Introduction

Salesdock provides a REST API that lets you integrate Salesdock with your own systems — for example to fetch products and pricing, manage sales and customers, or create and update offers. This article describes:

  1. How to access the API documentation
  2. How to generate an API token
  3. How to restrict permissions further
  4. Operational notes: rate limiting, token rotation, IP restrictions
  5. Frequently asked questions


1. Accessing the API documentation

All technical documentation — endpoints, authentication, request and response examples — is publicly available on the Salesdock developer portal:

developer.salesdock.nl

You can start exploring the documentation and building your integration without any prior approval. If you run into a question that is not covered, you can reach out to support@salesdock.nl.


2. Generating an API token

The API uses a per-user bearer token for authentication. Each token is tied to a specific user inside your Salesdock account, and inherits that user's role and permissions. The recommended setup is to create a dedicated integration user rather than reusing a personal account — that way the integration's access can be reviewed and revoked independently of any individual employee.

Step 1 — Create a dedicated user

  1. Navigate to Account → Users (Gebruikers).
  2. Create a new user with a clear, descriptive name — for example CRM Integration — so that the user's purpose is recognisable later.

Step 2 — Choose the right scope

The scope of an API token equals the role of the user it belongs to:

| Role | Scope | Use when |
|---|---|---|
| Agent | User scope — the token can only access data the user is personally allowed to see. | You only need to pull or push data for one specific user (for example one sales rep's leads). |
| Admin | Account scope — the token can access account-wide data within the limits of the role's permissions. | You need to integrate at the account level, e.g. syncing all sales, all products, or all customers. |

Step 3 — Generate the token

  1. In the user list, find the user you just created.
  2. Click Actions (Acties) → API Token → Generate on the right side of the row.
  3. The token is shown once on the screen. Click Copy and store it in a secure location, such as a password manager or your CI/CD secret store. You will not be able to view this token again after saving.

Step 4 — Configure security options

Before saving, set the two switches that appear on the token-generation screen:

| Option | What it does | Recommended setting |
|---|---|---|
| Is this API token to be used for Salesdock Integration? | If turned on, the token is restricted to internal Salesdock-to-Salesdock integration traffic only and will be rejected when called from any external server. This switch is meant for tokens used by Salesdock's own internal provider/consumer integration. | Off — for any integration you build yourself, including CRM, ERP, BI, or webhook receivers running on your own infrastructure. |
| Enable IP restriction | Restricts the token so it can only be used from the IP addresses you list. Calls from any other IP are rejected with a 403. You enter one IP per line in the text field that appears. | On, with the public IP(s) of your integration server(s) listed. This significantly reduces risk in case the token is leaked. |

Step 5 — Save the token

Click Save token (Sla token op) at the bottom of the screen to finalise the process. The token is only activated after this final save — if you close the screen without saving, the token will not work.


3. Restricting permissions further

The token inherits the role of its user (Agent or Admin), but you can narrow that down on a per-resource basis. On the user's detail page in Account → Users, open Manage permissions (Beheer rechten) and toggle access to specific modules and actions (sales, leads, products, exports, and so on).

The recommended principle: give the integration user the smallest set of permissions that gets the job done. If the integration only reads sales, do not grant write access on customers.


4. Operational notes

Rate limiting

The API enforces a rate limit per authenticated user. At the time of writing, the default is 150 requests per minute per user/token. When the limit is exceeded, the API returns HTTP 429 Too Many Requests. Build retry-with-backoff logic into your client to handle bursts gracefully. Internal Salesdock server IPs are excluded from the limit.

Token rotation

API tokens do not expire automatically. To keep your environment secure, rotate them on a regular cadence (for example every 6–12 months) or whenever an employee with knowledge of the token leaves. Rotation works as follows: generate a new token on the same user, deploy it to your integration, then delete the old token via the same Actions → API Token menu.

IP restrictions at two levels

Salesdock supports IP restrictions at two layers:

  • Per token: the option described in step 4 above. Applies to the specific API token only.
  • Account-wide: available under Account → Security → IP whitelisting when enabled for your account. Applies to all UI and API access into the account.

For most integrations the per-token restriction is enough, and we strongly recommend enabling it. The account-wide whitelist is an additional layer that some customers use for compliance reasons.

Storing tokens

Treat your API token like a password. Never commit it to a git repository, and never include it in client-side code (browser, mobile app). Store it in a secrets manager or your platform's environment-variable store, and inject it at runtime.
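The rate-limiting and token-storage advice above, combined in one client sketch. This is an added example, not Salesdock's own code: the URL is a placeholder, and the SALESDOCK_API_TOKEN variable name, the Authorization header format and the Retry-After handling are assumptions. The transport is passed in as a function so the block runs offline against constructed responses.

```python
import os
import random
import time

# Placeholder URL (assumption); take real endpoints from developer.salesdock.nl.
API_URL = "https://api.example.invalid/resource"

class Forbidden(Exception):
    """HTTP 403: retrying cannot help; the token or the calling IP must change."""

def load_token(env=os.environ):
    # SALESDOCK_API_TOKEN is an assumed variable name, injected at runtime.
    token = env.get("SALESDOCK_API_TOKEN", "").strip()
    if not token:
        raise RuntimeError("SALESDOCK_API_TOKEN is not set")
    return token

def call_with_backoff(send, token, max_attempts=5, base=1.0, cap=30.0,
                      sleep=time.sleep):
    """send(url, headers) -> (status, response_headers, body); retries only 429."""
    # Assumption: the bearer token travels in a standard Authorization header.
    headers = {"Authorization": "Bearer " + token, "Accept": "application/json"}
    for attempt in range(max_attempts):
        status, resp_headers, body = send(API_URL, headers)
        if status == 403:
            # IP allow-list miss or internal-integration switch: fail fast.
            raise Forbidden(body)
        if status != 429:
            return status, body
        if attempt < max_attempts - 1:
            hint = str(resp_headers.get("Retry-After", ""))
            if hint.isdigit():  # honour the server's hint if one is sent
                delay = min(cap, float(hint))
            else:  # exponential backoff with full jitter
                delay = random.uniform(0, min(cap, base * 2 ** attempt))
            sleep(delay)
    raise RuntimeError("still rate limited after %d attempts" % max_attempts)

def replay_transport(responses):
    """Constructed offline transport: replays canned responses, records calls."""
    calls = []
    def send(url, headers):
        calls.append((url, dict(headers)))
        return responses[min(len(calls), len(responses)) - 1]
    return send, calls

if __name__ == "__main__":
    send, calls = replay_transport([(429, {}, "slow down"), (200, {}, "[]")])
    print(call_with_backoff(send, "constructed-token", sleep=lambda s: None))
    print(len(calls), "requests sent")
```

In a real integration, replace replay_transport with a function that performs the HTTPS request, and keep the token out of log lines and exception messages.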


5. Frequently asked questions

Where do I find existing tokens for a user?
Go to Account → Users, find the user, and open Actions (Acties) → API Token. From there you can review the IP-restriction setting, view IPs already on the allow-list, and revoke or regenerate the token.

Can I use one token for multiple integrations?
Technically yes, but we recommend creating one user (and thus one token) per integration. That way you can revoke a single integration without disrupting the others, and audit logs clearly show which integration performed which action.

What is the difference between an Agent and an Admin token in practice?
An Agent-scoped token can only access data tied to that specific user (for example, leads assigned to that user). An Admin-scoped token can read and write data for the entire account, within the limits of the user's permissions. Pick the smallest scope that satisfies the integration's needs.

Why am I getting "403 API token is only available for Salesdock internal integration"?
The "Is this API token to be used for Salesdock Integration?" switch was turned on when the token was generated. That switch restricts the token to Salesdock's own internal integration traffic. Generate a new token with the switch off for an externally hosted integration.

Why am I getting a 403 from a known-good token?
The most common cause is IP restriction: the request is coming from an IP not on the token's allow-list. Verify the public IP your integration is calling from, and either add it to the list or temporarily disable IP restriction to confirm.

What happens if I hit the rate limit?
The API returns HTTP 429 Too Many Requests. Wait, then retry. Implement exponential backoff in your client to handle bursts cleanly.

Is there a sandbox or test environment?
There is no separate sandbox. We recommend testing with a non-production account or with a small, controlled dataset on your live account, and rotating to a production token once your integration is verified.

How do I revoke a token if it is compromised?
Open Account → Users, find the user, then Actions → API Token → Delete (or generate a new token, which invalidates the old one). Update your integration with the new token immediately.

Glossary

Token / API token — the bearer token used to authenticate API requests. Tied to a single Salesdock user.

Scope — the breadth of data a token can reach. Determined by the user's role (Agent = user scope, Admin = account scope).

IP restriction — an allow-list of IP addresses from which the token may be used. Calls from other IPs are refused.

Rate limit — the maximum number of requests an authenticated client may make within a time window. Currently 150 requests per minute per user.

Salesdock Integration switch — an internal-only mode for tokens used by Salesdock's own provider/consumer integration. Should be left off for any externally built integration.