Skip to main content
Vero is built on top of the open Digital Receipt Protocol (DRP) — the standard for end-to-end encrypted digital receipts. That’s why the API is hosted at api.digitalreceiptprotocol.org: Vero implements the reference DRP infrastructure for key management, encryption, and receipt transmission.

Base URL

  • Production: https://api.digitalreceiptprotocol.org
  • Staging: https://staging-api.digitalreceiptprotocol.org
  • Local Development: http://localhost:3000
The Vero API provides centralized key management, receipt encryption/decryption, and transaction storage services.

Authentication

Most endpoints require authentication using an API key in the request header:
API keys are managed through the Vero platform and provide access to the API based on your subscription tier.

Core Concepts

User Onboarding

  1. Generate key pair - Create RSA-2048 keys for new users
  2. Register user - Associate keys with user identifiers (email, phone, card)
  3. Store securely - Private keys stored client-side, public keys managed by Vero

Receipt Encryption & Decryption

  1. Encrypt receipts - Encrypt receipt data with user’s public key using AES-256-GCM
  2. Store encrypted - Save encrypted receipts linked to transactions
  3. Request access - Generate short-lived access tokens for decryption
  4. Decrypt client-side - Users decrypt receipts with their private keys

Cryptographic Standards

  • Key Generation: RSA-2048 for asymmetric encryption
  • Receipt Encryption: AES-256-GCM with RSA-OAEP-SHA256 key wrapping
  • Access Tokens: Short-lived (2-3 minutes) for enhanced security
  • Escrow Support: Encrypted receipts for non-onboarded users

Pricing Format

All monetary values are represented in the smallest currency unit (e.g., cents for USD). Example: $42.00 = 4200

Rate Limits

Endpoints are rate limited by IP address. Limits vary by subscription tier and endpoint — contact support for specific limits applicable to your API key. Rate limit headers returned with each response:

Error Handling

Standard Error Response

Common Error Codes

CodeHTTP StatusDescription
invalid_request400Request validation failed
unauthorized401Invalid or missing API key
forbidden403Access denied for this resource
not_found404Resource not found
rate_limit_exceeded429Too many requests
internal_server_error500Internal server error
service_unavailable503Service temporarily unavailable

Retry Logic

Retry these errors: 429, 500, 502, 503, 504, network timeouts
Don’t retry: 400, 401, 403, 404, 409

Environments

Production Environment

  • Purpose: Live production use
  • Base URL: https://api.digitalreceiptprotocol.org
  • Authentication: Production API keys
  • Data: Real user data - handle securely

Staging Environment

  • Purpose: Testing and integration
  • Base URL: https://staging-api.digitalreceiptprotocol.org
  • Authentication: Staging API keys
  • Data: Test data only

Local Development

  • Purpose: Local development and testing
  • Base URL: http://localhost:3000
  • Authentication: Development API keys
  • Data: Local test data

Versioning

Current Version: v1

API versioned in URL path: /v1/, /v2/, etc. Backwards Compatibility Promise:
  • Breaking changes require new version
  • Previous versions supported for minimum 12 months after deprecation notice
  • Deprecation notices provided 6 months in advance
Non-breaking changes (no version change):
  • Adding new optional fields
  • Adding new endpoints
  • Adding new error codes
  • Increasing rate limits