Public REST API • v1

MWG CRM API

The MWG CRM API lets external applications read and modify CRM data. Generate an API key from /admin/api-keys (admin access required), then pass it as a Bearer token in the Authorization header.

Authentication

All requests require a Bearer token in the Authorization header.

curl https://mwg-crm.vercel.app/v1/leads \
  -H "Authorization: Bearer mwg_live_..."

Keys are scoped per-environment. Treat them like passwords — never commit them to source control.

Rate limits

Default limit is 60 requests per minute, per key. Higher limits are configurable on each key. Every response carries the current state in headers:

  • X-RateLimit-Limit
  • X-RateLimit-Remaining
  • X-RateLimit-Reset

Exceeding the limit returns 429 with a Retry-After header indicating seconds to wait.

Error format

Errors return a canonical envelope:

{
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Field 'email' is invalid.",
    "details": { "field": "email" }
  }
}

Codes:

  • UNAUTHORIZED
  • FORBIDDEN
  • NOT_FOUND
  • VALIDATION_ERROR
  • RATE_LIMITED
  • CONFLICT
  • INTERNAL_ERROR
  • KEY_REVOKED
  • KEY_EXPIRED

Pagination

Collection endpoints accept ?page=N&pageSize=M. Maximum pageSize is 200; default is 50.

{
  "data": [ ... ],
  "meta": {
    "page": 1,
    "pageSize": 50,
    "total": 1287
  }
}
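
An added example, not the project's own client code: it combines the Bearer header, the 429/Retry-After rule, the error envelope and the pagination meta block described above. The MWG_API_KEY environment variable, the function names and the injectable transport are assumptions made for illustration.

```python
import json
import os
import time
import urllib.error
import urllib.request

BASE_URL = "https://mwg-crm.vercel.app/v1"  # host from the curl example on this page

class ApiError(Exception):
    """Carries the fields of the documented error envelope."""
    def __init__(self, status, code, message, details=None):
        super().__init__(f"HTTP {status} {code}: {message}")
        self.status, self.code, self.details = status, code, details

def http_get(url, headers):
    """Default transport; returns (status, lower-cased headers, body bytes)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read()

def fetch_all(path, api_key=None, transport=http_get, sleep=time.sleep,
              page_size=200, max_retries=3):
    """Return every item of a collection endpoint such as /leads."""
    # MWG_API_KEY is an assumed variable name; the key never lives in source.
    api_key = api_key or os.environ["MWG_API_KEY"]
    headers = {"Authorization": f"Bearer {api_key}"}
    items, page = [], 1
    while True:
        url = f"{BASE_URL}{path}?page={page}&pageSize={page_size}"
        for attempt in range(max_retries + 1):
            status, resp_headers, body = transport(url, headers)
            if status != 429 or attempt == max_retries:
                break
            # Only 429 is retried, after the wait the server asked for.
            sleep(int(resp_headers.get("retry-after", "1")))
        payload = json.loads(body)
        if status >= 400:
            # KEY_REVOKED, KEY_EXPIRED, FORBIDDEN etc. fail immediately.
            err = payload.get("error", {})
            raise ApiError(status, err.get("code", "INTERNAL_ERROR"),
                           err.get("message", ""), err.get("details"))
        items.extend(payload["data"])
        meta = payload["meta"]
        if not payload["data"] or meta["page"] * meta["pageSize"] >= meta["total"]:
            return items
        page += 1
```

Catch ApiError in the caller and branch on its code attribute; a KEY_REVOKED or KEY_EXPIRED result should stop the integration and trigger key rotation rather than another retry.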

Versioning

Every endpoint is namespaced under /v1. We commit to 12 months' notice before deprecating any /v1 endpoint. Breaking changes ship as /v2; the old contract continues to work during the deprecation window.

Contact

Questions, key requests, or integration support:
crm-support@morganwhite.com


The interactive reference below is generated from the live OpenAPI spec at /api/openapi.json. Use the Try it panel on any operation — paste your own bearer token; we never store credentials in the page.