": "NONE",
  "createdAt": "2025-12-01T..."
}

GET/businesses/:slug/badge

Dynamic SVG trust badge. Embed on your website.

Query parameters:

size — micro | standard (default) | detailed | banner

theme — light (default) | dark

# Standard badge
<img src="https://veribureau.net/api/v1/businesses/your-business/badge" height="56" />

# Micro badge, dark theme
<img src="https://veribureau.net/api/v1/businesses/your-business/badge?size=micro&theme=dark" height="32" />

# Detailed badge with review count
<img src="https://veribureau.net/api/v1/businesses/your-business/badge?size=detailed" height="72" />

GET/reviews/business/:slug

All published reviews for a business, newest first.

curl https://veribureau.net/api/v1/reviews/business/your-business

{
  "business": {"name": "Your Business", "cbs": 72.5},
  "reviews": [
    {
      "id": "r1a2b3c4-...",
      "overallScore": 85,
      "text": "Excellent service, fast delivery.",
      "weight": 0.354,
      "industryScores": {"Delivery Speed": 90, "Support": 80},
      "response": {
        "text": "Thank you for your feedback!",
        "createdAt": "2026-01-15T..."
      },
      "createdAt": "2026-01-14T..."
    }
  ]
}

GET/tokens/:token/verify

Check if a Proof Token is valid and unused.

curl https://veribureau.net/api/v1/tokens/VB-M5X2K-A8B3CD/verify

# Valid token:
{"valid": true, "business": {"name": "...", "industry": "IT"}}

# Used token:
{"valid": false, "reason": "Token already used"}

# Expired token:
{"valid": false, "reason": "Token expired"}

# Not found:
{"valid": false, "reason": "Token not found"}

GET/tokens/:token/qr

QR code for review link (SVG). Also available as PNG at /qr.png

# SVG (scalable)
<img src="https://veribureau.net/api/v1/tokens/VB-M5X2K-A8B3CD/qr" width="200" />

# PNG (raster)
<img src="https://veribureau.net/api/v1/tokens/VB-M5X2K-A8B3CD/qr.png" width="200" />

GET/audit/verify

Verify cryptographic audit chain integrity. Save the rootHash — if it changes retroactively, the chain was tampered with.

curl https://veribureau.net/api/v1/audit/verify

{
  "rootHash": "8b8c530b3ef2cf4f...",
  "totalRecords": 22,
  "lastId": 22,
  "valid": true,
  "timestamp": "2026-03-02T...",
  "axiom": "Every event is an immutable fact",
  "instruction": "Save this hash. If it ever changes retroactively, the chain has been tampered with."
}

Authenticated Endpoints

Include your API key in the X-VB-API-Key header.

POST/businesses/registerAUTH

curl -X POST https://veribureau.net/api/v1/businesses/register \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Acme Corp",
    "slug": "acme-corp",
    "industry": "IT",
    "country": "US",
    "email": "admin@acme.com",
    "city": "New York",
    "website": "https://acme.com"
  }'

# Response:
{"pending": true, "message": "Verification code sent to your email"}

# Then verify:
curl -X POST https://veribureau.net/api/v1/businesses/verify-registration \
  -H "Content-Type: application/json" \
  -d '{"email": "admin@acme.com", "code": "123456"}'

# Response:
{
  "id": "...",
  "name": "Acme Corp",
  "slug": "acme-corp",
  "apiKey": "vb_live_...",
  "message": "Save your API key. It will not be shown again."
}

Required fields: name, slug, industry, country, email. Optional: city, website, description. Valid industries: see protocol page.

POST/businesses/authAUTH

Authenticate with API key. Returns business profile and token stats.

curl -X POST https://veribureau.net/api/v1/businesses/auth \
  -H "X-VB-API-Key: vb_live_your_key_here"

{
  "id": "...",
  "name": "Acme Corp",
  "slug": "acme-corp",
  "industry": "IT",
  "cbs": 72.5,
  "trend": "UP",
  "reviewCount": 15,
  "stats": {
    "tokens": {"total": 45, "active": 12, "used": 28, "expired": 5}
  }
}

PUT/businesses/profileAUTH

Update business description, website, or city.

curl -X PUT https://veribureau.net/api/v1/businesses/profile \
  -H "Content-Type: application/json" \
  -H "X-VB-API-Key: vb_live_your_key_here" \
  -d '{"description": "We build fiber networks.", "website": "https://acme.com"}'

{"updated": true}

POST/tokens/generateAUTH

Generate one or more Proof Tokens.

curl -X POST https://veribureau.net/api/v1/tokens/generate \
  -H "Content-Type: application/json" \
  -H "X-VB-API-Key: vb_live_your_key_here" \
  -d '{"count": 5, "source": "API"}'

{
  "tokens": ["VB-M5X2K-A8B3CD", "VB-N7Y3L-B9C4DE", ...],
  "reviewUrls": ["https://veribureau.com/review?token=VB-M5X2K-A8B3CD", ...]
}

count: 1-100 (default 1). source: “API” | “DASHBOARD”.

POST/tokens/sendAUTH

Generate token + send branded review invitation email to customer.

curl -X POST https://veribureau.net/api/v1/tokens/send \
  -H "Content-Type: application/json" \
  -H "X-VB-API-Key: vb_live_your_key_here" \
  -d '{
    "customerEmail": "john@example.com",
    "customerName": "John",
    "orderRef": "ORD-2026-001"
  }'

{
  "tokenId": "VB-M5X2K-A8B3CD",
  "sent": true,
  "reviewUrl": "https://veribureau.com/review?token=VB-M5X2K-A8B3CD"
}

Required: customerEmail. Optional: customerName, orderRef.

GET/tokens/listAUTH

List all tokens for your business with status and metadata.

curl https://veribureau.net/api/v1/tokens/list \
  -H "X-VB-API-Key: vb_live_your_key_here"

{
  "tokens": [
    {
      "token": "VB-M5X2K-A8B3CD",
      "status": "ACTIVE",
      "source": "EMAIL",
      "expiresAt": "2026-06-01T...",
      "createdAt": "2026-03-02T..."
    }
  ]
}

POST/reviews/:reviewId/respondAUTH

Respond to a customer review. One response per review.

curl -X POST https://veribureau.net/api/v1/reviews/r1a2b3c4-.../respond \
  -H "Content-Type: application/json" \
  -H "X-VB-API-Key: vb_live_your_key_here" \
  -d '{"text": "Thank you for your feedback. We are glad you had a great experience."}'

{"response": {"id": "...", "text": "...", "createdAt": "..."}}

POST/disputesAUTH

File a dispute against a review you believe violates guidelines.

curl -X POST https://veribureau.net/api/v1/disputes \
  -H "Content-Type: application/json" \
  -H "X-VB-API-Key: vb_live_your_key_here" \
  -d '{
    "reviewId": "r1a2b3c4-...",
    "reason": "FACTUAL_ERROR",
    "details": "The reviewer claims we delivered late, but tracking shows on-time delivery."
  }'

{"dispute": {"id": "...", "status": "OPEN", "createdAt": "..."}}

Valid reasons: FACTUAL_ERROR, NOT_A_CUSTOMER, HARASSMENT, SPAM, OTHER.

POST/apikey/rotateAUTH

Rotate your API key. The old key becomes invalid immediately.

curl -X POST https://veribureau.net/api/v1/apikey/rotate \
  -H "X-VB-API-Key: vb_live_your_current_key"

{
  "apiKey": "vb_live_new_key_here...",
  "message": "Save your new API key. The old key is now invalid."
}

POST/verify/domain/startAUTH

Start DNS domain verification. Generates a unique TXT record value for your domain.

curl -X POST https://veribureau.net/api/v1/verify/domain/start \
  -H "X-VB-API-Key: vb_live_your_key_here"

{
  "domain": "yourdomain.com",
  "records": {
    "required": {
      "type": "TXT",
      "name": "yourdomain.com",
      "value": "veribureau-verify=b19a3114-a1b2c3d4e5f6g7h8",
      "purpose": "Domain ownership verification (required)"
    },
    "optional": [
      {
        "type": "TXT",
        "name": "_veribureau.yourdomain.com",
        "value": "v=vb1; id=your-business; status=verified",
        "purpose": "Protocol declaration — like DMARC for trust",
        "badge": "PROTOCOL_DECLARED"
      },
      {
        "type": "TXT",
        "name": "yourdomain.com",
        "value": "veribureau-profile=https://veribureau.com/biz/your-business",
        "purpose": "Public link to your verified profile",
        "badge": "PROFILE_PUBLISHED"
      }
    ]
  }
}

Requires website to be set via PUT /businesses/profile first. Optional records increase your certification level.

POST/verify/domain/checkAUTH

Verify DNS records. Checks ownership, protocol declaration, and profile link.

curl -X POST https://veribureau.net/api/v1/verify/domain/check \
  -H "X-VB-API-Key: vb_live_your_key_here"

{
  "domain": "yourdomain.com",
  "verified": true,
  "certificationStatus": "CERTIFIED",
  "badges": ["DOMAIN_VERIFIED", "PROTOCOL_DECLARED", "PROFILE_PUBLISHED", "FULLY_CERTIFIED"],
  "checks": {
    "domainOwnership": {"status": "PASS"},
    "protocolDeclaration": {"status": "PASS", "voluntary": true},
    "profileLink": {"status": "PASS", "voluntary": true}
  },
  "logoUrl": "https://www.google.com/s2/favicons?domain=yourdomain.com&sz=128"
}

GET/verify/domain/statusAUTH

Current domain verification status and DNS records to add.

curl https://veribureau.net/api/v1/verify/domain/status \
  -H "X-VB-API-Key: vb_live_your_key_here"

{
  "domain": "yourdomain.com",
  "domainVerified": true,
  "domainVerifiedAt": "2026-03-02T...",
  "certificationStatus": "DOMAIN_VERIFIED",
  "badges": ["DOMAIN_VERIFIED"],
  "logoUrl": "..."
}

GET/verify/domain/lookup/:domain

Public endpoint. Check if any domain has VeriBureau DNS records.

curl https://veribureau.net/api/v1/verify/domain/lookup/example.com

# Domain with VeriBureau:
{
  "domain": "example.com",
  "hasVeriBureau": true,
  "protocolVersion": "vb1",
  "slug": "example-corp",
  "business": {"name": "Example Corp", "cbs": 72.5, "certificationStatus": "CERTIFIED"}
}

# Domain without VeriBureau:
{
  "domain": "random-site.com",
  "hasVeriBureau": false,
  "protocolVersion": null,
  "slug": null,
  "business": null
}

Error Handling

All errors return JSON with an error field.

# Example error response:
{"error": "Invalid or expired verification code"}

# Rate limit exceeded:
{"error": "Too many requests", "retryAfter": 42}

CodeMeaningWhen

400Bad RequestMissing or invalid parameters

401UnauthorizedMissing or invalid API key

404Not FoundResource does not exist

409ConflictSlug already taken, token already used

429Too Many RequestsRate limit exceeded

500Server ErrorInternal error — contact support

Authentication

Your API key authenticates all non-public requests. Include it in the X-VB-API-Key header.

API keys begin with vb_live_ and are 52 characters long. They are hashed with SHA-256 before storage — VeriBureau never stores your raw API key.

If your key is compromised, rotate it immediately via POST /apikey/rotate. The old key is invalidated instantly. If you lose your key entirely, recover it via email at /dashboard (Recover tab).

Rate Limits

Each endpoint has its own rate limit based on expected usage patterns. Rate limit headers are included in every response:

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 97
Retry-After: 42          # only when 429

If you receive a 429 response, wait for the number of seconds indicated in Retry-After before retrying.