# Onboard REST API — Claude / Claude Code

Use this file as project context when building or reviewing Onboard integrations.

## Documentation

- Customer docs: https://docs.onboard.io
- OpenAPI (when available): `https://rest.onboard.io/openapi.json`

## Authentication

- Header: `Authorization: Token YOUR_API_KEY` (Token scheme, **not** Bearer).
- Keys from: https://app.onboard.io/settings/company
- Never commit API keys. Use environment variables or a secrets manager. Do not expose keys in browser-only code.

## Base URL

- Typical production base: `https://rest.onboard.io`
- Confirm the correct host for your environment if you use staging or sandbox.

## Webhooks

- Verify `x-onboard-hmac-sha256` before trusting the body.
- Respond with `2xx` promptly; process asynchronously when work is slow.
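
Added example, not Onboard's own code: one way to apply the verify-before-trust rule above in a webhook receiver. It assumes the header carries an HMAC-SHA256 of the raw request body keyed with your webhook signing secret, hex-encoded by default; confirm the encoding and signed content in the official docs. All function names and sample values are hypothetical.

```python
import base64
import hashlib
import hmac
import json

SIGNATURE_HEADER = "x-onboard-hmac-sha256"  # header name from this page


class InvalidSignature(Exception):
    """Raised when a webhook must be rejected without parsing its body."""


def compute_signature(secret: bytes, raw_body: bytes, encoding: str = "hex") -> str:
    # ASSUMPTION: HMAC-SHA256 over the exact raw request bytes; the digest
    # encoding (hex or base64) must be confirmed in the Onboard docs.
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    if encoding == "hex":
        return digest.hex()
    if encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    raise ValueError(f"unsupported encoding: {encoding}")


def verify_and_parse(headers: dict, raw_body: bytes, secret: bytes,
                     encoding: str = "hex") -> dict:
    """Return the parsed JSON body only if the signature header matches."""
    if not secret:
        # Fail closed: an empty secret must never validate anything.
        raise InvalidSignature("signing secret is not configured")
    # HTTP header names are case-insensitive; normalise before lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER, "")
    if not received:
        raise InvalidSignature("missing signature header")
    expected = compute_signature(secret, raw_body, encoding)
    # Constant-time comparison; compare as bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.encode(), received.strip().encode()):
        raise InvalidSignature("signature mismatch")
    # Parse only after verification, and only the bytes that were verified.
    return json.loads(raw_body)


# Constructed sample values for illustration; not real Onboard data.
SAMPLE_SECRET = b"constructed-signing-secret"
SAMPLE_BODY = b'{"event":"example.constructed","id":1}'
```

Pass the request body exactly as received (before any framework re-serialises it), and load the secret from an environment variable or secrets manager rather than a constant.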

## API usage

- Follow pagination and rate-limit guidance in the official docs.
- Use the API reference for request/response shapes; do not guess field names or event types.

## Safety

- Do not log API keys or webhook signing material.
- Prefer least-privilege keys, and rotate a key if it may have been exposed.
