
Connect With OAuth

In order to use OAuth, you'll need to be registered in our partner program. You can learn more about this and apply to be a partner here.

Once you're registered, we'll send you a ClientId and ClientSecret pair. You'll need both of those to follow the instructions on this page.

We use OAuth 2.0 with a code grant flow and no PKCE. If you need help troubleshooting or to update your information, please contact us.

1. Authorization Code

To authorize a user, redirect them to https://account.lessannoyingcrm.com/oauth/authorize.php. Include the following URL params:

  • response_type (required): must be "code"
  • client_id (required): your client id
  • state (optional): will be echoed back in response. Recommended for CSRF protection.
  • redirect_url (optional): must match the redirect URL you provided to us. If included, will also be required by the token endpoint.

We will return by redirecting to your app's redirect URL, along with these params:

  • code: the authorization code, which can be used with the token endpoint.
  • state: echoed from the initial request.

If there is an error, we will include the parameter error along with a brief message.

2. Token Endpoint

To get an API token for a user, send a POST to https://script.lessannoyingcrm.com/oauth/token.php. Include the following header with your request:

  • Base64 encode the string "ClientId:ClientSecret", substituting the ID and secret for your app.
  • Add the header Authorization: Basic BASE_64_STRING_HERE

The body of the request should be JSON. The same endpoint handles token and refresh requests.

Token Grant

Exchange the authorization code from step one for an API token.

Request:

{
    "grant_type": "authorization_code",
    "code": "AUTH_CODE_HERE",
    "redirect_url": "only if included in the authorization request"
}

Response:

{
    "access_token": "ACCESS_TOKEN_HERE",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "REFRESH_TOKEN_HERE"
}

Refresh Grant

The access token expires in 1 hour. Exchange a refresh token (good for 30 days) for a new access token using the same endpoint and auth. Refresh tokens may only be used a single time; multiple uses will be assumed to indicate a man-in-the-middle attack.

Request:

{
    "grant_type": "refresh_token",
    "refresh_token": "REFRESH_TOKEN_HERE"
}

If successful, the response will look the same as the original token grant.

Errors

Failures at the token endpoint will return a 4XX HTTP code, along with a message.

3. API Access

Include the access token with an API request as a bearer token in an authorization header:

Authorization: Bearer ACCESS_TOKEN_HERE
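
The three steps above from the client's side, as an added example (not Less Annoying CRM's own code): it generates and verifies state, builds the Basic-authenticated JSON token request, and replaces the single-use refresh token after every grant. The function and class names, the Content-Type header and the 60-second refresh margin are assumptions.

```python
import base64, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode
from urllib.request import Request

AUTHORIZE_URL = "https://account.lessannoyingcrm.com/oauth/authorize.php"
TOKEN_URL = "https://script.lessannoyingcrm.com/oauth/token.php"

def build_authorize_url(client_id, redirect_url=None):
    """Return (url, state); store state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # unguessable, one per login attempt
    params = {"response_type": "code", "client_id": client_id, "state": state}
    if redirect_url:
        params["redirect_url"] = redirect_url  # must then be repeated at the token endpoint
    return AUTHORIZE_URL + "?" + urlencode(params), state

def code_from_callback(query_string, expected_state):
    """Validate the redirect back to the app and return the authorization code."""
    q = {k: v[0] for k, v in parse_qs(query_string).items()}
    if not hmac.compare_digest(q.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not tied to this session")
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"])
    if not q.get("code"):
        raise ValueError("callback carried no code")
    return q["code"]

def token_request(client_id, client_secret, body):
    """Build (not send) the POST used for both grants; pass it to urlopen() to send."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/json"}  # assumption: label the JSON body
    return Request(TOKEN_URL, data=json.dumps(body).encode(), headers=headers, method="POST")

class TokenSet:
    """One user's tokens. Refresh tokens are single-use, so every response rotates them."""
    def __init__(self, response, now=None):
        self.update(response, now)

    def update(self, response, now=None):
        now = time.time() if now is None else now
        self.access_token = response["access_token"]
        self.refresh_token = response["refresh_token"]  # replaces the spent token
        self.expires_at = now + response["expires_in"] - 60  # assumed 60 s safety margin

    def needs_refresh(self, now=None):
        return (time.time() if now is None else now) >= self.expires_at

    def refresh_body(self):
        return {"grant_type": "refresh_token", "refresh_token": self.refresh_token}
```

Serialize refreshes per user so that two workers never submit the same refresh token, since a second use is treated as a sign of interception.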