# Onboard REST API — Windsurf project rules

When this repository integrates with **Onboard**, Cascade should follow these constraints.

## Documentation

- Customer docs: https://docs.onboard.io
- OpenAPI (when available to the account): `https://rest.onboard.io/openapi.json`

## Authentication

- Use header: `Authorization: Token YOUR_API_KEY` (Token prefix, not Bearer).
- API keys from: https://app.onboard.io/settings/company
- Never hardcode keys in source. Never expose keys in client-only bundles.

## Base URL

- Default production REST host: `https://rest.onboard.io`
- If the team uses another host for non-production (a sandbox, for example), configure the base URL once and read that value everywhere; never mix hosts within one environment.

## Webhooks

- Validate `x-onboard-hmac-sha256` before any side effect: recompute the HMAC-SHA256 with the subscription secret over the raw request body exactly as received, compare in constant time, and reject a missing or mismatched header. Parse the body only after it verifies. The Onboard docs are authoritative for the signed payload and the header encoding.
- Return HTTP 2xx quickly; offload slow processing to a queue or background job.
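
Reference sketch for a receiver (added example for this rules file, not Onboard's own code). It assumes the header carries the hex-encoded HMAC-SHA256 of the raw body; confirm the encoding against the Onboard docs before relying on it. The `deque` stands in for whatever job queue the project actually uses.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from collections import deque
from typing import Mapping, Optional, Tuple

# Assumption for this example: hex-encoded HMAC-SHA256 of the raw body.
SIGNATURE_HEADER = "x-onboard-hmac-sha256"


def compute_signature(secret: str, raw_body: bytes) -> str:
    """HMAC-SHA256 over the exact bytes received, hex-encoded (encoding is an assumption)."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: str, raw_body: bytes, header_value: Optional[str]) -> bool:
    """Constant-time comparison; a missing or malformed header fails closed."""
    if not header_value:
        return False
    expected = compute_signature(secret, raw_body).encode("ascii")
    # Compare as bytes so a non-ASCII header value cannot raise instead of failing.
    presented = header_value.strip().lower().encode("utf-8")
    return hmac.compare_digest(expected, presented)


def handle_webhook(
    raw_body: bytes, headers: Mapping[str, str], secret: str, queue: deque
) -> Tuple[int, str]:
    """Verify first, enqueue for background processing, return 2xx immediately."""
    # Header names arrive in varying case depending on the framework.
    lowered = {name.lower(): value for name, value in headers.items()}
    if not verify_signature(secret, raw_body, lowered.get(SIGNATURE_HEADER)):
        return 401, "invalid signature"
    try:
        event = json.loads(raw_body)  # parse only after the signature checks out
    except ValueError:
        return 400, "malformed body"
    queue.append(event)  # slow work happens off the request path
    return 200, "accepted"


if __name__ == "__main__":
    # Constructed sample: a signed body, then a tampered one.
    secret = "example-subscription-secret"
    body = b'{"event":"user.created","id":"42"}'
    good = {"X-Onboard-HMAC-SHA256": compute_signature(secret, body)}
    jobs: deque = deque()
    print(handle_webhook(body, good, secret, jobs))         # (200, 'accepted')
    print(handle_webhook(body + b" ", good, secret, jobs))  # (401, 'invalid signature')
```

Note that verification runs on the bytes the server read from the socket, not on a re-serialized JSON object; re-encoding can change whitespace or key order and break the signature.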

## REST behavior

- Honor pagination and throttling per Onboard docs.
- Treat the published API as the source of truth for paths and schemas.

## Hygiene

- Never log API keys or webhook secrets. Redact them from error messages, exception text and request dumps before anything is written or returned.
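
Reference sketch for the client side, covering the Authentication, Base URL and Hygiene rules above (added example for this rules file, not Onboard's SDK). The environment variable names `ONBOARD_API_KEY` and `ONBOARD_BASE_URL` and the HTTPS-only check are this example's choices; the `Token` scheme and the default host are the ones stated above.

```python
from __future__ import annotations

import os
import re
from typing import Mapping, Tuple

DEFAULT_BASE_URL = "https://rest.onboard.io"
API_KEY_ENV = "ONBOARD_API_KEY"    # assumed name
BASE_URL_ENV = "ONBOARD_BASE_URL"  # assumed name
_TOKEN_HEADER = re.compile(r"(Token\s+)\S+")


def load_config(env: Mapping[str, str] = os.environ) -> Tuple[str, str]:
    """Read the key and base URL from the environment; fail closed on a missing key or non-HTTPS host."""
    api_key = env.get(API_KEY_ENV, "").strip()
    if not api_key:
        # Name the variable, never echo a value.
        raise RuntimeError(f"{API_KEY_ENV} is not set")
    base_url = env.get(BASE_URL_ENV, DEFAULT_BASE_URL).strip().rstrip("/")
    if not base_url.startswith("https://"):
        raise RuntimeError(f"{BASE_URL_ENV} must be an https URL")
    return api_key, base_url


def auth_headers(api_key: str) -> dict:
    """Onboard expects the Token scheme, not Bearer."""
    return {"Authorization": f"Token {api_key}", "Accept": "application/json"}


def build_request(path: str, api_key: str, base_url: str) -> Tuple[str, dict]:
    """Join the configured base URL with an API path so one host is used everywhere."""
    url = base_url.rstrip("/") + "/" + path.lstrip("/")
    return url, auth_headers(api_key)


def redact(message: str, api_key: str) -> str:
    """Scrub the key and any echoed Authorization header from text destined for logs or errors."""
    scrubbed = _TOKEN_HEADER.sub(r"\1[REDACTED]", message)
    return scrubbed.replace(api_key, "[REDACTED]") if api_key else scrubbed


if __name__ == "__main__":
    # Constructed sample environment; no network call is made.
    sample_env = {API_KEY_ENV: "example-key-123", BASE_URL_ENV: "https://rest.example.internal/"}
    key, base = load_config(sample_env)
    url, headers = build_request("/v1/users", key, base)
    print(url)
    print(redact(f"GET {url} failed with {headers}", key))
```

Pass `redact(str(exc), api_key)` through any place an HTTP client exception is logged or surfaced; client libraries commonly include the request headers in their error text.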
