Conventions
A few rules hold across every endpoint. Learn them once and the rest of the API is predictable.
Requests
Section titled “Requests”-
JSON over HTTPS. Request and response bodies are JSON. Send
Content-Type: application/jsonon requests with a body. The one exception is the OAuth token and device endpoints, which useapplication/x-www-form-urlencodedper the OAuth spec. -
Authenticated. Every
/orgrequest carries either a workspace API key or a short-lived OAuth 2.1 bearer token:Authorization: Bearer bsk_live_xxxA workspace API key may also be sent as
X-API-Key. See Authentication. -
Base URL. All endpoints live under
https://engine.bindly.insure, with the workspace API at the/orgprefix.
Status codes
Section titled “Status codes”The API uses standard HTTP status codes. In general, 2xx means success, 4xx
means the request was wrong or not allowed, and 5xx means something failed on
our side.
| Code | Meaning |
|---|---|
200 OK |
The request succeeded, including creating a session. |
400 Bad Request |
The request was malformed, or the session cannot do this yet. |
401 Unauthorized |
The API key or token is missing, expired, or invalid. |
404 Not Found |
The session does not exist, or it belongs to another workspace (see Data scoping). |
422 Unprocessable Content |
Validation failed on one or more fields. |
429 Too Many Requests |
You are being rate limited. Back off and retry. |
Errors
Section titled “Errors”Errors return a JSON body with a detail field describing what went wrong:
{ "detail": "Session not found"}Read detail for a human-readable explanation, and use the HTTP status code to
decide how to react programmatically.
Data scoping
Section titled “Data scoping”Every credential is bound to exactly one workspace, and all data is scoped to that workspace. The workspace identity comes from the verified API key or token, never from the request body, so you cannot read or write another workspace’s data.