For AI agents

Register a tenant, configure widgets, and get embed code by API.

Use this flow when a user asks an AI website builder to add Vola CRM. The AI may help with setup, but it must ask the user for email verification codes and must not store passwords, access tokens, or ID tokens.

1. Read public config

GET https://api.volacrm.com/api/public/onboarding/config

The response includes the API base URL, dashboard login URL, password policy, supported sectors, and branding defaults.

2. Register tenant and admin user

POST https://api.volacrm.com/api/public/onboarding/register
Content-Type: application/json

{
  "businessName": "Demo Dental Studio",
  "adminName": "Sami Altundag",
  "email": "owner@example.com",
  "password": "User-chosen-password-123",
  "sector": "dental_clinic",
  "website": "https://example.com",
  "primaryColor": "#6D5DFB",
  "secondaryColor": "#11172A",
  "controlSize": "medium"
}

If the user does not provide a tenant id, Vola CRM generates an unguessable UUID. The tenant id is public routing data for embeds, not a secret.

3. Ask the user for the verification code

POST https://api.volacrm.com/api/public/onboarding/confirm
Content-Type: application/json

{
  "email": "owner@example.com",
  "code": "123456"
}

The code comes from the user's email. AI tools should ask the user to paste the code, then submit it once.

4. Login only with explicit user approval

POST https://api.volacrm.com/api/public/onboarding/login
Content-Type: application/json

{
  "email": "owner@example.com",
  "password": "User-chosen-password-123"
}

The response contains Cognito tokens and resolved tenant information. Do not store tokens in generated static sites. For normal users, prefer linking to the dashboard login page.

5. Configure tenant branding

PUT https://api.volacrm.com/api/tenant/branding
Authorization: Bearer {idToken}
x-tenant-id: {tenantId}
Content-Type: application/json

{
  "primaryColor": "#6D5DFB",
  "secondaryColor": "#11172A",
  "controlSize": "medium"
}

Allowed sizes are small, medium, and large. Colors must be six-character hex colors.

6. Retrieve embed codes

GET https://api.volacrm.com/api/tenant/branding
Authorization: Bearer {idToken}
x-tenant-id: {tenantId}

The response includes ready-to-paste chatbot and contact form embed codes. Public embed codes can also be read with:

GET https://api.volacrm.com/api/public/onboarding/embed-codes?tenantId={tenantId}

Security rules for AI tools

  • Ask before registering an account or logging in.
  • Never write Cognito tokens into HTML, JavaScript, Git, logs, or prompts.
  • Use the tenant id only as public routing data.
  • Use the contact form embed for ordinary contact pages and the chatbot embed for conversational support.
  • Send users to https://app.volacrm.com/#/login for dashboard access.