# Onboard REST API — Paperclip Skill

Use this skill when a task involves integrating with Onboard REST endpoints or
webhooks.

## Documentation

- Customer docs: https://docs.onboard.io
- OpenAPI (when available): `https://resources.onboard.io/openapi.json`

## Authentication

- Header: `Authorization: Token YOUR_API_KEY` (Token scheme, **not** Bearer).
- Get keys from: https://app.onboard.io/settings/company
- Store keys in environment variables or a secrets manager. Never hardcode or commit keys.

## Base URL

- Typical production host: `https://rest.onboard.io`
- Use your account-provided host for sandbox/non-production if it differs.

## Webhooks

- Verify the `x-onboard-hmac-sha256` header before performing any side effects.
- Return `2xx` quickly; move slow processing to async jobs.
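
One way to implement the webhook check above, as an added example (not Onboard's code). It assumes the header carries a hex-encoded HMAC-SHA256 of the raw request body, keyed with the webhook signing secret; confirm the encoding and the signed input in the Onboard docs. `handle_webhook`, `enqueue`, the 401/400/202 status choices and the sample values are hypothetical.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "x-onboard-hmac-sha256"  # header name from this skill

# Constructed sample values for illustration only; not a real secret or a real event schema.
SAMPLE_SECRET = b"constructed-signing-secret"
SAMPLE_BODY = b'{"constructed_sample": true}'


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw body (assumed encoding, see lead-in)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Check the header against the exact bytes received, in constant time."""
    if not secret or not isinstance(header_value, str):
        return False  # fail closed on a missing secret or missing header
    expected = sign(secret, raw_body).encode()
    received = header_value.strip().lower().encode()
    # compare_digest does not reveal how many leading characters matched.
    return hmac.compare_digest(expected, received)


def handle_webhook(secret: bytes, headers: dict, raw_body: bytes, enqueue) -> int:
    """Return an HTTP status code; `enqueue` hands the event to an async job."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    if not verify_signature(secret, raw_body, lowered.get(SIGNATURE_HEADER)):
        return 401  # rejected before parsing; no side effects, nothing secret logged
    try:
        event = json.loads(raw_body)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return 400  # correctly signed but not valid JSON
    if not isinstance(event, dict):
        return 400
    enqueue(event)  # slow processing runs later, off the request path
    return 202  # a quick 2xx


if __name__ == "__main__":
    queue = []
    headers = {"X-Onboard-Hmac-Sha256": sign(SAMPLE_SECRET, SAMPLE_BODY)}
    print(handle_webhook(SAMPLE_SECRET, headers, SAMPLE_BODY, queue.append), queue)
```

Verify against the raw bytes as received, not a re-serialized JSON object, since re-encoding can change whitespace or key order and break the comparison.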

## API behavior

- Implement pagination as documented (`page`, `page_size`, `max_page_size` where applicable).
- Retry `429` responses with exponential backoff and jitter.
- Do not invent fields, enums, or event types not present in docs/OpenAPI.

## Safety

- Never log API keys or webhook signing secrets.
- Handle non-2xx responses and invalid JSON explicitly.
