REST · Embed · CORS

API reference

Integrate Vondaro on your website or server. Public endpoints, authentication, and copy-paste examples in one place.

Base URL

Production base URL: https://vondaro.io. All examples use this host.

JSON endpoints enable CORS for browser calls where relevant. Never expose a private API key in frontend code – it is only valid from server-side requests.

API keys (public / private)

Create keys in the Vondaro dashboard under Embed (Beágyazás).

  • Public – for embedded scripts (chat widget, embed config). Safe to use in the browser.
  • Private – for server-side integrations (e.g. REST lead API). If the request includes a browser Origin header, it will be rejected.

Embed script (chat widget)

Add the snippet before the closing body tag. The script loads the bubble UI and calls our API using data-base-url.

<script
  src="https://vondaro.io/embed.js"
  data-api-key="lgp_..."
  data-base-url="https://vondaro.io"
  async
></script>
POST
/api/v1/leads
Create a lead (REST)
Creates a lead for the company linked to the key. Public keys may be checked against allowed domains unless hostname check is disabled in script settings.

Header: x-api-key or Authorization: Bearer <key>, or JSON field api_key.

JSON body

body
NameTypeRequiredDescription
first_namestring
yes
First name or full name.
emailstring
yes
Valid email address.
last_namestringnoLast name.
phonestringnoPhone number.
servicestringnoShort service or product label.
detailsstringnoFree text; stored under details.note.
sourcestringnoOne of form | api | chat | manual. Default: api.
referral_dataobjectnoUTM / referrer fields (allowed keys only).

Response fields

response
NameTypeDescription
successbooleanWhether the lead was stored.
lead_iduuidNew lead id.
over_limitbooleanIf the plan’s lead limit is exceeded, lead may still be stored with status over_limit.

HTTP

  • 400Missing required field or invalid email.
  • 401Missing or invalid API key.
  • 403Private key from browser, or disallowed origin (public key).
  • 500Server error.

cURL (private key, server-side)

curl -sS -X POST "https://vondaro.io/api/v1/leads" \
  -H "Content-Type: application/json" \
  -H "x-api-key: lgp_PRIVATE_..." \
  -d '{
    "first_name": "Peter",
    "email": "peter@example.com",
    "phone": "+36301234567",
    "service": "Paving",
    "details": "40 m2, Budapest",
    "source": "api"
  }'
GET
/api/embed/config
Chat widget configuration
Returns AI chat UI settings (welcome text, quick buttons, contact copy). Public key only.

Query parameters

query
NameTypeRequiredDescription
api_keystring
yes
Public API key.

Response fields

response
NameTypeDescription
welcome_messagestringWelcome message.
quick_buttonsstring[]Quick reply labels.
contact_prompt_textstring | nullCustom contact prompt.
require_phonebooleanWhether phone is required.
gate_quotebooleanQuote gate setting.
chat_themeobject | nullPro: { primary_hex }. Business/Enterprise: optional accent_hex, header_title, border_radius_px (8–28), hide_powered_by. Fields match plan; otherwise null.

HTTP

  • 400Missing api_key.
  • 401Invalid key.
  • 403Private key not allowed here.

Example

curl -sS "https://vondaro.io/api/embed/config?api_key=lgp_..."
POST
/api/embed/chat
AI chat message
Sends a user message to the AI and returns the reply text. Session and lead handling is done server-side.

JSON body

body
NameTypeRequiredDescription
api_keystring
yes
Public API key.
messagestring
yes
User message.
session_idstringnoSession id (client-generated, stable).
first_namestringnoIf contact already known.
emailstringnoEmail if known.
phonestringnoPhone if known.
referral_dataobjectnoSame allowed keys as the lead API.

Response fields

response
NameTypeDescription
replystringAssistant reply text.
lead_iduuidCurrent lead id.
session_idstringSession id.
request_contactbooleanHints that contact details should be requested.

HTTP

  • 400Missing api_key or message.
  • 401Invalid key.
  • 403Private key not allowed from browser.
  • 500Server error.

Minimal JSON body

curl -sS -X POST "https://vondaro.io/api/embed/chat" \
  -H "Content-Type: application/json" \
  -d '{
    "api_key": "lgp_...",
    "message": "Hi, I need a quote for paving.",
    "session_id": "lgp_session_abc123"
  }'

CORS and errors

Documented endpoints respond with Access-Control-Allow-Origin: * for preflight where applicable.

Errors are usually JSON: { "error": "…" } (Hungarian message text).

Limits and response headers (leads)

Successful POST /api/v1/leads responses may include X-Lead-Limit and X-Lead-Count when the plan has a configured limit.