Introduction
These API & Developer Terms ("Developer Terms") govern access to and use of the ICONIC Board Credential Verification API and related developer services ("API"). By registering for API access, you ("Developer," "you") agree to be bound by these terms, as well as the ICONIC Board Terms of Service and Privacy Policy.
The ICONIC Board of Holistic Health ("Board") provides the API to enable authorized third parties to verify the credential status of practitioners within the Board's registry. These Developer Terms supplement and are incorporated into the Board's general Terms of Service.
API Access Tiers
The API is available at the following access tiers. Each tier includes specific rate limits, features, and obligations:
| Tier | Rate Limit | Registration | Features |
|---|---|---|---|
| Anonymous | 10 requests/day per IP | Not required | Single credential verification only |
| Free | 100 requests/day | Required; email verification required | Single credential verification |
| Standard | 5,000 requests/day | Required; monthly fee as published | Batch verification available |
| Enterprise | Unlimited | Required; custom pricing | Dedicated support, webhook subscriptions |
The Board reserves the right to modify tier offerings, rate limits, and pricing with 30 days' advance notice to registered developers.
Registration & Authentication
- A developer account is required for the Free tier and above. Accounts are created through the developer portal.
- API keys are personal and non-transferable. Each key is bound to a single developer account and must not be shared with third parties.
- API keys must be stored securely. Keys must never be embedded in client-side code, public repositories, or any location accessible to end users.
- Compromised keys must be reported immediately to developers@iconicboard.health. The Board will revoke compromised keys and issue replacements upon verification.
Permitted Use
The API may be used for the following purposes:
- Verify the credential status of practitioners listed in the ICONIC Board registry.
- Integrate credential verification into employer and hiring workflows.
- Build credential verification functionality into health and wellness platforms.
- Display verified credential badges on websites and applications, subject to the Board's badge usage guidelines.
- Subscribe to webhook notifications for credential status changes (Enterprise tier only).
Prohibited Use
The following activities are expressly prohibited and may result in immediate revocation of API access:
- Bulk harvesting of practitioner data beyond what is necessary for permitted verification purposes.
- Building competing directory services or credential registries using data obtained through the API.
- Selling, licensing, or redistributing API data to third parties.
- Attempting to reverse-engineer the API, its underlying systems, or its data structures.
- Circumventing rate limits, authentication controls, or other technical safeguards.
- Using the API to send spam, unsolicited communications, or any form of automated outreach to practitioners.
- Accessing, storing, or processing data beyond what the API explicitly returns in its documented responses.
Rate Limits & Fair Use
- Rate limits are enforced per API key and are calculated on a rolling 24-hour window.
- Requests that exceed the applicable rate limit will receive an HTTP 429 (Too Many Requests) response with a
Retry-Afterheader. - Repeated or deliberate abuse of rate limits may result in temporary suspension or permanent revocation of API access.
- Standard and Enterprise tier developers may request rate limit increases by contacting developers@iconicboard.health. Increases are evaluated on a case-by-case basis.
Data Usage & Privacy
- API responses contain only publicly available credential information, including credential type, status, and issuance date. No personally sensitive data is exposed through the API.
- Developers must not cache or store credential data obtained through the API for longer than 24 hours. Data must be re-fetched for any use beyond this cache window.
- Developers must comply with all applicable data protection and privacy laws, including but not limited to GDPR, CCPA, and HIPAA where applicable.
- Applications that display credential verification results must include clear attribution: "Verified by ICONIC Board" with a link to iconicboard.health.
Webhooks (Enterprise)
Enterprise tier developers may subscribe to real-time webhook notifications for credential status changes. The following terms apply to webhook subscriptions:
- Webhook endpoints must use HTTPS with a valid TLS certificate. HTTP endpoints are not supported.
- All webhook payloads include a cryptographic signature for verification. Developers should validate signatures before processing payloads.
- The Board's retry policy delivers failed webhook notifications up to 3 times with exponential backoff (30 seconds, 5 minutes, 30 minutes).
- Webhook subscriptions are managed through the developer dashboard. Developers may subscribe to specific credential types or status change events.
- Webhook endpoints that consistently fail to respond (5xx errors) for 72 hours will be automatically disabled. Developers will be notified via email.
Uptime & Support
- The Board targets 99.9% API uptime, excluding scheduled maintenance windows.
- Scheduled maintenance is communicated at least 48 hours in advance via the developer dashboard and email.
- Current API status is available at status.iconicboard.health.
Support by Tier
| Tier | Support Channel | Response Time |
|---|---|---|
| Free | Community forum | Best effort |
| Standard | Email support | 48 hours |
| Enterprise | Dedicated support contact | 4 hours |
Fees & Billing
- Free tier: No charge. Subject to rate limits and feature restrictions.
- Standard tier: Monthly billing at the rate published on the developer portal. Subscriptions may be cancelled at any time with effect at the end of the current billing period.
- Enterprise tier: Annual contract with custom pricing negotiated on a case-by-case basis.
- All fees are denominated and payable in United States Dollars (USD).
- Billing is processed via Stripe. Developers are responsible for maintaining valid payment methods on file.
Changes to API
- Breaking changes to the API will be communicated at least 90 days in advance via the developer dashboard, email, and the API changelog.
- The API uses semantic versioning. Deprecated API versions will be supported for a minimum of 12 months from the date of deprecation notice.
- Non-breaking additions (new fields, new endpoints) may be introduced without advance notice. Developers should design integrations to handle new fields gracefully.
Termination
- Either party may terminate the developer relationship with 30 days' written notice.
- The Board may terminate API access immediately and without notice if the Developer materially violates these Developer Terms, including but not limited to prohibited use violations or security breaches.
- Upon termination, the Developer must: (a) delete all cached API data; (b) destroy all API keys; (c) remove all "Verified by ICONIC Board" badges and attribution from their applications.
- Sections relating to data privacy, intellectual property, limitation of liability, and indemnification survive termination.
Limitation of Liability
The API is provided on an "as-is" and "as-available" basis. The Board makes no warranties, express or implied, regarding the availability, accuracy, or completeness of API data.
The Board shall not be liable for any decisions made by the Developer or its end users based on data obtained through the API. Credential verification results should be used as one factor among many in any decision-making process.
To the maximum extent permitted by law, the Board's total liability for any claims arising from or relating to these Developer Terms or the use of the API shall not exceed the total fees paid by the Developer to the Board during the twelve (12) months preceding the event giving rise to the claim.
Intellectual Property
- The API, its documentation, and all associated intellectual property are and shall remain the exclusive property of the ICONIC Board of Holistic Health.
- The Developer retains all rights to applications and integrations built using the API, provided such applications comply with these Developer Terms.
- The Board grants the Developer a limited, non-exclusive, non-transferable, revocable license to access and use the API solely in accordance with these terms and for the permitted uses described herein.
Contact
For questions, concerns, or to report issues related to these API & Developer Terms, please contact the Board through any of the following channels:
- Email: developers@iconicboard.health
- Developer Portal: /developers
- Support: /support