v1.0.1
Post-launch fixes
Fix:deals PATCH ignoring stage_id when pipeline_id is omitted: when updating a deal’s stage via PATCH /v1/deals/:id, omitting pipeline_id from the body caused stage_id to be silently ignored. The endpoint now correctly updates the stage when only stage_id is provided, as long as the stage belongs to the deal’s current pipeline.Improvement: X-RateLimit-Reset header now returns Unix timestamp: previously the header returned seconds remaining until reset. It now returns the Unix timestamp of the reset moment, which is easier to use in client-side countdown logic.v1.0.0
Public API v1 launch
Vendaze API v1 is now available to all developers. This is the initial release with full OAuth 2.1 support and the complete set of CRM resources.OAuth 2.1 Authorization Code flow
The authorization system is built on OAuth 2.1 withclient_secret. All token exchanges happen server-side. The client_secret is never returned in any API response: it is delivered once via a secure email link that expires in 15 minutes.GET /oauth/authorize: initiates the authorization flow, redirecting the user to the Vendaze consent screenPOST /oauth/token: exchanges an authorization code for anaccess_tokenandrefresh_token, or renews an expiredaccess_tokenusing arefresh_tokenPOST /oauth/revoke: immediately invalidates anaccess_tokenand its associated authorization grantPOST /v1/auth/register-app: registers a new integrator app and triggers the credential delivery email (public endpoint, no authentication required)POST /v1/auth/rotate-app: rotates theclient_secretfor an existing app, invalidating the previous secret immediately and sending a new credential link to the registered email
Resources available in v1
| Resource | Scopes | Operations |
|---|---|---|
| People | people:read, people:write | Full CRUD |
| Companies | companies:read, companies:write | Full CRUD |
| Deals | deals:read, deals:write | Full CRUD |
POST (create), GET /:id (read by ID), PATCH /:id (update), and DELETE /:id (soft delete). There are no listing endpoints in v1.Idempotency
POST /v1/people, POST /v1/companies, and POST /v1/deals support the Idempotency-Key header. Keys are stored for 24 hours. Sending the same key with the same body returns the original response without reprocessing. Sending the same key with a different body returns 422 with code idempotency_conflict.Webhooks
Workspace owners can configure webhook endpoints in the Vendaze dashboard. Events are signed with HMAC-SHA256 using a per-endpoint secret. Delivery uses at-least-once semantics with 5 retry attempts on failure. Available events at launch:person.created, person.updated, company.created, company.updated, deal.created, deal.updated, activity.created, task.created, task.updated, product.created.MCP Server
The Vendaze MCP server is available athttps://api.vendaze.com/mcp for integration with AI tools such as Claude, Cursor, and GitHub Copilot. The MCP server uses the same OAuth 2.1 authorization as the REST API. See the AI and Automations documentation for setup instructions.