A real-time verification endpoint for STI testing credentials. One API call with a user's share token returns the verification status, panel, issuer, and recommended-retest date. Auto-expiration means a verified result is always current. Developer tier is free; paid tiers from $999/mo with no hard cap, BAA available on Enterprise.
One API call. Pass your API key in the X-API-Key header. Returns live verification status that auto-expires when the user is due for retest — so a verified badge always means something current.
Apply for an API key below. Pass it in the X-API-Key header with every request.
/api/v1/verify| Parameter | Required | Description |
|---|---|---|
token | Yes | Public URL token from the user's olow link |
format | No | json (default) or badge (HTML embed) |
All non-error responses return verified as a boolean — that is the only field you need to gate access on. Treat any non-200 status (other than 404) as a transient failure and retry.
Errors are returned as JSON with an error field and the status code in the HTTP response.
| Status | When it happens |
|---|---|
400 | Missing the `token` query parameter. |
401 | Missing `X-API-Key` header, or key format is not `olow_live_`, `olow_test_`, or `olow_badge_`, or key is not recognized. |
403 | Key has been suspended, or your application status is not approved. |
404 | Token does not match any credential in our system. |
429 | Tier quota or per-key rate limit exceeded. Developer tier hits this after 150 calls/mo; paid tiers have no hard cap but enforce a per-key rate limit. Upgrade tier or contact sales. |
500 | Server error. Retry with exponential backoff. |
Every error response includes docs and apply URLs so that unfamiliar consumers of the API get pointed to the right place.
verified: falseautomatically when the user's recommended retest date passes — no action needed from you or the user. A verified badge always means currently within testing window.Pricing is call-centric and uncapped — each tier comes with a monthly call allowance, and every call past it is billed at the per-call overage rate. There's no hard cap; your platform can verify as many users as it needs to, billed accordingly. olow's verification standard expects at least one call per active user per day, so plan call volume as active users × 30 minimum per month.
| Tier | Monthly | Calls included | Overage / call | Revenue-share |
|---|---|---|---|---|
| Developer | Free | 150 | Upgrade required | — |
| Starter | $999 | 3,000 | $0.40 | — |
| Growth | $4,999 | 30,000 | $0.20 | — |
| Scale | $19,999 | 300,000 | $0.10 | 5% annual |
| Pro | $79,999 | 3,000,000 | $0.05 | 5% annual |
| Enterprise | Custom · $1M/yr floor | Custom | Custom | 8% annual or $1M, whichever greater |
Developer tier returns a 429 with tier_quota_exceeded after 150 calls/month — upgrade to a paid tier to lift the limit. Paid tiers have no hard cap — every call past included is billed at the per-call overage rate. Runaway protection: quota alerts at 100/200/500%, per-API-key rate limits, and Stripe payment-failure-pause (402) keep you from being silently billed into the six figures. Scale and Pro include a 5% annual revenue-share true-up; Enterprise uses 8% with a $1,000,000/year minimum floor.
The simplest integration — an iframe that renders a small verified badge. Uses format=badge on the standard verify endpoint and counts toward your monthly user count.
For integrations that want richer badge options (SVG, HTML with display name, JSON for native rendering), use the dedicated Badge Display endpoint. Requires a olow_badge_ key — a separate key class from the verify-API olow_live_ key.
/api/v1/badge| Parameter | Required | Description |
|---|---|---|
token | Yes | Public URL token from the user's olow link |
format | No | json (default), html, or svg |
The JSON response includes display_name when the user has set one — useful for rendering a personalized badge alongside a user's profile.
For apps that want verification status tied to a specific olow user account (rather than a shareable link), use the OAuth 2.0 authorization code flow. The user consents in their olow account, your app receives an access token and refresh token, and you can then check verification status without the user ever sharing a link with you.
OAuth is a separate integration pathway — contact api@olow.io to onboard as a partner and receive a client_id and client_secret. PKCE (RFC 7636) is supported and strongly recommended.
The redirect_uri must exactly match one of the URIs registered with your partnership. After the user consents, they're redirected back with ?code=...&state=... appended.
PKCE: generate a random code_verifier of 43–128 chars, derive code_challenge = base64url(sha256(verifier)), send the challenge on the authorize URL and keep the verifier server-side for step 2.
Auth codes expire after 10 minutes and are one-shot — a code can only be exchanged once. Access tokens are short-lived (15 minutes); use the refresh token to mint new ones. Store both securely on your server.
Refresh tokens are rotated on every use — each refresh returns a new refresh_token and invalidates the prior one. Always store the latest. Refresh tokens live 30 days from issue; after expiry the user must re-consent.
The OAuth endpoint returns the same verification shape as the verify API but tied to the user who consented — no token-sharing required. Same auto-expiration semantics apply.
We work with dating apps on deeper integrations — native badge display, user auth flows, and co-branded verification experiences.