API Overview

Host split, public contract shapes, and the difference between customer and platform surfaces.


Base URLs

Customer auth

  • Test: https://test.id.uselamba.com
  • Production: https://id.uselamba.com

Customer API

  • Test: https://test.api.uselamba.com
  • Production: https://api.uselamba.com

Platform console/app API

  • Test: https://test.platformapi.uselamba.com
  • Production: https://platformapi.uselamba.com

platformapi is for the Lamba app and console. Customer products should use only id and api.

Public host ownership

  • id.* serves customer auth, OIDC discovery, token exchange, and session operations.
  • api.* serves customer self and admin runtime APIs.
  • platformapi.* serves the Lamba console/app backend only.

Customer public request shape

Authorization: Bearer <customer-session-token>
X-Correlation-Id: <guid-or-string>

Do not send X-Tenant-Id or X-Project-Id to the customer surface.

The customer session token comes from the customer auth host:

  • directly from password, register, magic-link, phone, refresh, and switch-context
  • indirectly after OIDC by exchanging into a scoped session with POST /v1/sessions/switch-context

Customer success and error contracts

  • Resource success: plain JSON object
  • List success: { items, nextCursor }
  • Errors: ProblemDetails with errorCode and traceId

Customer core surfaces

  • Auth: register, password login, magic-link, phone OTP, social callback, Web3, MFA, refresh, logout, switch-context, OIDC
  • Self: me/context, me/authorization, me/security, me/profile
  • Admin: members, invitations, roles, permissions, applications, domains, webhooks
  • Events: endpoint CRUD, delivery logs, event catalog

Platform console/app notes

platformapi still carries internal console/app routes and may still require X-Tenant-Id and X-Project-Id.

That header-scoped contract is internal. Do not copy it into customer products.

Implementation notes

  • Keep customer auth and customer API clients separate.
  • Always pass correlation IDs for distributed tracing.
  • Build typed adapters around the public contract instead of scattering raw fetch calls.
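
An added example (not Lamba's own SDK or code) of a typed adapter that follows the notes above: it pins requests to the id and api hosts listed under Base URLs, rejects X-Tenant-Id and X-Project-Id, requires a correlation ID, and maps responses onto the documented success and ProblemDetails shapes. The function, class and parameter names are assumptions, as is the `title` member, which comes from the generic problem-details format rather than this page.

```javascript
// Added example: hosts are copied from "Base URLs"; all names here are illustrative.
const HOSTS = {
  test: { auth: "https://test.id.uselamba.com", api: "https://test.api.uselamba.com" },
  production: { auth: "https://id.uselamba.com", api: "https://api.uselamba.com" },
};
// Internal scoping headers the customer surface must never receive.
const FORBIDDEN_HEADERS = new Set(["x-tenant-id", "x-project-id"]);

class LambaApiError extends Error {
  constructor(status, problem) {
    super(problem.title || `Request failed with HTTP ${status}`);
    this.status = status;
    this.errorCode = problem.errorCode; // documented ProblemDetails extension
    this.traceId = problem.traceId;     // documented ProblemDetails extension
  }
}

// Build a fetch()-ready request for one customer surface ("auth" or "api").
function buildCustomerRequest({ env, surface, method = "GET", path, token, correlationId, headers = {}, body }) {
  const base = HOSTS[env] && HOSTS[env][surface];
  if (!base) throw new Error(`unknown customer surface: ${env}/${surface}`);
  if (!correlationId) throw new Error("X-Correlation-Id is required");
  const url = new URL(path, base);
  // An absolute URL or a "//host/..." path would send the bearer token elsewhere.
  if (url.origin !== base) throw new Error("path must stay on the selected host");
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase(); // header names are case-insensitive
    if (FORBIDDEN_HEADERS.has(key)) throw new Error(`${name} must not be sent to the customer surface`);
    out[key] = value;
  }
  if (token) out["authorization"] = `Bearer ${token}`; // absent before login
  out["x-correlation-id"] = correlationId;
  const init = { method, headers: out };
  if (body !== undefined) {
    out["content-type"] = "application/json";
    init.body = JSON.stringify(body);
  }
  return { url: url.toString(), init };
}

// Map a decoded response onto the documented contract shapes.
function parseCustomerResponse(status, json) {
  if (status >= 400) throw new LambaApiError(status, json || {});
  if (json && Array.isArray(json.items)) {
    return { items: json.items, nextCursor: json.nextCursor ?? null };
  }
  return json; // resource success: plain JSON object
}
```

Pass `url` and `init` to `fetch`, then hand the response status and decoded JSON body to `parseCustomerResponse`.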

Related docs

  • Request scoping: /docs/concepts/request-scoping
  • Error contracts: /docs/reference/errors
  • OpenAPI and Postman: /docs/reference/openapi-postman