What's exposed
- REST API v1. CRUD on CRM, Catalog, Quotations, Contracts, Invoices, Projects. Authenticated with API keys.
- Webhooks. Subscribe to events (lead.created, quote.sent, invoice.paid, contract.signed, project.milestone_reached). HMAC-signed with replay protection.
- OAuth. For partner apps acting on behalf of customers. Scoped permissions.
- Agent runtime hooks. Plug custom tools into AI agents — give them access to your internal systems while keeping guardrails.
- SDKs. PHP, Node, Python — thin clients over the REST API.
Authentication
Two modes. API keys for backend integrations (scoped to a tenant, rotatable, with audit log). OAuth for partner apps acting on behalf of users (granular scopes, refresh tokens, revocation).
Rate limits
Generous by default — 1000 requests/min per API key. Enterprise customers get dedicated allocations. We publish current limits in the response headers.
Webhook reliability
Webhooks retry with exponential backoff for 24 hours. Each delivery carries an idempotency key. Failed deliveries are visible in your developer dashboard with replay ability.
What's not exposed (yet)
The agent runtime is currently customer-tuneable through configuration, not through code injection. We're working on a programmable agent toolkit; reach out if you want early access.
Documentation
Full API reference, webhook payload spec, and quickstarts are available to customers. Talk to sales to get developer access.