Administration FAQ
Users & Access
How do I add a new user to my organization?
Navigate to Settings → Members → Invite member. Enter the user’s email and choose an initial role. They will receive an invitation email with a time-limited sign-up link (valid for 72 hours). Only CustomerAdmin can send invitations.
If the invitation expires, open Settings → Members, find the pending invitation, and click Resend.
What role should I assign to a new user?
Assign the minimum role the user needs for their job function:
- External auditors → CustomerAuditor
- Compliance team members → CustomerComplianceOfficer
- Finance / cost oversight → CustomerBusinessOwner
- Read-only stakeholders → CustomerViewer
- IT administrators → CustomerAdmin
See the full Roles & Permissions matrix.
How do I remove a user who has left the organization?
Go to Settings → Members, find the user, click ··· → Deactivate. This immediately terminates their active sessions and blocks future sign-ins. Their historical records (audit log entries, session reviews, etc.) are preserved.
Can I have more than one admin?
Yes — you can have as many CustomerAdmin users as your organization needs. There is no maximum. However, there must always be at least one active admin. The system prevents deactivating or downgrading the last admin.
Can a user have more than one role?
Yes. Role grants are additive. For example, an external auditor who also needs standard read-only portal access can hold both CustomerAuditor and CustomerViewer. Assign additional roles from the user’s profile Roles tab.
How do I reset a user’s password?
Veriproof does not store passwords directly. Password resets are handled by the user through the Forgot password flow on the sign-in page. If the user authenticates via SSO, password management is handled by their identity provider.
API Keys
How do I rotate an API key without downtime?
Use the zero-downtime rotation flow:
- Issue a secondary key for the same application — both keys work simultaneously.
- Update your secret store and deploy the new key to your application.
- Confirm traffic is flowing through the new key.
- Revoke the original key.
What happens when I revoke an API key?
Revocation is immediate. Any request using the revoked key returns 401 Unauthorized within seconds of the revocation. There is no grace period.
I accidentally committed an API key to a Git repository. What should I do?
- Immediately submit a revoke request from Settings → Account → Security in the Customer Keys panel.
- Issue a replacement key.
- Update your secrets store with the new key.
- Remove the key from the Git history using git filter-branch or BFG Repo Cleaner, then force-push.
- Assume the key was seen and treat it as compromised regardless of whether your repository is private.
Why can I only see the key prefix, not the full value?
For security, Veriproof displays the full key value only once — at the moment it is created. Afterwards, only the first 8 characters (the prefix) are shown. This protects keys even if an admin account is compromised. Always copy keys to a secrets manager immediately upon creation.
What is the difference between vp_live_ and vp_test_ keys?
vp_live_ keys target the production environment. Sessions are blockchain-anchored on Solana mainnet. vp_test_ keys target the sandbox environment. Sessions are not anchored to the real blockchain, making them safe for CI pipelines and automated testing.
SSO & Authentication
Can I configure more than one SSO provider?
Yes. Each enabled SSO configuration appears as a separate sign-in button on the portal login page. This is useful for organizations with multiple identity systems.
After configuring SSO, users still see email/password login. How do I enforce SSO only?
SSO enforcement (disabling email/password for SSO-provisioned users) is an Enterprise plan feature. Contact sales@veriproof.app to enable it. Until then, both sign-in methods remain available.
A user signed in via SSO but has no access to features. Why?
New SSO sign-ins are created with the CustomerAuditor role (least privilege). An admin must assign the appropriate role from Settings → Members → [User] → Roles.
My SSO configuration test passes but users get an error when signing in. What should I check?
- Verify the callback URL https://app.veriproof.app/auth/callback is allowlisted in your IdP.
- Check that the IdP application is not restricted to specific users or groups that exclude the signing-in user.
- Confirm the client secret has not expired in the IdP — expired secrets cause authentication failures.
Data Lifecycle
What is the 7-day grace period when I delete an application?
After you initiate an application deletion, the application enters a pending deletion state for 7 days. During this time, the deletion can be cancelled and all data is preserved. The actual purge (permanent data deletion) only occurs after the grace period expires. See Data Deletion.
Can I cancel an application deletion in progress?
Yes — but only during the 7-day grace period. Once the purge worker starts executing (after the grace period), it cannot be interrupted.
Does deleting an application remove its blockchain anchors?
No. Blockchain commitment anchors are permanent by design. Only session payloads, cryptographic key material, and portal metadata are deleted. After purge, the commitment hashes remain on-chain but cannot be linked back to any personal data because the encryption keys are gone.
How long is my data retained?
Retention periods depend on your plan:
- Builder: 7 days
- Team: 90 days
- Enterprise: up to 365 days (configurable per application)
Audit logs have a fixed 90-day retention regardless of plan. See Data Retention.
What happens to data under a GDPR erasure request?
The data subject’s encryption salt is destroyed, making all their session payloads cryptographically unreadable. This constitutes erasure under GDPR recital 26 (anonymisation). An erasure certificate is issued. See GDPR Erasure.
Webhooks & Alerts
My webhook endpoint is not receiving events. How do I debug this?
- Open Settings → Webhooks → [endpoint] → Delivery logs.
- Check whether deliveries are listed. If no deliveries appear, the event may not have been triggered yet — use the Test button to send a sample event.
- If deliveries appear with non-2xx responses, check your endpoint’s logs for the error.
- Verify the endpoint URL is reachable from the internet and that your server returns a 2xx response within 10 seconds.
How do I verify that a webhook payload is genuine?
Add a signing secret to your webhook configuration. Veriproof will include an X-Veriproof-Signature: sha256=... header with every delivery. Verify this header using HMAC-SHA256 with your secret. See Webhooks → Verifying Signatures.
I’m receiving the same event twice. What should I do?
This is expected retry behaviour. Each event has a unique id field — record processed IDs and skip re-processing if the same id arrives again. See Webhooks → Idempotency.
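The two answers above (signature verification and idempotent handling by event id) combined into one receiver, as an added example that is not Veriproof's own code. It assumes the signature is HMAC-SHA256 over the raw request body, hex-encoded in the X-Veriproof-Signature header; the secret, event id and event type are constructed sample values.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Set, Tuple

# Constructed secret for the example; a real one comes from the webhook configuration.
WEBHOOK_SECRET = b"whsec_constructed_example_secret"


def compute_signature(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw body, formatted as the header value 'sha256=<hex>'."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """True only if the header matches; compare_digest avoids timing side channels."""
    if not header or not header.startswith("sha256="):
        return False
    expected = compute_signature(secret, body)
    return hmac.compare_digest(expected.encode(), header.encode())


class WebhookHandler:
    """Verifies every delivery, then processes each event id at most once."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.seen_ids: Set[str] = set()  # persist this (DB/Redis) in production
        self.processed: List[dict] = []

    def handle(self, body: bytes, header: Optional[str]) -> Tuple[int, str]:
        """Return the (HTTP status, reason) the endpoint should answer with."""
        if not verify_signature(self.secret, body, header):
            return 401, "bad signature"  # verify before parsing untrusted JSON
        event = json.loads(body)
        event_id = event.get("id")
        if not isinstance(event_id, str):
            return 400, "missing id"
        if event_id in self.seen_ids:
            return 200, "duplicate"  # answer 2xx so the retry loop stops
        self.seen_ids.add(event_id)
        self.processed.append(event)
        return 200, "processed"


def make_sample_delivery(event_id: str, secret: bytes = WEBHOOK_SECRET) -> Tuple[bytes, str]:
    """Constructed delivery: a minimal event body plus its correctly signed header."""
    body = json.dumps({"id": event_id, "type": "session.completed"}).encode()
    return body, compute_signature(secret, body)


if __name__ == "__main__":
    handler = WebhookHandler(WEBHOOK_SECRET)
    body, sig = make_sample_delivery("evt_constructed_001")
    print(handler.handle(body, sig))         # (200, 'processed')
    print(handler.handle(body, sig))         # (200, 'duplicate') on retry
    print(handler.handle(body + b" ", sig))  # (401, 'bad signature') if the body was altered
```

Verify against the exact bytes received, before any JSON parsing or re-serialisation, since reformatting the body changes the digest.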
Billing & Plan
How do I see my current plan and usage?
Navigate to Settings → Plan & Billing. This page shows your current plan, included quotas, current period usage, and the next billing date.
How do I get a cost alert before reaching my spending limit?
Create a cost budget in Settings → Cost & Budgets. Set the threshold to your limit and optionally set an Alert at 80% early-warning trigger. See Spend & Usage Alerts.
I need data retention longer than my current plan allows. What should I do?
Retention limits are tied to your plan tier. Enterprise customers can configure up to 365 days per application. Contact sales@veriproof.app to discuss Enterprise plans.