Transcom Group Veritus

POST /v1/widget/score

Public scoring endpoint used by the JavaScript widget. Doesn't require Bearer authentication — authenticates via form UUID and Origin pinning instead.

You generally don't call this directly — the widget JS does it for you. We document it here for transparency.

Differences from /v1/score

  • No Authorization header. The form_uuid in the body identifies the customer.
  • CORS-pinned. If the form has an origin_url set, requests with wrong Origin are rejected.
  • Rate-limited. 30 requests/minute per (IP, form_uuid) tuple.
  • Sanitised response. Returns only verdict + request_id — not score, reasons, or vendor data (so attackers can't probe the model).
  • Honeypot field. The hp field, if non-empty, marks the signup as bot.

Request

POST https://api.veritus.uk/v1/widget/score
Origin: https://yoursite.example.com   // must match form.origin_url if set
Content-Type: application/json

{
  "form_uuid": "abc12345-...",
  "signup": {
    "email":   "user@example.com",
    "country": "GB"
    // ip + user_agent auto-stamped server-side from request
  },
  "hp": ""    // honeypot - widget injects this hidden field
}

Response (200 OK)

{
  "verdict":    "allow",
  "request_id": "8ce48bb4-0381-4e4f-959a-9e44ba0aa61f"
}

Error responses

  • 403 form_not_found — UUID doesn't match any form
  • 403 origin_not_allowed — Origin header doesn't match form.origin_url
  • 403 customer_inactive — Customer suspended
  • 429 rate_limited — Over 30 req/min for this (IP, form)
  • 402 quota_exceeded — Customer over monthly limit
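The following is an added example of how an embedding page could call this endpoint and act on each documented status; it is not the Veritus widget's own code. It assumes that error responses carry their code (e.g. "origin_not_allowed") in a JSON field named code, which the page does not specify, and it treats any verdict other than "allow" as a block. The browser sets the Origin header itself; page scripts cannot override it, which is what makes origin pinning meaningful.

```javascript
// Added example, not the Veritus widget's own code: a small client for
// POST /v1/widget/score that builds the documented body and maps each
// documented status/error code to an action for the embedding page.
// Assumptions: the error code is read from a `code` field in the JSON error
// body (layout not shown on the page), and any verdict other than "allow"
// is treated as "block".

const WIDGET_ENDPOINT = "https://api.veritus.uk/v1/widget/score";

// Body as documented: form_uuid, signup{email, country}, hp.
// ip and user_agent are deliberately omitted; the server stamps them.
function buildWidgetBody(formUuid, email, country, hp = "") {
  return { form_uuid: formUuid, signup: { email, country }, hp };
}

// Translate (HTTP status, parsed body) into what the page should do next.
function interpretResponse(status, body) {
  if (status === 200) {
    return {
      action: body.verdict === "allow" ? "continue" : "block",
      requestId: body.request_id,
    };
  }
  const code = body && body.code;
  switch (status) {
    case 403:
      // form_not_found / origin_not_allowed are integration mistakes
      // (wrong UUID or Origin); customer_inactive is an account state.
      return code === "customer_inactive"
        ? { action: "fallback", reason: code }
        : { action: "config_error", reason: code || "forbidden" };
    case 429:
      return { action: "retry_later", reason: "rate_limited" };
    case 402:
      return { action: "fallback", reason: "quota_exceeded" };
    default:
      return { action: "fallback", reason: `unexpected_status_${status}` };
  }
}

// Send the request with an injected fetch implementation so the logic can be
// exercised offline; in a browser, pass window.fetch.
async function scoreSignup(fetchImpl, formUuid, signup, hp = "") {
  const res = await fetchImpl(WIDGET_ENDPOINT, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(buildWidgetBody(formUuid, signup.email, signup.country, hp)),
  });
  let body = null;
  try { body = await res.json(); } catch (_) { /* non-JSON error page */ }
  return interpretResponse(res.status, body);
}
```

What the page does on "fallback" (customer_inactive, quota_exceeded, or an unexpected status) is a policy decision for the integrator: failing open keeps signups flowing with no bot screening, failing closed blocks legitimate users while the account issue is resolved.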

CORS

Pre-flight is handled at OPTIONS /v1/widget/score. The response reflects the Origin header on a per-form basis — only forms with no origin_url set, or with a matching one, get Access-Control-Allow-Origin.
