API Tokens

Create tokens for server-to-server access to the REST API.

Overview

API tokens let external systems call the auto-form-crm/v1 REST namespace without a browser cookie. Only a hash of each token is stored; the plaintext secret is shown once, when the token is created, and cannot be retrieved afterwards, so copy it at that point.

Creating tokens

Use the API keys/tokens section of the CRM UI (under profile or settings, depending on version). Grant each token only the scopes the calling system actually needs.

Using tokens

Send the secret in an Authorization: Bearer <token> header. The service validates the presented secret against the stored hash, loads the WordPress user the token is linked to, and then applies the same permission checks as a cookie-authenticated session, so a token can never do more than its linked user could.

Scopes vs capabilities

For tokenized requests, BaseController adds a second check on top of the linked user's capabilities: certain WordPress capabilities are mapped to token scopes, and the token must carry the mapped scope as well. The mappings are:

    auto_form_crm_view_contacts      -> contacts:read
    create/edit contact capabilities -> contacts:write
    delete contact capability        -> contacts:delete
    auto_form_crm_manage_tags        -> tags:manage
    auto_form_crm_manage_settings    -> custom_fields:manage

Capabilities without a mapping are enforced only through the linked user's role; no scope is consulted for them.
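The validation path and the scope mapping described above, as an added PHP example (not the plugin's own code). The token store layout, the use of sha256 for the at-rest hash, and the capability names for create, edit and delete contacts are assumptions made for this example; the page only names the view, manage_tags and manage_settings capabilities.

```php
<?php
declare(strict_types=1);
// Added illustration only; not auto-form-crm code. Models a tokenized request:
// parse the Bearer header, match the secret against hashes at rest, check the
// linked user's capability, then require the mapped scope where one exists.
// Store layout, sha256 hashing and the create/edit/delete capability names are
// assumptions made for the example.

// Capability -> token scope. Create/edit/delete capability names are assumed.
const CAP_TO_SCOPE = [
    'auto_form_crm_view_contacts'   => 'contacts:read',
    'auto_form_crm_create_contacts' => 'contacts:write',
    'auto_form_crm_edit_contacts'   => 'contacts:write',
    'auto_form_crm_delete_contacts' => 'contacts:delete',
    'auto_form_crm_manage_tags'     => 'tags:manage',
    'auto_form_crm_manage_settings' => 'custom_fields:manage',
];

/** Return the secret from an "Authorization: Bearer <token>" value, or null if absent or malformed. */
function bearer_secret(string $authorization): ?string
{
    return preg_match('/^Bearer\s+(\S+)$/i', trim($authorization), $m) === 1 ? $m[1] : null;
}

/** Hash the presented secret and compare it in constant time against each stored, unrevoked hash. */
function find_token(string $secret, array $store): ?array
{
    $digest = hash('sha256', $secret);
    foreach ($store as $record) {
        if (!$record['revoked'] && hash_equals($record['hash'], $digest)) {
            return $record;
        }
    }
    return null;
}

/**
 * Decide whether a tokenized request may perform an action that requires $cap.
 * Returns a reason string rather than a bool so each refusal is distinguishable in logs.
 */
function authorize(string $authorization, string $cap, array $store, array $userCaps): string
{
    $secret = bearer_secret($authorization);
    if ($secret === null) {
        return 'no_token';
    }
    $token = find_token($secret, $store);
    if ($token === null) {
        return 'invalid_or_revoked_token';
    }
    // Same check a cookie session gets: the linked user must hold the capability.
    if (!in_array($cap, $userCaps[$token['user_id']] ?? [], true)) {
        return 'user_lacks_capability';
    }
    // Extra enforcement for tokens: a mapped capability also needs its scope.
    // Unmapped capabilities fall through and rely on the user role alone.
    $scope = CAP_TO_SCOPE[$cap] ?? null;
    if ($scope !== null && !in_array($scope, $token['scopes'], true)) {
        return 'token_lacks_scope';
    }
    return 'ok';
}

// Constructed sample data for the demo; the secret is not a real token.
$secret = 'afc_example_read_only_secret';
$store = [
    ['user_id' => 7, 'hash' => hash('sha256', $secret), 'scopes' => ['contacts:read'], 'revoked' => false],
];
// User 7 can view and delete contacts through the normal role system.
$userCaps = [7 => ['auto_form_crm_view_contacts', 'auto_form_crm_delete_contacts']];

foreach ([
    ['Bearer ' . $secret, 'auto_form_crm_view_contacts'],    // user has cap, token has scope
    ['Bearer ' . $secret, 'auto_form_crm_delete_contacts'],  // user has cap, token lacks contacts:delete
    ['Bearer ' . $secret, 'auto_form_crm_manage_tags'],      // user lacks cap; scope is never consulted
    ['Bearer not-a-real-secret', 'auto_form_crm_view_contacts'],
    ['Basic dXNlcjpwYXNz', 'auto_form_crm_view_contacts'],   // not a bearer token at all
] as [$header, $cap]) {
    printf("%-32s %s\n", $cap, authorize($header, $cap, $store, $userCaps));
}
```

Run it with the php command-line interpreter. The second call is the one the mapping exists for: user 7 holds auto_form_crm_delete_contacts, so a cookie session could delete, but a token scoped only to contacts:read is refused. The third call shows that scopes never widen access: a token cannot grant a capability the linked user lacks, which is why the capability check runs before the scope check.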

Rotate or revoke a compromised token immediately; a leaked secret stays valid until it is revoked. The server keeps only the hash after creation, so treat the plaintext copy on the calling system like a password and keep it out of source control and logs.

Related: REST API reference.