API Reference
Base URL: https://api.phone.cobinar.com. All bodies and responses are JSON.
"Console auth" means Authorization: Bearer <firebase-id-token>; "App auth"
means the x-client-id / x-client-secret / x-api-key triple.
See Authentication & Credentials for details on both.
Health
Confirms the API worker is reachable.
{ "data": { "status": "operational", "service": "cobinar-phone-api", "time": "2026-07-03T..." } }
Projects
Console auth on every endpoint below. Free plan: 10 projects.
List your projects, newest first.
Create a project.
{ "name": "Production", "description": "optional, up to 280 chars" }
Fetch a single project.
Update name and/or description.
{ "name": "New name", "description": "New description" }
Delete a project. Returns 409 CONFLICT if it still has applications — move or delete those first.
Applications
Console auth on every endpoint below. Free plan: 5 applications.
List applications. Optional ?projectId= query filter.
Create an application and generate all four credentials.
{ "name": "iOS App", "projectId": "...", "environment": "live" }
{
"data": {
"id": "...", "name": "iOS App", "clientId": "ph_live_client_...",
"status": "active", "environment": "live",
"clientSecret": "ph_live_secret_...",
"apiKey": "ph_live_api_...",
"webhookSecret": "whsec_...",
"warning": "Store these credentials now — the Client Secret and API Key will not be shown again."
}
}
clientSecret and apiKey only ever appear in this one response.
Fetch an application, including masked previews of the secret and API key.
Update name and/or status.
{ "name": "New name", "status": "active" }
status is active or disabled. A disabled application fails requireApiKey auth with 403 FORBIDDEN.
Delete an application, its credentials, and any webhooks registered to it.
:type is secret, api, or webhook_secret. Returns the new plaintext value once.
{ "data": { "type": "secret", "value": "ph_live_secret_...", "rotatedAt": "..." } }
Reveal the current Webhook Secret in full — the only credential retrievable after creation without rotating it.
OTP
Generate and store a 6-digit OTP. Rate-limited to 5/minute per application.
{ "phone": "+999 482 918 102" }
{ "data": { "requestId": "...", "phone": "...", "status": "pending", "expiresAt": "..." } }
Verify a code. Rate-limited to 10/minute per application; 5 attempts max per request.
{ "requestId": "...", "code": "847291" }
{ "data": { "requestId": "...", "status": "verified", "phone": "...", "verifiedAt": "..." } }
List OTP requests for your applications. Optional ?appId= and ?status= filters.
Fetch a single OTP request. The stored hash is never included in any response.
Webhooks
Console auth on every endpoint below. See Webhooks for event types and signature verification.
List webhook endpoints. Optional ?appId= filter.
Register an endpoint.
{ "appId": "...", "url": "https://example.com/webhooks/auth", "events": ["otp.verified", "otp.failed"] }
Fetch a single webhook endpoint.
Update URL, subscribed events, or status (enabled / disabled).
Remove an endpoint.
Send one signed otp.verified test event immediately and report the delivery outcome.
{ "data": { "delivered": true, "statusCode": 200 } }
Users
Virtual phone identities — not developer accounts.
List identities created across your applications. Optional ?limit= (max 200).
Look up one identity. Accepts either a console bearer token or just x-api-key (no client secret required for this read-only lookup). URL-encode the phone number.
Logs
A normalized, chronological feed of OTP events across your applications. Optional ?appId= and ?limit= (max 200).
Analytics
{ "data": { "applications": 3, "otpRequests": 412, "otpVerified": 388, "successRate": 94, "activeUsers": 210 } }
?range= one of 7d, 30d, 90d (default 30d). Returns daily buckets of sent / verified / failed.
Developer profile
Fetch your own developer profile document.
Update name and/or company. plan and virtualPhoneNumber can't be changed this way.