FiniteSkills CRM REST API
Automate your CRM from scripts, integrations and internal tools. Every record module is available over a simple JSON REST API with organization-scoped API keys, role permissions and audit logging built in.
Base URL and format
All requests use JSON over HTTPS against your CRM workspace:
https://crm.finiteskills.comResponses are JSON. Create returns HTTP 201, delete returns HTTP 204, validation problems return HTTP 400 with an error message.
Authentication
1. Create a key
A workspace Admin opens Admin → API Keys in the CRM and creates a named key. The full key is shown exactly once — copy it immediately.
2. Send the header
Pass the key on every request:Authorization: Bearer fsk_…
3. Revoke anytime
Keys can be revoked instantly from the same panel. Only a salted hash is stored server-side; lost keys cannot be recovered, only replaced.
Scoped by design
A key acts inside its own organization only, inherits CRM role and module permissions, and every call is covered by the audit log and your Finite Accounts entitlement.
Secrets encrypted at rest
Webhook signing secrets and mailbox passwords are encrypted in our database, not stored as plain text. Keys are only ever shown to you once, at creation.
Endpoints
| Method | Path | Purpose |
|---|---|---|
| GET | /api/records/{module} | List records (supports paging and search query parameters) |
| POST | /api/records/{module} | Create a record |
| PUT | /api/records/{module}/{id} | Update a record (optimistic version checks supported) |
| DELETE | /api/records/{module}/{id} | Delete a record |
| GET | /api/export/{module}.csv | Export a module as CSV |
| GET | /api/me | Identity behind the key (organization, role) |
Available modules
leads contacts accounts deals pipeline activities tickets campaigns documents products price_books quotes sales_orders purchase_orders invoices vendors cases solutions salesinbox social visits
Examples
List leads:
curl -H "Authorization: Bearer fsk_..." \
https://crm.finiteskills.com/api/records/leadsCreate a lead:
curl -X POST -H "Authorization: Bearer fsk_..." \
-H "Content-Type: application/json" \
-d '{"name": "Asha Rao", "company": "Acme Pumps", "email": "asha@acmepumps.in", "value": 50000}' \
https://crm.finiteskills.com/api/records/leadsWebhooks
Get notified the moment records change instead of polling. A workspace Admin creates webhooks in Admin → Webhooks (or via POST /api/webhooks) with a target URL and optional module/event filters.
Events
create, update and delete for any module, plus a ping test event. Filter by module list or subscribe to everything with *.
Signed payloads
Every delivery carries X-Finite-Signature: sha256=<hmac> — an HMAC-SHA256 of the raw body using your webhook secret. Verify it before trusting the payload.
Automatic retries
Failed deliveries retry with increasing back-off (1 min → 6 h, 6 attempts) before being marked dead. Delivery history is visible per webhook for debugging.
Safe by default
Target URLs must be public http(s) endpoints — private and internal addresses are rejected. Secrets are shown once at creation and can be rotated by recreating the webhook.
Example payload:
{
\"event\": \"create\",
\"module\": \"leads\",
\"record_id\": 42,
\"occurred_at\": \"2026-06-12T10:30:00+00:00\",
\"data\": { \"id\": 42, \"name\": \"Asha Rao\", \"company\": \"Acme Pumps\", \"status\": \"New\" }
}Rate limits and fair use
API requests per minute and webhook endpoints scale with your CRM plan. Exceeding the limit returns HTTP 429 — back off and retry after a minute.
| Plan | API requests / minute | Webhook endpoints |
|---|---|---|
| Free / expired trial | 60 | 1 |
| Standard | 120 | 3 |
| Professional | 240 | 10 |
| Enterprise (and active trials) | 480 | 25 |
| CRM Plus | 600 | 30 |
| Ultimate | 960 | 50 |
Your current limits are returned in the limits object of GET /api/keys and GET /api/webhooks. Higher limits are available on request.