Developer Docs

Connect your site to FortiVox in minutes: API quick-start, DNS records, WordPress, security and troubleshooting.

1Quick Start

Three steps to connect your site to the FortiVox API. Replace YOUR_API_TOKEN with the token from your client dashboard.

1Copy the snippet

Pick JavaScript or PHP below and copy the code block.

2Add your API token

Get it from Client Dashboard → Privacy & Integration → API Token.

3Paste into your site

Place the <script> tag just before the closing </head> tag of every page.

Browser snippet (JavaScript)

<script>
  (function(){
    const FORTIVOX_TOKEN = "YOUR_API_TOKEN";
    fetch("https://www.fortivox.cloud/api/live_threats.php?token=" + FORTIVOX_TOKEN)
      .then(r => r.json())
      .then(d => window.__fv = d);
  })();
</script>

Server snippet (PHP)

// Pull the last 100 security events for your account.
$token    = "YOUR_API_TOKEN";
$endpoint = "https://www.fortivox.cloud/api/client_logs.php?token=" . $token;
$ch = curl_init($endpoint);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$res = json_decode(curl_exec($ch), true);
curl_close($ch);
print_r($res["logs"]);

Where to paste the script

Place the <code>&lt;script&gt;</code> tag inside the <code>&lt;head&gt;</code> of every page, ideally right before the closing <code>&lt;/head&gt;</code>. On WordPress, use a header-injection plugin or your theme&rsquo;s <code>header.php</code>.

2DNS Configuration

To route your traffic through the FortiVox edge, replace your existing A record with the one below. Propagation usually completes within 5&ndash;30 minutes.

TypeHost / NameValue / DestinationTTL
A @ 93.127.202.75300
CNAME www edge.fortivox.cloud300
Why two different record types? The apex (<code>@</code>) requires an A record pointing to the edge IP. The <code>www</code> sub-domain uses a CNAME to <code>edge.fortivox.cloud</code> &mdash; if the edge IP ever changes, you will not need to touch your DNS.
Remove any stray A records pointing to your origin server &mdash; otherwise the edge can be bypassed. The Admin Panel flags this as <b>BYPASS_RISK</b>.

Optional: protect every sub-domain

If you want FortiVox to cover every sub-domain (<code>shop.</code>, <code>blog.</code>, <code>app.</code> &hellip;), add a wildcard CNAME. Skip this if your mail or third-party sub-domains must keep their own DNS.

TypeHost / NameValue / DestinationTTL
CNAME * edge.fortivox.cloud300

Verify your setup

  1. Use a tool like <code>dig yourdomain.com</code> or dnschecker.org to confirm the A record returns <code>93.127.202.75</code>.
  2. Open <code>https://yourdomain.com</code> &mdash; the browser padlock confirms the SSL certificate is live on the edge.
  3. In your client dashboard the website status will switch to <b>PROTECTED</b> once we detect propagation (usually within minutes).

3WordPress Integration Latest Version: 1.3.0 Download Plugin (.zip) 32 KB

The official <b>FortiVox Security</b> plugin v1.3.0 is available for WordPress 5.8+. It includes the native security dashboard, local findings audit, reversible hardening, Site Health checks, WP-CLI commands, incident alerts, and the secure FortiVox API bridge.

Install in 3 steps

  1. Click <b>Download Plugin (.zip)</b> above (you must be signed in to your FortiVox account).
  2. In your WordPress admin go to <b>Plugins → Add New → Upload Plugin</b>, choose the file, then click <b>Install Now</b> and <b>Activate</b>.
  3. Open <b>FortiVox → Settings</b>, paste your API token, click <b>Test Connection</b> and save. The dashboard widget appears immediately.

Manual integration (any CMS)

  • Paste the JavaScript snippet into <b>Appearance → Theme File Editor → header.php</b>, right before <code>&lt;/head&gt;</code>.
  • Or use a header-injection plugin (e.g. <i>Insert Headers and Footers</i>) and paste the snippet in the &ldquo;Header&rdquo; field.
  • Elementor compatibility: the snippet runs at the browser level, it does not touch your DOM or CSS, so designs stay identical.
The plugin is GPL v2-or-later, adds no front-end scripts, creates no custom database tables, and stores only its settings, encrypted token, status cache, and notice preferences through WordPress APIs. Every download is logged against your FortiVox account.

4Security & Privacy

A few rules to keep your API token safe and your integration compliant.

Protect your API token

  • Never commit your token to a public Git repository. Store it in an environment variable on the server.
  • Browser snippets expose the token by design &mdash; that is fine, the read-only endpoints accept this. Use server-side calls for any sensitive endpoint.
  • Rotate the token at any time from <b>Client Dashboard → Privacy & Integration → Regenerate Token</b>. Old tokens stay valid until you revoke them.

Privacy &amp; cookies

  • The script sends no personal data &mdash; only the visitor IP, which we use for threat-intel lookups in line with our Privacy Policy.
  • A FortiVox-managed first-party cookie is set only after the visitor passes a challenge (JS check / CAPTCHA). No tracking, no cross-site identifiers.
  • PDPL / GDPR compliance: the public PDPL endpoints (<code>/api/pdpl_dsar.php</code>, <code>/api/pdpl_consent.php</code>) let your users exercise their data rights directly.

5Troubleshooting

Most integration issues fall into one of these buckets.

HTTP error codes

CodeMeaningFix
401Missing or malformed API tokenAppend <code>?token=&hellip;</code> to the request URL or set the <code>Authorization</code> header.
403Invalid token / quota exceededVerify the token in your dashboard; check the plan limits page for monthly quotas.
404Endpoint or resource not foundConfirm you are calling one of the documented <code>/api/*.php</code> endpoints.
419CSRF token expiredPOST endpoints require a fresh CSRF token; refresh the page that obtained it.
429Too many requestsBack off and retry after the <code>Retry-After</code> header value (seconds).
5xxFortiVox upstream errorStatus page: status.fortivox.cloud &mdash; or contact support if the issue persists.

Common issues

  • API connection fails: Curl the endpoint directly to rule out CORS &mdash; if curl works, allow our origin in your CSP / browser settings.
  • DNS update not visible: Propagation can take up to 24 hours globally. Flush your local DNS cache (<code>ipconfig /flushdns</code> on Windows, <code>sudo dscacheutil -flushcache</code> on macOS).
  • Script does not appear in HTML: Some caching plugins serve a stale copy. Clear the page cache and the CDN cache, then reload with <kbd>Ctrl+Shift+R</kbd>.
Protected by FortiVoxAdvanced Security Verification Enabled