API & Developer Terms

Terms for developers and integrators who access FinVeil through its REST API.

Last updated: 16 April 2026

These terms are under active legal review. Current version effective 16 April 2026.

1. Scope

These terms apply to any person or organisation (“Developer”) that accesses the FinVeil platform through its REST API, SDKs, or webhooks. These terms supplement the applicable service agreement (Employer, Employee, or Verifier terms) and prevail in case of conflict regarding API-specific matters.

2. API access and credentials

API access requires authentication via JWT tokens issued through the FinVeil authentication endpoint. Developers must keep all credentials, API keys, and tokens confidential. Sharing credentials with unauthorised parties will result in immediate revocation of access.

3. Rate limits

  • Standard tier: 100 requests per minute per API key
  • Growth tier: 500 requests per minute per API key
  • Enterprise tier: 2,000 requests per minute per API key, with burst allowance

Rate limit headers (X-RateLimit-Remaining, X-RateLimit-Reset) are included in every response. Exceeding rate limits will result in HTTP 429 responses. Persistent abuse may result in temporary or permanent suspension.

4. Acceptable use

Developers must not:

  • Attempt to circumvent rate limits, authentication, or tenant isolation
  • Reverse engineer, decompile, or attempt to extract source code from the API
  • Use the API to build a competing product or service
  • Store or cache personal information obtained via the API beyond what is necessary for the integration's stated purpose
  • Use the API to scrape, harvest, or aggregate data across tenants
  • Submit falsified or misleading data through any API endpoint

5. Intellectual property

FinVeil retains all intellectual property rights in the API, including endpoint designs, response schemas, documentation, and SDKs. The Developer retains ownership of integration code they write. No licence is granted to FinVeil's source code, algorithms, or internal systems. API documentation may not be reproduced or redistributed without written permission.

6. Versioning and deprecation

FinVeil versions its API and will provide at least 90 days' notice before deprecating any endpoint. Breaking changes will be introduced in new API versions only. Developers are responsible for migrating to supported versions within the deprecation window.

7. Webhooks

Webhook endpoints must be HTTPS and respond within 10 seconds. FinVeil will retry failed deliveries with exponential backoff for up to 72 hours. Developers are responsible for idempotent handling of webhook events, as duplicate deliveries may occur.

8. Liability

The API is provided on an “as is” basis. FinVeil does not warrant uninterrupted or error-free API availability. FinVeil's liability for API-related claims is limited to the fees paid by the Developer's associated organisation in the preceding twelve months.

9. Termination

FinVeil may revoke API access immediately if a Developer breaches these terms. On termination, the Developer must delete all cached data obtained through the API within 14 days.

10. Governing law

These terms are governed by the laws of the Republic of South Africa. Any dispute shall be referred to the courts of the Gauteng Division of the High Court, Pretoria.

These terms should be read alongside the Privacy Policy and the Acceptable Use Policy.