Skip to content
VeraFrame Docs

Managing source groups

The Sources tab in the Admin dashboard is where you organize the source material your team verifies against. For the concept, see Source groups.

Create a source group

  1. In the Sources tab, click New source group.
  2. Enter a label — the name users will see in the tool. Keep labels short and topical: pricing-2026, master-agreements, hr-policies.
  3. Enter a group ID — a stable internal identifier. It appears in audit exports and API calls.
  4. (Optional) Set the group as default so it is preselected on every request.
  5. (Optional, enterprise JWT/OIDC deployments) Define allowed roles if the group should be available only to users whose identity-provider roles or claims match the group.
  6. Choose the type:
    • S3 — file-based. Most common.
    • API — live data fetched from a REST endpoint at request time. Integration tier only.
  7. Save.

If allowed roles is left empty, the group is available to all users in the tenant.

Upload files (S3 groups)

Open the group and click Upload file. Supported formats:

  • PDF — full text + layout extraction.
  • Word (.docx) — paragraphs, tables, headers, footers.
  • Excel (.xlsx) — worksheet cells.
  • Plain text (.txt) and Markdown (.md).
  • URLs — VeraFrame fetches the URL content and indexes it.

Each file is indexed immediately. Large documents may take a few seconds before they become searchable.

Organize within a group

A group can be flat (just a list of files) or structured with prefixes — S3 key prefixes that act like folders inside the group. Prefixes help organize large groups without creating dozens of separate groups.

For example, a single contracts group can have prefixes for 2024/, 2025/, 2026/ so that retrieval can be scoped to a year when needed.

Configure an API-backed group

API-backed groups do not store files. Instead, you configure:

  • Endpoints — one or more REST URLs VeraFrame should call.
  • Query inputs — named parameters that are passed from the request into the endpoint call. For example, a customer_id parameter lets you fetch data for the specific customer the request concerns.
  • Authentication — bearer token or custom header.
  • Optional user-context forwarding — per endpoint, you can forward user_id, customer_id, data_access_roles, and, when explicitly enabled, the original bearer token to the downstream REST API.

API-backed groups fetch data at request time. There is no persistent copy of the fetched data in VeraFrame, which makes this type a good fit for data that must stay in a system of record.

In enterprise JWT/OIDC deployments, a common pattern is:

  • VeraFrame first enforces whether the current user is allowed to use the source group at all.
  • Then the downstream REST API receives selected user context and applies its own finer-grained authorization rules.

This is the preferred design when the customer already has document-level rights logic in an existing platform. VeraFrame does not try to take ownership of those rules; it integrates into them by forwarding the needed user context and letting the downstream API remain authoritative.

Delete files

From the group detail view, select the file row and click Delete. The file is removed from the S3 bucket. Past validations that referenced the file keep a copy of the reference (file name, hash, location) in the audit trail for reconstructability, but the file content is gone.

Delete a group

Click Delete group. You will be asked whether to also delete the files stored in the group’s prefix. Choose Delete files for a full purge; choose Keep files if you are only removing the grouping and will use the files in another group.

Best practices

  • Keep groups topical. A group that mixes pricing, HR, and contracts is noisy. VeraFrame’s retrieval is good but narrower groups produce sharper verification.
  • Label clearly. Users will pick from a dropdown. pricing-2026 is easier to pick than data-v2.
  • Make one or two groups default. If every user has to pick a group every time, they will pick wrong sometimes. Default groups cover routine verifications.
  • Use allowed roles for sensitive groups. If HR, finance, or legal data should not be queried by everyone, set role limits on the group instead of relying only on user training.
  • Delete aggressively. Outdated source material is a liability: verification can match against documents that are no longer authoritative. Remove old files when they are superseded.