Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.kombo.dev/llms.txt

Use this file to discover all available pages before exploring further.

Authentication

You need to get an API key from the Kombo dashboard to call our API. You can create one on the Secrets page. You might have multiple environments in your Kombo account. Each API key is specific to an environment. This will allow you to call some general endpoints that are not integration-specific. For example, try calling the following test API key endpoint: 
curl --request GET \
  --url https://api.kombo.dev/v1/check-api-key \
  --header 'Authorization: Bearer <YOUR_API_KEY>'

Calling Integration Endpoints

To call integration-specific endpoints, you need the integration ID. An integration ID identifies a specific instance of a tool connected to Kombo. If you haven’t created an integration yet, read the creating integrations guide. Get the integration ID from the details of integration on the integrations dashboard page. Pass the integration ID with the X-Integration-Id header in your API requests. For example: 
curl --request GET \
  --url https://api.kombo.dev/v1/hris/employees \
  --header 'Authorization: Bearer <YOUR_API_KEY>' \
  --header 'X-Integration-Id: <integration_id>'
Find out more about the integration-specific endpoints for HRIS or ATS

API Key Security

Kombo provides several features to help you manage API keys securely.

Key Scoping

Each API key is scoped to a single environment (Production or Development). Keys created in Production cannot access Development data and vice versa. The key prefix reflects the environment: ks_prod_... for production, ks_dev_... for development.

Expiration

When creating an API key, you can set an optional expiration date. Once expired, any request using the key will return an authentication error. To rotate keys without downtime, you must overlap the old and new keys: create a new key, migrate all of your services to use it, and only then let the old key expire (or revoke it).

IP Allowlisting

You can restrict each API key to a set of IP addresses or CIDR ranges. When an allowlist is configured, requests from non-listed IPs are rejected. An empty allowlist (the default) permits any IP. You can update the allowlist at any time without recreating the key.

Revocation

API keys can be individually disabled from the dashboard. Disabling a key takes effect immediately — all subsequent requests using that key will fail. Disabled keys cannot be re-enabled; create a new key instead.

Audit Trail

All key operations — creation, disabling, and IP allowlist changes — are recorded in the audit log.