API & Keys
Authentication, public endpoints, and how to integrate beyond the embed.
Overview
SalesCFG exposes HTTP APIs for the embedded configurator, quote submission, analytics, and dashboard management. Most integrations use the embed script; server-side automation uses API keys where supported.
API keys
Each client account has two credentials:
Public key
Safe for browser embeds. Sent as the X-Public-Key header (or via the script's data-public-key attribute). Tied to allowed domains and subscription status.
API key (secret)
For server-side calls only. Sent as X-API-Key. Never include it in frontend code or commit it to public repositories.
Public authentication
Public routes validate X-Public-Key and check:
- Key exists and matches a client
- Subscription is active
- Request origin matches an allowed domain (or trusted preview host)
- Monthly request quota not exceeded
Common headers
| Header | Value |
|---|---|
| X-Public-Key | Your public key |
| X-Embed-Origin | Origin of the embedding page (recommended) |
| Content-Type | application/json for POST bodies |
Public endpoints
These routes are used by the embed and can be called with a public key:
| Endpoint | Purpose |
|---|---|
| GET /api/configurator/[publicId] | Load configurator data for the buyer UI |
| POST /api/quote/create | Submit a quote from selected options |
| POST /api/embed/analytics | Track embed usage events |
| POST /api/ai/* | AI assistant features when entitled |
Create a quote
POST /api/quote/create accepts customer details and the selected configuration. Pricing is snapshotted at submission time.
Typical JSON body fields
- configuratorId, customerEmail (required)
- customerName, customerPhone, customerCompany, customerNotes
- selectedOptions, totalPrice, configuration
- formSchema, formData (when using custom quote fields)
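The request described under Common headers and Create a quote, assembled as an added example (not SalesCFG's own code). The base URL, key value and sample quote are constructed placeholders, and restricting the body to the listed fields is this example's choice, not documented API behaviour.

```javascript
// Added example: header and field names come from this page; the base URL,
// key value and sample quote are constructed placeholders.
const QUOTE_FIELDS = new Set([
  "configuratorId", "customerEmail",                 // required
  "customerName", "customerPhone", "customerCompany", "customerNotes",
  "selectedOptions", "totalPrice", "configuration",
  "formSchema", "formData",                          // custom quote fields
]);
const REQUIRED = ["configuratorId", "customerEmail"];

function buildQuoteRequest(baseUrl, publicKey, pageUrl, quote) {
  if (typeof publicKey !== "string" || publicKey === "") {
    throw new Error("public key is required");
  }
  for (const name of REQUIRED) {
    const v = quote[name];
    if (v === undefined || v === null || v === "") {
      throw new Error(`missing required field: ${name}`);
    }
  }
  // Send only the listed fields, so unrelated data never leaves the page.
  const body = {};
  for (const [name, value] of Object.entries(quote)) {
    if (!QUOTE_FIELDS.has(name)) throw new Error(`unexpected field: ${name}`);
    if (value !== undefined) body[name] = value;
  }
  return {
    url: new URL("/api/quote/create", baseUrl).href,
    init: {
      method: "POST",
      headers: {
        "X-Public-Key": publicKey,
        // Origin only (scheme, host, port): no path or query string.
        "X-Embed-Origin": new URL(pageUrl).origin,
        "Content-Type": "application/json",
      },
      body: JSON.stringify(body),
    },
  };
}

// Constructed sample input; pass sample.url and sample.init to fetch() to submit.
const sample = buildQuoteRequest(
  "https://salescfg.example",                        // placeholder base URL
  "pk_PLACEHOLDER",                                  // placeholder public key
  "https://shop.example/products/desk?ref=mail",
  { configuratorId: "cfg_123", customerEmail: "buyer@example.com", totalPrice: 1299 },
);
```

Only the public key belongs in this request; the secret API key stays on the server.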
Dashboard APIs
Configurator CRUD, quotes list, billing, documents, and team management use session authentication (NextAuth) when you are logged into the dashboard. A broader REST API for ERP/CRM integrations is planned; dashboard session routes are the supported path for in-app operations today.
Live snippets
For copy-ready embed code with your real keys and framework variants, use the dashboard embed page while signed in.
See also
Step-by-step embed setup and domain allowlisting are covered in the embedding guide.