Skip to main content
Projects are the top-level resource in Bondify — each project has its own ID, secret key, webhook URL, and analytics. You use the Projects API to manage projects programmatically from your server or CI/CD pipeline. Every endpoint in this group requires your developer Bearer token; never call these from client-side code.

Authentication

All Projects API endpoints require an Authorization header: 
Authorization: Bearer <token>
You receive this token after signing in to your Bondify developer account.

Base path

https://api.bondify.dev/api/v1/dev/projects

GET /api/v1/dev/projects

List all projects belonging to the authenticated developer.

Example request

curl https://api.bondify.dev/api/v1/dev/projects \
  -H "Authorization: Bearer <token>"

Response

{
  "projects": [
    {
      "id": "proj_xxxxxxxx",
      "name": "My App",
      "secret_key": "sk_live_••••••••",
      "webhook_url": "https://example.com/hooks/bondify",
      "is_active": true,
      "public_access": false,
      "created_at": "2024-01-15T10:30:00.000Z",
      "sessions_count": 1234,
      "confirmed_count": 980
    }
  ]
}
id
string
The unique identifier for the project. Pass this as project_id in session endpoints.
name
string
The human-readable project name you set when creating the project.
secret_key
string
A partial/masked preview of the project’s secret key. The full key is only returned once, at creation time or after a key rotation.
webhook_url
string
The URL Bondify posts auth.confirmed and auth.cancelled events to. Empty string if no webhook is configured.
is_active
boolean
Whether the project accepts new session requests. false means the project is paused and will reject new session requests.
public_access
boolean
Whether unauthenticated session requests (from the public endpoints) are allowed for this project.
created_at
string
ISO 8601 timestamp of when the project was created.
sessions_count
number
Total number of auth sessions ever initiated for this project.
confirmed_count
number
Total number of sessions that reached confirmed status.

POST /api/v1/dev/projects

Create a new project. The response includes the full secret_key — this is the only time it is returned in plaintext. Store it securely (for example, as an environment variable) immediately.

Request body

name
string
required
A display name for the project, such as your application’s name.
webhook_url
string
An HTTPS URL that Bondify will POST auth.confirmed and auth.cancelled events to. Defaults to an empty string if omitted. You can add or change this later via PATCH.

Example request

curl -X POST https://api.bondify.dev/api/v1/dev/projects \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"name": "My App", "webhook_url": "https://example.com/hooks/bondify"}'

Response

The created project object, including the full secret_key: 
{
  "id": "proj_xxxxxxxx",
  "name": "My App",
  "secret_key": "sk_live_xxxxxxxxxxxxxxxxxxxx",
  "webhook_url": "https://example.com/hooks/bondify",
  "is_active": true,
  "public_access": false,
  "created_at": "2024-01-15T10:30:00.000Z",
  "sessions_count": 0,
  "confirmed_count": 0
}
Copy the secret_key from this response and store it as an environment variable immediately. Subsequent calls to GET /api/v1/dev/projects will return only a masked preview of the key.

PATCH /api/v1/dev/projects/:id

Update one or more settings on an existing project. All body fields are optional — only the fields you include are changed.

Request body

name
string
New display name for the project.
webhook_url
string
New webhook URL. Pass an empty string to remove the webhook.
active
boolean
Set to false to pause the project and reject new session requests, or true to re-enable it.
public_access
boolean
Set to true to allow the public session endpoints to accept requests for this project.

Example request

curl -X PATCH https://api.bondify.dev/api/v1/dev/projects/proj_xxxxxxxx \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"name": "My App v2", "active": true}'

Response

The updated project object (same shape as the POST response above).

DELETE /api/v1/dev/projects/:id

Permanently delete a project and all associated data, including sessions and analytics. This action is irreversible.

Example request

curl -X DELETE https://api.bondify.dev/api/v1/dev/projects/proj_xxxxxxxx \
  -H "Authorization: Bearer <token>"

Response

{ "ok": true }
ok
boolean
true when the project was successfully deleted.
Deleting a project immediately invalidates its id and secret_key. Any live integrations using those values will begin failing. Make sure no active users or services depend on the project before you delete it.

POST /api/v1/dev/projects/:id/regenerate

Rotate the project’s secret key. The previous key is invalidated immediately — update your environment variables and redeploy any services that depend on it before calling this endpoint.

Example request

curl -X POST https://api.bondify.dev/api/v1/dev/projects/proj_xxxxxxxx/regenerate \
  -H "Authorization: Bearer <token>"

Response

{
  "secret_key": "sk_live_new_xxxxxxxxxxxxxxxxxxxx"
}
secret_key
string
The new secret key in full plaintext. Store it securely — it will not be shown again.
After rotating a key, update the BONDIFY_SECRET environment variable in every service that verifies proofs or webhook signatures, then redeploy. Webhook deliveries and proof verifications will fail until services are updated.