Developer guide

Vera API + MCP

Two ways to plug Vera into your stack: the REST API for push-style integrations (CRM, n8n, Slack), or the MCP server for letting your own AI agents pull live intelligence. Both are included on every plan. Manage keys in dashboard Settings.

Show samples in

Authentication

Every request takes a Bearer token. Create keys in Settings → API keys.

Authorization: Bearer vera_live_<your_key>
text

API access is included on every plan. Rate limits: 30 req/min on Starter and Individual, higher limits on Team. Over-limit responses include Retry-After and X-RateLimit-Remaining headers.

Auth

GET/api/v1/public/usage

Get usage

Current month's usage against your plan's caps: accounts researched, accounts watched, contact unlocks and more. The simplest endpoint to test your key works.

curl https://api.veraa.ai/api/v1/public/usage \
  -H "Authorization: Bearer vera_live_..."
curl

Leads

GET/api/v1/public/leads

List leads

Paginated list of leads in your pipeline. Filter by rating (hot/warm/cold) or status.

curl "https://api.veraa.ai/api/v1/public/leads?rating=hot&limit=20" \
  -H "Authorization: Bearer vera_live_..."
curl
GET/api/v1/public/leads/{lead_id}

Get a lead

Full lead record including the entire enrichment_data blob — tech stack, news, threat alerts, GTM briefing, website intel.

curl https://api.veraa.ai/api/v1/public/leads/8f4cab97-... \
  -H "Authorization: Bearer vera_live_..."
curl
GET/api/v1/public/leads/{lead_id}/briefing

Get just the briefing

Trim view that returns only the GTM briefing for piping into a CRM activity, Slack message, or email sequencer without pulling the full enrichment blob.

curl https://api.veraa.ai/api/v1/public/leads/8f4cab97-.../briefing \
  -H "Authorization: Bearer vera_live_..."
curl
POST/api/v1/public/leads

Create a lead

Add a new lead to your pool. Provide at least one of email or linkedin_url. Set enrich=true to enrich + score it inline (uses one monthly research slot).

curl -X POST https://api.veraa.ai/api/v1/public/leads \
  -H "Authorization: Bearer vera_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "email": "ceo@example.com",
    "linkedin_url": "https://linkedin.com/in/...",
    "company_name": "Example Co",
    "company_domain": "example.com",
    "enrich": true
  }'
curl
POST/api/v1/public/leads/enrich

Enrich existing leads

Trigger full enrichment + scoring for one or more existing leads. Uses one monthly research slot per lead. Returns 402 if you'd exceed your plan's monthly allowance.

curl -X POST https://api.veraa.ai/api/v1/public/leads/enrich \
  -H "Authorization: Bearer vera_live_..." \
  -H "Content-Type: application/json" \
  -d '{"lead_ids": ["8f4cab97-...", "abc12345-..."]}'
curl

Signals

GET/api/v1/public/signals

List signals

Recent signals detected across your prospects. Every row carries company_domain, company_name and person_name (when the signal names a person), so you can route by account without parsing headlines. Filter by signal_type to narrow.

curl "https://api.veraa.ai/api/v1/public/signals?signal_type=cve_in_stack&limit=50" \
  -H "Authorization: Bearer vera_live_..."
curl

Watchlist

GET/api/v1/public/watchlist

List watchlist

The accounts Vera is watching for you: name, domain, priority, monitoring state and last-monitored time. Use it to reconcile your CRM against what Vera watches. Free and read-only.

curl "https://api.veraa.ai/api/v1/public/watchlist?limit=100" \
  -H "Authorization: Bearer vera_live_..."
curl
POST/api/v1/public/watchlist

Add to watchlist

Add a company to the watchlist. Vera's weekly monitor polls watched companies for changes (new blog posts, leadership changes, breach exposure) and surfaces alerts via the signals endpoint and webhooks.

curl -X POST https://api.veraa.ai/api/v1/public/watchlist \
  -H "Authorization: Bearer vera_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "company_name": "Acme Corp",
    "company_domain": "acme.com",
    "priority": 5
  }'
curl

Webhooks

Real-time event delivery

Configure webhook endpoints in Settings → Webhooks. Vera POSTs signed JSON to your URL whenever the events you subscribed to fire.

Verify the signature (Node — recommended V2)
import crypto from "node:crypto";

const REPLAY_TOLERANCE_SECONDS = 300; // 5 min

app.post("/webhooks/vera", express.raw({type: "application/json"}), (req, res) => {
  const sig = req.headers["x-vera-signature-v2"];
  const ts = parseInt(req.headers["x-vera-timestamp"], 10);

  // 1. Reject replays — timestamp must be within 5 min of now
  if (!ts || Math.abs(Date.now() / 1000 - ts) > REPLAY_TOLERANCE_SECONDS) {
    return res.status(401).send("timestamp too old");
  }

  // 2. Verify HMAC over "{timestamp}.{raw_body}"
  const signed = Buffer.concat([Buffer.from(`${ts}.`), req.body]);
  const expected = "sha256=" + crypto
    .createHmac("sha256", VERA_WEBHOOK_SECRET)
    .update(signed)
    .digest("hex");

  if (!crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(sig))) {
    return res.status(401).send("invalid signature");
  }

  const event = JSON.parse(req.body);
  // event.id, event.event, event.created_at, event.data
  res.sendStatus(204);
});
js

The V2 signature signs "{timestamp}.{body}" instead of just the body, which prevents replay attacks. The legacy X-Vera-Signature (body-only) header is still sent for backward compatibility — switch to V2 when you can.

Available event types
lead.createdlead.enrichedlead.scoredlead.rated_hotbrief.createdwatchlist.alert_createdsignal.detectedthreat.matched_to_leadaccount.went_hotaccount.suggestion_created

signal.detected fires for buying-trigger signal types only (breach, leadership change, funding, security hiring, person engagement) — not the full ~50 collected types. Stops the noise. account.went_hot fires when a monitor pass surfaces fresh material changes. account.suggestion_created fires when a new candidate lands in your Suggestions pool.

Retries

0s → 30s → 5min → 1hr → 6hr → 24hr, then dead. Manually replay from the dashboard.

Idempotency

Each delivery has X-Vera-Delivery — store the ID and reject duplicates.

Headers

X-Vera-Signature-V2 (replay-safe, recommended), X-Vera-Timestamp (epoch), X-Vera-Signature (legacy body-only), X-Vera-Event, X-Vera-Delivery.

Send a test payload

From Settings → Webhooks, hit the "Send" icon on any endpoint to fire a synthetic webhook.test event. Lets you confirm receiver wiring before waiting for a real event.

MCP server

Talk to Vera from your own AI surface

Connect Claude in Slack, n8n agents, ChatGPT, or any MCP-capable client. Your agent gets Vera's 17 tools (search/count accounts, signals, compare, account, ICP, watchlist) with the same RLS scoping as your dashboard.

Endpoint
https://veraa.ai/api/mcp
Authorization: Bearer <your_mcp_token>
text

Generate per-agent tokens in dashboard Settings → MCP access. One token per surface (your Slack bot, your n8n flow, etc.) so revoking one doesn't take the others down.

Claude Desktop / generic MCP client config
{
  "mcpServers": {
    "vera": {
      "type": "http",
      "url": "https://veraa.ai/api/mcp",
      "headers": {
        "Authorization": "Bearer vera_..."
      }
    }
  }
}
json
Available tools
search_accountscount_accountssearch_signalssearch_peoplecount_peopleget_accountget_icp_configget_watchlist_summaryenrich_accountfind_peoplesuggest_accountsfind_companiesaggregate_signals_over_timecompare_accountslist_signal_vocabularypropose_icp_changepropose_add_to_watchlistget_plan_usageunlock_contactget_capabilitiesremember_thisforget_memorydelete_accountdelete_person

Each tool returns structured JSON ready for downstream composition. find_companies runs ad-hoc Apollo-backed company search. The propose_* tools return a confirm card the end user has to slide-to-confirm; unlock_contact, delete_account and delete_person act immediately, so your agent should ask before calling them.

Scope

Your token only sees your own watchlist + ICP. No cross-org data is ever reachable.

Mutations

propose_icp_change + propose_add_to_watchlist always slide-to-confirm in Vera. unlock_contact and the delete tools act immediately.

Cost

Search, compare and account reads are free. enrich_account uses a monthly research slot, unlock_contact a monthly contact reveal. get_plan_usage shows what's left.

Need an endpoint we don't have? Tell us during onboarding.

Sales intelligence for cybersecurity teams.