API Reference
Authentication
All API endpoints (except public tracking/unsubscribe URLs, webhooks, and reports) require authentication via JWT token or API key.
Login
bash
curl -X POST https://YOUR_SERVER/api/v1/auth/login \
-H "Content-Type: application/json" \
-d '{"username": "admin@company.com", "password": "yourpassword"}'Response sets an auth_token HttpOnly cookie (7-day expiry). The JWT token is used for subsequent requests.
Register
bash
curl -X POST https://YOUR_SERVER/api/v1/auth/register \
-H "Content-Type: application/json" \
-d '{"name": "Admin User", "email": "admin@company.com", "password": "yourpassword"}'The first registered user automatically becomes super_admin. A default workspace is created on registration.
Using the Token
Two methods:
Cookie (browser/curl)
bash
curl https://YOUR_SERVER/api/v1/workspaces \
-H "Cookie: auth_token=YOUR_JWT_TOKEN"API Key (programmatic access)
bash
curl https://YOUR_SERVER/api/v1/workspaces \
-H "Authorization: Bearer cm_live_YOUR_API_KEY"API keys use the cm_live_ prefix and are hashed with bcrypt before storage. Generate them from Settings → API & MCP.
Check Current User
bash
curl https://YOUR_SERVER/api/v1/auth/me \
-H "Cookie: auth_token=YOUR_JWT_TOKEN"Workspace Scoping
Most API endpoints are scoped to a workspace. Include the workspace ID in the URL path:
bash
# All workspace-scoped endpoints follow this pattern:
curl https://YOUR_SERVER/api/v1/workspaces/:workspace_id/campaigns \
-H "Cookie: auth_token=YOUR_JWT_TOKEN"
# Example: List campaigns in workspace 1
curl https://YOUR_SERVER/api/v1/workspaces/1/campaigns \
-H "Cookie: auth_token=YOUR_JWT_TOKEN"Roles
| Role | Access |
|---|---|
super_admin | Full access to all workspaces, admin panel, system updates |
admin | Admin panel access, manage employees and clients |
employee | Access only assigned workspaces |
client | Limited access to their own workspace |
Rate limiting
Login/register attempts are rate-limited to 5 requests per IP per minute. Authenticated endpoints are limited to 60 requests per user per minute.
Session Management
- JWT tokens expire after 7 days
- API keys do not expire (revoke manually from the dashboard)
- Workspace access is enforced via middleware on every request
- Admin endpoints require
super_adminoradminrole
Public Endpoints (No Auth Required)
| Endpoint | Purpose |
|---|---|
GET /health | System health check |
POST /api/v1/auth/login | User login |
POST /api/v1/auth/register | User registration |
GET /api/v1/setup/status | Onboarding status check |
POST /api/v1/webhooks/ses | AWS SES bounce/complaint webhook |
POST /api/v1/webhooks/resend | Resend webhook |
GET /api/v1/report/:slug/* | Public campaign report |
GET /t/:id/pixel.png | Open tracking pixel |
GET /t/:id/link/* | Click tracking redirect |
GET /unsubscribe/:token | Unsubscribe page |