These Developer & API Terms (“Developer Terms”) govern your use of Veyra's APIs, webhooks, signing keys, embeds, SDKs, documentation, and any other developer surface. They supplement the Terms of Service and, where the user is a merchant, the Merchant Services Agreement. By calling any Veyra API, deploying our embeds, or accepting webhook deliveries, you accept these Developer Terms.
1. Authorized use
You may use Veyra's APIs and developer surfaces only as authorized for your account and only for the purpose of operating your own integration with the platform. You will not use the APIs to operate a competing service, to facilitate payments for third parties not authorized by your merchant account, to provide aggregation or factoring services, or to access information you are not authorized to access.
2. API keys, webhook secrets, and HMAC signing
API keys, webhook secrets, and HMAC signing material are confidential. You are solely responsible for keeping them confidential, for limiting access to authorized personnel, and for rotating them immediately upon known or suspected compromise. We may rotate or revoke keys at any time for risk, compliance, or operational reasons. You will not embed secret keys in client-side code, public repositories, mobile binaries, or any environment you do not control.
Webhook deliveries must be authenticated using the published HMAC scheme on every request. You will not bypass or stub-out HMAC verification, and you will treat any unsigned, mis-signed, or replayed delivery as suspicious.
3. Domain restrictions and embed integrity
Our checkout iframe and Veyra-hosted surfaces are authorized only on domains you have verified during onboarding. You will not embed our checkout on unverified domains, proxy our origin through your own backend in a way that masks the integration, or modify our embedded surfaces in ways that obscure consumer disclosures, hide statement descriptors, alter risk decisioning, or bypass 3-D Secure or other authentication. We may revoke domain authorization at any time.
4. Rate limits, throttling, and abuse
APIs are rate-limited. You will respect documented rate limits, the response codes that indicate throttling, and the Retry-After header where present. You will not run load-test or stress-test campaigns against Veyra infrastructure without prior written approval. We may throttle, suspend, or disable your access at any time for abuse, including patterns consistent with card-testing, account-testing, scraping, denial-of-service, or unauthorized data exfiltration.
5. No scraping, no reverse engineering
Except as expressly permitted, you will not scrape, harvest, or download bulk data from Veyra surfaces, reverse engineer or decompile our software, attempt to derive the source code of any closed-source SDK or binary, circumvent rate limits or access controls, or use bots or automated tools to scrape merchant or transaction data.
6. Test mode and sandbox limitations
Test mode and sandbox environments are provided for development and integration only. They may be reset, capped, or removed at any time. Test mode transactions do not settle and are not legally binding payments. Some production behaviors (settlement timing, dispute lifecycle, network-issued decisioning) cannot be fully replicated in test mode; you remain responsible for production behavior verification before going live.
7. Customer and transaction data
Data accessible to your integration belongs to your merchant scope. You will not log, persist, or share data outside that scope. You will not log or store raw card primary account numbers, full PAN, CVC, CAVV, ECI, AAV, dsTransactionId, 3-D Secure values, or Basis Theory tokens to any system that is not specifically authorized in writing by Veyra. You will not include such data in error reports, logs, screenshots, analytics events, or support tickets. If you discover any inadvertent capture of such data, you will purge it from your systems and notify Veyra promptly.
8. Logging, monitoring, and observability
Veyra may log and monitor API calls, webhook deliveries, and request metadata for security, abuse-prevention, support, debugging, billing, and compliance purposes. We do not log raw card data. Request bodies may be redacted at our edge before retention.
9. Webhook replay and idempotency
You will design your integration to be idempotent against retried deliveries. Veyra may replay webhooks for any reason, including delivery retries, partner re-delivery, operator-initiated replays, and post-incident reconciliation. You will not treat repeated deliveries of the same event id as separate authoritative events.
10. Vulnerability disclosure
We welcome responsible reports of security issues. Report vulnerabilities to support@veyragate.comwith subject prefix “security:” and we will respond as outlined on our Security & Compliance page. Do not test, exploit, or attempt to exfiltrate data without authorization. Do not access data that is not yours. Do not publicly disclose a vulnerability without giving us a reasonable opportunity to remediate.
11. Breach notification
You will notify Veyra promptly — and in any event within seventy-two (72) hours — upon discovering any actual or reasonably suspected compromise of API keys, webhook secrets, HMAC signing material, payment data, or any other security incident with the potential to affect Veyra, our partners, or cardholders.
12. Audit cooperation
Where required by network rules, sponsor-bank requirements, applicable law, or reasonable risk inquiry, you will cooperate with security and compliance audits of your integration. This may include providing architecture descriptions, evidence of HMAC verification, evidence of API-key rotation cadence, deletion of forbidden logged data, and timing of security patches.
13. Suspension, termination, and post-termination
We may suspend or terminate your access to the APIs, webhooks, embeds, or any other developer surface at any time for breach, risk, compliance, or operational reasons. On termination, you will stop calling the APIs, take down embeds, and rotate or destroy any secrets in your possession.
14. Disclaimers and limitation of liability
The developer surfaces are provided “as is” and “as available.” To the fullest extent permitted by law, we disclaim all warranties, including merchantability, fitness for a particular purpose, and non-infringement. Liability is limited as set forth in the Merchant Services Agreement and the Terms of Service.
15. Indemnification
You agree to indemnify and hold harmless Veyra, our affiliates, and our and their officers, directors, employees, and agents from any claim arising from your use of the developer surfaces, your integration design, your handling of API keys or signing material, your violation of these Developer Terms, or your violation of law or third-party rights.
16. Contact
Developer questions:
support@veyragate.com
Version 2026.05.13. Operator-authored draft pending external legal review.