Reference

API Reference

Base URL: https://api.phone.cobinar.com. All bodies and responses are JSON. "Console auth" means Authorization: Bearer <firebase-id-token>; "App auth" means the x-client-id / x-client-secret / x-api-key triple. See Authentication & Credentials for details on both.

Health

GET /v1/health No auth

Confirms the API worker is reachable.

{ "data": { "status": "operational", "service": "cobinar-phone-api", "time": "2026-07-03T..." } }

Projects

Console auth on every endpoint below. Free plan: 10 projects.

GET/v1/projects

List your projects, newest first.

POST/v1/projects

Create a project.

{ "name": "Production", "description": "optional, up to 280 chars" }
GET/v1/projects/:id

Fetch a single project.

PATCH/v1/projects/:id

Update name and/or description.

{ "name": "New name", "description": "New description" }
DELETE/v1/projects/:id

Delete a project. Returns 409 CONFLICT if it still has applications — move or delete those first.

Applications

Console auth on every endpoint below. Free plan: 5 applications.

GET/v1/applications

List applications. Optional ?projectId= query filter.

POST/v1/applications

Create an application and generate all four credentials.

{ "name": "iOS App", "projectId": "...", "environment": "live" }
{
  "data": {
    "id": "...", "name": "iOS App", "clientId": "ph_live_client_...",
    "status": "active", "environment": "live",
    "clientSecret": "ph_live_secret_...",
    "apiKey": "ph_live_api_...",
    "webhookSecret": "whsec_...",
    "warning": "Store these credentials now — the Client Secret and API Key will not be shown again."
  }
}

clientSecret and apiKey only ever appear in this one response.

GET/v1/applications/:id

Fetch an application, including masked previews of the secret and API key.

PATCH/v1/applications/:id

Update name and/or status.

{ "name": "New name", "status": "active" }

status is active or disabled. A disabled application fails requireApiKey auth with 403 FORBIDDEN.

DELETE/v1/applications/:id

Delete an application, its credentials, and any webhooks registered to it.

POST/v1/applications/:id/rotate/:type

:type is secret, api, or webhook_secret. Returns the new plaintext value once.

{ "data": { "type": "secret", "value": "ph_live_secret_...", "rotatedAt": "..." } }
GET/v1/applications/:id/webhook-secret

Reveal the current Webhook Secret in full — the only credential retrievable after creation without rotating it.

OTP

POST/v1/otp/send App auth

Generate and store a 6-digit OTP. Rate-limited to 5/minute per application.

{ "phone": "+999 482 918 102" }
{ "data": { "requestId": "...", "phone": "...", "status": "pending", "expiresAt": "..." } }
POST/v1/otp/verify App auth

Verify a code. Rate-limited to 10/minute per application; 5 attempts max per request.

{ "requestId": "...", "code": "847291" }
{ "data": { "requestId": "...", "status": "verified", "phone": "...", "verifiedAt": "..." } }
GET/v1/otp Console auth

List OTP requests for your applications. Optional ?appId= and ?status= filters.

GET/v1/otp/:id Console auth

Fetch a single OTP request. The stored hash is never included in any response.

Webhooks

Console auth on every endpoint below. See Webhooks for event types and signature verification.

GET/v1/webhooks

List webhook endpoints. Optional ?appId= filter.

POST/v1/webhooks

Register an endpoint.

{ "appId": "...", "url": "https://example.com/webhooks/auth", "events": ["otp.verified", "otp.failed"] }
GET/v1/webhooks/:id

Fetch a single webhook endpoint.

PATCH/v1/webhooks/:id

Update URL, subscribed events, or status (enabled / disabled).

DELETE/v1/webhooks/:id

Remove an endpoint.

POST/v1/webhooks/:id/test

Send one signed otp.verified test event immediately and report the delivery outcome.

{ "data": { "delivered": true, "statusCode": 200 } }

Users

Virtual phone identities — not developer accounts.

GET/v1/users Console auth

List identities created across your applications. Optional ?limit= (max 200).

GET/v1/users/:phoneNumber Console auth OR App auth

Look up one identity. Accepts either a console bearer token or just x-api-key (no client secret required for this read-only lookup). URL-encode the phone number.

Logs

GET/v1/logs Console auth

A normalized, chronological feed of OTP events across your applications. Optional ?appId= and ?limit= (max 200).

Analytics

GET/v1/analytics/summary Console auth
{ "data": { "applications": 3, "otpRequests": 412, "otpVerified": 388, "successRate": 94, "activeUsers": 210 } }
GET/v1/analytics/timeseries Console auth

?range= one of 7d, 30d, 90d (default 30d). Returns daily buckets of sent / verified / failed.

Developer profile

GET/v1/developer/me Console auth

Fetch your own developer profile document.

PATCH/v1/developer/me Console auth

Update name and/or company. plan and virtualPhoneNumber can't be changed this way.