Developers

Documentation

Integrate Evodira merchant trust into your platform.

Overview

Evodira exposes a versioned REST API at https://api.evodira.com/api/v1. Every operator feature — merchant onboarding, evidence collection, risk scoring, review workflows, and corrective actions — is available as an API endpoint. Interactive platforms can use cookie-based sessions; machine-to-machine integrations use an X-API-Key header.

All responses are JSON. Timestamps are ISO-8601 UTC. IDs are UUIDs.

Quickstart

# Step 1: Authenticate — sets lmt_access & lmt_refresh HTTP-only cookies
curl -X POST https://api.evodira.com/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -c cookies.txt \
  -d '{"email":"ops@acme.com","password":"••••••••"}'
# Step 2: Onboard a merchant (with session cookie)
curl -X POST https://api.evodira.com/api/v1/merchants \
  -H "Content-Type: application/json" \
  -b cookies.txt \
  -d '{
    "name": "Mama Cass Kitchen",
    "business_type": "food_vendor",
    "claimed_address": "12 Allen Ave, Ikeja, Lagos",
    "latitude": 6.5984,
    "longitude": 3.3575
  }'
# Step 3: Check merchant trust status
curl https://api.evodira.com/api/v1/merchants/{id}/trust-status \
  -b cookies.txt

The session-based flow sets two HTTP-only cookies: lmt_access (short-lived JWT) and lmt_refresh (long-lived). The platform API key flow uses the X-API-Key header — keys are scoped to a platform_api role.

Base URL & Versioning

# All requests must be prefixed with /api/v1
https://api.evodira.com/api/v1

Breaking changes are versioned. The current stable version is v1. The version prefix is required on every request.

Authentication Summary

Method	Used by	How
Cookie (JWT)	Operators, QC reviewers, admins	POST /auth/login → sets lmt_access + lmt_refresh
X-API-Key header	Platform API integrations	Admin generates key → pass as X-API-Key: <key>
Inspector cookie	Field inspectors (partner app)	Separate lmt_insp_access + lmt_insp_refresh cookies

Browse by Topic

📖

API Reference

Full REST API — authentication, merchants, evidence, complaints, risk scoring, review cases, corrective actions, platform integration, and more.

Browse all endpoints →Authentication model →Risk score components →

⚡

Webhooks

Push-based event delivery for risk status changes, review decisions, trigger firings, and corrective action issuance.

Event reference →Signature verification →Retry policy →

🏅

Trust Badges

Embed a live merchant trust badge using a single HTML snippet. Served from the public status API — no authentication required.

Embed guide →GET /badge/{merchant_id} →GET /badge/{merchant_id}/svg →

🔐

Security

HTTP-only cookies for operator sessions, X-API-Key for platform integrations, TOTP 2FA, role-based permissions, and audit trails.

Auth flow →Roles & permissions →Compliance overview →

🔌

Platform Integration

Onboard merchants, submit evidence, ingest complaints, and receive trust status updates via the Platform Integration API.

Platform API overview →Register a webhook →Order & refund events →

📡

Status

Live system availability, 90-day uptime metrics, and incident history.

View status page →

Standard Error Response

// HTTP 4xx / 5xx
{
  "detail": "string or array of validation errors"
}
// Validation error (422 Unprocessable Entity)
{
  "detail": [
    { "loc": ["body", "email"], "msg": "value is not a valid email address", "type": "value_error" }
  ]
}

Status	Meaning
400	Bad Request — malformed JSON
401	Unauthorized — missing or expired token / API key
403	Forbidden — authenticated but missing required permission
404	Not Found — resource does not exist
409	Conflict — duplicate resource or state machine violation
422	Validation Error — request body failed field validation
429	Too Many Requests — rate limit exceeded
500	Internal Server Error

Support

Having trouble? developer@evodira.com or visit the status page to check for ongoing incidents.