Summary and recommendation
BombBomb exposes a REST API at https://api.bombbomb.com/v2, authenticated via Bearer token (API key). The API is oriented toward contact and CRM management - not internal team user provisioning.
Public documentation is sparse: endpoint paths, required fields, response schemas, rate limits, and pagination parameters are either partially documented or require direct engagement with BombBomb support to confirm. All endpoint details in available references should be validated against official docs before production use.
Teams needing automated user lifecycle management at scale should evaluate Stitchflow's MCP server with ~100 deep IT/identity integrations as an alternative to building directly against BombBomb's underdocumented API.
API quick reference
| Has user API | Yes |
| Auth method | API Key (Bearer token) |
| Base URL | Official docs |
| SCIM available | No |
| SCIM plan required | Enterprise |
Authentication
Auth method: API Key (Bearer token)
Setup steps
- Log in to your BombBomb account.
- Navigate to Settings > Integrations or Developer Settings.
- Generate an API key from the API section.
- Pass the API key as a Bearer token in the Authorization header: 'Authorization: Bearer {api_key}'.
User object / data model
| Field | Type | Description | On create | On update | Notes |
|---|---|---|---|---|---|
| id | string | Unique identifier for the user/contact. | auto-generated | immutable | Used as primary key in API calls. |
| string | User's email address. | required | optional | Primary identifier for contacts. | |
| firstName | string | User's first name. | optional | optional | |
| lastName | string | User's last name. | optional | optional | |
| phone | string | User's phone number. | optional | optional |
Core endpoints
List Contacts
- Method: GET
- URL:
https://api.bombbomb.com/v2/contacts - Watch out for: Endpoint structure inferred from developer portal patterns; confirm exact path with official docs.
Request example
GET /v2/contacts
Authorization: Bearer {api_key}
Response example
{
"contacts": [
{"id": "abc123", "email": "user@example.com", "firstName": "Jane"}
]
}
Create Contact
- Method: POST
- URL:
https://api.bombbomb.com/v2/contacts - Watch out for: Exact required fields and response schema not fully documented publicly.
Request example
POST /v2/contacts
Authorization: Bearer {api_key}
{"email": "user@example.com", "firstName": "Jane", "lastName": "Doe"}
Response example
{
"id": "abc123",
"email": "user@example.com",
"firstName": "Jane"
}
Get Contact
- Method: GET
- URL:
https://api.bombbomb.com/v2/contacts/{contactId} - Watch out for: Contact ID must be known in advance; no search-by-email endpoint confirmed publicly.
Request example
GET /v2/contacts/abc123
Authorization: Bearer {api_key}
Response example
{
"id": "abc123",
"email": "user@example.com",
"firstName": "Jane"
}
Update Contact
- Method: PUT
- URL:
https://api.bombbomb.com/v2/contacts/{contactId} - Watch out for: Whether PATCH is supported in addition to PUT is not confirmed in public docs.
Request example
PUT /v2/contacts/abc123
Authorization: Bearer {api_key}
{"firstName": "Janet"}
Response example
{
"id": "abc123",
"email": "user@example.com",
"firstName": "Janet"
}
Delete Contact
- Method: DELETE
- URL:
https://api.bombbomb.com/v2/contacts/{contactId} - Watch out for: Deletion may be soft-delete; behavior not confirmed in public documentation.
Request example
DELETE /v2/contacts/abc123
Authorization: Bearer {api_key}
Response example
{
"success": true
}
Rate limits, pagination, and events
Rate limits: No publicly documented rate limit tiers found in official documentation.
Rate-limit headers: Unknown
Retry-After header: Unknown
Rate-limit notes: Rate limit details are not publicly documented. Contact BombBomb support for specifics.
Pagination method: offset
Default page size: Not documented
Max page size: Not documented
Pagination pointer: Not documented
Webhooks available: Unknown
Webhook notes: No publicly documented webhook support found in official BombBomb developer or help center documentation.
Alternative event strategy: Use polling against the contacts or activity endpoints as a workaround.
SCIM API status
- SCIM available: No
- SCIM version: 2.0
- Plan required: Enterprise
- Endpoint: Not documented
Limitations:
- SCIM provisioning is available only on the Enterprise plan.
- Okta is the confirmed IdP; Entra ID, Google Workspace, and OneLogin are not confirmed.
- No public SCIM endpoint URL or detailed operation documentation found.
- SSO is a prerequisite for SCIM provisioning.
Common scenarios
Three integration patterns are supported with caveats. First, contact creation via POST /v2/contacts with email, firstName, and lastName - exact required fields are not fully confirmed, so test with a minimal payload before building automation.
Second, contact sync from an external CRM using GET /v2/contacts to retrieve existing IDs, then PUT /v2/contacts/{contactId} for updates - no confirmed bulk upsert endpoint exists, so individual calls per contact may surface undocumented rate limits at scale.
Third, Enterprise-tier user provisioning via Okta SCIM - SSO must be configured first, and the SCIM endpoint URL and token are only obtainable through BombBomb Enterprise support, not public documentation.
Add a new contact via API
- Obtain API key from BombBomb Settings > Integrations.
- POST to /v2/contacts with email, firstName, lastName in the request body.
- Store the returned contact ID for future updates or lookups.
Watch out for: Exact required fields are not fully documented; test with minimal payload first.
Provision enterprise users via Okta SCIM
- Upgrade to BombBomb Enterprise plan.
- Configure SSO with Okta as the identity provider.
- Enable SCIM provisioning in Okta for the BombBomb app integration.
- Assign users/groups in Okta to trigger provisioning to BombBomb.
Watch out for: SCIM endpoint URL and token must be obtained from BombBomb Enterprise support; not publicly documented.
Sync contacts from external CRM
- Authenticate with API key.
- GET /v2/contacts to retrieve existing contacts and their IDs.
- For new contacts, POST to /v2/contacts.
- For existing contacts, PUT to /v2/contacts/{contactId} with updated fields.
Watch out for: No confirmed bulk upsert endpoint; individual API calls per contact may hit undocumented rate limits at scale.
Why building this yourself is a trap
The primary API risk is documentation opacity: many endpoint behaviors - including soft-delete versus hard-delete on DELETE /v2/contacts/{contactId}, PATCH support on update endpoints, and search-by-email availability - are unconfirmed in public sources. Rate limits are entirely undocumented, making it difficult to design reliable retry logic.
SCIM provisioning is restricted to Enterprise with custom pricing, and only Okta is confirmed as a supported IdP; Entra ID, Google Workspace, and OneLogin are not confirmed. Teams that build automation against the BombBomb API directly should treat all inferred endpoint paths and field names as provisional until verified with BombBomb support.
Automate BombBomb workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
