Authentication
The CRM Service uses JWT Bearer tokens for authentication. All endpoints (except health checks) require a valid token with appropriate roles.
Required Header
Every request must include an Authorization: Bearer <token> header and an x-tenant-id header for multi-tenant isolation.
Obtaining a Token
Authenticate via the Auth Service to receive a JWT:
```bash
curl -X POST https://535ubezkse.execute-api.us-east-1.amazonaws.com/auth/v1/auth/login \
  -H "Content-Type: application/json" \
  -H "x-tenant-id: <your-tenant-id>" \
  -d '{"email": "user@example.com", "password": "password"}'
```
Using the Token
```bash
curl https://535ubezkse.execute-api.us-east-1.amazonaws.com/crm/v1/contacts \
  -H "Authorization: Bearer <token>" \
  -H "x-tenant-id: <your-tenant-id>"
```
Required Headers
| Header | Required | Description |
|---|---|---|
| Authorization | Yes | Bearer JWT token |
| x-tenant-id | Yes | Tenant UUID for multi-tenant isolation |
| x-request-id | Recommended | UUID for request tracing |
| Idempotency-Key | Recommended | UUID for POST/PUT/PATCH/DELETE (24h TTL) |
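The login-then-call flow above, together with the header table, as an added Python example (not the CRM Service's own SDK). It assumes, because the page does not say, that the login response is JSON with a `token` field and that the contacts response carries an `items` list; the HTTP transport is injected so the example runs offline against a constructed fake that enforces the same header rules. Note how Idempotency-Key is attached only to POST/PUT/PATCH/DELETE and can be supplied by the caller so a retry reuses the same key within the 24h TTL, while x-request-id is fresh for every request.

```python
"""Minimal client for the CRM Service auth flow (added example, not the
service's own code).  Assumptions not stated on the page: login returns
JSON {"token": ...}, GET /crm/v1/contacts returns JSON {"items": [...]}.
"""
import uuid
from typing import Callable, Dict, Optional, Tuple

BASE_URL = "https://535ubezkse.execute-api.us-east-1.amazonaws.com"
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Transport signature: (method, url, headers, json_body_or_None) -> (status, body)
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


def build_headers(tenant_id: str, token: Optional[str], method: str,
                  idempotency_key: Optional[str] = None) -> Dict[str, str]:
    """Assemble the headers from the Required Headers table.

    - x-tenant-id is always sent (tenant isolation).
    - Authorization is sent once a token exists (not for login itself).
    - x-request-id is a fresh UUID per request for tracing.
    - Idempotency-Key goes only on POST/PUT/PATCH/DELETE; a caller may pass
      one so a retried request reuses the same key within the 24h TTL.
    """
    headers = {
        "Content-Type": "application/json",
        "x-tenant-id": tenant_id,
        "x-request-id": str(uuid.uuid4()),
    }
    if token:
        headers["Authorization"] = f"Bearer {token}"
    if method.upper() in MUTATING_METHODS:
        headers["Idempotency-Key"] = idempotency_key or str(uuid.uuid4())
    return headers


def login(transport: Transport, tenant_id: str, email: str, password: str) -> str:
    """POST to the Auth Service login endpoint and return the JWT."""
    url = f"{BASE_URL}/auth/v1/auth/login"
    headers = build_headers(tenant_id, token=None, method="POST")
    status, body = transport("POST", url, headers, {"email": email, "password": password})
    if status != 200:
        raise PermissionError(f"login failed with HTTP {status}")
    return body["token"]  # assumed response field name


def list_contacts(transport: Transport, tenant_id: str, token: str) -> list:
    """GET the contacts visible to this token within the given tenant."""
    url = f"{BASE_URL}/crm/v1/contacts"
    headers = build_headers(tenant_id, token, "GET")
    status, body = transport("GET", url, headers, None)
    if status == 401:
        raise PermissionError("token missing or expired")
    if status == 403:
        raise PermissionError("role not permitted for this endpoint")
    return body["items"]  # assumed response shape


def fake_transport(method: str, url: str, headers: Dict[str, str],
                   body: Optional[dict]) -> Tuple[int, dict]:
    """Constructed stand-in for the real API: rejects requests that break
    the header rules above, so the client logic can be exercised offline."""
    if "x-tenant-id" not in headers or "x-request-id" not in headers:
        return 400, {"error": "missing required header"}
    if url.endswith("/auth/v1/auth/login"):
        if body == {"email": "user@example.com", "password": "password"}:
            return 200, {"token": "constructed.jwt.token"}
        return 401, {"error": "bad credentials"}
    if headers.get("Authorization") != "Bearer constructed.jwt.token":
        return 401, {"error": "unauthorized"}
    return 200, {"items": [{"id": 1, "name": "Ada"}]}  # constructed data


def demo() -> list:
    """Full flow against the fake transport: login, then list contacts."""
    token = login(fake_transport, "tenant-uuid", "user@example.com", "password")
    return list_contacts(fake_transport, "tenant-uuid", token)


if __name__ == "__main__":
    print(demo())
```

To talk to the real service, replace `fake_transport` with a function that issues the request (for example with `urllib.request` or `requests`) and returns `(status_code, parsed_json)`; the header logic stays unchanged.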
RBAC Roles
| Role | Access Level |
|---|---|
| admin | Full access to all CRM endpoints |
| organizer | CRUD on contacts, deals, activities, lists, campaigns |
| user | Read-only access to own contacts and activities |
Multi-Tenant Isolation
All CRM data is isolated per tenant using PostgreSQL Row-Level Security (RLS). The x-tenant-id header determines which tenant's data is accessible. Cross-tenant access is prevented at the database level.