Developer

API Reference

REST API documentation for developers. Authentication, endpoints, webhooks, and integration patterns.

Overview

CMO ALTO exposes a RESTful API that allows you to integrate with third-party systems, build custom workflows, and extend the platform's functionality.

Base URL

https://www.cmogroup-alto.io/api/v1

Key concepts

Authentication — JWT bearer tokens for all requests
Rate Limiting — 100 requests/minute per user (configurable)
Pagination — cursor-based pagination on list endpoints
Versioning — API version in URL path (/api/v1)

Authentication

Obtaining Tokens

POST /api/v1/auth/login
Content-Type: application/json

{
  "email": "admin@example.com",
  "password": "your-password"
}

Response includes accessToken and refreshToken.

Using Tokens

Authorization: Bearer <accessToken>

Refreshing Tokens

POST /api/v1/auth/refresh
{ "refreshToken": "<refreshToken>" }

Core Endpoints

GET/usersList users (paginated)

POST/usersCreate a new user

GET/users/:idGet user by ID

PATCH/users/:idUpdate user

GET/tenantsList tenants (Super Admin)

POST/tenantsCreate tenant

GET/employeesList employees

GET/invoicesList invoices

POST/invoicesCreate invoice

GET/leadsList CRM leads

POST/leadsCreate lead

GET/projectsList projects

Webhooks

Configure webhooks to receive real-time notifications when events occur in CMO ALTO.

Setting Up Webhooks

Navigate to Admin → Developer → Webhooks.
Click “Add Webhook”.
Enter the endpoint URL, select events, and set a secret key.
CMO ALTO sends a POST request with a JSON payload for each event.

Available Events

user.created, user.updated
invoice.created, invoice.paid
lead.created, lead.converted
leave.requested, leave.approved
payroll.processed

Best Practices

Always use HTTPS for API calls.
Implement token refresh logic — access tokens expire in 15 minutes by default.
Handle rate limits gracefully — implement exponential backoff on 429 responses.
Validate webhook signatures using the HMAC-SHA256 header to prevent spoofing.
Use pagination for list endpoints — never fetch all records at once.
Test in sandbox before deploying to production.

FAQ

Is there a sandbox environment?

Yes. Your admin can provision a sandbox tenant from Admin → Developer → Sandbox. API keys for sandbox are separate from production.

What's the rate limit?

100 requests per minute per user by default. Contact your admin for elevated limits for integrations.

Can I use GraphQL?

Currently, CMO ALTO offers REST APIs only. GraphQL is on the roadmap.

All Documentation