Onboarding grant
Use the zero-config onboarding grant immediately after OTP verification to create mapping sessions and issue the first deployment bundle.
Decionis separates public docs and share-safe verification routes from onboarding-grant, org-scoped, and webhook-trust surfaces. Production integrations should assume OTP verify -> onboarding grant -> deployment bundle -> org API key -> POST /v1/protocol/evaluate-decision unless a route is explicitly documented as public or onboarding-scoped.
Decionis keeps trust boundaries explicit. Integrations should not infer public access for any route that mutates state or reveals governed artifacts.
Use an org-scoped bearer token after the deployment bundle is issued for canonical decision evaluation, mapping progression, callback management, protocol artifact submission, and org-scoped artifact retrieval.
Use public access only for published docs, marketplace entry pages, and share-safe dossier verification routes.
Treat Decionis-issued connector secrets as write-path credentials for inbound provider traffic, and treat x-decionis-signature as the verification surface for outbound callback delivery.
Public onboarding is a two-step auth sequence. OTP verification returns the onboarding grant. The org API key is issued later by the deployment bundle and becomes the bearer credential for the canonical decision route.
/v1/public/auth/register/start (auth: Public)
Send a 6-digit verification code to the sponsor email.
```bash
curl -X POST https://api.decionis.com/v1/public/auth/register/start \
  -H "Content-Type: application/json" \
  -d '{
    "owner_email": "risk@example.com",
    "owner_name": "Partner Risk",
    "org_name": "Partner Inc"
  }'
```
/v1/public/auth/register/verify (auth: Public)
Verify the email OTP and return the onboarding grant plus resolved workspace paths.
```bash
curl -X POST https://api.decionis.com/v1/public/auth/register/verify \
  -H "Content-Type: application/json" \
  -d '{
    "owner_email": "risk@example.com",
    "otp_code": "123456"
  }'
```
OTP verify returns the onboarding grant token and org ID. It does not return the org API key. The org API key, connector ID, webhook secret, webhook URL, and policy version are issued by POST /v1/public/pilot/signal-mapping/sessions/:sessionId/deployment-bundle. Persist that API key and use it for POST /v1/protocol/evaluate-decision.
These are the default request headers for authenticated calls.
```text
Authorization: Bearer onboard_xxx # during onboarding
Authorization: Bearer dcy_org_xxx # after deployment bundle
Idempotency-Key: cfd-order-001 # recommended for evaluation writes
Content-Type: application/json
Accept: application/json
```
/v1/public/pilot/signal-mapping/sessions/:sessionId/deployment-bundle (auth: Onboarding grant or org API key)
Representative authenticated request shape for issuing runtime credentials from the zero-config onboarding flow.
```bash
curl -X POST https://api.decionis.com/v1/public/pilot/signal-mapping/sessions/<session_id>/deployment-bundle \
  -H "Authorization: Bearer <onboarding_or_org_key>" \
  -H "Content-Type: application/json" \
  -d '{"provider_key":"partner_webhook","workflow_key":"decision_intake","source_label":"primary_stream"}'
```
/v1/protocol/evaluate-decision (auth: API key)
Canonical authenticated decision call once the deployment bundle has issued the org API key.
```bash
curl -X POST https://api.decionis.com/v1/protocol/evaluate-decision \
  -H "Authorization: Bearer dcy_org_xxx" \
  -H "Idempotency-Key: cfd-order-001" \
  -H "Content-Type: application/json" \
  -d '{
    "org_id": "<org_uuid>",
    "decision_type": "CFD_TRADE_EXECUTION",
    "workflow_key": "cfd_trade_execution",
    "context": {
      "instrument": "EURUSD",
      "side": "BUY",
      "order_type": "MARKET",
      "notional": 18000,
      "leverage": 12,
      "margin_available": 5400,
      "approval_path": ["desk_risk", "finance_control"],
      "policy_version": "cfd_trade_execution-v1"
    }
  }'
```
Use the dedicated Decision Evaluation page for the canonical payload shape, the full Geminix Capital CFD example, and the wrapper-route guidance.
/docs/decision-evaluation
Integrators should model Decionis around route trust classes rather than product packaging.
| Route class | Examples | Auth posture |
|---|---|---|
| Public account bootstrap | /v1/public/auth/register/start, /v1/public/auth/register/verify | Public |
| Canonical decision evaluation | /v1/protocol/evaluate-decision, /v1/action-gate/evaluate | Bearer API key with decision write scope; prefer /v1/protocol/evaluate-decision as the primary route |
| Org-scoped write and read | /v1/protocol/policies/bundles, /v1/protocol/dossiers/:id | Bearer API key |
| Connector webhook ingress | /v1/signals/webhooks/:connectorId | Webhook secret or signature header |
| Public verification | /v1/public/decision-dossiers/:dossierId/verify | Public with verification token in query |
| Pilot bootstrap | /v1/public/pilot/signal-mapping/sessions, /v1/public/pilot/signal-mapping/sessions/:sessionId/deployment-bundle | Onboarding grant or org-scoped API key |
| Outbound callback management | /v1/orgs/:orgId/integrations/WEBHOOK/connect | Bearer API key with org integration write scope |
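A client-side guard built from the table above, as an added example that is not Decionis code: it refuses to attach a credential class to a route that does not accept it, and it treats unlisted routes as org-scoped instead of public. It assumes real credentials carry the prefixes of the page's placeholders (`onboard_`, `dcy_org_`, `whsec_`); the function names are hypothetical.

```python
import re

# Route patterns and auth postures transcribed from the table above.
# A ":name" segment matches exactly one path segment.
ROUTES = {
    "/v1/public/auth/register/start": {"public"},
    "/v1/public/auth/register/verify": {"public"},
    "/v1/public/decision-dossiers/:dossierId/verify": {"public"},
    "/v1/public/pilot/signal-mapping/sessions": {"onboarding", "org"},
    "/v1/public/pilot/signal-mapping/sessions/:sessionId/deployment-bundle":
        {"onboarding", "org"},
    "/v1/signals/webhooks/:connectorId": {"webhook"},
    "/v1/protocol/evaluate-decision": {"org"},
    "/v1/action-gate/evaluate": {"org"},
    "/v1/protocol/policies/bundles": {"org"},
    "/v1/protocol/dossiers/:id": {"org"},
    "/v1/orgs/:orgId/integrations/WEBHOOK/connect": {"org"},
}
# Assumption: real credentials carry the prefixes of the page's placeholders.
PREFIXES = {"onboard_": "onboarding", "dcy_org_": "org", "whsec_": "webhook"}


def _compile(pattern):
    parts = [r"[^/]+" if p.startswith(":") else re.escape(p)
             for p in pattern.split("/")]
    return re.compile("/".join(parts) + r"/?\Z")


COMPILED = [(_compile(p), kinds) for p, kinds in ROUTES.items()]


def credential_kind(token):
    """Classify a credential by prefix; None means no credential is attached."""
    if token is None:
        return "public"
    return next((k for p, k in PREFIXES.items() if token.startswith(p)), "unknown")


def allowed_kinds(path):
    """Return the credential kinds a route accepts, ignoring the query string."""
    path = path.split("?", 1)[0]
    for rx, kinds in COMPILED:
        if rx.match(path):
            return kinds
    return {"org"}  # unlisted route: never infer public access


def may_send(path, token=None):
    """True only if this credential class belongs on this route."""
    return credential_kind(token) in allowed_kinds(path)
```

The pilot bootstrap routes sit under `/v1/public/` yet require a grant or key, which is why the guard matches full route patterns and not a path prefix.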
Webhook verification is part of the API contract because production signal ingress is webhook-based today and outbound callbacks are first-class.
```bash
# Inbound signal ingress
curl -X POST https://api.decionis.com/v1/signals/webhooks/<connector_id> \
  -H "Content-Type: application/json" \
  -H "x-webhook-secret: whsec_xxx" \
  -d '{"events":[{"type":"eligibility_assessed","timestamp":"2026-03-11T10:30:00Z","data":{"case_id":"case_123"}}]}'
# Outbound callback verification
# Validate x-decionis-signature against the raw request body using the stored callback secret.
```
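A receiver-side sketch of the outbound callback check, added here as an example and not taken from Decionis. The page does not state the signature algorithm or encoding, so the code assumes HMAC-SHA256 with a lowercase hex digest; the secret, body, and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "x-decionis-signature"  # header name from the page


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    # Assumption: HMAC-SHA256, lowercase hex; the page does not state the scheme.
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_callback(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Check the signature over the exact bytes received, in constant time."""
    received = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER)
    if not received:
        return False  # a missing signature is a rejection, not a pass
    expected = compute_signature(secret, raw_body)
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


def handle_callback(secret: bytes, raw_body: bytes, headers: dict):
    """Parse the body only after the signature verifies; return None to reject."""
    if not verify_callback(secret, raw_body, headers):
        return None
    return json.loads(raw_body)


# Constructed sample: secret and body are placeholders, not real Decionis values.
SECRET = b"example-callback-secret"
RAW = b'{"case_id":"case_123","status":"approved"}'
GOOD = {"X-Decionis-Signature": compute_signature(SECRET, RAW)}
# Parsing and re-serializing changes whitespace, so the bytes no longer match.
RESERIALIZED = json.dumps(json.loads(RAW)).encode()
```

Verifying `RESERIALIZED` against the signature for `RAW` fails, which is why the check must run on the body bytes as received, before any JSON middleware touches them.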