Reputation

Reputation is the score the acceptance gate consults. It is bidirectional — agents and merchants are scored — and lives on a hot path, so it follows one hard rule: never 404, never block. An unknown id, a DB outage, or a timeout all return the same neutral 200, because the SDK treats known:false and a failure identically and degrades safely.

{ "agentId": "…", "score": 500, "tier": "standard", "known": false }

The tier is one of risky, standard, trusted, elite. known:false means there's no history yet — not an error.

GET /v1/reputation/agent/:agentId

Canonical agent lookup.

{ "agentId": "11111111-…", "score": 540, "tier": "trusted", "known": true }

curl https://api.veto-ai.com/v1/reputation/agent/11111111-1111-1111-1111-111111111111

GET /v1/reputation/merchant/:merchantId

Canonical merchant lookup. Same shape, with the merchantId echoed back.

{ "merchantId": "mrch_01J…", "score": 520, "tier": "trusted", "known": true }

GET /v1/reputation/:agentId

The bare lookup the SDK uses. Same neutral-on-miss behavior. (The literal sub-paths agent and merchant are reserved for the canonical routes above.)

curl https://api.veto-ai.com/v1/reputation/11111111-1111-1111-1111-111111111111

GET /api/v1/reputation/:agentId/ — legacy alias

The unmodified shipped SDK builds ${base}/api/v1/reputation/${agentId}/ (note the trailing slash) and sends an X-Veto-Api-Key header. Both slash variants are registered, and the handler resolves leniently — a reputation outage must never block a checkout.

curl https://api.veto-ai.com/api/v1/reputation/11111111-1111-1111-1111-111111111111/ \
  -H "X-Veto-Api-Key: veto_test_8f2c…"