API documentation
Everything the dashboard does, the API does. Scoped keys, a stable REST surface, HMAC webhooks, an MCP server and a bring-your-own-LLM agent - one permission model across all of them.
API keys
Create a key in Settings → Integrations. Keys are shown once and stored hashed. Every key carries RBAC scopes - the same permission set that governs the UI - and is rate-limited per key. Send it as a bearer token on every request.
- Scoped to the same RBAC permissions as the dashboard
- Shown once, stored hashed, revocable any time
- Per-key rate limits, separate from session APIs
curl https://api.outboundrix.io/v1/contacts \ -H "Authorization: Bearer obx_live_sk_XXXXXXXX" \ -H "Content-Type: application/json"
One stable REST surface
https://api.outboundrix.io/v1JSON over HTTPS. Public REST surface, separate from the session-cookie dashboard APIs.
/v1/contactsList and filter contacts in the workspace. Supports ICP filters, fit-score thresholds and cursor pagination.
curl https://api.outboundrix.io/v1/contacts \ -H "Authorization: Bearer obx_live_sk_XXXXXXXX" \ -H "Content-Type: application/json"
{
"object": "list",
"data": [
{
"id": "con_3kf9a2",
"email": "[email protected]",
"full_name": "Dana Ruiz",
"company": "Acme",
"fit_score": 0.82,
"verified": true
}
],
"has_more": false
}/v1/sequencesCreate a branching multichannel sequence. Steps can wait and branch on reply signal; spam-lint runs server-side before launch.
curl -X POST https://api.outboundrix.io/v1/sequences \
-H "Authorization: Bearer obx_live_sk_XXXXXXXX" \
-H "Content-Type: application/json" \
-d '{
"name": "Q2 Heads of Sales",
"mailbox_pool": "pool_default",
"steps": [
{ "channel": "email", "wait_days": 0 },
{ "channel": "email", "wait_days": 3, "if": "no_reply" }
]
}'{
"id": "seq_a1b2c3",
"name": "Q2 Heads of Sales",
"status": "draft",
"steps": 2,
"created_at": "2026-05-17T09:20:00Z"
}/v1/sequences/:id/launchLaunch a draft sequence from a warmup-safe rotated mailbox pool. Returns 409 if the pool is not warmed.
/v1/api-keys/:idRevoke an API key immediately. In-flight requests using it fail with 401 on the next call.
HMAC-signed event delivery
Register an endpoint per workspace and Outboundrix fires on domain events - contact.created, reply.received, sequence.finished. Every payload is HMAC-signed with your workspace secret; verify the signature header before trusting the body.
- Workspace-defined endpoints
- HMAC signature header on every delivery
- Exponential backoff with jitter on failure
{
"event": "reply.received",
"created_at": "2026-05-17T11:04:22Z",
"data": {
"contact_id": "con_3kf9a2",
"sequence_id": "seq_a1b2c3",
"classification": "interested"
}
}Operate the platform from any model
A Model Context Protocol server exposes Outboundrix operations as tools - search contacts, enrich, create and launch sequences, read deliverability, CRM read/write. Auth uses the same scoped API keys, and the tool surface mirrors the REST capability set so there is one permission model. Point any MCP-capable model at it.
- Same scoped keys as REST and the UI
- Tool surface mirrors /v1 capabilities
- Ships in the same deployment, one permission model
{
"mcpServers": {
"outboundrix": {
"url": "https://mcp.outboundrix.io",
"headers": {
"Authorization": "Bearer obx_live_sk_XXXXXXXX"
}
}
}
}Your key, your model, your cost
Store your own provider key (OpenAI, Anthropic or Gemini) - encrypted, per workspace, never in source. An agent runtime executes GTM workflows (build a list, draft and launch a sequence, triage replies) by calling the MCP tool surface. The provider adapter is model-agnostic: your key and model choice drive cost and selection, not ours.
- Provider key encrypted per workspace
- Actions bounded by the API key RBAC scopes
- Every action written to the activity log
- Provider-agnostic adapter, no token markup