Developer Docs

Connect your site to FortiVox in minutes: API quick-start, DNS records, WordPress, security and troubleshooting.

1Quick Start

Three steps to connect your site to the FortiVox API. Replace YOUR_API_TOKEN with the token from your client dashboard.

1Copy the snippet

Pick JavaScript or PHP below and copy the code block.

2Add your API token

Get it from Client Dashboard → Privacy & Integration → API Token.

3Paste into your site

Place the <script> tag just before the closing </head> tag of every page.

Browser snippet (JavaScript)

<script>
  (function(){
    const FORTIVOX_TOKEN = "YOUR_API_TOKEN";
    fetch("https://fortivox.cloud/api/live_threats.php?token=" + FORTIVOX_TOKEN)
      .then(r => r.json())
      .then(d => window.__fv = d);
  })();
</script>

Server snippet (PHP)

// Pull the last 100 security events for your account.
$token    = "YOUR_API_TOKEN";
$endpoint = "https://fortivox.cloud/api/client_logs.php?token=" . $token;
$ch = curl_init($endpoint);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$res = json_decode(curl_exec($ch), true);
curl_close($ch);
print_r($res["logs"]);

Where to paste the script

Place the <code>&lt;script&gt;</code> tag inside the <code>&lt;head&gt;</code> of every page, ideally right before the closing <code>&lt;/head&gt;</code>. On WordPress, use a header-injection plugin or your theme&rsquo;s <code>header.php</code>.

2DNS Configuration

To route your traffic through the FortiVox edge, replace your existing A record with the one below. Propagation usually completes within 5&ndash;30 minutes.

TypeHost / NameValue / DestinationTTL
A @ 93.127.202.75300
CNAME www edge.fortivox.cloud300
Why two different record types? The apex (<code>@</code>) requires an A record pointing to the edge IP. The <code>www</code> sub-domain uses a CNAME to <code>edge.fortivox.cloud</code> &mdash; if the edge IP ever changes, you will not need to touch your DNS.
Remove any stray A records pointing to your origin server &mdash; otherwise the edge can be bypassed. The Admin Panel flags this as <b>BYPASS_RISK</b>.

Optional: protect every sub-domain

If you want FortiVox to cover every sub-domain (<code>shop.</code>, <code>blog.</code>, <code>app.</code> &hellip;), add a wildcard CNAME. Skip this if your mail or third-party sub-domains must keep their own DNS.

TypeHost / NameValue / DestinationTTL
CNAME * edge.fortivox.cloud300

Verify your setup

  1. Use a tool like <code>dig yourdomain.com</code> or dnschecker.org to confirm the A record returns <code>93.127.202.75</code>.
  2. Open <code>https://yourdomain.com</code> &mdash; the browser padlock confirms the SSL certificate is live on the edge.
  3. In your client dashboard the website status will switch to <b>PROTECTED</b> once we detect propagation (usually within minutes).

3WordPress Integration Latest Version: 1.0.0 Download Plugin (.zip) 16 KB

The official <b>FortiVox Security</b> plugin is now available for WordPress 5.6+. Install it in seconds to unlock a native dashboard widget, real-time threat alerts, and zero-config API integration &mdash; or keep using the manual snippet above for any non-WordPress stack.

Install in 3 steps

  1. Click <b>Download Plugin (.zip)</b> above (you must be signed in to your FortiVox account).
  2. In your WordPress admin go to <b>Plugins → Add New → Upload Plugin</b>, choose the file, then click <b>Install Now</b> and <b>Activate</b>.
  3. Open <b>Settings → FortiVox</b>, paste your API token, click <b>Test Connection</b> and save. The dashboard widget appears immediately.

Manual integration (any CMS)

  • Paste the JavaScript snippet into <b>Appearance → Theme File Editor → header.php</b>, right before <code>&lt;/head&gt;</code>.
  • Or use a header-injection plugin (e.g. <i>Insert Headers and Footers</i>) and paste the snippet in the &ldquo;Header&rdquo; field.
  • Elementor compatibility: the snippet runs at the browser level, it does not touch your DOM or CSS, so designs stay identical.
The plugin is GPL v2, ~16 KB on disk, adds zero front-end weight, and writes nothing to your database. Every download is logged against your FortiVox account.

4Security & Privacy

A few rules to keep your API token safe and your integration compliant.

Protect your API token

  • Never commit your token to a public Git repository. Store it in an environment variable on the server.
  • Browser snippets expose the token by design &mdash; that is fine, the read-only endpoints accept this. Use server-side calls for any sensitive endpoint.
  • Rotate the token at any time from <b>Client Dashboard → Privacy & Integration → Regenerate Token</b>. Old tokens stay valid until you revoke them.

Privacy &amp; cookies

  • The script sends no personal data &mdash; only the visitor IP, which we use for threat-intel lookups in line with our Privacy Policy.
  • A FortiVox-managed first-party cookie is set only after the visitor passes a challenge (JS check / CAPTCHA). No tracking, no cross-site identifiers.
  • PDPL / GDPR compliance: the public PDPL endpoints (<code>/api/pdpl_dsar.php</code>, <code>/api/pdpl_consent.php</code>) let your users exercise their data rights directly.

5Troubleshooting

Most integration issues fall into one of these buckets.

HTTP error codes

CodeMeaningFix
401Missing or malformed API tokenAppend <code>?token=&hellip;</code> to the request URL or set the <code>Authorization</code> header.
403Invalid token / quota exceededVerify the token in your dashboard; check the plan limits page for monthly quotas.
404Endpoint or resource not foundConfirm you are calling one of the documented <code>/api/*.php</code> endpoints.
419CSRF token expiredPOST endpoints require a fresh CSRF token; refresh the page that obtained it.
429Too many requestsBack off and retry after the <code>Retry-After</code> header value (seconds).
5xxFortiVox upstream errorStatus page: status.fortivox.cloud &mdash; or contact support if the issue persists.

Common issues

  • API connection fails: Curl the endpoint directly to rule out CORS &mdash; if curl works, allow our origin in your CSP / browser settings.
  • DNS update not visible: Propagation can take up to 24 hours globally. Flush your local DNS cache (<code>ipconfig /flushdns</code> on Windows, <code>sudo dscacheutil -flushcache</code> on macOS).
  • Script does not appear in HTML: Some caching plugins serve a stale copy. Clear the page cache and the CDN cache, then reload with <kbd>Ctrl+Shift+R</kbd>.
Protected by FortiVoxAdvanced Security Verification Enabled