Build Anything on Top of Your CRM Data
Per-org API keys with rate limiting, a webhook lead-capture endpoint, and HMAC-signed outgoing webhooks for 7 event types. Wire Smarfle into your custom dashboards, internal tools, or any third-party automation.
Live in 5 minutes · No setup fee · No long-term contract
When data lives behind a wall
Every service business eventually wants something the CRM doesn't ship — a custom dashboard, a Zapier workflow, a lead pipe from their website. Without an API, you're stuck.
Vendor Lock-In
Without API access, your CRM is a black box. You can't run your own analytics, you can't sync to other tools, you can't automate the things only you would think to automate.
Lead Capture Is Manual
Your website form, your Google Ads landing page, your Facebook lead ad — every channel drops leads into a different inbox and your team retypes them into the CRM.
Integrations Need Webhooks
Modern automation tools (Zapier, Make, n8n) and internal scripts work on push, not pull. Without webhooks, every integration burns API calls polling for changes.
How the API plugs into your stack
Generate an API Key
From org settings, click Generate API Key. Smarfle issues a unique key scoped to your organization. Copy it once — it's hashed at rest and you can rotate it any time.
Hit the Lead Capture Endpoint
POST to /api/webhook/leads with your API key in the header and the lead's contact info. A client record auto-creates with status 'lead' and your team gets a notification.
Subscribe to Outgoing Webhooks
Add a webhook URL in org settings, pick which events to subscribe to (client_created, work_order_completed, invoice_paid, and 4 more), and Smarfle posts HMAC-signed payloads with retry on failure.
Verify the Signature
Every webhook payload is signed with HMAC-SHA256 using your secret. Verify the signature on receive to confirm the request is from Smarfle and not spoofed.
What the API exposes
Per-Org API Keys
Each organization issues and rotates its own API keys. Keys scope to the issuing org — no cross-tenant access, ever, even with a leaked key.
Lead Capture Endpoint
POST /api/webhook/leads accepts contact info from any source — your website form, Google Ads, Facebook, a paper form your receptionist transcribes. Auto-creates a client with status 'lead'.
7 Outgoing Webhook Events
client_created, client_updated, work_order_created, work_order_completed, invoice_sent, invoice_paid, and booking_received. Subscribe to all or just the ones you need.
HMAC-SHA256 Signatures
Every outgoing webhook is signed with HMAC-SHA256 using your shared secret. Verify on receive to reject spoofed requests.
Automatic Retry With Backoff
If your endpoint returns a non-2xx, Smarfle retries with exponential backoff up to 5 times before giving up. Failures are logged and visible in org settings.
Sliding-Window Rate Limiting
API endpoints run behind Upstash Redis sliding-window rate limits. One noisy script can't degrade the service for the rest of your team or other tenants.
cURL Examples in Settings
The API key page in org settings ships with copy-paste cURL examples for the lead capture endpoint and webhook subscription so you can test in 30 seconds.
Industries using API Access
The service businesses that get the most out of this feature, and the specific way each one uses it.
A real API request and response
Real API and webhook usage from Smarfle service businesses running custom integrations.
API Calls
Leads Captured
Webhooks Delivered
Website Form → Lead
94 leads from /contact in last 30 days
Zapier: Job Complete → Slack
247 deliveries, 0 failures
Custom Dashboard Sync
Hourly polls for invoice paid events
Failed Delivery: ngrok endpoint
Retried 5x, dropped after 24h
API questions
REST. Standard HTTP verbs, JSON request and response bodies, predictable resource URLs. Works with any HTTP client in any language.
Include your API key in the Authorization header as 'Bearer <key>' or in the X-API-Key header. Both work. Keys are scoped to your organization and can be rotated from org settings any time.
Smarfle retries with exponential backoff up to 5 attempts over 24 hours. Failures are logged in org settings so you can re-deliver manually once your endpoint is back up.
Yes. Point your webhook URL at an ngrok or webhook.site endpoint. Trigger a test event from org settings and verify the signature against your secret.
Standard rate limits are sliding-window via Upstash Redis. Most workloads never hit them. If you have high-volume integration needs, contact support to discuss elevated limits.
Today the only inbound endpoint is /api/webhook/leads. Outgoing webhooks cover the 7 lifecycle events. Tell us what you need next and we'll add it.
Pricing
API Access Is Included
API keys, lead capture, and outgoing webhooks are included on every plan. Standard pay-as-you-go rates apply to side effects (SMS sent via API, emails sent via API).
$0.003/API call
View all plansPairs well with
Outgoing Webhooks
HMAC-SHA256 signed webhooks for 7 event types with retry and backoff.
Workflow Automation
Trigger webhooks as part of a multi-step automation chain instead of writing your own.
Audit Log
Every API call and webhook delivery is recorded in the org audit trail.
Integrations
Native Stripe, Twilio, Resend, Google, Claude, and more so most use cases never need a custom API call.
Stripe Payments
Programmatic invoicing and Connect payouts pair well with API workflows when you build your own billing dashboard.