API REFERENCE
Overview
The Lorica API has three primary endpoints plus a health check. Every request is synchronous. Every response is HMAC-SHA256 signed.
Endpoints
| Method & Path | Purpose | Latency (median) |
|---|---|---|
| POST /v1/enroll | Capture biometric reference at user creation | ~310ms |
| POST /v1/verify | Run step-up check at high-risk action moment | 292ms |
| DELETE /v1/delete | GDPR/CCPA right-to-erasure | ~40ms |
| GET /v1/health | Endpoint status | ~5ms |
Reference material
JWT Structure
Header, payload, signature — every claim documented.
Errors
Stable error codes, idempotency rules, retry semantics.
Rate Limiting
Per-tenant and per-action-class caps with response headers.
Versioning
What's a breaking change. Why no webhooks.
Conventions
- All requests use Content-Type: application/json.
- All responses, including errors, are JSON with a stable error/code field.
- POST requests accept X-Lorica-Idempotency-Key for safe retries within a 24-hour window.
- Every response includes X-Request-Id for support correlation.
- The v1 path segment is required. Future major versions ship as v2 alongside v1.