Base URL
All endpoints live under /wp-json/auto-form-crm/v1 (WordPress REST root + namespace). In PHP, rest_url('auto-form-crm/v1') returns the prefix.
Authentication
Browser session: Logged-in users call the API with WordPress REST authenticationβtypically the X-WP-Nonce header populated from autoFormCrmData.nonce plus cookies.
API tokens: Server-side scripts send Authorization: Bearer <token>. ApiTokenAuthentication only intercepts routes whose REST path starts with /auto-form-crm/v1; other namespaces are untouched. A valid token sets the current user to the token owner for the duration of the request.
Major resource groups
- Contacts β CRUD, search, activity, bulk, export/import.
- Tags, lists, filters β Segmentation and saved views.
- Custom fields & values β Schema and picklists.
- Deals & pipeline β Opportunities and stages.
- Tasks β Task CRUD and queries.
- Dashboard β Summary widgets/data.
- Workflows β Workflow CRUD, logs, test endpoints.
- Email β Templates, campaigns, settings.
- Meetings β Types, meetings, booking, availability.
- Integrations & WooCommerce β Connection management and ecommerce analytics.
- Settings, roles, profile β Configuration and user CRM role.
- Webhooks β Under
/profile/webhooksREST paths. - Chat & conversations β Widget and SMS threads.
- Notifications β In-app notification feeds.
Each controller extends shared permission checks. Responses generally follow { success: true, data: β¦ } or a WordPress WP_Error with HTTP status.
Example (curl):
curl -s -H "Authorization: Bearer YOUR_TOKEN" \
"https://example.com/wp-json/auto-form-crm/v1/contacts?per_page=5"Inspect controller files under includes/WordPress/REST/ for exact paths, query args, and required capabilities.
Related: API tokens.