Base URL
/v1 path prefix — we add new fields additively and
avoid breaking changes within v1.
API keys
Create a key from the dashboard:Sign in
Log into the ThunderPhone Dashboard.
Making a request
Send the key as a bearer token in theAuthorization header. The API
infers your organization from the key, so you don’t need an org id in
the URL path.
Successful JSON responses use
200 OK for reads and 201 Created for
writes. Deletes return 204 No Content. Errors use the standard HTTP
status codes listed below.Health check
Verify API connectivity without authentication:Response
Dashboard access (X-ThunderPhone-Org)
The dashboard at app.thunderphone.com authenticates users with a personal session/token (one user can belong to many organizations). Those requests identify the target organization via theX-ThunderPhone-Org header:
sk_live_ key should omit
it; the key already carries an org binding and the header, if present, is
ignored for API-key requests.
ID format
Resource ids are 64-bit integers (agent id, phone number id, call id, etc.). Tokens (invites, API keys) are strings. Every successful write returns the persisted object including its assigned id:Pagination
List endpoints return a plain JSON array by default. Endpoints that can produce very large result sets (currently calls and transactions) acceptlimit and offset query parameters and return a wrapped
envelope:
limit to the current offset on each request
and stop when offset + limit >= total. See each endpoint’s page for
the maximum limit it accepts.
Errors
The API uses conventional HTTP status codes:| Status | Meaning |
|---|---|
200 | OK |
201 | Created |
204 | No Content — operation succeeded with no body |
400 | Bad Request — invalid parameters. Body contains detail or field-specific messages |
401 | Unauthorized — missing or invalid API key |
402 | Payment Required — insufficient balance |
403 | Forbidden — valid credentials but the resource is out of scope or policy denies the action |
404 | Not Found — resource doesn’t exist (or isn’t visible to this key) |
409 | Conflict — optimistic-concurrency / unique-constraint failures |
410 | Gone — deprecated URL shape, see new_path in body |
429 | Too Many Requests — rate limit (response includes Retry-After) |
500 | Internal Server Error |
502 | Bad Gateway — upstream provider (Stripe, LiveKit, VoIP) failed |
Error body
Validation error
Rate limiting
The API currently imposes a soft rate limit of 100 requests per second per API key. When exceeded, the response is429 Too Many Requests
with a Retry-After header in seconds. Bursty workloads should back off
and retry after the advertised delay; idempotent operations (GET,
PUT, and explicitly-keyed POSTs noted on each endpoint) can be
safely retried.
Migration from /v1/orgs/<id>/... paths
The API previously nested every resource under your organization id in
the URL path — e.g. /v1/orgs/42/agents. Those URLs now return 410 Gone with a body pointing to the new flat shape:
/orgs/<id>
from every URL. Your sk_live_ key is unchanged and continues to
identify your organization automatically.
Next steps
Quickstart
Create your first agent, provision a number, and take a test call.
Agents
Configure voices, prompts, and tool integrations.
Calls
List, inspect, and export call history.
Webhooks
Subscribe to real-time events.