API reference

Authentication

There are two ways to authenticate: with a Microsoft Entra single sign-on session (which the workspace uses) or with an API key for approved server-to-server integrations.

Single sign-on

Browser sessions use Microsoft Entra ID single sign-on, including Microsoft Teams SSO. After sign-in the platform issues its own signed, HttpOnly, Secure session that is scoped to your tenant and user. Every request resolves to a verified tenant before any data is read or written.

API key

Approved integration clients (for example the Microsoft Copilot connector) authenticate with a bearer token. Send the key in the standard Authorization header. Keys are tenant-scoped, so a key only ever sees data in its own tenant.

bash
curl https://app.clmspace.com/api/agreements \
  -H "Authorization: Bearer <key>"

Who am I?

GET /api/auth/whoami returns the resolved caller (email, role and tenant ID).

json
{
  "email": "j.boghici@example.com",
  "role": "admin",
  "tenantId": "f4c2-…"
}

Tenant binding

Both authentication modes resolve to a tenant ID, which is then enforced at every read and write, including single-record lookups. See multi-tenant isolation.
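
Because a key is bound to exactly one tenant, an integration can call GET /api/auth/whoami at startup and refuse to run if the key resolves to a tenant or role it did not expect. The following is an added example, not code from the platform: the environment variable names, the `check_caller` helper and the sample tenant and role values are assumptions; only the host, the endpoint and the three response fields come from this page.

```python
import json
import os
import urllib.request

BASE_URL = "https://app.clmspace.com"  # host from the curl example on this page


def fetch_whoami(api_key, base_url=BASE_URL, timeout=10):
    """Call GET /api/auth/whoami with the bearer key and return the parsed JSON."""
    req = urllib.request.Request(
        base_url + "/api/auth/whoami",
        headers={"Authorization": "Bearer " + api_key},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def check_caller(whoami, expected_tenant, allowed_roles):
    """Return a list of problems; an empty list means the key resolved as expected."""
    if not isinstance(whoami, dict):
        return ["response is not a JSON object"]
    problems = []
    for field in ("email", "role", "tenantId"):
        if not isinstance(whoami.get(field), str) or not whoami[field]:
            problems.append("missing field: " + field)
    if problems:
        return problems
    if whoami["tenantId"] != expected_tenant:
        problems.append("key resolves to an unexpected tenant")
    if whoami["role"] not in allowed_roles:
        problems.append("role %r is not in the allowed set" % whoami["role"])
    return problems


if __name__ == "__main__":
    # Hypothetical variable names; keep the key in the environment or a
    # secret store, never in source control.
    key = os.environ["CLM_API_KEY"]
    expected = os.environ["CLM_EXPECTED_TENANT"]
    roles = set(os.environ["CLM_ALLOWED_ROLES"].split(","))
    problems = check_caller(fetch_whoami(key), expected, roles)
    if problems:
        # Report the findings only; the key itself is never printed.
        raise SystemExit("whoami preflight failed: " + "; ".join(problems))
    print("whoami preflight ok")
```
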