> ## Documentation Index
> Fetch the complete documentation index at: https://developers.vendaze.com/llms.txt
> Use this file to discover all available pages before exploring further.

# April 2026

> Launch of Vendaze API v1.0.0 with full OAuth 2.1 support, all CRM resources, and MCP Server.

<Update label="v1.0.1" date="2026-04-15">
  ## Post-launch fixes

  **Fix: `deals` PATCH ignoring `stage_id` when `pipeline_id` is omitted:** when updating a deal's stage via `PATCH /v1/deals/:id`, omitting `pipeline_id` from the body caused `stage_id` to be silently ignored. The endpoint now correctly updates the stage when only `stage_id` is provided, as long as the stage belongs to the deal's current pipeline.

  **Improvement: `X-RateLimit-Reset` header now returns Unix timestamp:** previously the header returned seconds remaining until reset. It now returns the Unix timestamp of the reset moment, which is easier to use in client-side countdown logic.
</Update>

<Update label="v1.0.0" date="2026-04-01">
  ## Public API v1 launch

  Vendaze API v1 is now available to all developers. This is the initial release with full OAuth 2.1 support and the complete set of CRM resources.

  ### OAuth 2.1 Authorization Code flow

  The authorization system is built on OAuth 2.1 with `client_secret`. All token exchanges happen server-side. The `client_secret` is never returned in any API response: it is delivered once via a secure email link that expires in 15 minutes.

  * `GET /oauth/authorize`: initiates the authorization flow, redirecting the user to the Vendaze consent screen
  * `POST /oauth/token`: exchanges an authorization code for an `access_token` and `refresh_token`, or renews an expired `access_token` using a `refresh_token`
  * `POST /oauth/revoke`: immediately invalidates an `access_token` and its associated authorization grant
  * `POST /v1/auth/register-app`: registers a new integrator app and triggers the credential delivery email (public endpoint, no authentication required)
  * `POST /v1/auth/rotate-app`: rotates the `client_secret` for an existing app, invalidating the previous secret immediately and sending a new credential link to the registered email

  ### Resources available in v1

  | Resource  | Scopes                              | Operations |
  | --------- | ----------------------------------- | ---------- |
  | People    | `people:read`, `people:write`       | Full CRUD  |
  | Companies | `companies:read`, `companies:write` | Full CRUD  |
  | Deals     | `deals:read`, `deals:write`         | Full CRUD  |

  Each resource supports `POST` (create), `GET /:id` (read by ID), `PATCH /:id` (update), and `DELETE /:id` (soft delete). There are no listing endpoints in v1.

  ### Idempotency

  `POST /v1/people`, `POST /v1/companies`, and `POST /v1/deals` support the `Idempotency-Key` header. Keys are stored for 24 hours. Sending the same key with the same body returns the original response without reprocessing. Sending the same key with a different body returns `422` with code `idempotency_conflict`.

  ### Webhooks

  Workspace owners can configure webhook endpoints in the Vendaze dashboard. Events are signed with HMAC-SHA256 using a per-endpoint secret. Delivery uses at-least-once semantics with 5 retry attempts on failure. Available events at launch: `person.created`, `person.updated`, `company.created`, `company.updated`, `deal.created`, `deal.updated`, `activity.created`, `task.created`, `task.updated`, `product.created`.

  ### MCP Server

  The Vendaze MCP server is available at `https://api.vendaze.com/mcp` for integration with AI tools such as Claude, Cursor, and GitHub Copilot. The MCP server uses the same OAuth 2.1 authorization as the REST API. See the [AI and Automations](/en/ai/overview) documentation for setup instructions.

  ### SDKs

  No official SDKs are available at this time. The API follows standard REST and HTTP conventions and works with any HTTP client. Community SDKs are welcome.
</Update>
