Collector API
The collector's public API is a single function, verify(config), which collects signals and posts them to your edge.
verify(config)
import { verify } from '@octetproof/collector';
await verify(config);
Collects the browser signals and posts them to ${config.apiUrl}/v1/signals, opening a short-lived latency channel at ${config.apiUrl}/v1/ws. Returns a promise that resolves when collection completes.
Designed to run in a secure (HTTPS) context and triggers no permission prompts.
config
| Field | Type | Required | Description |
|---|---|---|---|
apiUrl | string | yes | Base URL of your edge. The collector posts to ${apiUrl}/v1/signals and connects the WebSocket at ${apiUrl}/v1/ws. |
sessionRef | string | recommended | Opaque, partner-issued reference for this session. Required if you intend to fetch the verdict server-to-server. |
wsUrl | string | no | Override the latency-channel URL. Defaults to the ws/wss form of apiUrl + /v1/ws. |
passiveOnly | boolean | no | Skip the active network measurements for a faster, lighter pass. Lowers confidence. |
signal | AbortSignal | no | Abort an in-flight verify() (e.g. on navigation). |
Return value
The promise resolves when collection finishes. Do not use the resolved value to make a security decision — anything produced in the browser is client-controlled. Read the authoritative verdict on your backend via Fetch the Verdict. Treat verify() as fire-and-forget from the page's side, and catch errors so a failed collection doesn't surface to the user:
verify({ apiUrl: 'https://yourapp.com/octet', sessionRef }).catch(() => {
/* collection failed; the backend verdict fetch will simply be "pending" */
});
Where to go next
- Embed the Collector. The integration walkthrough.
- Verdict Schema. What your backend reads.