CallMineAI Docs
Home
  • Introduction
  • Architecture
  • Installation
  • Web installer
  • Configuration
  • Deployment
  • Customer panel
  • Admin panel
  • Agents & Voices
  • Campaigns & Calls
  • Billing & Credits
  • Telephony (Twilio)
  • Voice & AI
  • SIP trunks
  • Messaging
  • REST API
Home
  • Introduction
  • Architecture
  • Installation
  • Web installer
  • Configuration
  • Deployment
  • Customer panel
  • Admin panel
  • Agents & Voices
  • Campaigns & Calls
  • Billing & Credits
  • Telephony (Twilio)
  • Voice & AI
  • SIP trunks
  • Messaging
  • REST API
  • Getting started

    • Introduction
    • Architecture
    • Installation
    • Web installer
    • Configuration
    • Deployment
  • Using CallMineAI

    • Customer Guide
    • Agents & Voices
    • Campaigns & Calls
    • Billing & Credits
  • Administration

    • Admin Guide
    • Roles & permissions
    • Localization
  • Integrations

    • Telephony (Twilio)
    • Voice & AI
    • SIP trunks
    • Messaging
    • REST API
  • Help

    • FAQ & troubleshooting

REST API

The REST API add-on exposes a workspace's calling data — calls, contacts, campaigns, agents, credits, analytics, and webhooks — over an authenticated, scoped, rate-limited HTTP API under /api/v1.

It is plan-gated by the api_enabled feature; the customer-facing key management screen and routes are protected by plan.feature:api. Plans also expose api_keys_limit (how many keys a workspace may hold) and api_rate_limit_per_min (the default per-key rate limit). See Billing & credits for plan features.

Creating an API key

Generate keys in the customer panel at /app/api-keys. When creating a key you set:

  • a name (label),
  • the scopes it may use,
  • an optional IP whitelist (requests from other IPs are rejected),
  • a per-key rate limit (requests per minute; defaults to 100).

A key is issued as prefix.secret, where the prefix looks like cmk_XXXXXXXX. The full token is shown once at creation and only the bcrypt hash of the secret is stored.

Copy the token now

The secret is displayed a single time immediately after creation and can never be retrieved again. If lost, revoke the key and issue a new one.

Keys can be revoked (disabled but retained for audit) or deleted. A workspace cannot create more keys than its plan's api_keys_limit.

Authentication

Send the full token as a Bearer credential:

curl https://your-app.example.com/api/v1/calls \
  -H "Authorization: Bearer cmk_ab12cd34.PLAINTEXT_SECRET_SHOWN_ONCE"

The key is resolved by prefix and the secret verified against its hash; revoked, expired, or IP-mismatched keys are rejected with 401.

Scopes

Each route requires a scope. A key with the admin scope satisfies every scope check (wildcard).

ScopeGrants
calls:readList and read calls
calls:writeTrigger and hang up calls
campaigns:readList and read campaigns
campaigns:writeCreate, launch, and pause campaigns
agents:readList and read agents
agents:writeReserved for agent writes
contacts:readList and read contacts
contacts:writeCreate, bulk-import, and delete contacts
credits:readRead the credit balance
analytics:readRead analytics
webhooks:readList webhooks
webhooks:writeCreate and delete webhooks
adminWildcard — satisfies all scopes

A request with a valid key but a missing scope returns 403.

Rate limiting

Every key is throttled at its own rate_limit_per_min. Responses carry the standard headers, and an exceeded limit returns 429 with a Retry-After header.

HeaderMeaning
X-RateLimit-LimitRequests allowed per minute
X-RateLimit-RemainingRequests left in the current window
Retry-AfterSeconds to wait after a 429

Endpoints

All endpoints live under /api/v1 and are scoped to the calling key's workspace.

MethodPathScopePurpose
GET/api/v1/callscalls:readList calls
POST/api/v1/callscalls:writeTrigger a call (queues it)
GET/api/v1/calls/{call}calls:readGet one call
POST/api/v1/calls/{call}/hangupcalls:writeHang up a call
GET/api/v1/campaignscampaigns:readList campaigns
POST/api/v1/campaignscampaigns:writeCreate a campaign
GET/api/v1/campaigns/{campaign}campaigns:readGet one campaign
POST/api/v1/campaigns/{campaign}/launchcampaigns:writeLaunch a campaign
POST/api/v1/campaigns/{campaign}/pausecampaigns:writePause a campaign
GET/api/v1/agentsagents:readList agents
GET/api/v1/agents/{agent}agents:readGet one agent
GET/api/v1/contactscontacts:readList contacts
POST/api/v1/contactscontacts:writeCreate a contact
POST/api/v1/contacts/bulkcontacts:writeBulk import contacts (deduped)
GET/api/v1/contacts/{contact}contacts:readGet one contact
DELETE/api/v1/contacts/{contact}contacts:writeDelete a contact
GET/api/v1/creditscredits:readCurrent credit balance
GET/api/v1/analyticsanalytics:readCalling analytics
GET/api/v1/webhookswebhooks:readList webhooks
POST/api/v1/webhookswebhooks:writeCreate a webhook
DELETE/api/v1/webhooks/{webhook}webhooks:writeDelete a webhook

Example: trigger a call

curl -X POST https://your-app.example.com/api/v1/calls \
  -H "Authorization: Bearer cmk_ab12cd34.PLAINTEXT_SECRET_SHOWN_ONCE" \
  -H "Content-Type: application/json" \
  -d '{"agent_id": 1, "contact_id": 42}'

Audit logging

Every /api/v1 request is recorded to an audit log (method, path, key, status, and a per-request X-Request-Id), giving a full trail of API activity per key.

Interactive docs

The OpenAPI spec and a Swagger playground are public (no key required to view):

GET /api/docs                 # OpenAPI 3 JSON spec
GET /api/docs/playground      # Swagger UI — try requests in the browser

Paste a Bearer token into the playground's authorize dialog to exercise the endpoints live against your own workspace.

Last Updated: 7/9/26, 7:12 AM
Prev
Messaging