Authentication
WedoCOD uses two authentication mechanisms depending on the API surface.
REST API — Bearer Token (Sanctum)
All REST API endpoints under api/web/1.0/ require a Laravel Sanctum personal access token.
Generating a Token
- Log in to the WedoCOD dashboard
- Navigate to Settings → API Keys
- Click Generate to create a new token
- Copy the token — it is only shown once
WARNING
Store your API token securely. It cannot be retrieved after creation. If lost, delete it and generate a new one.
Using the Token
Include the token in the Authorization header of every request:
```http
GET /api/web/1.0/leads HTTP/1.1
Host: your-domain.com
Authorization: Bearer {your-token}
Accept: application/json
```
Token Permissions
Tokens are scoped with specific permissions:
| Scope | Description |
|---|---|
| CREATE LEADS | Create leads via the API |
| VIEW LEADS | List and view individual leads |
| UPDATE LEADS | Update lead statuses |
| DELETE LEADS | Delete leads |
| CREATE ORDERS | Create orders via the API |
| VIEW ORDERS | List and view individual orders |
| UPDATE ORDERS | Update order statuses |
| DELETE ORDERS | Delete orders |
Each REST API endpoint checks tokenCan() for the required scope. A 403 Forbidden response is returned if the token lacks the required permission.
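The request format and the 403 behaviour described above, as a shell wrapper added here for illustration (not WedoCOD's own code): it reads the token from the environment, hands the headers to curl on stdin so the token stays out of the process list, and turns a 403 into a scope hint. The variable names `WEDOCOD_TOKEN` and `WEDOCOD_BASE_URL`, the function names, and the meaning given for 401 are assumptions.

```bash
# Added example, not WedoCOD code. WEDOCOD_TOKEN and WEDOCOD_BASE_URL are
# assumed environment variable names; the function names are hypothetical.

# Emit the request headers. Rejects an empty token and any token containing
# whitespace or control characters, so a stray newline cannot add headers.
wedocod_headers() {
  token="${WEDOCOD_TOKEN:-}"
  [ -n "$token" ] || { echo "WEDOCOD_TOKEN is not set" >&2; return 2; }
  clean=$(printf '%s' "$token" | tr -d '[:space:][:cntrl:]')
  [ "$clean" = "$token" ] || { echo "token has whitespace/control chars" >&2; return 2; }
  printf 'Authorization: Bearer %s\nAccept: application/json\n' "$token"
}

# Turn an HTTP status into a hint. 403 is the documented missing-scope reply;
# the meaning given for 401 is an assumption (Sanctum's usual behaviour).
wedocod_explain_status() {
  case "$1" in
    2??) echo "ok" ;;
    403) echo "token lacks the scope this endpoint requires" ;;
    401) echo "token missing, revoked or invalid" ;;
    *)   echo "unexpected status" ;;
  esac
}

# GET a path under api/web/1.0/, e.g.: wedocod_get 'leads?per_page=25'
# Headers reach curl on stdin (-H @-, curl 7.55.0+), so the token never shows
# up in the process list. Plain-HTTP base URLs are refused.
wedocod_get() {
  case "${WEDOCOD_BASE_URL:-}" in
    https://*) ;;
    *) echo "WEDOCOD_BASE_URL must be an https:// URL" >&2; return 2 ;;
  esac
  hdrs=$(wedocod_headers) || return 2
  body=$(mktemp) || return 1
  status=$(printf '%s\n' "$hdrs" | curl -sS -H @- -o "$body" \
    -w '%{http_code}' "$WEDOCOD_BASE_URL/api/web/1.0/$1") || status=000
  verdict=$(wedocod_explain_status "$status")
  if [ "$verdict" = ok ]; then cat "$body"; rc=0
  else echo "HTTP $status: $verdict" >&2; rc=1; fi
  rm -f "$body"
  return "$rc"
}
```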
Example — cURL
```bash
curl -X GET "https://your-domain.com/api/web/1.0/leads?per_page=25" \
  -H "Authorization: Bearer {your-token}" \
  -H "Accept: application/json"
```
Dashboard — Session Authentication
Dashboard routes use standard session (cookie) authentication via the login page.
Login
POST /login
Authenticate and create a session.
| Field | Type | Required | Description |
|---|---|---|---|
| email | string | Yes | User email address |
| password | string | Yes | User password |
Password Reset
POST /reset-password
Send a password reset link.
| Field | Type | Required | Description |
|---|---|---|---|
| email | string | Yes | Email address for reset link |
Logout
POST /logout 🔒 Session
Invalidate the current session.
No request body required.
Multi-Tenancy
WedoCOD is a multi-tenant platform. Every API request is scoped to the authenticated user's account. Admin users with system-level access can view data across all accounts.
Token Management
GET /settings/api-keys 🔒 Session
List all API tokens for the current account.
POST /settings/api-keys/generate 🔒 Session
Generate a new API bearer token.
DELETE /settings/api-keys/{token}/delete 🔒 Session
Revoke a specific API token.
