Environments
Zenoo provides separate staging and production environments. Each environment has its own base URL, API keys, and provider connections.
Base URLs
| Environment | Base URL |
|---|---|
| Production | https://instance.prod.onboardapp.io |
| Staging | https://instance.staging.onboardapp.io |
API keys
API keys are environment-specific. A staging key does not work against the production URL, and vice versa. Your project hash is the same across both environments, but the keys are different.
Staging and production API keys are not interchangeable. Using a staging key against the production URL (or vice versa) will return 401 Unauthorized.
Request keys during onboarding. You will receive one key per environment per project.
Endpoints
All endpoints follow the gateway pattern:
{base_url}/api/gateway/execute/{project_hash}/{action}
| Method | Path | Purpose | Mode |
|---|---|---|---|
| POST | /api/gateway/execute/{project_hash}/api | Initiate verification (sync) | Blocks until complete or timeout |
| POST | /api/gateway/execute/{project_hash}/init | Initiate verification (async) | Returns tokens immediately |
| GET | /api/gateway/sharable-payload/{pull_token} | Retrieve async results | Returns results or 204 if pending |
Sync mode
Add the X-SYNC-TIMEOUT header (value in milliseconds) to make the /api endpoint block until checks complete:
curl -X POST \
  "https://instance.prod.onboardapp.io/api/gateway/execute/{project_hash}/api" \
  -H "Content-Type: application/json" \
  -H "X-API-KEY: your-api-key" \
  -H "X-SYNC-TIMEOUT: 30000" \
  -d '{ ... }'
If the timeout is reached before all checks finish, you may receive partial results or tokens for polling.
Async mode
Call the /init endpoint without X-SYNC-TIMEOUT. The response contains two tokens:
{
  "tokens": {
    "pull": "eyJhbGciOiJIUzI1NiJ9.pull-token...",
    "start": "eyJhbGciOiJIUzI1NiJ9.start-token..."
  }
}
pull — Retrieve results via the /sharable-payload/{pull_token} endpoint.
start — Construct a verification URL for user-facing flows: {base_url}/{project_hash}/?t={start_token}
Pulling results
Poll the pull endpoint until you receive a 200 with results:
curl "https://instance.prod.onboardapp.io/api/gateway/sharable-payload/{pull_token}"
| Status | Meaning |
|---|---|
| 200 | Results ready. Response body contains full compliance report. |
| 204 | Still processing. Retry after 10-30 seconds. |
| 404 | Invalid or expired token. |
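The polling loop above as an added example (not Zenoo's own client code): it maps the three documented statuses to outcomes, waits 10-30 seconds between retries, and keeps the pull token out of error messages. `pull_results`, `max_wait` and the injectable `fetch`/`sleep`/`clock` parameters are names chosen here, and the 200 body is assumed to be JSON.

```python
import json
import random
import time
import urllib.error
import urllib.parse
import urllib.request

BASE_URLS = {  # from the Base URLs table on this page
    "production": "https://instance.prod.onboardapp.io",
    "staging": "https://instance.staging.onboardapp.io",
}


class PullTokenRejected(Exception):
    """404 from the pull endpoint: the token is invalid or has expired."""


def http_get(url, timeout=15):
    """Return (status, body_bytes); HTTP error responses become plain statuses."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def pull_results(env, pull_token, *, max_wait=600, fetch=http_get,
                 sleep=time.sleep, clock=time.monotonic):
    """Poll until 200. max_wait (seconds) is a hypothetical overall deadline."""
    # Percent-encode the token so a malformed value cannot alter the path.
    token = urllib.parse.quote(pull_token, safe="")
    url = f"{BASE_URLS[env]}/api/gateway/sharable-payload/{token}"
    deadline = clock() + max_wait
    while True:
        status, body = fetch(url)
        if status == 200:
            return json.loads(body)  # assumption: the report is JSON
        if status == 404:
            # The pull example on this page sends no X-API-KEY header, so
            # treat the token as a secret and keep it out of messages and logs.
            raise PullTokenRejected("pull token invalid or expired")
        if status != 204:
            raise RuntimeError(f"unexpected HTTP status {status}")
        delay = random.uniform(10, 30)  # documented retry window
        if clock() + delay > deadline:
            raise TimeoutError("results still pending at deadline")
        sleep(delay)
```
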
Environment differences
| Aspect | Staging | Production |
|---|---|---|
| Providers | Sandbox/mock APIs | Live provider APIs |
| Screening | Mock data based on test patterns | Real WorldCheck results |
| Webhooks | Full delivery | Full delivery |
| Rate limits | Lower | Production limits |
| Data retention | May be purged periodically | Standard retention |
Staging is for integration testing only. Do not use staging results for compliance decisions. Staging providers return mock or sandbox data that does not reflect real-world verification outcomes.