Authentication
All API requests require Bearer token authentication. Create a token in Settings > Developer of your workspace. The token shown on creation is the complete token to use — copy it entirely in Authorization: Bearer, it's only shown once.
Direct REST API access, OAuth2 (Zapier and other integrations), and API token creation are reserved for paid plans (Pro, Team or Enterprise).
Authentication header
Authorization: Bearer YOUR_TOKEN
Obtain an API token
- Register on LetsLigo if you don't have an account yet.
- Go to your workspace > Settings > Developer, then create a token (Pro, Team or Enterprise plan required). Copy the complete token shown (it's shown only once) — this is what you use in Authorization: Bearer.
- Use the token in the Authorization header.
OAuth2 Authentication
OAuth2 allows third-party applications (e.g. Zapier integrations) to access the LetsLigo API on behalf of a user without sharing their password. Use the authorization_code flow. An active Pro, Team or Enterprise workspace is required.
1. Redirect to the authorization screen
Send the user to /oauth2/authorize with your client parameters. They log in to LetsLigo and authorize your application.
GET /oauth2/authorize
?response_type=code
&client_id=YOUR_CLIENT_ID
&redirect_uri=https://yourapp.example/callback
&scope=read write
&state=RANDOM_STATE
2. Exchange the code for tokens
After authorization, you receive a code. Exchange it for an access_token and refresh_token via POST /oauth2/token.
POST /oauth2/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&code=CODE_FROM_CALLBACK
&redirect_uri=https://yourapp.example/callback
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
Response:
{
"token_type": "Bearer",
"expires_in": 3600,
"access_token": "ACCESS_TOKEN",
"refresh_token": "REFRESH_TOKEN"
}
3. Refresh the token
The access_token expires. Use the refresh_token to obtain a new one via POST /oauth2/token (grant_type=refresh_token).
POST /oauth2/token
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token
&refresh_token=REFRESH_TOKEN
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
Available scopes
| Scope | Description |
|---|---|
| read | Read — read access to contacts, tasks, pipeline and companies |
| write | Write — create and update contacts, tasks and notes |
Webhooks
Webhooks (REST Hooks) let your third-party applications — such as Zapier — react to workspace events in real time. You subscribe a URL to an event type; when the event occurs, LetsLigo sends a POST request carrying the event payload to that URL.
Event types
| Event | Description |
|---|---|
| contact.created | A new contact was created in the workspace. |
| contact.updated | An existing contact was updated. |
| task.created | A new task was created for a contact. |
| contact.pipeline_changed | A contact moved to a different CRM pipeline state. |
Request signing
Every webhook request is signed. LetsLigo adds an X-LetsLigo-Signature header containing an HMAC-SHA256 of the request body, computed with the subscription secret. Verify this signature to ensure the event is authentic.
X-LetsLigo-Signature: sha256=HMAC_SHA256(body, subscription_secret)
Managing subscriptions
Use the API to create, list and delete your webhook subscriptions. The sample endpoint returns an example payload to set up field mapping on the Zapier side.
POST /api/webhooks/subscriptions
GET /api/webhooks/subscriptions
DELETE /api/webhooks/subscriptions/{id}
GET /api/webhooks/samples/{event}