Skip to main content
The Corsair SDK is TypeScript-only, but Hub itself is a plain HTTP service. A Go, Python, or Ruby backend integrates by calling these endpoints directly. Credentials are still delivered to your endpoint and stored in your database — Hub stores none. Every request authenticates with your project API key:

Create a connect session

Returns { "connectUrl", "token", "projectId", "expiresAt" }. Redirect the user’s browser to connectUrl. Hub hosts the connect page and the OAuth callback.

Receive the delivery

When the user finishes connecting, Hub POSTs a signed JSON envelope to your deliveryUrl. The body is { "type", "payload" }, with these headers:
HeaderValue
x-corsair-signaturesha256=<hex> — HMAC-SHA256 of the raw request body, keyed with your signing secret
x-corsair-timestampUnix seconds when Hub sent it; reject if older than a few minutes (replay guard)
x-corsair-projectYour project id
x-corsair-nonceUnique per delivery
Verify before trusting the body — recompute the HMAC over the raw bytes and compare in constant time:
Only after verify passes: parse the body, exchange or store the credential, and respond 200.

List connections

Returns an array of { tenantId, plugin, status, authKind, connectedAt, expiresAt }, deduplicated by tenantId:plugin.

Rate limits

Connect and permission session creation share a limit of 100 sessions per hour per project. Over the limit returns HTTP 429. Malformed requests do not consume quota.