The Ashby API is an RPC-style API, where endpoints follow the form /CATEGORY.method. Most endpoints take POST requests, even for what in a REST-style API would typically be a GET request.

Except as noted elsewhere, all endpoints in this API use Basic authentication, meaning requests must include an Authorization: Basic <base64(your api key + ":")> header. If you are using a GUI for making requests (such as Postman), the Basic Auth dialog may prompt you for a username and password. You can supply the API key as the username and leave the password field blank.

Additionally, request parameters must be sent in JSON bodies, and request Content-Type headers must be explicitly set to application/json (except as where noted otherwise, for example in the applicationForm.submit endpoint).

Note: Because this API uses a long-lived key, it is not recommended for use in browsers. Additionally, CORS is not configured to allow it. It is recommended that you proxy requests from the browser through your own backend service.