COMPLIANCE API
Integrate firearm compliance verification into your dealer software. Cover all 50 US states + DC, federal NFA classification, named-banned lists, feature tests, and statute citations — through a single REST endpoint.
Who this is for: Point-of-sale vendors, e-commerce platforms, FFL transfer-management software, and dealer-network operators who want to surface compliance verdicts at the moment of sale. If you sell to FFLs, you can offer this as a value-add inside your existing UI.
Quick start
1. Get an API key
API keys are issued manually during the early-access period. Email api@fflwatch.com with your company name, expected volume, and intended use case. We'll provision a key within one business day.
Keys look like gcc_live_a3f2b7c8… for production and gcc_test_… for testing.
2. Make your first call
POST https://fflwatch.com/api/compliance
curl -X POST https://fflwatch.com/api/compliance \
-H "Authorization: Bearer gcc_live_YOUR_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"mode": "upc",
"value": "787450868106",
"stateCode": "NJ"
}'3. Read the response
{
"found": true,
"make": "Sig Sauer",
"model": "P320 Compact",
"caliber": "9mm",
"action": "semi-automatic",
"magazine_capacity": 15,
"verdict": "COMPLIANT WITH MODIFICATIONS",
"federal_classification": "Pistol",
"summary": "...",
"issues": ["Magazine capacity exceeds NJ 10-round limit"],
"modifications": ["Replace 15-round magazine with 10-round-or-less magazine before transfer"],
"permits_required": [
"Firearms Purchaser Identification Card (FPIC)",
"Permit to Purchase a Handgun (PPH)"
],
"statutes": "N.J.S.A. 2C:39-1y, 2C:58-3",
"_meta": {
"plan": "starter",
"calls_used_this_period": 1,
"calls_remaining_this_period": 4999,
"monthly_limit": 5000
}
}Authentication
Every request must include the API key in one of two headers:
Authorization: Bearer gcc_live_YOUR_KEY_HEREor
X-API-Key: gcc_live_YOUR_KEY_HERENever expose your key in client-side code. Make API requests server-side only. If a key is leaked, email us immediately and we'll rotate it.
Endpoints
POST /api/compliance
The single endpoint covers three modes via the mode field.
Mode: "upc" — Look up by UPC barcode + run compliance
{
"mode": "upc",
"value": "787450868106", // UPC-A or EAN-13, digits only
"stateCode": "NJ" // optional — if present, runs full compliance after lookup
}Mode: "mpn" — Look up by manufacturer part number / model name
{
"mode": "mpn",
"value": "Smith & Wesson M&P 9 Shield",
"stateCode": "CA"
}Mode: "compliance" — Compliance check from explicit firearm specs
{
"mode": "compliance",
"stateCode": "NJ",
"state": "New Jersey",
"firearmDescription": "Ruger AR-556 5.56mm semi-auto rifle, 16-inch barrel, telescoping stock, pistol grip, 30-round magazine, no flash suppressor"
}Response fields
verdict—"COMPLIANT","NON-COMPLIANT", or"COMPLIANT WITH MODIFICATIONS"federal_classification—"Rifle","Pistol","Shotgun", or"Other"firearm_identified— Make, model, caliber as identifiedsummary— 2-3 sentence plain-English verdictissues— Array of compliance violations, if anymodifications— Array of physical changes that would make the firearm compliantpermits_required— Array of permits the buyer must hold (always spelled out fully)statutes— Specific state and federal statute citationsnotes— Dealer-facing notes (waiting periods, age requirements, etc.)_meta— Your account's API usage info on this call
Pricing
Free
50
Starter
5,000
Pro
50,000
Enterprise
∞
Pricing for Starter, Pro, and Enterprise tiers is set per-customer based on volume and use case. Email api@fflwatch.com for a quote.
Errors
| HTTP | Error type | Meaning |
|---|---|---|
| 400 | validation_error | Required field missing or malformed JSON. |
| 401 | auth_error | API key missing, malformed, or not recognized. |
| 403 | key_suspended | API key has been suspended or revoked. |
| 429 | rate_limit | Monthly call quota exceeded. Response includes limit and used. |
| 502 | upstream_error | Compliance backend temporarily unavailable. Retry with exponential backoff. |
| 500 | server_error | Internal error. Contact support if it persists. |
Best practices
- Cache aggressively. The same UPC + state combination will return the same verdict for hours or days. Cache results in your own system to reduce calls and improve latency.
- Display the citations. Your users (the FFL) need to see the statute references — that's how dealers verify the verdict is real and how they defend their decision in an audit.
- Show the reasoning chain. When the verdict is NON-COMPLIANT or COMPLIANT WITH MODIFICATIONS, surface the
issuesandmodificationsarrays — dealers need to know why and what to do about it. - Never auto-block transfers based solely on this API. The verdict is informational. Your software should surface it to the dealer; the dealer makes the final call.
- Handle 429 gracefully. Show the dealer "compliance check temporarily unavailable" rather than silently failing.
- Use server-side calls. Browser/mobile-app calls expose the API key.
Disclaimer
Informational use only. This API does not constitute legal advice. Verdicts are AI-generated based on current statutes and regulatory guidance, but firearm law changes constantly through legislation, court rulings, and ATF determinations. Customers must verify compliance with current state statutes and consult licensed firearms counsel before completing transfers. FFL Watch and its operators disclaim liability for transfer decisions made on the basis of API output.
READY TO INTEGRATE?
Email us with your company, expected volume, and use case. Free tier keys provisioned same day.
REQUEST API KEY →FFL WATCH · COMPLIANCE API · v1.0