Why integrations matter
FN
Finn Osei ยท Finance Operations Lead
"The moment a deal closes, our finance system needs to know immediately so invoicing can start. Nobody should be manually re-keying closed deals into a second system โ that's exactly how numbers drift apart."
Every business runs more than one system of record. The CRM needs to reliably talk to โ and hear from โ the rest of the stack, without a human as the integration layer.
Business outcome
Closed deals reach downstream systems the instant they close, and external data lands in the CRM automatically โ with a full delivery/error log for troubleshooting.Anatomy of the integration layer
Integrations flow in two directions, each with its own tools:
| Direction | Tool | Use case |
|---|---|---|
| Outbound | API Keys (scoped: READ / WRITE / DELETE / BULK / ADMIN) | Let an external system securely call the SmartLite REST API |
| Outbound | Webhooks โ HMAC-signed, e.g. record.updated | Push a real-time event to any URL the moment a record changes |
| Inbound | Pull Connectors (scheduled polling) | Fetch records from an external API on a timer and upsert them |
| Inbound | Inbound Webhooks (HMAC-verified) / Bulk & Excel import | Receive pushed data (e.g. a Shopify order) and create/update CRM records automatically |
Same rules as manual entry
Every record created through ingestion runs through the exact same pipeline as a form submission โ workflows, audit logs, subscription limits, and outbound webhooks all fire per record, exactly as if a person typed it in.Rate limits are real
Each API key has a requests-per-minute cap (60 on Starter, higher on paid plans). Exceeding it returns 429 with a Retry-After header.Push closed deals to a finance webhook
Create an API keyIntegrations โ API Keys โ New Key โ name it "Finance Sync", scopes: READ + WRITE. Copy the plaintext key shown once.
Register an outbound webhookIntegrations โ Webhooks โ New Endpoint โ URL: your test receiver, event:
record.updated.Trigger itUpdate a real Opportunity's stage to "Closed Won" and check your receiver got the payload.
Verify the signatureCheck the
X-SmartLite-Signature header โ recompute the HMAC-SHA256 using your endpoint secret to confirm it matches.Test the API keyFrom a terminal:
curl -H "Authorization: Bearer <key>" http://localhost:8080/api/v1/records/opportunity and confirm you get your records back.Test what you learned
1. A record created via bulk API ingestion โ does it trigger Workflow Rules the same as a manual create?
Yes โ it goes through the exact same RecordService pipeline as manual entry
No โ ingested records skip workflows for performance
2. What happens when an API key exceeds its rate limit?
The request silently succeeds but is queued
HTTP 429 is returned with a Retry-After header