Enterprise Onboarding

This guide covers enterprise-specific features: multi-tenant setup, BYOK KMS, SIEM integration, custom audit retention, and the agent self-onboard flow.

Account setup

Enterprise accounts are set up with Verbitas’s sales team. After setup you receive:

  • A primary tenant ID (t_live_...)
  • An admin-scoped API key (vb_live_... with admin scope)
  • A link to the admin console at https://verbitas.io/admin

Multi-tenant configuration

If you are building a platform that re-sells Verbitas to your end customers, create a separate sub-tenant for each downstream customer. This provides:

  • Isolated audit logs per customer
  • Per-customer rate limits and spending caps
  • Separate API keys per customer
  • Row-level security enforced at the database layer

Create a sub-tenant

curl -X POST https://api.verbitas.io/v1/tenants \
  -H "Authorization: Bearer $VERBITAS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Customer A",
    "email": "[email protected]",
    "plan": "growth",
    "spending_cap_usd": 500
  }'

Response:

{
  "tenant_id": "t_01j...",
  "name": "Customer A",
  "plan": "growth",
  "spending_cap_usd": 500
}

Mint an API key for a sub-tenant

curl -X POST https://api.verbitas.io/v1/tenants/t_01j.../keys \
  -H "Authorization: Bearer $VERBITAS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "scope": "sign",
    "description": "Customer A production key",
    "expires_at": "2027-05-09T00:00:00Z"
  }'

Response:

{
  "key_id": "key_01j...",
  "api_key": "vb_live_01j...",
  "scope": "sign",
  "expires_at": "2027-05-09T00:00:00Z"
}

The api_key is shown once.

Agent self-onboard

Autonomous agents and CI pipelines can onboard themselves without a human:

curl -X POST https://api.verbitas.io/v1/onboard \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: $(python3 -c 'import uuid; print(uuid.uuid4())')" \
  -H "User-Agent: my-pipeline/1.0" \
  -d '{
    "email": "[email protected]",
    "payment_method_id": "pm_test_...",
    "plan": "developer",
    "tenant_name": "image-generation-pipeline"
  }'

Requirements:

  • The Idempotency-Key header must be present (the request is rejected if it is missing)
  • User-Agent must not match a known browser pattern
  • payment_method_id must be a valid Stripe payment method token

The response includes the API key once:

{
  "tenant_id": "t_01j...",
  "api_key": "vb_live_01j...",
  "recipe_defaults": ["image-genai-v1"],
  "rate_limits": { "rps": 5, "daily": 1000 },
  "next_steps_url": "https://docs.verbitas.io/quickstart"
}

SIEM integration

Continuous S3 export

On the Enterprise plan, enable continuous audit log export to your S3 bucket:

  1. In the admin console: Settings > Audit Export > Enable S3 Export
  2. Provide your S3 bucket ARN and the IAM role Verbitas should assume
  3. Verbitas writes NDJSON files partitioned as s3://your-bucket/verbitas-audit/year=2026/month=05/day=09/<batch>.ndjson

Each file contains audit log entries for a 15-minute window.
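
A completeness check for the exported files, as an added example that is not part of Verbitas's own tooling: it maps object keys onto the day partitions described above, reports days with fewer batch files than expected, and parses a batch while recording lines that are not valid JSON objects. The sample keys, the batch file name and the entry fields are constructed, and the default of 96 files per day assumes a file is written for every 15-minute window.

```python
import json
import re
from datetime import date, timedelta

# Key layout from the export description above; the <batch> name is treated as opaque.
KEY_RE = re.compile(r"verbitas-audit/year=(\d{4})/month=(\d{2})/day=(\d{2})/[^/]+\.ndjson$")

def partition_day(key):
    """Date encoded in an export object key, or None if the key does not fit the layout."""
    m = KEY_RE.search(key)
    try:
        return date(int(m[1]), int(m[2]), int(m[3])) if m else None
    except ValueError:  # for example month=13
        return None

def export_gaps(keys, start, end, expected_per_day=96):
    """Return ({day: file count} for days in [start, end] below the expectation, stray keys)."""
    # 96 = one file per 15-minute window (assumption: every window produces a file).
    # Pass expected_per_day=1 to flag only days with no files at all.
    counts = {start + timedelta(days=i): 0 for i in range((end - start).days + 1)}
    stray = []
    for key in keys:
        day = partition_day(key)
        if day is None:
            stray.append(key)  # object under the prefix that is not an export batch
        elif day in counts:
            counts[day] += 1
    return {d: n for d, n in counts.items() if n < expected_per_day}, stray

def parse_ndjson(text):
    """Parse one batch file; return (entries, numbers of lines that are not JSON objects)."""
    entries, bad_lines = [], []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            entry = None  # truncated or corrupted line
        if isinstance(entry, dict):
            entries.append(entry)
        else:
            bad_lines.append(number)
    return entries, bad_lines

# Constructed sample data: the batch name and entry fields are invented for this example.
SAMPLE_KEYS = [f"verbitas-audit/year=2026/month=05/day={d}/batch-0001.ndjson" for d in ("09", "11")]
SAMPLE_KEYS.append("verbitas-audit/tmp/upload.part")
SAMPLE_BATCH = '{"event": "sign"}\n\n{"event": "verify"\n["not", "an", "object"]\n'
```

Feed `export_gaps` the key listing of the bucket prefix for the period under review; a day that appears in its result, or any stray key, is worth an alert in the SIEM.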

Splunk

Point Splunk’s S3 input at your audit export bucket:

[monitor://s3://your-bucket/verbitas-audit/]
sourcetype = _json
index = verbitas

Elastic / OpenSearch

Use the S3 River or Logstash S3 input to ingest the NDJSON files.

Direct API polling

For smaller volumes, poll GET /v1/audit directly:

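import time
from datetime import datetime, timedelta, timezone

import verbitas

def send_to_siem(entry):
    """Placeholder: replace with the call that forwards one entry to your SIEM."""
    print(entry)

client = verbitas.Client()
last_poll = datetime.now(timezone.utc) - timedelta(minutes=5)

while True:
    # Take one timestamp per cycle and reuse it as the start of the next window,
    # so no entry falls into a gap between to_dt and the next from_dt.
    now = datetime.now(timezone.utc)
    entries = client.audit.list(
        from_dt=last_poll,
        to_dt=now,
        limit=1000,
    )
    for entry in entries:
        send_to_siem(entry)
    last_poll = now
    time.sleep(300)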

Audit log retention

Plan              | Retention
Free / Developer  | 30 days
Growth            | 365 days
Enterprise        | Up to 7 years (2555 days), configurable

To configure retention on Enterprise:

curl -X PATCH https://api.verbitas.io/v1/tenants/t_01j.../settings \
  -H "Authorization: Bearer $VERBITAS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"audit_retention_days": 2555}'

Custom trust list

Enterprise tenants can configure a custom trust list for verification. By default, Verbitas uses its own trust list (which includes its own signing CA plus major C2PA-registered authorities).

curl -X POST https://api.verbitas.io/v1/trust-list \
  -H "Authorization: Bearer $VERBITAS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "entries": [
      {
        "issuer_cn": "ACME Corp Signing CA",
        "certificate_pem": "-----BEGIN CERTIFICATE-----\n..."
      }
    ]
  }'

When a custom trust list is set, verification against third-party signed content uses the custom list instead of the default.
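
Because a custom list replaces the default for third-party verification, it helps to check each certificate and record its fingerprint before submitting. The following added example (not Verbitas code) builds the request body shown above from PEM input; the one-certificate-per-entry rule, the helper names and the sample bytes are assumptions of this example, and it does not parse X.509, so it cannot confirm that issuer_cn matches the certificate.

```python
import base64
import hashlib
import json
import re

CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem):
    """Decode a PEM string holding exactly one certificate; raise ValueError otherwise."""
    if "PRIVATE KEY-----" in pem:
        raise ValueError("PEM contains a private key; only the CA certificate belongs here")
    bodies = CERT_RE.findall(pem)
    if len(bodies) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(bodies)}")
    der = base64.b64decode("".join(bodies[0].split()), validate=True)
    if der[:1] != b"\x30":  # a DER certificate starts with a SEQUENCE tag
        raise ValueError("decoded data does not look like a DER certificate")
    return der


def build_trust_list(certs):
    """certs: iterable of (issuer_cn, pem). Returns (JSON body, {issuer_cn: SHA-256 hex})."""
    entries, fingerprints = [], {}
    for issuer_cn, pem in certs:
        der = pem_to_der(pem)
        if issuer_cn in fingerprints:
            raise ValueError(f"duplicate issuer_cn: {issuer_cn}")
        fingerprints[issuer_cn] = hashlib.sha256(der).hexdigest()
        entries.append({"issuer_cn": issuer_cn, "certificate_pem": pem.strip() + "\n"})
    # json.dumps escapes the PEM line breaks as \n, as in the request body above.
    return json.dumps({"entries": entries}, indent=2), fingerprints


def fake_pem(der):
    """Wrap bytes in certificate PEM armor (helper for the constructed sample only)."""
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


# Constructed sample: DER-shaped placeholder bytes, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"\x00" * 10
SAMPLE_PEM = fake_pem(SAMPLE_DER)
```

Compare the returned fingerprints with the values the CA owner published out of band, then send the JSON body with `curl --data @file` instead of pasting PEM text into the shell.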

Spending caps

All tenants can set a spending cap to prevent unexpected billing:

curl -X PATCH https://api.verbitas.io/v1/tenants/t_01j.../settings \
  -H "Authorization: Bearer $VERBITAS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"spending_cap_usd": 1000}'

When the cap is reached, the API returns 402 verbitas.billing.spending_cap_reached for any metered operation. Cap alerts are sent at 80% utilisation.

DPA and data processing

Enterprise customers can request a Data Processing Agreement (DPA) at [email protected]. The DPA covers:

  • What data Verbitas processes on your behalf
  • Data residency (Hetzner, eu-central-1)
  • Sub-processors
  • GDPR rights procedures
  • Breach notification

See Compliance: GDPR and Compliance: Sub-Processors.

Dedicated support

Enterprise plans include a dedicated Slack channel and a technical account manager. After onboarding, request your Slack invite at [email protected].

For urgent issues, use the P1 escalation path documented in your service agreement.