TraceCRM
ES EN Start free trial

TraceCRM Documentation

Everything you need to use TraceCRM as a business user and as a technical user integrating API and webhooks.

Getting started (business users)

  • Create your workspace and invite your team from Settings > Team.
  • Configure contact lifecycle stages in Settings > Pipeline Stages.
  • Import contacts in Import and assign sources/stages for better segmentation.
  • Create opportunities from contacts and track progress in Opportunities + Kanban.

Daily use (sales team)

  • Use Contacts to classify relationship status and capture calls, notes, files, and activities.
  • Use Opportunities for pipeline and revenue forecasting (open/won/lost logic).
  • Use Reports to build dashboards by source, stage, owner, and conversion trends.

API guide (technical users)

Base URL example: /api/v1. Authenticate with Bearer token or X-API-Key header. 

curl -X GET "https://tracecrm.pro/api/v1/leads" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

Security model: every API key is tenant-scoped, per-endpoint scopes are enforced, and requests are rate-limited per key.

  • leads:read, leads:write, leads:delete
  • deals:read, deals:write, deals:delete
  • forms:read, forms:write

Available resources:

  • GET/POST/PUT/DELETE /api/v1/leads
  • GET/POST/PUT/DELETE /api/v1/deals
  • GET/POST/PUT/DELETE /api/v1/forms

Webhook guide (technical users)

Configure endpoints in Settings > API Connect. You can subscribe to lead, deal, and form events.

Important headers:

  • X-TraceCRM-Event
  • X-TraceCRM-Delivery
  • X-TraceCRM-Timestamp
  • X-TraceCRM-Signature (HMAC SHA-256)

Verify signatures with your endpoint secret and reject stale/replayed deliveries using timestamp + delivery ID. 

// Pseudo-code
$signedPayload = $timestamp . '.' . $rawBody;
$expected = hash_hmac('sha256', $signedPayload, $endpointSecret);
if (!hash_equals($expected, $signatureHeader)) reject(401);
if (abs(time() - (int)$timestamp) > 300) reject(401); // 5 min window
if (alreadyProcessed($deliveryId)) reject(409);

Events available:

  • lead.created, lead.updated, lead.deleted, lead.stage_changed
  • deal.created, deal.updated, deal.deleted, deal.stage_changed, deal.status_changed
  • form.submission.created, webhook.ping

Best practices

  • Keep contact lifecycle and opportunity pipeline separated for cleaner reporting.
  • Always validate webhook signatures before processing payloads.
  • Store processed webhook delivery IDs to enforce idempotency and replay protection.
  • Issue minimum-scope API keys and rotate them periodically.
  • Use idempotency keys in your integrations to avoid duplicate writes.
  • Review API/Webhook logs in API Connect to debug delivery issues quickly.