Application API
Clear API and contract surface for TopoloCRM, grouped under the application instead of split across generic reference sections.
App IDs:
app_topolo_crm Repos:
Hosts:
https://crm.topolo.app https://crm-api.stg.topolo.us https://crm.stg.topolo.us Dependencies: topolo-auth, topolo-one, applications-packages
Depends on Topolo Auth: yes
Type: openapi
Source: PlatformApplications/TopoloCRM/packages/backend/openapi.yaml
Source exists: no
CRM owns its worker API contract and delegates browser login, cookie refresh, logout propagation, one-time `sso_code` callback exchange, and shared-launcher Auth data reads to the shared Auth client plus same-origin `/api/auth/*` worker gateway. CRM resolves its concrete Auth app id dynamically from the Auth catalog slug `topolo-crm`; the source-owned identity lives in the CRM repo `app-identity.ts`, and browser, backend, API-key, widget, notification, and seed-caller paths must not hardcode concrete `app_*` or `app_*` ids. The explicit `/login` route renders the branded shared LoginPage without an initial refresh probe, embedded password-login success returns to the CRM route tree after shared Auth token persistence, shared Auth token update events are treated as already-persisted state, and the browser app does not expose a legacy `/sso?token=` token handoff route or app-local `/sso/exchange` parser. CRM keeps same-tab sessionStorage access-token restore enabled by default after login and refresh so normal reloads do not appear logged out before cookie refresh completes. The callback route guards one-time code exchange with a fixed `/dashboard` completion target so Auth home-path re-resolution cannot retry an already consumed `sso_code`. CRM exposes `GET /api/widget` with the shared `@topolo/sdk` widget response contract for TopoloOne live workspace.
API key scopes in Auth catalog: 44
No global OpenAPI security scheme is declared.
activities.read activities.write api_keys.write attachments.read attachments.write commissions.read commissions.write companies.read companies.write contacts.read contacts.write deals.read deals.write documents.read documents.write listings.read listings.write notes.read notes.write offers.read Wrangler surfaces: none detected
Environment variables: none derived
Routes: workers.dev fallback or no explicit route declared
Observability enabled: no explicit signal found
Wrangler surfaces: No wrangler file detected in scanned surface
This application does not yet have a source-controlled OpenAPI spec in the docs platform. The current API page is derived from the registered contract source and repository surface.