1. Introduction

The Backend API is designed for integration with your secure backend (e.g. regular web app running on PHP or Node.js), meaning that your application can securely store secrets without exposing them to user clients. It handles all server-side operations and acts with databases, executes business logic and more. Via the Backend API, you can individually modify and read user, session and authentication data.

Never use the Backend API with API secrets in “insecure” frontend applications like native apps or single page applications running entirely in the browser.

The Backend API adheres to a commonly recognized RESTful structure, which should make its usage fairly intuitive. However, should you require any assistance, you are always welcome to contact us.

2. Configuration

To call our Backend API, you need the Backend API URL, the Corbado project ID and the API secret (both are used for HTTP basic authentication) which you can find in the developer panel.

All requests accept form-encoded request bodies, and respond with a JSON-encoded body.

Your Backend API can be accessed at the following URL (default value):


You can generate an API secret from the developer panel at any time at “Settings” - “Credentials” - “API secrets”.

Be aware that API secrets are only visible once and afterwards masked due to security reasons. If you lose an API secret, you will need to create a new one.

Corbado API Secrets

API secrets are sensitive information that must be protected at all costs to avoid potential attacks

  • Never embed an API secret directly into your code. Version control systems, such as GitHub, would upload them to public repositories. Implement the configuration via environment variables or files that are outside the version control system instead.
  • If you do not need an API secret any longer, try to delete them in order to minimize the risk of attacks.

3. Authorization

The Backend API uses basic authentication to authenticate requests. You can use your Corbado project ID as the username and the API secret as the password.

Include an authorization header with the value Basic <base64-encoded-credentials> in each request.

The input for the base64 encoding should be: <Corbado Project ID>:<Corbado API Secret>

4. API Reference

Corbado Logo