AI assistant rules
Copy, download, or bundle Onboard integration rules for Cursor, Claude, and Windsurf.
Use this page to view, copy, or download the same Onboard REST API guidelines in formats suited to common AI coding tools. Rules cover authentication, base URLs, webhooks, pagination, and safe handling of secrets.
Export everything
- Download ZIP bundle: includes Cursor, Claude, and Windsurf files plus README.txt with install paths.
Pack contents (by tool)
Each subsection below matches a file in the bundle. You can copy from the block or use the Download link for the raw file (for example to “Save link as…” or to fetch in automation).
Cursor
Cursor loads project rules from .cursor/rules/ as .mdc files (YAML
frontmatter + Markdown body).
- Install: save the file below as .cursor/rules/onboard-rest-api.mdc in your repository (create folders if needed). Adjust globs in the frontmatter if you want the rule scoped to specific paths.
- Download: onboard-rest-api.mdc
---
description: Onboard REST API — customer integration conventions
globs: "**/*.{ts,tsx,js,jsx,mjs,cjs,py,go,rs,java,kt,rb,php}"
alwaysApply: false
---
# Onboard REST API
When this project integrates with **Onboard**, follow these rules.
## Documentation
- Customer docs: https://docs.onboard.io
- OpenAPI (when available to your environment): `https://rest.onboard.io/openapi.json`
## Authentication
- Send: `Authorization: Token YOUR_API_KEY` (Token scheme, **not** Bearer).
- Keys: https://app.onboard.io/settings/company
- Store keys in env vars or a secrets manager. Never commit keys. Never ship keys to untrusted clients.
## Base URL
- Production REST API is typically `https://rest.onboard.io`.
- Use the base URL your Onboard account was given if it differs (sandbox, etc.).
## Webhooks
- Verify `x-onboard-hmac-sha256` with your subscription secret before acting on payloads.
- Return `2xx` quickly; do heavy work asynchronously.
## HTTP behavior
- Implement pagination per docs (`page`, `page_size`, `max_page_size` where applicable).
- On `429`, back off and retry with jitter.
- Prefer documented paths and fields from the API reference; do not invent enums or payloads.
## Code quality
- Handle non-2xx responses and invalid JSON explicitly.
- Never log full API keys or webhook signing secrets.
Claude (Claude Code / project context)
Claude projects often use a root CLAUDE.md (or team equivalents) so the
assistant consistently applies your integration constraints.
- Install: save as CLAUDE.md in the repository root, or merge these sections into your existing file.
- Download: CLAUDE.md
# Onboard REST API — Claude / Claude Code
Use this file as project context when building or reviewing Onboard integrations.
## Documentation
- Customer docs: https://docs.onboard.io
- OpenAPI (when available): `https://rest.onboard.io/openapi.json`
## Authentication
- Header: `Authorization: Token YOUR_API_KEY` (Token scheme, **not** Bearer).
- Keys from: https://app.onboard.io/settings/company
- Never commit API keys. Use environment variables or a secrets manager. Do not expose keys in browser-only code.
## Base URL
- Typical production base: `https://rest.onboard.io`
- Confirm the correct host for your environment if you use staging or sandbox.
## Webhooks
- Verify `x-onboard-hmac-sha256` before trusting the body.
- Respond with `2xx` promptly; process asynchronously when work is slow.
## API usage
- Follow pagination and rate-limit guidance in the official docs.
- Use the API reference for request/response shapes; do not guess field names or event types.
## Safety
- Do not log API keys or webhook signing material.
- Prefer least-privilege keys and rotation if a key may be exposed.
Windsurf
Windsurf reads project-level instructions from a .windsurfrules file
in the repository root (plain Markdown / text, no frontmatter).
- Install: download onboard.windsurfrules, then place it at the repo root and rename to .windsurfrules (leading dot). On some systems you may need to rename from a terminal.
- Alternative: paste the same text into Windsurf Project Rules if you prefer UI-managed rules.
# Onboard REST API — Windsurf project rules
When this repository integrates with **Onboard**, Cascade should follow these constraints.
## Documentation
- Customer docs: https://docs.onboard.io
- OpenAPI (when available to the account): `https://rest.onboard.io/openapi.json`
## Authentication
- Use header: `Authorization: Token YOUR_API_KEY` (Token prefix, not Bearer).
- API keys from: https://app.onboard.io/settings/company
- Never hardcode keys in source. Never expose keys in client-only bundles.
## Base URL
- Default production REST host: `https://rest.onboard.io`
- If the team uses another host for non-production, match that base URL everywhere.
## Webhooks
- Validate `x-onboard-hmac-sha256` with the subscription secret before side effects.
- Return HTTP 2xx quickly; offload slow processing.
## REST behavior
- Honor pagination and throttling per Onboard docs.
- Treat the published API as the source of truth for paths and schemas.
## Hygiene
- Avoid logging secrets. Handle errors without leaking tokens in messages.
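The webhook rule that all three files share (verify `x-onboard-hmac-sha256` with the subscription secret, then return `2xx` quickly) can look like the sketch below. This is an added example, not part of the rule files or Onboard's own code. It assumes the signature is an HMAC-SHA256 of the raw request body, hex-encoded by default; the encoding, the `handle_webhook` and `expected_signature` names, the in-memory queue and the sample event are assumptions to check against the Onboard docs.

```python
import base64
import hashlib
import hmac
import json
import queue

SIGNATURE_HEADER = "x-onboard-hmac-sha256"  # header name from the rules above
work_queue = queue.Queue()  # hypothetical hand-off to a background worker


def expected_signature(secret: bytes, raw_body: bytes, encoding: str = "hex") -> str:
    """HMAC-SHA256 over the raw body. The encoding is an assumption, not from the page."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    if encoding == "hex":
        return digest.hex()
    if encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    raise ValueError(f"unsupported encoding: {encoding}")


def handle_webhook(headers: dict, raw_body: bytes, secret: bytes, encoding: str = "hex") -> int:
    """Return the HTTP status to send. Nothing is parsed or queued before the check passes."""
    # Header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get(SIGNATURE_HEADER, "").strip()
    if not received:
        return 401  # missing signature: reject, never treat unsigned as acceptable
    if encoding == "hex":
        received = received.lower()
    expected = expected_signature(secret, raw_body, encoding)
    # Constant-time comparison; == would leak how many leading characters matched.
    if not hmac.compare_digest(received.encode(), expected.encode()):
        return 401
    try:
        event = json.loads(raw_body)  # parse only after the signature is verified
    except ValueError:
        return 400  # authentic but malformed: invalid JSON handled explicitly
    work_queue.put(event)  # slow processing happens elsewhere; respond right away
    return 200


if __name__ == "__main__":
    secret = b"constructed-test-secret"  # constructed sample; load from env in real code
    body = b'{"event": "example.created", "id": 1}'  # constructed sample payload
    good = {"X-Onboard-Hmac-SHA256": expected_signature(secret, body)}
    print(handle_webhook(good, body, secret), handle_webhook(good, body + b" ", secret))
```

Verify against the exact bytes received, not a re-serialised copy of the parsed JSON, since re-serialisation can change whitespace or key order and break the comparison.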