Skip to content

Initial publication

Date: 2026-05-06

The Auradonors public API has been in production for some time — what’s new is this documentation site. Before today, integrators landed on the embedded Scalar reference at /reference/ and had to reverse-engineer authentication, error handling, idempotency, and webhook delivery from the OpenAPI schema descriptions. This publication closes that gap.

  • Getting started — provision an API key, send the first request, recognize success vs. failure.
  • AuthenticationX-Api-Key header model, per-tenant scoping, scope grammar, rotation, revocation, the api-access:enabled feature flag, and what gets rejected.
  • Conventions — pagination shape, error envelope, idempotency contract on order creation, current rate-limit policies.
  • Webhooks — outbound delivery mechanics, HMAC-SHA256 signature verification, retry policy, and the full event catalog.
  • Resources — the curated public-API surface, with explicit callouts for which endpoint groups in the feed are internal-only.
  • Recipes — five end-to-end workflows (import a contact, record a donation, charge a card, run a saved report, listen for events).
  • The API itself. The OpenAPI feed at api.auradonors.com/openapi/v1.json is unchanged. Every operation was already shipping summaries and descriptions per the prior Phase C documentation sweep; this publication adds the cross-cutting narrative.
  • The base URLs (api.auradonors.com for production, api-dev.auradonors.com for sandbox).
  • The authentication model (X-Api-Key header, hashed lookup against tenant_api_keys).
  • The webhook delivery contract (signed POST, 5-attempt retry, 10-second timeout).
  • Per-operation request/response examples in the embedded reference. The Scalar UI works with the schema-only descriptions today; curated examples land in a follow-up phase once we see which shapes integrators actually want to copy.
  • Public/internal endpoint split at the OpenAPI level. The Resources page calls out which endpoint groups are part of the supported public surface, but every endpoint still appears in the feed — formal filtering belongs in a future phase.
  • SDK / typed clients. The curl and HttpClient examples in this publication are the integration story.
  • Localization. English only.

If a documented fact doesn’t match what the API actually does, that’s a bug — file an issue. If a recipe you’d want to follow isn’t covered, email [email protected]; recipes are added when integrators ask for them.