Production-ready API governance and control-plane visibility

Q: Do you store my API key in the browser?

Dashboard sign-in mints an HTTP-only session cookie; the playground uses your server session.

Track API key usage, rate limiting, verification status, outbound delivery health, and XFlow compatibility from one hardened control surface.

Start free See control plane specs Platform architecture API docs

Durable outbound stateVerify-self endpointPer-IP + per-key limitsKey rotation governanceXFlow-ready integration

API governance & control-plane visibilityCI-ready workflow gateMeter — AI token cost ledgerXFlow fleet guard + issue inboxOpenAPI 3.1 + typed SDKsPolicy-aware workspaces

The problem with most API platforms

🏷️ Typed failure buckets🔄 Graceful key rotation📡 Live operational state

Vague 500s, surprise key revocations, and green dashboards that lie — most platforms leave operators guessing. Verixet surfaces operational truth.

Know exactly why integrations fail

Auth errors, 4xx client faults, 5xx upstream failures, and network timeouts land in separate buckets. Never guess which layer broke — structured error codes surface the cause every time.

Rotate keys without chaos

Label, sunset, rotate, and revoke API keys with a 7-day overlap window. Old keys expire gracefully while deploys migrate — no emergency revocation, no downtime.

See operational truth, not fake green states

Track last outbound success, last failure, rate-limit events, and verification drift from one status surface. If something is broken, the dashboard reflects it — not a stale cached OK.

Every module you need

🔒 Workflow gate📊 Meter⚡ Deploy / Guard💳 Commerce

Eight purpose-built modules — each maps to real API routes, dashboard tools, and SDK helpers. Nothing is aspirational.

Workflow gate

safe_to_deploy and risk_score in one CI-ready response. Hard or soft gate — your call.

Validation engine

Evidence-backed verdicts with structured risk, warnings, and missing-context signals.

Audit engine

Score snapshots 0–100. Routes, APIs, and schema reviewed. Refuses to invent files you didn't supply.

Policy modes

Advisory surfaces risk. Blocking and strict can return 422. Per-workspace, per-engine scoped.

Meter

Token cost ledger per model, app, and end user. MTD forecast and anomaly detection built in.

Deploy / Guard

Fleet deploy validation — ready, warning, or blocked. Configurable rules, audited overrides, issue inbox.

Commerce

Purchase validation runs that verify the right product, price, and plan landed before you grant access.

Key rotation

POST /api/v1/keys/{id}/rotate — 7-day sunset overlap. Old key stops auth automatically after migration window.

All features →API reference →

Platform topology

⚙️ Control plane✅ Verify self📥 Event ingest🛡️ XFlow fleet

Requests flow from the API surface through the control plane into XFlow's fleet state — each hop observable, each check persisted.

Verixet API

Control Plane

Verify Self

Event Ingest

XFlow Fleet

Command center — one surface for everything

✅ Request tracing📊 Meter KPIs⚡ Guard signals🔐 Session-scoped

Keys, logs, meter, guard fleet, commerce, billing, and a live playground — all behind your session. The same engines as /api/v1, no separate tooling.

/dashboard/logs · Request log

OverviewCommand center

OperationsRequest logMeterDeploy / GuardWebhooksAudit log

ConfigurationAPI keysWorkspaceConnect appOnboardingBilling

BuildPlaygroundAPI explorer

AssistantVera Copilot

p95 (engines, 24h)

11.2s

requests_log

Workflow runs (24h)

pre-deploy volume

Policy mode

blocking

active workspace

Meter MTD

$2.14

token cost ledger

Time	Endpoint	Outcome	ms
14:02:11	`/api/v1/workflow/pre-deploy`	success	18 400
14:01:03	`/api/v1/validate/change`	success	6 200
13:58:44	`/api/v1/audit/project`	error	9 100

MTD cost

$2.14

Anomaly

None

Top model

gpt-4o

Provider	Model	Events	Cost
`openai`	`gpt-4o`	312	$1.82
`anthropic`	`claude-3`	48	$0.32

commerce: okmeter: okstripe_webhooks: ok

Run	Status	Findings	Time
latest	blocked	1 critical	14:03:01
prev	ready	0	13:55:22

Playground · pre-deploysafe_to_deploy

risk_score 0.18 · request_id a1b2…f9

Vera reflects engine outcomes — same signals your CI reads from the API.

Why teams use Verixet

Built for AI-assisted development workflows — from solo builders to platform teams shipping on CI with full audit trails.

Stop AI agents from shipping unchecked work

Deterministic engines intercept agent velocity with evidence-backed checks before a line reaches production.

Pre-deploy confidence

workflow.safe_to_deploy and risk_score land in the same response as audit + plan. One field to gate on.

Policy enforcement

Advisory, blocking, and strict modes match how your org tolerates risk. Per-workspace, per-engine scoped.

Request tracing

Every v1 response carries request_id. Logs enrich dashboards without leaking secrets.

AI cost visibility

Meter tracks token spend per model, app, and end user. MTD forecasting and anomaly signals are in the dashboard without extra instrumentation.

Commerce integrity

Purchase validation runs verify the right product, price, and plan are active before feature access is granted. Audited per run.

Fleet deploy guard

XFlow fleet validation returns ready, warning, or blocked with scored issues across commerce health, meter signals, and Stripe webhook state.

jq-friendly gates, idempotent retries

Hard or soft CI gates from one JSON field. Retry on network failure without double-counting.

Developer proof

📜 OpenAPI 3.1🧪 Typed SDKs✅ Predictable errors⚡ Idempotency-Key

OpenAPI-first contract, typed SDKs, GitHub Actions, and predictable errors — no hand-wavy integrations.

typed error codes

verify-self checks

key rotation overlap

field to gate on (safe_to_deploy)

Workflow response (truncated)

What POST /api/v1/workflow/pre-deploy returns inside the v1 success envelope — this is what your gate should assert on.

{
  "success": true,
  "request_id": "550e8400-e29b-41d4-a716-446655440000",
  "data": {
    "workflow": {
      "safe_to_deploy": true,
      "risk_score": 0.18,
      "recommended_next_step": "execute",
      "policy_mode": "blocking",
      "policy_pack": "github_pr_flow"
    }
  }
}

CI gate (jq)

JSON=$(curl -sS -X POST "$VG_URL/api/v1/workflow/pre-deploy" \
  -H "Authorization: Bearer $VG_API_KEY" \
  -H "Content-Type: application/json" \
  -d @snapshot.json)
echo "$JSON" | jq -e '.data.workflow.safe_to_deploy == true'

Idempotency header

curl -X POST "$VG_URL/api/v1/validate/change" \
  -H "Authorization: Bearer $VG_API_KEY" \
  -H "Idempotency-Key: deploy-2025-03-26T12-00-00Z" \
  -H "Content-Type: application/json" \
  -d '{"change":"…","context":{}}'

Security, contracts, and observability

🔐 Scoped keys + rotation🧾 Audit events✅ 10 typed error codes⚡ Idempotent POST

Explicit contracts, request correlation, and workspace policy as defaults — not add-ons. Every public JSON response is predictable and auditable.

Scoped bearer keys

Keys carry explicit scopes, rotate with overlap windows, and revoke instantly. last_used_at updates after every successful auth.

Key rotation

POST /api/v1/keys/{id}/rotate creates a replacement with a 7-day sunset_at overlap. Old key stops authenticating after the migration window — no emergency revocation required.

Request IDs

Every v1 envelope includes request_id for support and log correlation. Trace any failure back to its origin.

Idempotency

POST engines accept Idempotency-Key — same body replays cached success without double-counting.

No ambiguous failures

Every error is one of 10 typed codes. UNAUTHORIZED, RATE_LIMITED, CONTROL_PLANE_DISABLED — never a vague 500 with no signal.

Audit events

Workspace actions persist to audit_events for review in the dashboard. Key rotation, overrides, and policy changes are all recorded.

Policy controls

Per-workspace policy_mode and policy_pack shape how strict gates behave. Advisory, blocking, or strict — matched to your org's risk tolerance.

Security & trust · [email protected]

Prove your control plane is healthy

verify-self validates config, health, database reachability, namespace consistency, and auth mode in one round trip. Run it before every deploy to catch drift before it becomes an incident.

Verify-self/api/v1/control-plane/verify-self

✓config_validok

✓health_validok

✓database_reachableok

✓namespace_consistencyok

✓auth_modetoken

status: PASS · all checks resolved

🧠 How it works

🔍 Inspect📋 Plan✅ Validate🚀 Deploy gate

Sticky product sequence: inspect the system, plan the work, validate changes, gate deploys, then verify with full telemetry.

Inspect

Plan

Validate

Deploy

Verify

Project snapshot

Structure, routes, APIs, and DB schema ground every engine response.

Implementation plan

Goal-driven steps, files, and risks before a line of code ships.

Change & deploy checks

Evidence-backed verdicts, risk scores, and missing-context signals.

Workflow gate

pre-deploy combines audit + plan + validate with safe_to_deploy.

Trace & audit

Request IDs, logs, webhooks, and workspace policy for accountability.

Verixet v0.1.0ChangelogDeveloper hubStatus

Frequently asked questions

Common questions about the API contract, dashboard, Meter, and XFlow integration.

What is workflow.safe_to_deploy?

It is a boolean on POST /api/v1/workflow/pre-deploy that combines audit health, plan quality, and validation risk. CI can treat it as a hard gate; advisory workspaces may still return 200 with safe_to_deploy false.

Do you store my API key in the browser?

Dashboard sign-in accepts a key once to mint an HTTP-only session cookie. The playground uses your server session, not a pasted key in client storage.

Which policy mode should I use?

Start with advisory while tuning snapshots, move to blocking for PR gates, and strict when policy packs must never allow risky merges.

Where is the OpenAPI document?

GET /api/v1/openapi returns the machine-readable contract; the marketing /docs page links to explorer-friendly entry points.

What does Verixet Meter track?

Token cost per model, app, and end user. Meter ingests events via POST /api/v1/meter/usage/events and produces daily timeseries, MTD forecast, anomaly detection vs. prior month, and threshold alerts — visible in the dashboard without extra instrumentation.

What does Deploy / Guard do beyond policy modes?

Fleet-level deploy validation returning ready, warning, or blocked with scored issues. Configurable guard rules with dry_run mode let you preview impact before enforcing. Audited overrides (deploy_unblock, runtime_allow_feature) can be created from the dashboard or API. The issue inbox surfaces recurring findings across runs.

How does API key rotation work?

POST /api/v1/keys/{id}/rotate creates a new key and sets sunset_at 7 days out on the old one. During the overlap window both keys authenticate. After sunset_at the old key stops working automatically — no manual revocation required.

Deploy with confidence, not assumptions.

Start free with full dashboard access, or read the control plane spec first.

Start free Log in Control plane specs See workflow gate Read docs All features

Loading…

Production-ready API governance and control-plane visibility

Track API key usage, rate limiting, verification status, outbound delivery health, and XFlow compatibility from one hardened control surface.

Start free See control plane specs Platform architecture API docs

Durable outbound stateVerify-self endpointPer-IP + per-key limitsKey rotation governanceXFlow-ready integration

API governance & control-plane visibilityCI-ready workflow gateMeter — AI token cost ledgerXFlow fleet guard + issue inboxOpenAPI 3.1 + typed SDKsPolicy-aware workspaces

The problem with most API platforms

🏷️ Typed failure buckets🔄 Graceful key rotation📡 Live operational state

Vague 500s, surprise key revocations, and green dashboards that lie — most platforms leave operators guessing. Verixet surfaces operational truth.

Know exactly why integrations fail

Auth errors, 4xx client faults, 5xx upstream failures, and network timeouts land in separate buckets. Never guess which layer broke — structured error codes surface the cause every time.

Rotate keys without chaos

Label, sunset, rotate, and revoke API keys with a 7-day overlap window. Old keys expire gracefully while deploys migrate — no emergency revocation, no downtime.

See operational truth, not fake green states

Track last outbound success, last failure, rate-limit events, and verification drift from one status surface. If something is broken, the dashboard reflects it — not a stale cached OK.

Every module you need

🔒 Workflow gate📊 Meter⚡ Deploy / Guard💳 Commerce

Eight purpose-built modules — each maps to real API routes, dashboard tools, and SDK helpers. Nothing is aspirational.

Workflow gate

safe_to_deploy and risk_score in one CI-ready response. Hard or soft gate — your call.

Validation engine

Evidence-backed verdicts with structured risk, warnings, and missing-context signals.

Audit engine

Score snapshots 0–100. Routes, APIs, and schema reviewed. Refuses to invent files you didn't supply.

Policy modes

Advisory surfaces risk. Blocking and strict can return 422. Per-workspace, per-engine scoped.

Meter

Token cost ledger per model, app, and end user. MTD forecast and anomaly detection built in.

Deploy / Guard

Fleet deploy validation — ready, warning, or blocked. Configurable rules, audited overrides, issue inbox.

Commerce

Purchase validation runs that verify the right product, price, and plan landed before you grant access.

Key rotation

POST /api/v1/keys/{id}/rotate — 7-day sunset overlap. Old key stops auth automatically after migration window.

All features →API reference →

Platform topology

⚙️ Control plane✅ Verify self📥 Event ingest🛡️ XFlow fleet

Requests flow from the API surface through the control plane into XFlow's fleet state — each hop observable, each check persisted.

Verixet API

Control Plane

Verify Self

Event Ingest

XFlow Fleet

Command center — one surface for everything

✅ Request tracing📊 Meter KPIs⚡ Guard signals🔐 Session-scoped

Keys, logs, meter, guard fleet, commerce, billing, and a live playground — all behind your session. The same engines as /api/v1, no separate tooling.

/dashboard/logs · Request log

OverviewCommand center

OperationsRequest logMeterDeploy / GuardWebhooksAudit log

ConfigurationAPI keysWorkspaceConnect appOnboardingBilling

BuildPlaygroundAPI explorer

AssistantVera Copilot

p95 (engines, 24h)

11.2s

requests_log

Workflow runs (24h)

pre-deploy volume

Policy mode

blocking

active workspace

Meter MTD

$2.14

token cost ledger

Time	Endpoint	Outcome	ms
14:02:11	`/api/v1/workflow/pre-deploy`	success	18 400
14:01:03	`/api/v1/validate/change`	success	6 200
13:58:44	`/api/v1/audit/project`	error	9 100

MTD cost

$2.14

Anomaly

None

Top model

gpt-4o

Provider	Model	Events	Cost
`openai`	`gpt-4o`	312	$1.82
`anthropic`	`claude-3`	48	$0.32

commerce: okmeter: okstripe_webhooks: ok

Run	Status	Findings	Time
latest	blocked	1 critical	14:03:01
prev	ready	0	13:55:22

Playground · pre-deploysafe_to_deploy

risk_score 0.18 · request_id a1b2…f9

Vera reflects engine outcomes — same signals your CI reads from the API.

Why teams use Verixet

Built for AI-assisted development workflows — from solo builders to platform teams shipping on CI with full audit trails.

Stop AI agents from shipping unchecked work

Deterministic engines intercept agent velocity with evidence-backed checks before a line reaches production.

Pre-deploy confidence

workflow.safe_to_deploy and risk_score land in the same response as audit + plan. One field to gate on.

Policy enforcement

Advisory, blocking, and strict modes match how your org tolerates risk. Per-workspace, per-engine scoped.

Request tracing

Every v1 response carries request_id. Logs enrich dashboards without leaking secrets.

AI cost visibility

Meter tracks token spend per model, app, and end user. MTD forecasting and anomaly signals are in the dashboard without extra instrumentation.

Commerce integrity

Purchase validation runs verify the right product, price, and plan are active before feature access is granted. Audited per run.

Fleet deploy guard

XFlow fleet validation returns ready, warning, or blocked with scored issues across commerce health, meter signals, and Stripe webhook state.

jq-friendly gates, idempotent retries

Hard or soft CI gates from one JSON field. Retry on network failure without double-counting.

Developer proof

📜 OpenAPI 3.1🧪 Typed SDKs✅ Predictable errors⚡ Idempotency-Key

OpenAPI-first contract, typed SDKs, GitHub Actions, and predictable errors — no hand-wavy integrations.

typed error codes

verify-self checks

key rotation overlap

field to gate on (safe_to_deploy)

Workflow response (truncated)

What POST /api/v1/workflow/pre-deploy returns inside the v1 success envelope — this is what your gate should assert on.

{
  "success": true,
  "request_id": "550e8400-e29b-41d4-a716-446655440000",
  "data": {
    "workflow": {
      "safe_to_deploy": true,
      "risk_score": 0.18,
      "recommended_next_step": "execute",
      "policy_mode": "blocking",
      "policy_pack": "github_pr_flow"
    }
  }
}

CI gate (jq)

JSON=$(curl -sS -X POST "$VG_URL/api/v1/workflow/pre-deploy" \
  -H "Authorization: Bearer $VG_API_KEY" \
  -H "Content-Type: application/json" \
  -d @snapshot.json)
echo "$JSON" | jq -e '.data.workflow.safe_to_deploy == true'

Idempotency header

curl -X POST "$VG_URL/api/v1/validate/change" \
  -H "Authorization: Bearer $VG_API_KEY" \
  -H "Idempotency-Key: deploy-2025-03-26T12-00-00Z" \
  -H "Content-Type: application/json" \
  -d '{"change":"…","context":{}}'

Security, contracts, and observability

🔐 Scoped keys + rotation🧾 Audit events✅ 10 typed error codes⚡ Idempotent POST

Explicit contracts, request correlation, and workspace policy as defaults — not add-ons. Every public JSON response is predictable and auditable.

Scoped bearer keys

Keys carry explicit scopes, rotate with overlap windows, and revoke instantly. last_used_at updates after every successful auth.

Key rotation

POST /api/v1/keys/{id}/rotate creates a replacement with a 7-day sunset_at overlap. Old key stops authenticating after the migration window — no emergency revocation required.

Request IDs

Every v1 envelope includes request_id for support and log correlation. Trace any failure back to its origin.

Idempotency

POST engines accept Idempotency-Key — same body replays cached success without double-counting.

No ambiguous failures

Every error is one of 10 typed codes. UNAUTHORIZED, RATE_LIMITED, CONTROL_PLANE_DISABLED — never a vague 500 with no signal.

Audit events

Workspace actions persist to audit_events for review in the dashboard. Key rotation, overrides, and policy changes are all recorded.

Policy controls

Per-workspace policy_mode and policy_pack shape how strict gates behave. Advisory, blocking, or strict — matched to your org's risk tolerance.

Security & trust · [email protected]

Prove your control plane is healthy

verify-self validates config, health, database reachability, namespace consistency, and auth mode in one round trip. Run it before every deploy to catch drift before it becomes an incident.

Verify-self/api/v1/control-plane/verify-self

✓config_validok

✓health_validok

✓database_reachableok

✓namespace_consistencyok

✓auth_modetoken

status: PASS · all checks resolved

🧠 How it works

🔍 Inspect📋 Plan✅ Validate🚀 Deploy gate

Sticky product sequence: inspect the system, plan the work, validate changes, gate deploys, then verify with full telemetry.

Inspect

Plan

Validate

Deploy

Verify

Project snapshot

Structure, routes, APIs, and DB schema ground every engine response.

Implementation plan

Goal-driven steps, files, and risks before a line of code ships.

Change & deploy checks

Evidence-backed verdicts, risk scores, and missing-context signals.

Workflow gate

pre-deploy combines audit + plan + validate with safe_to_deploy.

Trace & audit

Request IDs, logs, webhooks, and workspace policy for accountability.

Verixet v0.1.0ChangelogDeveloper hubStatus

Frequently asked questions

Common questions about the API contract, dashboard, Meter, and XFlow integration.

What is workflow.safe_to_deploy?

Do you store my API key in the browser?

Dashboard sign-in accepts a key once to mint an HTTP-only session cookie. The playground uses your server session, not a pasted key in client storage.

Which policy mode should I use?

Start with advisory while tuning snapshots, move to blocking for PR gates, and strict when policy packs must never allow risky merges.

Where is the OpenAPI document?

GET /api/v1/openapi returns the machine-readable contract; the marketing /docs page links to explorer-friendly entry points.

What does Verixet Meter track?

What does Deploy / Guard do beyond policy modes?

How does API key rotation work?

Deploy with confidence, not assumptions.

Start free with full dashboard access, or read the control plane spec first.

Start free Log in Control plane specs See workflow gate Read docs All features