Fetch the Verdict

In one sentence

Your backend reads the verdict with one authenticated, server-to-server request keyed by sessionRef, then applies your policy.

This is step 3 of three, after embedding the collector and deploying the edge.

The request

Your backend calls Octet's API directly — server-to-server, out of the browser's sight — using the sessionRef you minted in step 1 and the partner key Octet issued you:

curl -s "https://<your-octet-api-url>/v1/verdict/sess_abc123?waitMs=2000" \
  -H "x-octet-partner-key: <your-partner-key>"

| Part | Detail |
| --- | --- |
| Method / path | GET /v1/verdict/{sessionRef} |
| Auth header | x-octet-partner-key: <your-partner-key> |
| waitMs (query) | Optional. Long-poll up to this many milliseconds (max 10000) while the browser's collection is still in flight. |

The response

On success you get the verdict for that session:

{ "country": "DE", "confidence": 0.91, "alarm": "none" }

The supported, stable fields are country, confidence, and alarm — see Verdict Schema. Treat anything else in the response as internal and unsupported; build only on those three.

If the verdict isn't ready yet (the browser is still collecting, or never did), you get a pending response:

{ "status": "pending", "ref": "sess_abc123" }

with HTTP 404. Use waitMs to wait for it, or poll again shortly. Verdicts are held briefly after collection, so fetch reasonably soon after the page view.

Examples

Node (fetch)
const r = await fetch(
  `https://<your-octet-api-url>/v1/verdict/${sessionRef}?waitMs=2000`,
  { headers: { 'x-octet-partner-key': process.env.OCTET_PARTNER_KEY } },
);
if (r.ok) {
  const { country, confidence, alarm } = await r.json();
  // apply your policy
}

Python (requests)
import os
import requests

r = requests.get(
    f"https://<your-octet-api-url>/v1/verdict/{session_ref}",
    params={"waitMs": 2000},
    headers={"x-octet-partner-key": os.environ["OCTET_PARTNER_KEY"]},
    timeout=5,  # bound the request; must be longer than waitMs
)
if r.ok:
    v = r.json()  # {"country": ..., "confidence": ..., "alarm": ...}

Apply your policy

What you do with the verdict is entirely yours. A common shape:

if (alarm === 'high') {
  // step up: challenge, MFA, manual review
} else if (confidence >= 0.8 && allowedCountries.includes(country)) {
  // allow
} else {
  // log / soft-gate / your call
}

Octet decides nothing — it reports { country, confidence, alarm } and you choose. See Verdicts for how to read the fields.

Never trust the browser

The result that verify() resolves with in the browser is client-controlled. Always read the verdict here, on your backend. The sessionRef is the only thing that crosses the browser, and it carries no verdict.
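
The fetch, response handling and policy steps above combined into one backend helper, as an added example that is not Octet's own code. The function names, the `baseUrl`/`partnerKey`/`allowedCountries` options, the 3-second timeout margin, treating any 2xx as success, and mapping a pending or failed fetch to `soft_gate` rather than `allow` are all assumptions of this sketch.

```javascript
// Added example, not Octet's code; function and option names are hypothetical.

// Map an HTTP status and parsed body onto ready / pending / error.
function classifyResponse(status, body) {
  if (status === 404 && body && body.status === 'pending') return { state: 'pending' };
  const ok = status >= 200 && status < 300; // assumption: success is any 2xx
  if (!ok || body === null || typeof body !== 'object') return { state: 'error' };
  const { country, confidence, alarm } = body; // keep only the three supported fields
  const valid = typeof country === 'string' && typeof alarm === 'string' &&
    Number.isFinite(confidence); // rejects strings, NaN and missing values
  return valid ? { state: 'ready', verdict: { country, confidence, alarm } } : { state: 'error' };
}

// The page's policy shape. A missing verdict is never an allow (assumed choice):
// a client that blocks the collector would otherwise skip the check entirely.
function decide(result, allowedCountries) {
  if (result.state !== 'ready') return 'soft_gate';
  const { country, confidence, alarm } = result.verdict;
  if (alarm === 'high') return 'step_up';
  if (confidence >= 0.8 && allowedCountries.includes(country)) return 'allow';
  return 'soft_gate';
}

// Server-side fetch. sessionRef returns to the backend via the browser, so it is
// encoded before being placed in the URL path.
async function fetchDecision(sessionRef, { baseUrl, partnerKey, allowedCountries, waitMs = 2000 }) {
  const url = `${baseUrl}/v1/verdict/${encodeURIComponent(sessionRef)}?waitMs=${waitMs}`;
  try {
    const r = await fetch(url, {
      headers: { 'x-octet-partner-key': partnerKey },
      signal: AbortSignal.timeout(waitMs + 3000), // bound the long-poll
    });
    const body = await r.json().catch(() => null); // non-JSON body becomes an error state
    return decide(classifyResponse(r.status, body), allowedCountries);
  } catch {
    return decide({ state: 'error' }, allowedCountries); // network failure or timeout
  }
}
```
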