POST /api/v1/auth/login → JWT bearer token. Send as Authorization: Bearer <token> on every request.
Every API call requires either an Authorization: Bearer header or — when the cross-app cookie is in play — the omnimark_token cookie. Tokens last 7 days; refresh by re-logging in.
Example: POST /api/v1/auth/login with form-encoded body username=email@org.com&password=••• returns {"access_token": "eyJ...", "token_type": "bearer"}.
POST /api/v1/crm/contacts to create, GET /api/v1/crm/contacts/{id}, PATCH to update, DELETE to soft-archive.
Subscribe to 30+ event types: contact.created, deal.won, email.opened, sequence.replied, plan.changed.
Default 100 req/min per org. Burst up to 200 for 30s. AI endpoints have their own token-based quota.