Authentication
Every SMBcrm API and MCP request is authenticated with a bearer token scoped to a single SMBcrm account/location — yours. There are two kinds of token, and both are sent the same way.
Two ways to authenticate
Section titled “Two ways to authenticate”Sending the token
Section titled “Sending the token”However you obtain it, the token goes in the Authorization header as a bearer token, alongside the required Version header:
curl https://services.smbcrm.com/contacts/<contact_id> \ -H "Authorization: Bearer <access_token_or_private_integration_token>" \ -H "Version: v3"See Base URL & Headers for the full request shape.
Which should I use?
Section titled “Which should I use?”Use a Private Integration Token when you’re building for your own account — a backend job, an internal dashboard, a script, or an AI agent that acts on your data. It needs no authorization flow.
Use OAuth when you’re building an app that other SMBcrm users authorize to act on their account. Each user grants access explicitly, and you receive a token scoped to their account/location.
Scopes & safety
Section titled “Scopes & safety”A token can only do what its scopes allow, so request the minimum you need. And because a token grants access to real account data, treat it like a password.
