Home Integration API reference

Integration API reference

REST API for integrations and external apps

Team management

Team management endpoints cover staff users, business roles, and sales commission agents. They use the same permission checks as the web Team management area (Users, Roles, and commission agents).

List users

Lists staff users for the current business. Commission agents are excluded from this endpoint.

Endpoint summary

PropertyValue
MethodGET
Path/api/v1/integration/users
AuthenticationBearer token or API key + secret required.
Permissionuser.view or user.create
ScopeOnly user_type = user rows with is_cmmsn_agnt = 0 are returned.
CSV behaviorformat=csv streams all matching rows with a UTF-8 BOM and ignores pagination.
Success response200 with paginated UserListItem rows.

Query parameters

ParameterTypeRequiredDescription
per_pageintegerNoResults per page from 1 to 100. Defaults to 20.
pageintegerNoPagination page number.
role_idintegerNoFilter by a business role id.
statusstringNoactive, inactive, 1, or 0.
qstringNoMinimum 2 characters when sent. Matches full name, email, username, or contact number.
searchstringNoLegacy free-text search alias used when q is absent.
sortstringNoname, username, email, status, or created_at. Defaults to created_at.
directionstringNoasc or desc. Defaults to desc.
formatstringNojson (default) or csv.

UserListItem object

FieldTypeDescription
idintegerStaff user id.
usernamestring | nullLogin username when login is enabled.
emailstring | nullUser email address.
full_namestringDisplay name assembled from surname, first name, and last name.
contact_numberstring | nullContact number stored on the user record.
statusstringactive or inactive.
allow_loginbooleanWhether the user can log in.
role_namestring | nullCurrent role display name.
created_atstring | nullISO-8601 creation timestamp.

Top-level JSON response

FieldTypeDescription
dataarray<UserListItem>Paginated staff user rows.
meta.current_page, meta.last_page, meta.per_page, meta.totalintegerPagination metadata.

Status codes

StatusWhen it happensResponse shape
200Users were returned successfully.JSON { "data": [...], "meta": { ... } } or CSV download.
403The token user lacks list access.{ "message": "Unauthorized" }
422The query string failed validation, such as a 1-character q.Laravel validation JSON or { "message": string }.
500The list query or CSV export failed unexpectedly.{ "message": "Could not list users" }

Get user

Returns one staff user from the current business.

Endpoint summary

PropertyValue
MethodGET
Path/api/v1/integration/users/{id}
Permissionuser.view
ScopeSame staff-user scope as List users.
CSV behaviorformat=csv streams one row with a data_json column.
Success response200 with a UserDetail object.

Query parameters

ParameterTypeRequiredDescription
formatstringNojson (default) or csv.

UserDetail object

FieldTypeDescription
idintegerStaff user id.
usernamestring | nullLogin username.
surname, first_name, last_namestring | nullName fields stored on the user.
full_namestringCollapsed display name.
email, contact_numberstring | nullPrimary communication fields.
statusstringactive or inactive.
allow_loginbooleanWhether the user can log in.
languagestring | nullUser language key.
role_idinteger | nullCurrent role id.
role_namestring | nullCurrent role display name.
selected_contactsbooleanWhether the user is limited to a selected contact list.
contact_accessarray<object>Allowed contact rows. Each item contains id and name.
permitted_locations.scopestringall or locations.
permitted_locations.location_idsarray<integer> | nullLocation ids when the scope is locations.
created_at, updated_atstring | nullISO-8601 timestamps.

Success response

FieldTypeDescription
dataUserDetailDetailed staff user payload.

Status codes

StatusWhen it happensResponse shape
200The user was returned successfully.{ "data": UserDetail } or CSV download.
403The token user lacks user.view.{ "message": "Unauthorized" }
404The user id does not exist in the current business or is not a staff user.{ "message": "Not found" }

Create user

Creates a new staff user using the same core workflow as the web Users screen.

Endpoint summary

PropertyValue
MethodPOST
Path/api/v1/integration/users
Permissionuser.create
Demo modeReturns 403 in demo environments.
Subscription ruleReturns 402 when package enforcement is active and the business is not subscribed.
User quotaChecks the business user quota before creation and returns 422 when the quota is exhausted.
Request encodingapplication/json
Success response201 with a UserDetail object.

Request body

FieldTypeRequiredDescription
first_namestringYesPrimary user name field.
surname, last_namestring | nullNoOptional additional name fields.
emailstring | nullNoEmail address.
roleintegerYesRole id belonging to the current business.
allow_loginbooleanNoWhether the user should be login-capable. Defaults to false.
usernamestring | nullNoOptional username. When login is enabled and this is blank, the platform generates one.
passwordstring | nullConditionalRequired when allow_login is true. Minimum length is 6 characters.
is_activebooleanNoDefaults to true.
location_access.scopestringYesall or locations.
location_access.location_idsarray<integer> | nullConditionalRequired when location_access.scope is locations. All ids must belong to the current business.
selected_contactsbooleanNoWhether the user should be limited to a chosen set of contacts.
selected_contact_idsarray<integer> | nullNoOptional contact ids for the current business.

Status codes

StatusWhen it happensResponse shape
201The user was created successfully.{ "data": UserDetail }
402The business is not subscribed when package enforcement is active.{ "message": string }
403Demo mode is active or the token user lacks user.create.{ "message": string }
422The payload failed validation, the user quota is exhausted, referenced locations/contacts do not belong to the business, or the create pipeline rejected the request.Laravel validation JSON or { "message": string }.
500The create pipeline returned an unexpected result.{ "message": "something_went_wrong" }

Update user

Updates an existing staff user and replaces role, location access, and selected contact access using the same core workflow as the web edit form.

Endpoint summary

PropertyValue
MethodsPATCH or PUT
Path/api/v1/integration/users/{id}
Permissionuser.update
Demo modeReturns 403 in demo environments.
Subscription ruleReturns 402 when package enforcement is active and the business is not subscribed.
Request encodingapplication/json
Success response200 with the updated UserDetail object.

Request body

FieldTypeRequiredDescription
roleintegerYesReplacement role id belonging to the current business.
location_access.scopestringYesall or locations.
location_access.location_idsarray<integer> | nullConditionalRequired when location_access.scope is locations.
surname, first_name, last_name, emailstring | nullNoOptional profile fields. Omitted values keep their current values.
allow_loginbooleanNoWhen false, the controller clears username and password and disables login.
usernamestring | nullNoOptional replacement username when login remains enabled.
passwordstring | nullNoOptional new password. Minimum length is 6 characters.
is_activebooleanNoMaps to the user's status field.
selected_contactsbooleanNoWhether the user should be limited to selected contacts.
selected_contact_idsarray<integer> | nullNoReplacement selected contacts. Send an empty array to clear access when selected_contacts is true.

Important update rules

RuleDescription
User quotaThe controller only checks quota when allow_login is sent truthy during the update.
Last admin protectionChanging the role of the last remaining admin user returns 422 with the same message used by the web app.
Role replacementThe user's previous role is removed and the new role is assigned when the role id changes.
Contact access syncselected_contact_ids replaces the saved contact list when selected contact mode is enabled.

Status codes

StatusWhen it happensResponse shape
200The user was updated successfully.{ "data": UserDetail }
402The business is not subscribed when package enforcement is active.{ "message": string }
403Demo mode is active or the token user lacks user.update.{ "message": string }
404The user id does not exist in the current business or is not a staff user.{ "message": "Not found" }
422The payload failed validation, the login quota check failed, a location/contact id is outside the business, or a business rule such as last-admin protection blocked the update.Laravel validation JSON or { "message": string }.

Delete user

Deletes a staff user from the current business.

Endpoint summary

PropertyValue
MethodDELETE
Path/api/v1/integration/users/{id}
Permissionuser.delete
Demo modeReturns 403 in demo environments.
Self-delete ruleThe authenticated user cannot delete their own account.
Success response200 with the deleted user id.

Status codes

StatusWhen it happensResponse shape
200The user was deleted successfully.{ "message": string, "data": { "id": integer } }
403Demo mode is active or the token user lacks user.delete.{ "message": string }
404The user id does not exist in the current business or is not a staff user.{ "message": "Not found" }
422The authenticated user attempted to delete their own account.{ "message": "Cannot delete your own user account" }
500The delete transaction failed unexpectedly.{ "message": "something_went_wrong" }

List roles

Lists roles for the authenticated business, using the same role rows shown in the web Roles screen.

Endpoint summary

PropertyValue
MethodGET
Path/api/v1/integration/roles
AuthenticationBearer token or API key + secret required.
Permissionroles.view
CSV behaviorformat=csv streams all matching rows with a UTF-8 BOM and ignores pagination.
Success response200 with paginated RoleListItem rows.

Query parameters

ParameterTypeRequiredDescription
per_pageintegerNoResults per page from 1 to 100. Defaults to 20.
pageintegerNoPagination page number.
qstringNoMinimum 2 characters when sent. Matches the stored role name.
searchstringNoLegacy free-text search alias used when q is absent.
sortstringNoname, created_at, or users_count. Defaults to name.
directionstringNoasc or desc. Defaults to asc.
formatstringNojson (default) or csv.

RoleListItem object

FieldTypeDescription
idintegerRole id.
namestringDisplay name shown in the UI. Built-in Admin and Cashier labels are translated.
name_keystringRole key with the business suffix removed.
name_storagestringStored database name including the #business_id suffix.
is_defaultbooleanWhether the role is marked as a default role.
is_service_staffbooleanWhether the role is flagged as service staff.
users_countintegerNumber of business users currently assigned to the role.
created_atstring | nullISO-8601 creation timestamp.

Top-level JSON response

FieldTypeDescription
dataarray<RoleListItem>Paginated role rows.
meta.current_page, meta.last_page, meta.per_page, meta.totalintegerPagination metadata.

Status codes

StatusWhen it happensResponse shape
200Roles were returned successfully.JSON { "data": [...], "meta": { ... } } or CSV download.
403The token user lacks roles.view.{ "message": "Unauthorized" }
422The query string failed validation, such as a 1-character q.Laravel validation JSON or { "message": string }.
500The role query or CSV export failed unexpectedly.{ "message": "Could not list roles" }

Get role

Returns one role with its sorted permission names.

Endpoint summary

PropertyValue
MethodGET
Path/api/v1/integration/roles/{id}
Permissionroles.view
CSV behaviorformat=csv streams one row with a data_json column.
Success response200 with a RoleDetail object.

Query parameters

ParameterTypeRequiredDescription
formatstringNojson (default) or csv.

RoleDetail object

FieldTypeDescription
idintegerRole id.
name, name_key, name_storagestringDisplay, suffix-stripped, and stored role names.
guard_namestringSpatie guard name.
is_default, is_service_staffbooleanRole flags.
users_countintegerNumber of business users assigned to the role.
permissionsarray<string>Sorted permission names attached to the role.
created_at, updated_atstring | nullISO-8601 timestamps.

Success response

FieldTypeDescription
dataRoleDetailDetailed role payload.

Status codes

StatusWhen it happensResponse shape
200The role was returned successfully.{ "data": RoleDetail } or CSV download.
403The token user lacks roles.view.{ "message": "Unauthorized" }
404The role id does not exist in the current business.{ "message": "Not found" }

Create role

Creates a role for the current business, including optional permission sets and service-staff flags.

Endpoint summary

PropertyValue
MethodPOST
Path/api/v1/integration/roles
Permissionroles.create
Demo modeReturns 403 in demo environments.
Request encodingapplication/json
Success response201 with a RoleDetail object.

Request body

FieldTypeRequiredDescription
namestringYesDisplay name without the #business_id suffix. The name must not contain #.
permissionsarray<string> | nullNoBase permission names to attach.
is_service_staffbooleanNoMarks the role as service staff.
spg_permissionsarray<string> | nullNoAdditional permission names merged into permissions.
radio_optionsarray<string> | nullNoAdditional permission names merged into permissions.

Permission merge behavior

RuleDescription
Merged sourcesThe controller merges permissions, spg_permissions, and radio_options into one unique permission list.
Unknown permissionsMissing permission records are created automatically before the role is synced.
Stored nameThe saved role name is the display name plus #business_id.

Status codes

StatusWhen it happensResponse shape
201The role was created successfully.{ "data": RoleDetail }
403Demo mode is active or the token user lacks roles.create.{ "message": string }
422The payload failed validation, the name contains #, or a role with the same stored name already exists.Laravel validation JSON or { "message": string }.
500The create transaction failed unexpectedly.{ "message": "something_went_wrong" }

Update role

Updates a role and replaces its permissions with the merged permission list from the request payload.

Endpoint summary

PropertyValue
MethodsPATCH or PUT
Path/api/v1/integration/roles/{id}
Permissionroles.update
Demo modeReturns 403 in demo environments.
Default-role ruleDefault roles cannot be edited unless the role is the built-in Cashier role for this business.
Request encodingapplication/json
Success response200 with the updated RoleDetail object.

Request body

FieldTypeRequiredDescription
namestringYesReplacement display name without #.
permissionsarray<string> | nullNoReplacement base permission list.
is_service_staffbooleanNoReplacement service-staff flag.
spg_permissionsarray<string> | nullNoAdditional permission names merged into the final permission set.
radio_optionsarray<string> | nullNoAdditional permission names merged into the final permission set.

Status codes

StatusWhen it happensResponse shape
200The role was updated successfully.{ "data": RoleDetail }
403Demo mode is active or the token user lacks roles.update.{ "message": string }
404The role id does not exist in the current business.{ "message": "Not found" }
422The payload failed validation, the name is invalid or duplicated, or a protected default role was targeted.Laravel validation JSON or { "message": string }.
500The update transaction failed unexpectedly.{ "message": "something_went_wrong" }

Delete role

Deletes a role from the current business.

Endpoint summary

PropertyValue
MethodDELETE
Path/api/v1/integration/roles/{id}
Permissionroles.delete
Demo modeReturns 403 in demo environments.
Default-role ruleDefault roles cannot be deleted unless the role is the built-in Cashier role for this business.
Success response200 with the deleted role id.

Status codes

StatusWhen it happensResponse shape
200The role was deleted successfully.{ "message": string, "data": { "id": integer } }
403Demo mode is active or the token user lacks roles.delete.{ "message": string }
404The role id does not exist in the current business.{ "message": "Not found" }
422A protected default role other than Cashier was targeted.{ "message": string }
500The delete transaction failed unexpectedly.{ "message": "something_went_wrong" }

List commission agents

Lists sales commission agents for the authenticated business.

Endpoint summary

PropertyValue
MethodGET
Path/api/v1/integration/commission-agents
AuthenticationBearer token or API key + secret required.
Permissionuser.view or user.create
ScopeOnly user_type = user rows with is_cmmsn_agnt = 1 are returned.
CSV behaviorformat=csv streams all matching rows with a UTF-8 BOM and ignores pagination.
Success response200 with paginated CommissionAgentListItem rows.

Query parameters

ParameterTypeRequiredDescription
per_pageintegerNoResults per page from 1 to 100. Defaults to 20.
pageintegerNoPagination page number.
statusstringNoactive, inactive, or terminated.
qstringNoMinimum 2 characters when sent. Matches full name, email, or contact number.
searchstringNoLegacy search alias used when q is absent.
sortstringNoname, email, cmmsn_percent, created_at, or status. Defaults to created_at.
directionstringNoasc or desc. Defaults to desc.
formatstringNojson (default) or csv.

CommissionAgentListItem object

FieldTypeDescription
idintegerCommission agent id.
full_namestringCollapsed display name.
emailstring | nullEmail address.
contact_nostring | nullContact number.
addressstring | nullAddress text.
cmmsn_percentnumber | nullCommission percentage.
statusstringAgent status.
created_atstring | nullISO-8601 creation timestamp.

Top-level JSON response

FieldTypeDescription
dataarray<CommissionAgentListItem>Paginated commission agent rows.
meta.current_page, meta.last_page, meta.per_page, meta.totalintegerPagination metadata.

Status codes

StatusWhen it happensResponse shape
200Commission agents were returned successfully.JSON { "data": [...], "meta": { ... } } or CSV download.
403The token user lacks access to the commission-agent list.{ "message": "Unauthorized" }
422The query string failed validation, such as a 1-character q.Laravel validation JSON or { "message": string }.
500The agent query or CSV export failed unexpectedly.{ "message": "Could not list commission agents" }

Get commission agent

Returns one sales commission agent from the current business.

Endpoint summary

PropertyValue
MethodGET
Path/api/v1/integration/commission-agents/{id}
Permissionuser.view or user.create
CSV behaviorformat=csv streams one row with a data_json column.
Success response200 with a CommissionAgentDetail object.

Query parameters

ParameterTypeRequiredDescription
formatstringNojson (default) or csv.

CommissionAgentDetail object

FieldTypeDescription
idintegerCommission agent id.
surname, first_name, last_namestring | nullName fields stored on the user record.
full_namestringCollapsed display name.
email, contact_no, addressstring | nullCommunication fields.
cmmsn_percentnumber | nullCommission percentage.
statusstringAgent status.
allow_loginbooleanAlways false for agents created by this API flow.
is_commission_agentbooleanAlways true for this endpoint.
created_at, updated_atstring | nullISO-8601 timestamps.

Success response

FieldTypeDescription
dataCommissionAgentDetailDetailed commission agent payload.

Status codes

StatusWhen it happensResponse shape
200The commission agent was returned successfully.{ "data": CommissionAgentDetail } or CSV download.
403The token user lacks access to the commission-agent detail endpoint.{ "message": "Unauthorized" }
404The commission agent id does not exist in the current business.{ "message": "Not found" }

Create commission agent

Creates a sales commission agent in the current business.

Endpoint summary

PropertyValue
MethodPOST
Path/api/v1/integration/commission-agents
Permissionuser.create
Request encodingapplication/json
Created defaultsThe controller sets user_type = user, allow_login = 0, is_cmmsn_agnt = 1, and status = active.
Success response201 with a CommissionAgentDetail object and success message.

Request body

FieldTypeRequiredDescription
first_namestringYesPrimary commission agent name field.
cmmsn_percentnumberYesCommission percentage. Parsed with the same numeric normalizer as the web form.
surname, last_namestring | nullNoOptional additional name fields.
emailstring | nullNoEmail address.
contact_nostring | nullNoContact number.
addressstring | nullNoAddress text.
languagestring | nullNoOptional language key. Defaults to en when omitted.

Status codes

StatusWhen it happensResponse shape
201The commission agent was created successfully.{ "message": "Created", "data": CommissionAgentDetail }
403The token user lacks user.create.{ "message": "Unauthorized" }
422The payload failed validation.Laravel validation JSON.
500The create transaction failed unexpectedly.{ "message": "Could not create commission agent" }

Update commission agent

Updates a sales commission agent. The endpoint supports partial updates.

Endpoint summary

PropertyValue
MethodsPATCH or PUT
Path/api/v1/integration/commission-agents/{id}
Permissionuser.update
Request encodingapplication/json
Success response200 with the updated CommissionAgentDetail object and success message.

Request body

FieldTypeRequiredDescription
surname, first_name, last_namestring | nullNoOptional updated name fields.
emailstring | nullNoUpdated email address.
contact_nostring | nullNoUpdated contact number.
addressstring | nullNoUpdated address text.
cmmsn_percentnumber | nullNoUpdated commission percentage.

Status codes

StatusWhen it happensResponse shape
200The commission agent was updated successfully.{ "message": "Updated", "data": CommissionAgentDetail }
403The token user lacks user.update.{ "message": "Unauthorized" }
404The commission agent id does not exist in the current business.{ "message": "Not found" }
422The payload failed validation.Laravel validation JSON.
500The update transaction failed unexpectedly.{ "message": "Could not update commission agent" }

Delete commission agent

Deletes a sales commission agent from the current business.

Endpoint summary

PropertyValue
MethodDELETE
Path/api/v1/integration/commission-agents/{id}
Permissionuser.delete
Delete behaviorUses the model's normal delete behavior, including soft delete when enabled on User.
Success response200 with the deleted commission agent id.

Status codes

StatusWhen it happensResponse shape
200The commission agent was deleted successfully.{ "message": "Deleted", "data": { "id": integer } }
403The token user lacks user.delete.{ "message": "Unauthorized" }
404The commission agent id does not exist in the current business.{ "message": "Not found" }
500The delete transaction failed unexpectedly.{ "message": "Could not delete commission agent" }