1stContact.ai API (LeadConnector)
Securely connect to your CRM data using OAuth 2.0 or a Private Integration token. This guide covers auth, required headers, base URLs, rate limits, core endpoints (Contacts, Appointments), and webhooks—tailored for 1stContact.ai.
Quickstart
- Create your app: In the 1stContact-branded HighLevel Marketplace, create a Private (internal) or Public app and set scopes & redirect URL.
- Install the app: Use the standard or white-label install link for your account; when redirected to your
redirect_uriyou’ll receive a one-timecode. - Exchange code: POST to
/oauth/tokenfor anaccess_token+refresh_token. - Call APIs: Include
Authorization: Bearer <access_token>andVersion: 2021-07-28on every request.
Tip: For internal use, you can also use a Private Integration token (no OAuth UI). Use OAuth for marketplace/public apps.
Key Values
https://services.leadconnectorhq.com2021-07-28 (required header)Authentication
Option A — OAuth 2.0 (recommended): Create an app in your 1stContact-branded Marketplace, set scopes & redirect URL, install the app to a sub-account, then exchange the code for tokens via /oauth/token. Access tokens last ~24 hours; refresh tokens last up to 1 year and can be rotated.
Option B — Private Integration token: For internal automations, generate a token and call the APIs directly (skip the end-user OAuth UI).
contacts.readonly contacts.write, calendars.*) when creating your app.
curl -X POST "https://services.leadconnectorhq.com/oauth/token" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d '{
"client_id": "YOUR_CLIENT_ID",
"client_secret":"YOUR_CLIENT_SECRET",
"grant_type": "authorization_code",
"code": "ONE_TIME_AUTH_CODE",
"user_type": "Location",
"redirect_uri": "https://yourapp.com/oauth/callback"
}'
Required Headers
| Header | Value | Notes |
|---|---|---|
| Authorization | Bearer <access_token> | Token from OAuth or Private Integration |
| Version | 2021-07-28 | Mandatory for v2 endpoints |
| Content-Type | application/json | For JSON requests |
| Accept | application/json | JSON responses |
Base URL
All v2 endpoints live under the LeadConnector domain:
https://services.leadconnectorhq.com
The install link used during OAuth can be standard or white-label (via your 1stContact-branded Marketplace). API calls still go to the LeadConnector base URL.
Rate Limits
- Burst: 100 requests / 10 seconds per app per resource (Location/Company)
- Daily: 200,000 requests per app per resource
On HTTP 429, back off and retry (exponential backoff). Respect pagination for bulk operations.
Core Endpoint Examples
Contacts
Create and search contacts.
curl -X POST "https://services.leadconnectorhq.com/contacts/" \
-H "Authorization: Bearer <ACCESS_TOKEN>" \
-H "Version: 2021-07-28" \
-H "Content-Type: application/json" \
-d '{
"firstName":"Ada",
"lastName":"Lovelace",
"email":"[email protected]",
"phone":"+15555550123",
"source":"api",
"tags":["api","vip"]
}'
curl -X POST "https://services.leadconnectorhq.com/contacts/search" \
-H "Authorization: Bearer <ACCESS_TOKEN>" \
-H "Version: 2021-07-28" \
-H "Content-Type: application/json" \
-d '{
"query":"[email protected]",
"limit":50,
"page":1
}'
Appointments
Create and retrieve appointments (Calendar Events API).
curl -X POST "https://services.leadconnectorhq.com/calendars/events/appointments" \
-H "Authorization: Bearer <ACCESS_TOKEN>" \
-H "Version: 2021-07-28" \
-H "Content-Type: application/json" \
-d '{
"calendarId":"CALENDAR_ID",
"contactId":"CONTACT_ID",
"title":"Strategy Call",
"startTime":"2025-09-05T15:00:00Z",
"endTime":"2025-09-05T15:30:00Z",
"timeZone":"America/Chicago",
"notes":"Booked via API"
}'
Webhooks
Subscribe inside your Marketplace app settings. Useful events include:
| Event | When |
|---|---|
ContactCreate | A new contact is created |
ContactUpdate | A contact is updated |
AppointmentCreate | An appointment is booked |
OpportunityCreate | A pipeline opportunity is created |
InboundMessage | A contact sends a message |
Add your webhook URL in your app’s settings and toggle on events.
Error Handling
| Status | Meaning | Action |
|---|---|---|
400 | Bad request | Validate payload/fields |
401 | Unauthorized | Check bearer token; include Version header |
403 | Insufficient scope | Adjust app scopes/installation |
404 | Not found | Verify IDs/paths |
409 | Conflict | De-dupe or resolve state |
422 | Validation error | Fix required fields/format |
429 | Rate limit | Backoff & retry; respect limits |
5xx | Server error | Retry with jitter, monitor |
Security Best Practices
- Store client secrets and refresh tokens server-side only.
- Use HTTPS everywhere; rotate tokens; use least-privilege scopes.
- Implement exponential backoff and idempotency where possible.
- Log request IDs & timestamps for observability; never log secrets.
FAQ
Can I call the API via our 1stContact.ai domain? Use the 1stContact-branded install URL for OAuth, but API calls go to services.leadconnectorhq.com.
Do I always need the Version header? Yes—Version: 2021-07-28 is required for v2 endpoints.
How long do tokens last? Access token ~24h; refresh token up to 1 year (rotates on use).
Last updated: September 3, 2025 • Need help? Contact 1stContact.ai support.