CompanyBelgium
ERP module

API & webhooks

Three distinct API surfaces to integrate the engine from the outside: your dashboard, your servers, and any HMAC-compatible service (Zapier, Make, forms).

What you can do

Each surface has its own auth mode tailored to its use — quota, rate-limit and audit journal apply to all three.

  • Dashboard tenant (NextAuth session)

    /api/automations/* — CRUD, toggle, seed, replay run and inbound-token management. Gated by requireCapability(automations.{view, manage, run}).

  • Public v1 API (API key)

    /api/v1/automations and /api/v1/automations/[id]/fire. Auth via X-API-Key + X-API-Secret, metered against the plan's monthly quota. Path used by the MCP server.

  • HMAC inbound webhook

    /api/automations/trigger/[token] — public HMAC-SHA256 signed POST with 5-min anti-replay. Token + secret generation and rotation from the automation page.

  • Replay & observability

    Replay endpoint releases the dedupeKey so the next tick can re-run. Run history with status, duration and action timeline. Per-rule success rate on the list page.

How it works

From creating an inbound endpoint to testing it from a terminal.

  1. 1

    Generate a token (inbound)

    On an event-driven automation, click "Generate a token". URL and HMAC secret are shown ONCE — copy them right away.

  2. 2

    Sign your requests

    Send X-CompanyBelgium-Timestamp (epoch ms, 5-min window) and X-CompanyBelgium-Signature: sha256=HMAC(secret, "[ts].[body]"). Any JSON body becomes the payload.

  3. 3

    Monitor and replay

    The execution history (filterable by status) lists the 50 most recent runs. A failed run can be replayed in one click — the engine recomputes on the next tick.

Need help getting started?

Our team supports onboarding, data migration and AML setup.