
Onboarding & Service Account

This is where every integration starts. By the end you will hold a CRM token that authenticates your backend as a service account, ready to create and manage customer accounts.

Base URL

All examples use https://api.example.com. Replace it with the API_DOMAIN your Defentry account manager assigned to your client.

1. Receive your first CRM user

Defentry provisions your first CRM user for you and shares the credentials through your account manager. This first user is a real, interactive login — treat it as a break-glass administrator, not as the credential your servers use day to day.

2. Create a service account

Sign in to the Defentry CRM portal with your first user and create a dedicated service account for your integration:

  • Give it a clear name (e.g. acme-backend-integration).
  • Grant it only the permissions your integration needs.
  • Store its credentials in your secret manager — your backend will use these, not the human admin's.

Why a separate service account

Rotating or revoking the integration credential must never lock out your human administrators, and vice versa. The service account is created in the portal; there is no public API endpoint for provisioning CRM users.

3. Log in to get a CRM token

Authenticate the service account to receive a bearer token:

http
POST /api/v1/crm/auth/login
Content-Type: application/json

{
  "username": "acme-backend-integration@partner.com",
  "password": "your_service_account_password"
}

Response (200):

json
{
  "token": "1|service-account-token..."
}

Send Authorization: Bearer {token} on every CRM call. Tokens are short-lived; pass "keep_logged": true to extend the session when your workload is long-running. Re-authenticate when a call returns 401.
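
The login and re-authentication flow above, as an added example (not Defentry's own code): a small client that logs in with the service account, sends the bearer token on each call, and re-authenticates once when a call returns 401. The names CrmClient and http_send and the injectable send parameter are assumptions; the caller supplies the credentials from its secret manager.

```python
import json
import urllib.error
import urllib.request

BASE_URL = "https://api.example.com"  # replace with your assigned API_DOMAIN


def http_send(method, url, headers, body):
    """Default transport: returns (status, parsed JSON body or {})."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx arrive as exceptions
        status, raw = err.code, err.read()
    try:
        return status, json.loads(raw or b"{}")
    except ValueError:
        return status, {}


class CrmClient:
    def __init__(self, username, password, send=http_send, base_url=BASE_URL):
        self._creds = {"username": username, "password": password}
        self._send, self._base, self._token = send, base_url, None

    def login(self):
        status, data = self._send("POST", self._base + "/api/v1/crm/auth/login",
                                  {"Content-Type": "application/json"}, self._creds)
        if status != 200 or "token" not in data:
            # Report the status only; never put credentials in errors or logs.
            raise RuntimeError(f"CRM login failed with HTTP {status}")
        self._token = data["token"]  # held in memory only

    def call(self, method, path, body=None):
        """Send one CRM call; on 401 re-authenticate once and retry."""
        for _attempt in range(2):
            if self._token is None:
                self.login()
            headers = {"Authorization": f"Bearer {self._token}",
                       "Content-Type": "application/json"}
            status, data = self._send(method, self._base + path, headers, body)
            if status != 401:
                return status, data
            self._token = None  # expired or revoked token: drop it, log in again
        return status, data  # still 401 after a fresh login: surface it, no loop
```

A 401 that persists after a fresh login is returned to the caller instead of being retried, so a revoked or under-privileged service account does not turn into a login loop against the API.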

4. Two-factor authentication (interactive users only)

Service accounts do not use 2FA

2FA applies to interactive human CRM logins (such as your first admin user in the portal). A service account is not enrolled in 2FA — its login returns a usable token directly, so your backend never has to handle a 2FA challenge.

For interactive human users, the challenge is completed with:

http
POST /api/v1/2fa/setup
Authorization: Bearer {crm_token}

http
POST /api/v1/2fa/verify
Authorization: Bearer {crm_token}
Content-Type: application/json

{ "code": "123456" }

5. Password recovery

Human administrators can recover access without involving Defentry support:

http
POST /api/v1/crm/auth/password/forgot
Content-Type: application/json

{ "email": "admin@partner.com" }

http
POST /api/v1/crm/auth/password/reset
Content-Type: application/json

{ "token": "emailed-token", "password": "new_password", "password_confirmation": "new_password" }

6. Log out

End a session explicitly when you are done (for example when rotating credentials):

http
POST /api/v1/crm/logout
Authorization: Bearer {crm_token}

Next step

Create and administer customer accounts with your CRM token.

For API access and technical questions, contact Defentry through your account manager.