Commish API Reference

Base URL

Production API requests use this base URL. Demo or staging keys should be paired with their matching environment URL.

https://app.getcommish.io/api/v1

Authentication

All API requests require a valid API key sent in the Authorization header. Raw keys are checked by hash server-side:

Authorization: Bearer YOUR_API_KEY

Key format: use the exact key generated in Commish. Examples in these docs use placeholders only.

Header: send Authorization: Bearer YOUR_API_KEY over HTTPS.

Safety: start read-only for evaluation, keep keys out of client-side code, and rotate keys if they are exposed or no longer needed.

Scopes and Admin Actions

Scope	Use it for	Guidance
read	Viewing deals, users, plans, commissions, and configuration	Default for evaluation, BI pulls, and MCP exploration.
write	Creating or updating draft operational records	Enable only when the integration has a clear owner and rollback path.
admin	Approvals, rejection workflows, webhook/configuration management	Reserve for trusted server-side jobs and admin-approved MCP actions.

Admin endpoints are intentionally sensitive. Confirm who owns approvals, key rotation, and production cutover before enabling admin-scoped keys.

Pagination

List endpoints return paginated results. Use page and per_page parameters, keep per_page at or below 100, and continue until the returned page is empty or your expected total is reached.

{
  "data": [...],
  "meta": {
    "page": 1,
    "per_page": 25,
    "total": 100
  }
}

Error Codes

Errors return a consistent JSON structure:

{
  "error": {
    "code": "not_found",
    "message": "Deal not found"
  }
}

Code	HTTP Status	Description
unauthorized	401	Missing or invalid API key
forbidden	403	Insufficient permissions or inactive account
not_found	404	Resource not found
validation_error	400	Invalid request parameters
invalid_operation	400	Operation not allowed on resource in current state
rate_limited	429	Too many requests. Current limit is 100 requests/minute per API key; back off and retry after the Retry-After window.
internal_error	500	Unexpected server error

Rate Limits and Webhook Notes

Current limit: design around 100 requests per minute per API key and handle 429 responses with backoff. Requests are logged with method, path, status, response time, key, and organization context.

Webhook readiness: webhook management uses admin scope, HTTPS endpoint validation, local/private target blocking, and per-subscription secrets. Confirm delivery, retry, and idempotency requirements during implementation before using write/admin workflows at scale.

Deals

Manage sales deals and their commission calculations.

Comp Plans

Manage compensation plans and their configurations.

Users

Manage sales reps and team members.

Commissions

Aggregated commission data across your organization.

SPIFFs

Manage SPIFFs (Sales Performance Incentive Fund) and leaderboards.

Custom Deal Fields

Manage custom fields that can be added to deals for your organization.

Webhooks

Manage admin-scoped webhook subscriptions with HTTPS endpoint validation, local/private target blocking, active/inactive status, and per-subscription secrets.

Webhook Events

Webhook management supports admin-scoped subscriptions, HTTPS endpoint validation, local/private target blocking, active/inactive toggles, and per-subscription secrets. Confirm delivery retries and idempotency expectations for your implementation before depending on event workflows.

Event	Description
deal.created	A new deal is created
deal.approved	A deal is approved
deal.rejected	A deal is rejected
deal.updated	A deal is updated
commission.calculated	Commissions are recalculated
comp_plan.created	A new comp plan is created
comp_plan.updated	A comp plan is updated
comp_plan.assigned	A comp plan is assigned to a user
spiff.created	A new SPIFF is created
spiff.updated	A SPIFF is updated
spiff.completed	A SPIFF contest ends
user.created	A new user is added
user.updated	A user profile is updated