- Scope and Relationship to Terms of Service
- API License Grant
- Authentication and Security
- Rate Limits and Quotas
- API Key Management
- Agent Registration via API
- Compliance Integration Requirements
- Prohibited API Uses
- Intellectual Property
- Service Level and Uptime
- API Versioning and Deprecation
- SDK License
- Disclaimer of Warranties
- Limitation of Liability
- Suspension and Termination of API Access
- Contact
1. Scope and Relationship to Terms of Service
These API Terms of Use ("API Terms") apply to any individual or entity ("Developer") that accesses the Oris Application Programming Interface (API) or Software Development Kit (SDK) to build applications, automate agent operations, or integrate with the Oris payment infrastructure operated by Fluxa Ventures LLC.
These API Terms are incorporated by reference into the Oris Terms of Service. By accessing the API or SDK, you confirm that you have read, understood, and agree to both documents. Capitalized terms not defined here have the meanings given to them in the Terms of Service.
2. API License Grant
Subject to your ongoing compliance with these API Terms and the Terms of Service, Fluxa Ventures LLC grants you a limited, non-exclusive, non-sublicensable, non-transferable, revocable license to:
- Access the Oris API endpoints over HTTPS for the purpose of registering Agents, executing transactions, enforcing Spending Policies, querying compliance data, and reading audit logs associated with your developer account.
- Install and use the Oris Python SDK and TypeScript SDK in applications you build for your own use or for deployment to your authorized users.
- Display Oris attribution ("Powered by Oris" or equivalent) in applications built on the platform, provided that such attribution follows the Oris brand guidelines published at useoris.xyz/brand.
This license does not permit you to: resell API access as a standalone service; white-label the Oris API as your own infrastructure product; or grant your users the ability to create Oris developer accounts on your behalf.
3. Authentication and Security
3.1 HMAC-SHA256 Signing
All requests to authenticated API endpoints must be signed using HMAC-SHA256. The canonical request format, signing algorithm, and header requirements are specified in the Oris API authentication documentation. Requests must include the following headers:
- Authorization: Your API key in the format oris_sk_live_... (live) or oris_sk_test_... (sandbox).
- X-Request-Signature: HMAC-SHA256 of the canonical request string, hex-encoded.
- X-Timestamp: Unix epoch timestamp in seconds. Requests with a timestamp outside a thirty (30) second tolerance window will be rejected.
- X-Nonce: A unique token per request. Nonces are validated against a Redis-backed store with a thirty (30) second TTL. Replayed nonces will be rejected.
- X-Agent-ID: Required for all agent-scoped operations. Must be a valid UUID corresponding to a registered Agent in your account.
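The checks these headers imply (signature, timestamp window, nonce replay), sketched from the verifier's side as an added example; it is not Oris code. The canonical string layout, the in-memory NonceStore standing in for the Redis store, and all function names are assumptions, since the real canonical format is defined in the Oris authentication documentation.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 30   # timestamp window stated in section 3.1
NONCE_TTL_SECONDS = 30   # nonce TTL stated in section 3.1


def canonical_request(method, path, timestamp, nonce, body):
    # ASSUMPTION: illustrative layout only; the real canonical format is
    # specified in the Oris authentication documentation.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash])


def sign(secret, method, path, timestamp, nonce, body):
    msg = canonical_request(method, path, timestamp, nonce, body).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class NonceStore:
    """In-memory stand-in for the Redis-backed nonce store (hypothetical)."""
    def __init__(self):
        self._seen = {}  # nonce -> expiry time (epoch seconds)

    def add_if_new(self, nonce, now, expires_at):
        self._seen = {n: e for n, e in self._seen.items() if e > now}  # purge
        if nonce in self._seen:
            return False
        self._seen[nonce] = expires_at
        return True


def verify(secret, store, method, path, headers, body, now=None):
    now = time.time() if now is None else now
    try:
        ts = int(headers["X-Timestamp"])
        nonce = headers["X-Nonce"]
        sig = headers["X-Request-Signature"]
    except (KeyError, ValueError):
        return False, "missing_or_malformed_header"
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "stale_timestamp"
    expected = sign(secret, method, path, ts, nonce, body)
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad_signature"
    # Record the nonce only after the signature checks out; the TTL runs from
    # the later of receipt time and claimed timestamp so it outlives the window.
    if not store.add_if_new(nonce, now, max(now, ts) + NONCE_TTL_SECONDS):
        return False, "replayed_nonce"
    return True, "ok"
```

Checking the signature before recording the nonce keeps unauthenticated traffic from filling the nonce store.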
3.2 Key Security Obligations
You must store API keys and signing secrets in environment variables or a secrets management system. You must not embed API keys in source code, client-side JavaScript, mobile application binaries, or public code repositories. You acknowledge that exposure of your API key in a public repository or to unauthorized parties constitutes a security incident and must be reported to security@useoris.xyz and the key rotated immediately. Fluxa Ventures LLC may automatically revoke keys detected in public repositories.
3.3 Sandbox vs. Live Environments
The Oris API is available in two environments. The sandbox environment (accessed with oris_sk_test_... keys) does not process real transactions and is intended exclusively for development and testing. The live environment (accessed with oris_sk_live_... keys) processes real stablecoin transactions with real settlement. You are responsible for ensuring that your applications use the correct environment.
4. Rate Limits and Quotas
API usage is subject to rate limits enforced at the account level. Default rate limits by plan tier:
| Plan | Requests / min | Transactions / day | Agents |
|---|---|---|---|
| Free | 60 | 500 | 5 |
| Growth | 600 | 10,000 | 50 |
| Enterprise | Custom | Custom | Unlimited |
Rate limit status is communicated via response headers: X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset. Requests that exceed the rate limit receive an HTTP 429 response. You must implement exponential backoff retry logic in your applications.
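One way to meet the backoff requirement on the client side, as an added example rather than code from the Oris SDK. It assumes X-RateLimit-Reset carries a Unix epoch timestamp in seconds (the page does not say), and the delay constants and the send callable are hypothetical.

```python
import random
import time

MAX_ATTEMPTS = 5
BASE_DELAY = 0.5    # seconds; assumed starting delay
MAX_DELAY = 30.0    # seconds; assumed cap on any single wait


def backoff_delay(attempt, headers, now, rng=random.random):
    """Seconds to wait before retrying after the 429 on attempt `attempt` (0-based)."""
    # Exponential growth with full jitter, so many clients do not retry in step.
    ceiling = min(MAX_DELAY, BASE_DELAY * (2 ** attempt))
    delay = rng() * ceiling
    # ASSUMPTION: X-RateLimit-Reset is a Unix epoch timestamp in seconds.
    reset = headers.get("X-RateLimit-Reset")
    if reset is not None and str(reset).isdigit():
        # Do not retry before the window resets, but never wait past the cap.
        delay = max(delay, min(MAX_DELAY, int(reset) - now))
    return max(0.0, delay)


def call_with_backoff(send, sleep=time.sleep, clock=time.time):
    """`send()` is a caller-supplied function returning (status, headers, body)."""
    for attempt in range(MAX_ATTEMPTS):
        status, headers, body = send()
        if status != 429:
            return status, body, attempt
        if attempt == MAX_ATTEMPTS - 1:
            break  # give up instead of sleeping after the final attempt
        sleep(backoff_delay(attempt, headers, clock()))
    raise RuntimeError("rate limited: retries exhausted")
```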
Attempts to circumvent rate limits through credential rotation, IP address rotation, or request distribution across multiple accounts without explicit written authorization from Fluxa Ventures LLC constitute a violation of these API Terms and may result in permanent account termination.
5. API Key Management
Each developer account may create multiple API keys with different permission scopes. Available scopes include: agents:read, agents:write, transactions:read, transactions:write, policies:read, policies:write, compliance:read, and wallets:read. You should issue keys with the minimum scope required for each integration.
You may rotate API keys from the developer dashboard at any time. Rotation generates a new key and immediately invalidates the old key. You are responsible for updating all dependent applications after a key rotation. Fluxa Ventures LLC is not liable for service interruptions caused by failure to update API key references following a rotation you initiate.
Fluxa Ventures LLC may revoke API keys at any time for violation of these API Terms or the Terms of Service, or where required by applicable law. We will provide advance notice of revocation where operationally feasible and legally permitted.
6. Agent Registration via API
Agents are registered via the POST /v1/agents endpoint. Each Agent must be associated with a valid developer account and must include an accurate description of the Agent's purpose, authorized scope, and transaction authorization model. You must not register Agents intended to circumvent spending controls, evade compliance screening, or operate outside the authorization bounds you define.
KYA Level 0 is assigned to all newly registered Agents by default and permits limited transaction volume. KYA Level 1 through Level 3 require additional verification steps that may include developer account verification, scope documentation, and transaction pattern review. Transaction limits by KYA level are documented at docs.useoris.xyz/kya.
7. Compliance Integration Requirements
The Oris API is designed to be the single point of payment initiation for your Agents. You must not route Agent transactions through external payment rails to circumvent Oris compliance screening. Every transaction initiated by an Agent must flow through the Oris POST /v1/transactions endpoint so that AML pre-screening and Spending Policy evaluation can occur before settlement.
Applications built on the Oris API must present clear disclosures to end users about the compliance checks applied to their transactions, consistent with applicable regulatory requirements in the jurisdictions where you operate.
You must not build applications that suppress, modify, or present false compliance outcomes to your users. Compliance data returned by the API reflects the actual output of the Veris Engine and must not be altered before presentation.
8. Prohibited API Uses
The following uses of the Oris API are prohibited:
- Building applications designed to facilitate transactions for sanctioned persons, entities, or jurisdictions.
- Automating API calls to probe, test, or map Oris compliance screening logic for the purpose of evading it.
- Using the API to build a competing payment infrastructure product without express written authorization from Fluxa Ventures LLC.
- Submitting false, synthetic, or fraudulent agent registration data.
- Initiating transaction requests with forged or replayed request signatures.
- Using the sandbox API for production transactions or submitting live credentials to the sandbox environment.
- Building applications that aggregate, scrape, or export Oris compliance data for resale or redistribution without a separate data licensing agreement.
- Deploying Agents that operate without any human oversight or accountability mechanism in violation of applicable AI governance requirements.
9. Intellectual Property
The Oris API, all API endpoints, data schemas, response formats, authentication protocols, and compliance screening logic are the intellectual property of Fluxa Ventures LLC. These API Terms do not transfer any ownership of Oris intellectual property to you.
If you provide feedback, suggestions, or feature requests regarding the API, you grant Fluxa Ventures LLC a perpetual, royalty-free, worldwide license to use that feedback without restriction or compensation.
You retain ownership of the applications you build using the Oris API. Fluxa Ventures LLC claims no ownership interest in your applications, provided they comply with these API Terms and the Terms of Service.
10. Service Level and Uptime
Fluxa Ventures LLC targets the following service levels for API endpoints in the live environment:
- Payment pre-screen endpoint (POST /v1/transactions): p95 latency under 200 milliseconds, 99.9% monthly uptime.
- Spending Policy evaluation: p99 latency under 10 milliseconds.
- Agent registration and management endpoints: p95 latency under 500 milliseconds, 99.5% monthly uptime.
Uptime is measured as the percentage of minutes in a calendar month in which the API is available and returning non-error responses. Service credits for failure to meet SLA targets are available to Growth and Enterprise plan subscribers under a separate SLA agreement. Contact sales@useoris.xyz for details.
Planned maintenance windows, emergency downtime, and outage updates are published at status.useoris.xyz.
11. API Versioning and Deprecation
The Oris API uses URL-based versioning. The current stable version is /v1. Fluxa Ventures LLC will maintain support for a given API version for a minimum of twelve (12) months following the release of a successor version, except in cases where continued support would create security or compliance risks.
Deprecation notices will be communicated via: (a) email to the address on your developer account; (b) an X-API-Deprecation-Date header included in responses from deprecated endpoints; and (c) posts in the Oris developer changelog at docs.useoris.xyz/changelog.
You are responsible for migrating to current API versions within the deprecation window. Fluxa Ventures LLC is not liable for disruptions caused by failure to migrate before a deprecated endpoint is removed.
12. SDK License
The Oris Python SDK and TypeScript SDK are distributed under the MIT License. The license terms are included in each SDK package and in the SDK repositories. The MIT License permits use, modification, and redistribution subject to attribution requirements. You may not remove or alter the Fluxa Ventures LLC copyright notice from SDK source files.
SDK versions are published to PyPI (Python) and npm (TypeScript/JavaScript). You are responsible for keeping your SDK dependency version current. Fluxa Ventures LLC provides security patches for SDK versions released within the preceding twelve (12) months.
13. Disclaimer of Warranties
THE ORIS API AND SDK ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. FLUXA VENTURES LLC DOES NOT WARRANT THAT THE API WILL BE UNINTERRUPTED, ERROR-FREE, OR FREE OF SECURITY VULNERABILITIES. FLUXA VENTURES LLC DOES NOT WARRANT THAT COMPLIANCE SCREENING RESULTS RETURNED BY THE API WILL BE COMPLETE, ACCURATE, OR SUFFICIENT TO MEET YOUR REGULATORY OBLIGATIONS. YOU ARE SOLELY RESPONSIBLE FOR INDEPENDENTLY VERIFYING YOUR COMPLIANCE WITH APPLICABLE LAW.
14. Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, FLUXA VENTURES LLC'S LIABILITY TO YOU FOR CLAIMS ARISING FROM API USAGE IS LIMITED AS SET FORTH IN SECTION 14 OF THE TERMS OF SERVICE. FLUXA VENTURES LLC IS NOT LIABLE FOR: (A) IRREVERSIBLE BLOCKCHAIN TRANSACTIONS RESULTING FROM API MISUSE; (B) FINANCIAL LOSSES ARISING FROM AGENT MISCONFIGURATION OR POLICY ERRORS IN YOUR APPLICATIONS; OR (C) REGULATORY PENALTIES RESULTING FROM YOUR FAILURE TO IMPLEMENT ADEQUATE COMPLIANCE CONTROLS IN YOUR APPLICATIONS.
15. Suspension and Termination of API Access
Fluxa Ventures LLC may suspend or terminate your API access immediately and without advance notice where: (a) your API usage poses a security risk to the platform; (b) you violate Section 8 of these API Terms; (c) we are required to do so by applicable law or a regulatory authority; or (d) your account has outstanding unpaid fees.
On termination, your API keys are immediately revoked, all active Agent sessions are suspended, and pending unsettled transactions are cancelled where technically feasible. Settled transactions and compliance records associated with your account are retained per our data retention obligations.
16. Contact
API support questions: engineering@fluxa.ventures
Security disclosures: security@useoris.xyz
Enterprise API agreements: sales@useoris.xyz
API documentation: docs.useoris.xyz