Transcom Group Veritus

Integrate in 5 minutes

Two integration styles. Pick the one that matches where your signup form lives.

Option A — JavaScript widget

Best for static sites, WordPress, marketing pages, or any form where JavaScript can intercept submission. The widget calls Veritus from the browser. No API key needed in client code — it authenticates against the form UUID.

<form id="signup-form">
  <input name="email" required>
  <input name="password" type="password" required>
  <button type="submit">Sign up</button>
</form>

<script src="https://api.veritus.uk/v1/widget.js"></script>
<script>
  Veritus.protect({
    form: '#signup-form',
    formUuid: 'YOUR-FORM-UUID',
    onBlock: () => alert('Sign-up not permitted.'),
    onReview: () => true,  // submit anyway, flag for manual review
  });
</script>

The widget injects a honeypot field, scores the signup on submit, and either lets it through, blocks it, or adds a hidden _veritus_review=1 field your backend can pick up. Full widget reference.

Option B — Server-side API

Call Veritus from your backend after the form submits but before you create the account. The browser never sees the API key.

Python (requests):

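import os

import requests
from flask import Flask, request

app = Flask(__name__)
VERITUS_KEY = os.environ["VERITUS_KEY"]  # read the key from the environment, not from source


@app.post("/signup")  # example route; use your own signup handler
def signup():
    # Score the signup before the account is created.
    resp = requests.post(
        "https://api.veritus.uk/v1/score",
        headers={"Authorization": f"Bearer {VERITUS_KEY}"},
        json={
            "form_id": "YOUR-FORM-UUID",
            "signup": {
                "email":   request.form["email"],
                "phone":   request.form.get("phone"),
                "country": request.form.get("country"),
                "ip":      request.remote_addr,  # behind a reverse proxy this is the proxy's address
            },
        },
        timeout=2,
    )
    verdict = resp.json()["verdict"]   # 'allow' | 'review' | 'block'

    pending_review = False
    if verdict == "block":
        return "Sign-up not permitted", 403
    elif verdict == "review":
        pending_review = True   # create account but flag
    # ... create the account here, storing pending_review ...
    return "Signed up", 201  # placeholder response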

PHP:

$ch = curl_init("https://api.veritus.uk/v1/score");
curl_setopt_array($ch, [
    CURLOPT_POST => true,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_TIMEOUT => 2,
    CURLOPT_HTTPHEADER => [
        "Authorization: Bearer " . getenv("VERITUS_KEY"),
        "Content-Type: application/json",
    ],
    CURLOPT_POSTFIELDS => json_encode([
        "form_id" => "YOUR-FORM-UUID",
        "signup"  => [
            "email"   => $_POST["email"],
            "country" => $_POST["country"] ?? null,
            "ip"      => $_SERVER["REMOTE_ADDR"],
        ],
    ]),
]);
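$data = json_decode(curl_exec($ch), true);
// If the call times out or the body is not JSON, $data is null and nothing is blocked here.
if (($data["verdict"] ?? null) === "block") {
    http_response_code(403);
    exit("Sign-up not permitted");
}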

For Node.js, Ruby, Go, and more, see the server-side integration guide.

Decision: which one for me?

Use the widget if… Your signup form lives in a CMS (WordPress, Webflow, Squarespace), a static site, or any front-end you don't fully control on the backend.
Use server-side if… You own the backend, want to never expose an API key to browsers, or need to combine the Veritus verdict with your own business rules before deciding what to do.
Use both if… You want defence-in-depth. Widget catches obvious bots client-side; server call re-scores on submit so the verdict can't be bypassed by a malicious user editing the page.
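
An added example (not Veritus's own code) of the backend half of the "use both" setup: every submission is re-scored server-side, and the widget's hidden _veritus_review field is treated as a hint that can raise the verdict but never lower it, since a user editing the page can delete it. The names decide_signup, veritus_score, score_fn and the on_error policy are assumptions of this example; only the endpoint, the payload fields and the three verdict values come from this page.

```python
import json
import urllib.request

SCORE_URL = "https://api.veritus.uk/v1/score"   # endpoint shown on this page
VALID = {"allow", "review", "block"}            # verdict values shown on this page


def veritus_score(signup, api_key, form_id, timeout=2):
    """POST the signup to the score endpoint and return the verdict string."""
    req = urllib.request.Request(
        SCORE_URL,
        data=json.dumps({"form_id": form_id, "signup": signup}).encode(),
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["verdict"]


def decide_signup(form, client_ip, score_fn, on_error="review"):
    """Return 'allow', 'review' or 'block' for one submitted form.

    form      -- dict of posted fields (client-controlled)
    client_ip -- address as seen by the server, never taken from the form
    score_fn  -- callable(signup) -> verdict; injected so it can be stubbed
    on_error  -- assumed policy when scoring fails or returns junk
    """
    signup = {
        "email": form.get("email"),
        "phone": form.get("phone"),
        "country": form.get("country"),
        "ip": client_ip,
    }
    try:
        verdict = score_fn(signup)
    except (OSError, ValueError, KeyError, TypeError):
        # timeout, HTTP/network error, invalid JSON, missing "verdict" key
        verdict = on_error
    if not isinstance(verdict, str) or verdict not in VALID:
        verdict = on_error
    # The hidden widget field can only escalate an 'allow' to 'review';
    # its absence proves nothing, so it never downgrades the server verdict.
    if verdict == "allow" and form.get("_veritus_review") == "1":
        verdict = "review"
    return verdict
```

In a real handler, pass score_fn=lambda s: veritus_score(s, api_key, form_id) and choose on_error deliberately: "review" keeps signups flowing during an outage, "block" fails closed.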