Skip to content

Authentication

Every SMBcrm API and MCP request is authenticated with a bearer token scoped to a single SMBcrm account/location — yours. There are two kinds of token, and both are sent the same way.

However you obtain it, the token goes in the Authorization header as a bearer token, alongside the required Version header:

Terminal window
curl https://services.smbcrm.com/contacts/<contact_id> \
-H "Authorization: Bearer <access_token_or_private_integration_token>" \
-H "Version: v3"

See Base URL & Headers for the full request shape.

Use a Private Integration Token when you’re building for your own account — a backend job, an internal dashboard, a script, or an AI agent that acts on your data. It needs no authorization flow.

Use OAuth when you’re building an app that other SMBcrm users authorize to act on their account. Each user grants access explicitly, and you receive a token scoped to their account/location.

A token can only do what its scopes allow, so request the minimum you need. And because a token grants access to real account data, treat it like a password.