Product — Developers

A public REST API your engineers will not hate.

OpenAPI 3.1, HMAC-signed webhooks with retry and replay, tenant-isolated keys, per-key rate-limit overrides in the admin UI, and a real spec at /api/docs. Available on Pro and up.

Start free trial See pricing

# POST /api/v1/webhooks
curl -X POST https://YOUR-TENANT.mobieus.io/api/v1/webhooks \
  -H "Authorization: Bearer mc_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://api.you.com/hook",
    "subscribed_events": ["post.created", "report.created"]
  }'

# => 201 Created (signing_secret shown once)

0% platform fee on your commerce14-day free trial, no cardBring your own Stripe and domain4 products in one loginREST API + signed webhooks

What you get

A real API, not a screen-scraping rumor.

Available on Pro and up. Tenants on Starter get 403 plan_gated.

Cursor-paginated event log

GET /api/v1/events returns every public event newest-first. Filter by type or since. Walk the whole log with one cursor field.

Resource endpoints

Users, posts, mobieusMarket listings, files, moderation reports, moderation actions. JSON, scoped per key, paginated.

HMAC-signed webhooks

Every delivery carries Mobieus-Signature: t=<unix>,v1=<hex>. Verify with HMAC-SHA256 + your secret. Replay attack protection via 5-minute timestamp tolerance.

Exponential-backoff retry

Failed deliveries retry on 0/1/5/30/120/360/1440 minute schedule. Endpoints auto-disable after configurable failures. Replay any past delivery from /admin/webhooks.

SSRF + DNS-rebind protection

Webhook URLs blocked from loopback, RFC1918, link-local, cloud metadata. Validated at registration AND at every delivery.

Dual-signing rotation

Rotate the signing secret and both old and new signatures ride in the header for a configurable grace window. Roll over receivers without downtime.

Tenant-isolated keys

Keys are stored as SHA-256 hashes in your tenant DB. Constant-time compare. A key minted on tenant A literally cannot read tenant B.

Per-key + per-tenant rate limits

Set a rate limit per key on the admin UI. Override the tenant default. Three-layer precedence (per-key → tenant → platform). X-RateLimit headers on every response.

AI Community Manager drafts Creator Plus+

Programmatically list, approve, edit, or reject AI Community Manager drafts via the API. Wire approvals into your existing review tools. Drafts and decisions appear in the public event log so you can pipe them into Slack, audit pipelines, or analytics.

OpenAPI 3.1 + Redoc

The spec is the contract. Browse interactively at /api/docs. Feed the raw YAML at /api/openapi.yaml into any code generator.

What it looks like

Mint a key, fetch events, verify a webhook.

Fetch events

# GET /api/v1/events?limit=10
curl https://YOUR-TENANT.mobieus.io/api/v1/events?limit=10 \
  -H "Authorization: Bearer mc_live_..."

# =>
{
  "data": [
    { "id": "evt_01j...",
      "type": "post.created",
      "created_at": "2026-05-29T13:42:11Z",
      "data": { ... } }
  ],
  "next_cursor": "NDI=",
  "request_id": "req_..."
}

Verify a webhook (Node)

const crypto = require("crypto");

function verify(rawBody, header, secret) {
  const parts = Object.fromEntries(
    header.split(",").map(p => p.split("="))
  );
  const signed = parts.t + "." + rawBody;
  const expected = crypto
    .createHmac("sha256", secret)
    .update(signed).digest("hex");
  return crypto.timingSafeEqual(
    Buffer.from(expected),
    Buffer.from(parts.v1)
  );
}

Browse the OpenAPI spec Read the API guide

Start when you are ready

Try Mobieus free for 14 days.

No credit card. Bring your own Stripe. Cancel any time. Your data stays yours.

Start free trial Book a demo See pricing