# API contract

All protected endpoints require `Authorization: Bearer <api-key>`.

- `GET /health`
- `POST /enroll` with `biometric_id`, `suspect_id`, `finger_position`, `sample_format`, `sample_data`, and optional `scanner_model`.
- `POST /identify` with `probe`, `format`, `minimum_score`, `maximum_candidates`, and optional `finger_position`.
- `POST /verify` with `biometric_id`, `probe`, `format`, and optional `threshold`.

The `/identify` response exactly matches the existing NSCDC Version 4 contract: `engine` plus candidates containing `biometric_id` and `score`.
