API overview
Base URLs
| Surface | URL | Use |
|---|---|---|
| Workflow API | https://api.kyc.xibodev.com | Customer-facing workflow runs, customer metadata, webhook subscription config. |
| Engine API | https://engine.kyc.xibodev.com | Internal verification engine health and orchestration surface. Not required for normal customer integrations. |
Authentication
Customer integrations use bearer API-key auth:
```
Authorization: Bearer <customer-api-key>
```
Keys are customer-scoped. Round 2 will document sandbox key issuance; for now, thibit ops issues keys manually.
First workflow call
John’s happy path starts with:
```
POST /api/v1/external/workflows/run
```
Send a workflowId, applicant context, and optional webhook subscription config. thibit returns identifiers immediately and reports asynchronous status changes through webhooks.
Rate limits
Public rate limits are not finalized. Treat workflow creation as a server-side action, retry with exponential backoff, and do not call the API directly from client-side code, where your secret API key would be exposed.
Idempotency
Round 2 will finalize an idempotency header. Until then, store your own applicant-to-workflow mapping and do not blindly retry run calls after network timeouts without checking whether a workflow was created.
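The rate-limit and idempotency guidance above, combined in one server-side wrapper. This is an added example, not thibit's own code. The `send` transport, the state names, the response shape, and the choice of 429/503 as the only safely retryable statuses are assumptions.

```python
import random, time

RUN_PATH = "/api/v1/external/workflows/run"  # path from the page
RETRY_SAFE = {429, 503}  # assumption: request was refused before a run was created

class AmbiguousOutcome(Exception):
    """A run may exist server-side; reconcile (e.g. via webhook) before retrying."""

class RunClient:
    def __init__(self, send, api_key, store, sleep=time.sleep, max_attempts=4):
        # send(method, path, headers, body) -> (status, payload): hypothetical HTTPS transport
        self.send, self.store, self.sleep = send, store, sleep
        self.headers = {"Authorization": f"Bearer {api_key}"}  # key stays server-side
        self.max_attempts = max_attempts

    def start(self, applicant_id, body):
        state = self.store.get(applicant_id, {})
        if state.get("status") == "created":
            return state["response"]  # already mapped: never create a second run
        if state.get("status") in ("in_flight", "unknown"):
            raise AmbiguousOutcome(applicant_id)  # earlier attempt never resolved
        for attempt in range(self.max_attempts):
            self.store[applicant_id] = {"status": "in_flight"}  # write-ahead record
            try:
                status, payload = self.send("POST", RUN_PATH, self.headers, body)
            except TimeoutError:
                status, payload = None, None
            if status is not None and 200 <= status < 300:
                self.store[applicant_id] = {"status": "created", "response": payload}
                return payload
            if status is None or (status >= 500 and status not in RETRY_SAFE):
                self.store[applicant_id] = {"status": "unknown"}
                raise AmbiguousOutcome(applicant_id)
            self.store[applicant_id] = {"status": "rejected", "http": status}
            if status not in RETRY_SAFE:
                raise RuntimeError(f"run rejected with HTTP {status}")
            self.sleep(random.uniform(0, min(30, 2 ** attempt)))  # full-jitter backoff
        raise RuntimeError("retries exhausted")

def demo():
    # Constructed transport: throttled once, then succeeds. Response shape is invented.
    replies = [(429, None), (200, {"id": "constructed-run-1"})]
    calls = []
    def send(method, path, headers, body):
        calls.append((method, path, headers["Authorization"]))
        return replies.pop(0)
    client = RunClient(send, "constructed-key", store={}, sleep=lambda s: None)
    body = {"workflowId": "constructed-workflow"}  # field name from the page
    first = client.start("applicant-1", body)
    second = client.start("applicant-1", body)  # served from the mapping, no HTTP call
    return first, second, len(calls)
```

In production, `store` should be a durable table keyed by your applicant ID, so an `in_flight` or `unknown` record survives a process restart.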