Before your app can authenticate Vendaze users, you need to register it. Registration is open to any developer with no approval process. Your credentials arrive by email within seconds.
Don’t have a Vendaze account yet? Create one free. New
accounts include a 14-day trial so you can build and test your integration before requesting
access from real users.
Each email address can only be associated with one registered app. If you need to update your
app’s name, redirect URIs, or rotate credentials, use the rotate app
endpoint instead of registering again.
What you need
- A valid email address to receive the credentials (one app per email address)
- At least one HTTPS redirect URI for your OAuth callback
- A decision on which scopes your integration needs
Register via API
Send a POST to /v1/auth/register-app:
curl -X POST https://api.vendaze.com/v1/auth/register-app \
-H "Content-Type: application/json" \
-d '{
"app_name": "My Integration",
"email": "dev@yourapp.com",
"description": "Syncs contacts and deals between Vendaze and MyApp",
"avatar_url": "https://yourapp.com/assets/logo.webp",
"redirect_uris": ["https://yourapp.com/oauth/callback"],
"scopes": ["people:read", "people:write", "deals:read"]
}'
Response (201):
{
"data": {
"app_name": "My Integration",
"client_id": "9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d",
"avatar_url": "https://storage.vendaze.com/assets/integrations/myintegration.jpg",
"message": "Credentials sent by email."
}
}
If the email address is already associated with a registered app, the request is rejected:
Response (409):
{
"error": {
"code": "conflict",
"message": "An app is already registered with this email address.",
"request_id": "01966b3e-7c2a-7000-8f1e-4d3b2a1c0e9f"
}
}
To update an existing app or rotate its credentials, use the rotate app endpoint with your client_id and registered email.
Your client_secret is sent only by email and never returned in the API response. Store it securely as soon as you receive it.
Request parameters
| Parameter | Type | Required | Description |
|---|
app_name | string | Yes | Integration name shown to users on the consent screen. Max 100 chars. |
email | string | Yes | Email where credentials will be sent. Each address can only be associated with one registered app. |
description | string | No | Short description of what your app does. Max 500 chars. |
avatar_url | string | No | HTTPS URL of your app logo. Accepted formats: JPEG, PNG, WebP, GIF, BMP, TIFF. Max 2MB. |
redirect_uris | string[] | Yes | One or more HTTPS URIs for the OAuth callback. Exact match required. |
scopes | string[] | Yes | Scopes your app needs. The user sees the full list on the consent screen and approves or denies everything at once. |
The avatar_url in the response is always a https://storage.vendaze.com URL.
Redirect URIs
URIs must be exact HTTPS URLs. Wildcards and patterns are not accepted:
Accepted: https://yourapp.com/oauth/callback
Accepted: https://yourapp.com/integrations/vendaze/callback
Rejected: https://yourapp.com/oauth/*
Rejected: http://yourapp.com/callback
During local development, http://localhost and http://127.0.0.1 are accepted.
You can register multiple redirect URIs for different environments. At authorization time, the redirect_uri in the request must exactly match one of the registered URIs.
Available scopes
| Scope | Description |
|---|
people:read | Read contacts (people) |
people:write | Create, update, delete people |
companies:read | Read companies |
companies:write | Create, update, delete companies |
deals:read | Read deals |
deals:write | Create, update, delete deals |
tasks:read | Read tasks |
tasks:write | Create, update, delete tasks |
activities:read | Read activities |
activities:write | Create, delete activities |
products:read | Read products |
products:write | Create, update, delete products |
tags:read | Read tags |
tags:write | Create, update, delete tags |
lists:read | Read lists |
lists:write | Create, update, delete lists |
custom_fields:read | Read custom fields and their values |
custom_fields:write | Create, update, delete custom fields |
Requesting a scope during registration does not guarantee access will be granted. On the consent screen, the user sees all requested scopes and can only approve or deny access in full. Individual scope selection is not possible.
Your client_secret is shown only once, in the email you receive after registration. If you lose
it, you can rotate your credentials using your client_id and registered email. Never commit it
to version control or include it in client-side code.
Next step
With your client_id and client_secret, you are ready to implement the OAuth flow. See Authentication to authorize your first user, or Rotate app credentials if you need to update your app later.
Once your integration is fully built and live, you can apply for the Verified badge to have your app listed in the Vendaze marketplace and marked as trusted on the consent screen.