Best Practices
Recommendations for integrating VeroID
Security
Server-Side Only
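Never call the VeroID API from client-side code. Anything shipped to a browser or mobile app, including the API key, can be read by its users. Send requests through your own server instead: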
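// ✅ DO: Server-side API route
/**
 * Forwards a verification request to VeroID from the server, so the API key
 * is never sent to the client.
 *
 * @param {Request} req - Incoming request whose JSON body is forwarded.
 * @returns {Promise<any>} Parsed JSON body of the VeroID response.
 * @throws {Error} If VEROID_API_KEY is not set.
 */
export async function POST(req) {
  // NOTE(review): authenticate and rate-limit the caller before this point.
  // An open proxy route lets anyone submit verifications under your API key.
  const apiKey = process.env.VEROID_API_KEY;
  if (!apiKey) {
    // Fail closed: without this check the header would be sent as the string "undefined".
    throw new Error('VEROID_API_KEY is not set');
  }

  // NOTE(review): validate `data` against the fields you expect before
  // forwarding it; as written, any JSON the client sends is relayed upstream.
  const data = await req.json();

  const result = await fetch('https://api.veroid.com.au/v1/verify', {
    // fetch defaults to GET, which rejects a request body.
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'X-API-Key': apiKey,
    },
    body: JSON.stringify(data),
  });

  // NOTE(review): some frameworks require a Response object from a route
  // handler - wrap this value accordingly if yours does.
  return result.json();
}

Store Keys in Environment Variables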
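// ✅ DO: Use environment variables
// Read the key on the server only. If your framework exposes specially
// prefixed variables to the browser (for example Next.js NEXT_PUBLIC_*),
// do not give this variable such a prefix.
const apiKey = process.env.VEROID_API_KEY;

// ❌ DON'T: Hardcode keys
// A key in source code ends up in version control history and build output.
// Kept as a comment so the snippet stays valid if pasted as a whole.
// const apiKey = 'sk_live_abc123...';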
Error Handling
Implement Retries
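/**
 * Calls verify() and retries transient errors with exponential backoff.
 *
 * Exceptions thrown by verify() are not caught here; they propagate to the
 * caller on the attempt that raised them.
 *
 * @param {object} data - Payload passed unchanged to verify() on every attempt.
 * @param {number} [maxRetries=3] - Maximum number of attempts.
 * @returns {Promise<object|undefined>} The first non-transient result, or the
 *   last transient error result once all attempts are used. Undefined only
 *   when maxRetries is less than 1.
 */
async function verifyWithRetry(data, maxRetries = 3) {
  let result;

  for (let attempt = 0; attempt < maxRetries; attempt++) {
    result = await verify(data);

    // Don't retry on permanent failures
    if (result.status === 'failed') return result;

    // Only codes 'E' and 'U' are treated as transient; anything else is final.
    const isTransient = result.code === 'E' || result.code === 'U';
    if (!isTransient) return result;

    // Back off 1s, 2s, 4s, ... but skip the wait after the final attempt.
    if (attempt < maxRetries - 1) {
      await sleep(1000 * 2 ** attempt);
    }
  }

  // Attempts exhausted: return the last error result rather than undefined,
  // so the caller handles it as an error and never mistakes it for success.
  return result;
}

Handle All Outcomes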
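const result = await verify(data);

// Grant access only in the 'success' branch; every other branch, including
// an unrecognised status, must leave the document unverified.
switch (result.status) {
  case 'success':
    // Document verified
    break;
  case 'failed':
    // Document not verified
    break;
  case 'error':
    // System error - may retry
    break;
  default:
    // Unknown status - fail closed instead of silently falling through
    throw new Error(`Unexpected verification status: ${result.status}`);
}

Compliance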
Data Handling
- Don't store PII longer than necessary
- Don't log sensitive document numbers or other PII, including in error logs and request dumps
- Do store verification IDs for audit trails
// ✅ DO: Log verification ID only
// The verification ID and status are enough for an audit trail and carry
// no personal details.
const auditEntry = {
  verificationId: result.verificationId,
  status: result.status,
};
logger.info('Verification completed', auditEntry);

// ❌ DON'T: Log PII
// Logs are usually kept longer and read by more people than the primary
// data store, so names and licence numbers must stay out of them.
logger.info('Verification', {
  name: data.givenName,
  licenceNumber: data.licenceNumber,
});