Vero is built on top of the open Digital Receipt Protocol (DRP) — the standard for end-to-end encrypted digital receipts. That’s why the API is hosted at
api.digitalreceiptprotocol.org: Vero implements the reference DRP infrastructure for key management, encryption, and receipt transmission.Base URL
- Production:
https://api.digitalreceiptprotocol.org - Staging:
https://staging-api.digitalreceiptprotocol.org - Local Development:
http://localhost:3000
Authentication
Most endpoints require authentication using an API key in the request header:Core Concepts
User Onboarding
- Generate key pair - Create RSA-2048 keys for new users
- Register user - Associate keys with user identifiers (email, phone, card)
- Store securely - Private keys stored client-side, public keys managed by Vero
Receipt Encryption & Decryption
- Encrypt receipts - Encrypt receipt data with user’s public key using AES-256-GCM
- Store encrypted - Save encrypted receipts linked to transactions
- Request access - Generate short-lived access tokens for decryption
- Decrypt client-side - Users decrypt receipts with their private keys
Cryptographic Standards
- Key Generation: RSA-2048 for asymmetric encryption
- Receipt Encryption: AES-256-GCM with RSA-OAEP-SHA256 key wrapping
- Access Tokens: Short-lived (2-3 minutes) for enhanced security
- Escrow Support: Encrypted receipts for non-onboarded users
Pricing Format
All monetary values are represented in the smallest currency unit (e.g., cents for USD). Example: $42.00 = 4200Rate Limits
Endpoints are rate limited by IP address. Limits vary by subscription tier and endpoint — contact support for specific limits applicable to your API key. Rate limit headers returned with each response:Error Handling
Standard Error Response
Common Error Codes
| Code | HTTP Status | Description |
|---|---|---|
invalid_request | 400 | Request validation failed |
unauthorized | 401 | Invalid or missing API key |
forbidden | 403 | Access denied for this resource |
not_found | 404 | Resource not found |
rate_limit_exceeded | 429 | Too many requests |
internal_server_error | 500 | Internal server error |
service_unavailable | 503 | Service temporarily unavailable |
Retry Logic
Recommended Retry Strategy
Don’t retry: 400, 401, 403, 404, 409
Environments
Production Environment
- Purpose: Live production use
- Base URL:
https://api.digitalreceiptprotocol.org - Authentication: Production API keys
- Data: Real user data - handle securely
Staging Environment
- Purpose: Testing and integration
- Base URL:
https://staging-api.digitalreceiptprotocol.org - Authentication: Staging API keys
- Data: Test data only
Local Development
- Purpose: Local development and testing
- Base URL:
http://localhost:3000 - Authentication: Development API keys
- Data: Local test data
Versioning
Current Version: v1
API versioned in URL path:/v1/, /v2/, etc.
Backwards Compatibility Promise:
- Breaking changes require new version
- Previous versions supported for minimum 12 months after deprecation notice
- Deprecation notices provided 6 months in advance
- Adding new optional fields
- Adding new endpoints
- Adding new error codes
- Increasing rate limits