
Fetch the Verdict

In one sentence

Your backend reads the verdict with one authenticated, server-to-server request keyed by sessionRef, then applies your policy.

This is step 3 of three, after embedding the collector and deploying the edge.

The request

Your backend calls Octet's API directly — server-to-server, out of the browser's sight — using the sessionRef you minted in step 1 and the partner key Octet issued you:

curl -s "https://<your-octet-api-url>/v1/verdict/sess_abc123?waitMs=2000" \
  -H "x-octet-partner-key: <your-partner-key>"

Part | Detail
--- | ---
Method / path | GET /v1/verdict/{sessionRef}
Auth header | x-octet-partner-key: <your-partner-key>
waitMs (query) | Optional. Long-poll up to this many milliseconds (max 10000) while the browser's collection is still in flight.

The response

On success you get the coarse verdict for that session:

{
  "country": "DE",
  "confidence": 0.91,
  "alarm": "none",
  "estimatedLocation": { "lat": 52.52, "lon": 13.40 },
  "confidenceRadiusKm": 35
}

The verdict is country, confidence, alarm, and a coarse location region (estimatedLocation, confidenceRadiusKm, and feasibleRegion when a polygon was computed) — see the Verdict Schema for every field. That's the whole response: the reasoning behind it never crosses, so there are no hidden fields. The country and location fields are optional — handle their absence.

If the verdict isn't ready yet (the browser is still collecting, or never did), you get a pending response:

{ "status": "pending", "ref": "sess_abc123" }

with HTTP 404. Use waitMs to wait for it, or poll again shortly. Verdicts are held briefly after collection, so fetch reasonably soon after the page view.

Examples

Node (fetch)

const r = await fetch(
  `https://<your-octet-api-url>/v1/verdict/${sessionRef}?waitMs=2000`,
  { headers: { 'x-octet-partner-key': process.env.OCTET_PARTNER_KEY } },
);
if (r.ok) {
  const { country, confidence, alarm } = await r.json();
  // apply your policy
}

Python (requests)

import os

import requests

r = requests.get(
    f"https://<your-octet-api-url>/v1/verdict/{session_ref}",
    params={"waitMs": 2000},
    headers={"x-octet-partner-key": os.environ["OCTET_PARTNER_KEY"]},
    timeout=5,  # bound the long-poll plus network time
)
if r.ok:
    v = r.json()  # {"country": ..., "confidence": ..., "alarm": ...}

Apply your policy

What you do with the verdict is entirely yours. A common shape:

if (alarm === 'high') {
  // step up: challenge, MFA, manual review
} else if (confidence >= 0.8 && allowedCountries.includes(country)) {
  // allow
} else {
  // log / soft-gate / your call
}

Octet decides nothing — it reports the verdict and you choose. (country, confidence, and alarm are the usual policy drivers; the location region is there when you also want to display or geofence the coarse estimate.) See Verdicts for how to read the fields.

Never trust the browser

The result verify() resolves with in the browser is client-controlled. Always read the verdict here, on your backend. The sessionRef is the only thing that crosses the browser, and it carries no verdict.
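
The request, the pending (404) case, the optional fields and the policy step above, combined into one fail-closed backend handler. This is an added example, not Octet's code: the sessionRef pattern, the decision names and the 5-second timeout are assumptions to adapt to your own backend.

```javascript
// Added example, not Octet's code. Assumed: the sessionRef pattern (use the
// format your backend mints) and the decision names returned by decide().
const SESSION_REF_RE = /^[A-Za-z0-9_-]{1,128}$/;
const MAX_WAIT_MS = 10000; // documented ceiling for waitMs

// Build the request URL. sessionRef has passed through the browser, so it is
// validated before it is placed in the path.
function verdictUrl(apiBase, sessionRef, waitMs = 2000) {
  if (typeof sessionRef !== 'string' || !SESSION_REF_RE.test(sessionRef)) {
    throw new Error('invalid sessionRef');
  }
  const wait = Math.min(Math.max(0, Math.trunc(Number(waitMs)) || 0), MAX_WAIT_MS);
  const base = apiBase.replace(/\/+$/, '');
  return `${base}/v1/verdict/${encodeURIComponent(sessionRef)}?waitMs=${wait}`;
}

// Map HTTP status + parsed body to a decision; only a complete, confident,
// allowed-country verdict yields 'allow'.
function decide(status, body, { allowedCountries, minConfidence = 0.8 }) {
  if (status === 404 && body && body.status === 'pending') return 'pending';
  if (status !== 200 || !body || typeof body !== 'object') return 'error';
  const { country, confidence, alarm } = body;
  if (alarm === 'high') return 'step_up';
  // country is optional; a verdict without it is reviewed, never allowed.
  if (typeof country !== 'string' || !Number.isFinite(confidence)) return 'review';
  if (confidence >= minConfidence && allowedCountries.includes(country)) return 'allow';
  return 'review';
}

// Fetch and decide. 'pending' (collector still running, or never ran) and
// 'error' must not be treated as 'allow' by the caller.
async function fetchDecision(apiBase, partnerKey, sessionRef, policy, fetchImpl = fetch) {
  const r = await fetchImpl(verdictUrl(apiBase, sessionRef), {
    headers: { 'x-octet-partner-key': partnerKey },
    signal: AbortSignal.timeout(5000), // bound the long-poll plus network time
  });
  const body = await r.json().catch(() => null);
  return decide(r.status, body, policy);
}
```

Passing a stub as fetchImpl lets you unit-test the pending, error and missing-country paths without calling the API.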

Where to go next