Skip to main content

What This API Is For

Use Cora’s API to let your systems read and update account data in Cora. Main use cases:
  • Fetch one account by externalId
  • Fetch multiple accounts by externalId
  • Update account fields from your CRM or servicing platform
  • Manage organization API keys in the dashboard

How To Read These Docs

Read in this order:
  1. API Overview
  2. Implementation Guide
  3. Authentication & Signing
  4. Account
  5. Get one account
  6. Get multiple accounts
  7. Update one account
  8. Status codes and errors

Base Paths

External account endpoints:
  • /external-api/accounts

API Key Lifecycle

Create and manage keys in Cora at Settings > Integrations > External API Keys. Important behavior:
  • Full key value is shown only once at creation
  • Keys do not auto-rotate
  • Rotate manually by creating a new key and revoking the old one

Request Authentication Model

  • GET /external-api/...: API key only
  • PATCH /external-api/...: API key + HMAC signature
See full details in Authentication & Signing.

Response Contract

All external account endpoints return:
  • success: boolean
  • code: machine-readable code
  • message: human-readable summary
Success responses include endpoint data (for example account, accounts). Error responses always include success: false and a specific code. Example:
{
  "success": false,
  "code": "INVALID_API_KEY",
  "message": "Invalid API key"
}