Authentication

All API requests require Bearer token authentication. Create a token in Settings > Developer of your workspace. The token shown on creation is the complete token to use — copy it entirely in Authorization: Bearer, it's only shown once.

Direct REST API access, OAuth2 (Zapier and other integrations), and API token creation are reserved for paid plans (Pro, Team or Enterprise).

Authentication header

Authorization: Bearer YOUR_TOKEN

Obtain an API token

  1. Register on LetsLigo if you don't have an account yet.
  2. Go to your workspace > Settings > Developer, then create a token (Pro, Team or Enterprise plan required). Copy the complete token shown (it's shown only once) — this is what you use in Authorization: Bearer.
  3. Use the token in the Authorization header.

OAuth2 Authentication

OAuth2 allows third-party applications (e.g. Zapier integrations) to access the LetsLigo API on behalf of a user without sharing their password. Use the authorization_code flow. An active Pro, Team or Enterprise workspace is required.

1. Redirect to the authorization screen

Send the user to /oauth2/authorize with your client parameters. They log in to LetsLigo and authorize your application.

GET /oauth2/authorize
  ?response_type=code
  &client_id=YOUR_CLIENT_ID
  &redirect_uri=https://yourapp.example/callback
  &scope=read write
  &state=RANDOM_STATE

2. Exchange the code for tokens

After authorization, you receive a code. Exchange it for an access_token and refresh_token via POST /oauth2/token.

POST /oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=CODE_FROM_CALLBACK
&redirect_uri=https://yourapp.example/callback
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET

Response:

{
  "token_type": "Bearer",
  "expires_in": 3600,
  "access_token": "ACCESS_TOKEN",
  "refresh_token": "REFRESH_TOKEN"
}

3. Refresh the token

The access_token expires. Use the refresh_token to obtain a new one via POST /oauth2/token (grant_type=refresh_token).

POST /oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
&refresh_token=REFRESH_TOKEN
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET

Available scopes

Scope Description
read Read — read access to contacts, tasks, pipeline and companies
write Write — create and update contacts, tasks and notes

Webhooks

Webhooks (REST Hooks) let your third-party applications — such as Zapier — react to workspace events in real time. You subscribe a URL to an event type; when the event occurs, LetsLigo sends a POST request carrying the event payload to that URL.

Event types

Event Description
contact.created A new contact was created in the workspace.
contact.updated An existing contact was updated.
task.created A new task was created for a contact.
contact.pipeline_changed A contact moved to a different CRM pipeline state.

Request signing

Every webhook request is signed. LetsLigo adds an X-LetsLigo-Signature header containing an HMAC-SHA256 of the request body, computed with the subscription secret. Verify this signature to ensure the event is authentic.

X-LetsLigo-Signature: sha256=HMAC_SHA256(body, subscription_secret)

Managing subscriptions

Use the API to create, list and delete your webhook subscriptions. The sample endpoint returns an example payload to set up field mapping on the Zapier side.

POST   /api/webhooks/subscriptions
GET    /api/webhooks/subscriptions
DELETE /api/webhooks/subscriptions/{id}
GET    /api/webhooks/samples/{event}