Developer docs

Built for engineers.

Real API. Real docs. Real webhooks. Things automotive CRMs traditionally don’t ship.

4 public endpoints·22 tRPC routers·5 webhook events·edge-cached 60s

ADF webhook Status JSON AWAIS feed Status badges

What’s public

Four public endpoints. Real URLs, real examples.

Every example below is verified against the actual route file in our repo. No fake URLs, no sample data that doesn’t match the response shape, no “coming soon” placeholders.

POST/api/webhooks/adf

ADF/XML lead intake — OEM and lead-provider webhook

Standard ADF/XML POST receiver for OEM lead programs and third-party providers (Cars.com, AutoTrader, HomeNet, Edmunds). Per-dealer token in the query string identifies the lead source. Optional HMAC signature provides defense-in-depth for high-trust vendors. Lead processing runs on the same production pipeline as our inbound-email path — two intake surfaces, one downstream.

Authentication: Per-dealer ADF token in query string (?token=...). When ADF_WEBHOOK_SECRET is configured on a dealer, the x-adf-signature header is REQUIRED on every request — a missing signature is treated as an attack.
Headers: Content-Typerequiredapplication/xml or text/xml
x-adf-signatureoptionalHex-encoded HMAC-SHA256 of the raw body, signed with the dealer's ADF_WEBHOOK_SECRET. Required when HMAC is enabled on the lead source.
Caching: Never cached. Each POST creates a real Lead row and downstream LeadActivity events.
Rate limits: No published rate limit. Behind Vercel's edge protection. Sustained > 10 RPS per token will trigger graylisting — contact developers@gladiuscrm.com if you need a higher tier.
Error responses: 400Empty request body.
401Missing token / invalid token / missing signature header / invalid HMAC signature.
500Internal pipeline error. Response includes { error: string }. Safe to retry with exponential backoff.
Notes: HMAC signature scheme: hex(HMAC-SHA256(secret, raw_request_body)). The constant-time comparison is performed in src/app/api/webhooks/adf/route.ts. Raw body MUST be passed byte-for-byte — re-serializing the XML between signing and POSTing will break the signature.

Example request

bash

curl -X POST \
  "https://gladiuscrm.com/api/webhooks/adf?token=lds_REPLACE_WITH_YOUR_TOKEN" \
  -H "Content-Type: application/xml" \
  -H "x-adf-signature: <hex-sha256-hmac-of-body>" \
  --data-binary @lead.xml

Example response

json

{
  "success": true,
  "leadId": "clxyz123abc456def789",
  "parseOk": true,
  "autoAssigned": true
}

GET/api/status/aggregate

Ecosystem health JSON — powers the public /status page

Aggregates real-time health from all 5 vertical /api/health endpoints, plus federation event counts and AWAIS counters, into a single JSON payload. Powers /status. Defensive contract: this endpoint NEVER 500s — a nuked DB and every vertical down still returns 200 with ok:false rows so consumers render a clean red state instead of an opaque proxy error.

Authentication: Public. No auth, no API key, no rate limit beyond edge protection.
Headers: Acceptoptionalapplication/json
Caching: Cache-Control: public, s-maxage=60, stale-while-revalidate=120. The /status page polls every 15s so 75%+ of polls hit the Vercel edge cache.
Rate limits: Effectively unlimited — edge-cached for 60 seconds. Origin sees ~1 request per region per minute regardless of consumer poll frequency.
Error responses: 200Always 200. Down verticals appear as { ok: false, status: 'down' } rows.
Notes: Published floors: iqScore >= 145, rulesActive >= 66, patternsBank >= 261. Live counters override the floor when higher. A transient DB hiccup never makes the response smaller than the published category claims.

Example request

bash

curl -s https://gladiuscrm.com/api/status/aggregate | jq .ecosystem.verticals

Example response

json

{
  "generatedAt": "2026-05-30T17:14:02.318Z",
  "ecosystem": {
    "verticals": [
      {
        "slug": "gladiuscrm",
        "name": "Auto CRM",
        "ok": true,
        "status": "ok",
        "responseMs": 142,
        "httpStatus": 200,
        "version": "ec74a91",
        "lastChecked": "2026-05-30T17:14:02.318Z"
      }
    ],
    "okCount": 5,
    "total": 5,
    "avgResponseMs": 168
  },
  "awais": {
    "iqScore": 145,
    "rulesActive": 66,
    "patternsBank": 261,
    "events24h": 8421
  },
  "federation": {
    "last60s": 14,
    "last1h": 612,
    "last24h": 8421,
    "lastEventAgoMs": 4318
  },
  "uptime": {
    "last30d": [
      { "day": "2026-05-01", "okRatio": 1, "events": 7912 }
    ]
  },
  "lastIncidentAgoMs": null
}

GET/api/awais/incidents/recent

AWAIS incident feed — anonymized 24h attack log

Returns the last 50 federation events as anonymized incident rows, plus a 24-hour hour-bucketed heatmap and the top-3 most-triggered rules. Powers the public /awais/incidents page. Tenant IDs, dealer IDs, IP addresses, raw payloads, pattern keys, and second-level timestamps are all stripped — only coarse pattern labels and bucketed severities ship.

Authentication: Public. No auth, no API key.
Headers: Acceptoptionalapplication/json
Caching: Cache-Control: public, s-maxage=60, stale-while-revalidate=120. The /awais/incidents page polls every 10s so the edge absorbs ~83% of traffic.
Rate limits: Effectively unlimited — edge-cached for 60 seconds. Same defensive contract as /api/status/aggregate: never 500s, returns empty arrays on DB outage.
Error responses: 200Always 200. Empty incidents / flat heatmap / empty leaderboard on cold start or DB outage.
Notes: Timestamps are rounded to the nearest UTC minute. Pattern labels are a stable FNV-1a hash of the internal kind — the same internal event always maps to the same public label, so consumers can group by (rule, pattern) across polls. Propagation latency is synthetic (anchored to real bus-to-bus production traces, never a real per-event measurement). See src/app/api/awais/incidents/recent/route.ts for the full anonymization contract.

Example request

bash

curl -s https://gladiuscrm.com/api/awais/incidents/recent \
  | jq '.incidents[0], .totals, .leaderboard'

Example response

json

{
  "generatedAt": "2026-05-30T17:14:02.318Z",
  "incidents": [
    {
      "ts": "2026-05-30T17:13:00.000Z",
      "pattern": "Credential-stuffing burst",
      "rule": "rule#42",
      "origin": "CRM",
      "severity": "elevated",
      "propagationMs": 17,
      "verticalsHit": 4
    }
  ],
  "totals": {
    "last24h": 8421,
    "patterns24h": 11,
    "avgPropagationMs": 21,
    "rulesActive": 66
  },
  "heatmap": [
    { "hour": "17:00", "count": 342 }
  ],
  "leaderboard": [
    { "rule": "rule#42", "pattern": "Credential-stuffing burst", "count": 1184 }
  ],
  "lastEventAgoMs": 4318
}

GET/api/badge/[vertical]/[metric].svg

Embeddable status SVG badges — shields.io style

Drop-in SVG status badges anyone can embed in a README, partner microsite, or dealer marketing page. Three metrics shipped: health (Operational / Degraded / Down), uptime (% or N/5 up), and awais-iq (live AWAIS IQ score). Every embed renders the Gladius wordmark, so this is also a free network-effect surface.

Authentication: Public. CORS Access-Control-Allow-Origin: * so remote pages can fetch + cache.
Headers: Acceptoptionalimage/svg+xml
Caching: Cache-Control: public, s-maxage=300, stale-while-revalidate=600. Partner pages can be embedded 10,000x and the origin sees ~1 hit per badge per 5 minutes.
Rate limits: Effectively unlimited — edge + browser cached for 5 minutes minimum.
Error responses: 200 (Unknown vertical)Unknown vertical slug renders a 'Unknown vertical' SVG so the embed stays visually intact. NEVER a 4xx.
200 (Unknown metric)Unknown metric renders 'Unknown metric'. NEVER a 4xx.
Notes: Supported verticals: gladiuscrm, gladiusbdc, gladiusturf, gladiusstone, gofetchauto, ecosystem. Supported metrics: health, uptime, awais-iq. The trailing .svg is optional — both /health and /health.svg resolve to the same image so most CMS embed flows just work.

Example request

bash

# Vertical-specific health badge
curl -s "https://gladiuscrm.com/api/badge/gladiuscrm/health.svg" > badge.svg

# Whole-ecosystem uptime badge
curl -s "https://gladiuscrm.com/api/badge/ecosystem/uptime.svg" > badge.svg

# AWAIS IQ score badge
curl -s "https://gladiuscrm.com/api/badge/ecosystem/awais-iq.svg" > badge.svg

Example response

html

<!-- Markdown embed -->
![Gladius status](https://gladiuscrm.com/api/badge/ecosystem/health.svg)

<!-- HTML embed -->
<img
  src="https://gladiuscrm.com/api/badge/gladiuscrm/uptime.svg"
  alt="Gladius CRM uptime"
  height="20" />

<!-- Live preview tile (rendered above the example) -->

For pilot dealers

22 tRPC routers. Typesafe end-to-end.

The authenticated CRM API is exposed via tRPC v11 — full TypeScript types from server to client, no manual schema generation, no OpenAPI drift. Available to your dev team on request after pilot signing. Schema reference lives behind auth at /dashboard/api for every active rooftop.

lead

Lead CRUD, scoring, assignment, soft-delete.

customer

Customer + household graph, encrypted PII reads.

vehicle

Vehicle history, ownership chain, equity.

leadActivity

Append-only activity stream (touches, status changes).

leadSource

Provider config, ADF tokens, attribution windows.

dashboard

Manager + rep widget streams.

communication

Send / receive SMS, email, voice via Twilio + Resend.

communicationTemplate

Template library, variable interpolation, A/B.

notificationPreference

Per-user channel + quiet-hours config.

followUpRule

Cadence engine config (Smart Tasks).

ai

Claude-routed scoring, drafting, classification, RAG.

reporting

Aggregations, exports, cohort + funnel queries.

deal

Deal sheet, desking, F&I, signed contracts.

dms

DMS bridge (4 providers): inventory + deal write-back.

oem

OEM certification pipelines + manufacturer programs.

appointment

Scheduling, calendar sync, show / no-show.

task

Smart Tasks (manager-issued + auto-generated).

inventory

Stock photo, equity, days-on-lot.

service

Service-to-sales bridge, RO data, in-bay opportunities.

review

Birdeye / Podium replacement: review request + reply.

callTracking

DNI, recording, AI score, attribution.

payment

Stripe Connect: deposits, holds, full collection.

Looking for OpenAPI or REST? We don’t ship one — tRPC gives our team end-to-end type safety we’re not willing to give up. If your stack can’t consume tRPC, a thin REST shim is on the Q3 roadmap; email developers@gladiuscrm.com to be on the early list.

Authentication

Sessions, tokens, and HMAC.

Authenticated app (tRPC): Stateless HMAC-signed session JWT in an httpOnly gladius_session cookie. Issued at sign-in, rotated on every privilege change. Verified per request via our edge auth helper — no Clerk, no Auth0, no external dependency. tRPC procedures inherit dealer + role context from the cookie automatically; no Authorization header to manage.

Multi-factor: Optional homegrown TOTP (RFC 6238) with AES-GCM wrapped secrets and bcrypt backup codes. Dealers can enforce MFA org-wide via the mfaRequiredByDealer setting. Five-minute pending-mfa cookie carries the challenge state.

Public ADF webhook: Per-dealer token in the query string identifies the lead source. Optional HMAC-SHA256 over the raw body via x-adf-signature header. Compared in constant time to avoid timing leaks. When the dealer has ADF_WEBHOOK_SECRET configured the signature header becomes REQUIRED — a missing header is treated as an attack, not as a misconfigured client.

Outbound webhooks: Each subscription URL gets its own HMAC secret. Every outbound POST carries an x-gladius-signature header (hex-SHA256-HMAC of the raw body) and an x-gladius-event header naming the event. Verify in constant time before trusting the payload.

Webhook events

Subscribe to changes, not poll.

Outbound webhook subscriptions are configured per-dealer in the pilot portal. Each event ships a stable JSON envelope plus the event-specific data block shown below. PII fields (names, phone, email) ship as encrypted references for events.created flows; resolve via the authenticated tRPC API.

POSTlead.created

On every new lead from any intake surface (ADF, inbound email, web form, manual entry).

json

{
  "event": "lead.created",
  "createdAt": "2026-05-30T17:14:02.318Z",
  "data": {
    "leadId": "clxyz...",
    "dealerId": "clxyz...",
    "source": "ADF webhook (Cars.com)",
    "fullName": "<encrypted-ref>",
    "vehicleOfInterest": "2025 Toyota RAV4"
  }
}

POSTlead.scored

Each time the AI re-scores a lead (on touch, on response, on cadence event).

json

{
  "event": "lead.scored",
  "createdAt": "2026-05-30T17:14:02.318Z",
  "data": {
    "leadId": "clxyz...",
    "score": 78,
    "tier": "HOT",
    "reasons": ["replied within 4 min", "viewed equity report"]
  }
}

POSTappointment.scheduled

On appointment create OR reschedule.

json

{
  "event": "appointment.scheduled",
  "createdAt": "2026-05-30T17:14:02.318Z",
  "data": {
    "appointmentId": "clxyz...",
    "leadId": "clxyz...",
    "scheduledFor": "2026-06-02T19:00:00.000Z",
    "channel": "self-serve-portal"
  }
}

POSTcommunication.sent

On every outbound SMS, email, or voice attempt. Inbound replies fire communication.received.

json

{
  "event": "communication.sent",
  "createdAt": "2026-05-30T17:14:02.318Z",
  "data": {
    "communicationId": "clxyz...",
    "leadId": "clxyz...",
    "channel": "sms",
    "direction": "out",
    "providerMessageId": "SM..."
  }
}

POSTpayment.captured

On a successful Stripe charge against a Gladius-issued payment intent (deposit, hold, full collection).

json

{
  "event": "payment.captured",
  "createdAt": "2026-05-30T17:14:02.318Z",
  "data": {
    "paymentId": "clxyz...",
    "leadId": "clxyz...",
    "amountCents": 50000,
    "currency": "usd",
    "stripeChargeId": "ch_..."
  }
}

SDK + language support

TypeScript first. cURL always.

TypeScript / tRPC

Direct @trpc/client usage with our shared AppRouter type. Zero generated code, full inference, no schema drift.

cURL

Every public endpoint works with vanilla curl. See the request examples above — copy + paste, swap the token, ship.

Postman collection

On request from developers@gladiuscrm.com. Ships with environment variables for all four public endpoints pre-wired.

Status + uptime

Watch it live, embed it anywhere.

Public status page

/status

5-vertical live health, 30-day uptime grid, AWAIS counters. Polls /api/status/aggregate every 15s.

Open status →

AWAIS live feed

/awais/incidents

Anonymized 24h attack log + heatmap + top-3 rule leaderboard. Polls /api/awais/incidents/recent every 10s.

Watch AWAIS →

Embeddable SVG badges

/status/badges

Drop-in shields for READMEs, partner sites, and dealer microsites. Live previews + copy-as-Markdown.

Grab a badge →

Sample badge URLs

https://gladiuscrm.com/api/badge/ecosystem/health.svg

https://gladiuscrm.com/api/badge/ecosystem/uptime.svg

https://gladiuscrm.com/api/badge/ecosystem/awais-iq.svg

https://gladiuscrm.com/api/badge/gladiuscrm/health.svg

Contact + support

How to reach the team directly.

General + integrations

developers@gladiuscrm.com

Replied within 24 hours, including weekends.

Bug reports + outages

Check /status first →

Live health for every vertical. If your symptom matches a red row, we already know.

security@gladiuscrm.com

For coordinated vulnerability disclosure.

Founder direct

813-442-0253

Ricardo Gamon, founder. Pilot dealers + serious integration partners only — say “developer” so it routes past sales.

Gladius Technologies LLC · Tampa, FL · 2026

Gladius

curl -X POST \ "https://gladiuscrm.com/api/webhooks/adf?token=lds_REPLACE_WITH_YOUR_TOKEN" \ -H "Content-Type: application/xml" \ -H "x-adf-signature: <hex-sha256-hmac-of-body>" \ --data-binary @lead.xml

{ "generatedAt": "2026-05-30T17:14:02.318Z", "ecosystem": { "verticals": [ { "slug": "gladiuscrm", "name": "Auto CRM", "ok": true, "status": "ok", "responseMs": 142, "httpStatus": 200, "version": "ec74a91", "lastChecked": "2026-05-30T17:14:02.318Z" } ], "okCount": 5, "total": 5, "avgResponseMs": 168 }, "awais": { "iqScore": 145, "rulesActive": 66, "patternsBank": 261, "events24h": 8421 }, "federation": { "last60s": 14, "last1h": 612, "last24h": 8421, "lastEventAgoMs": 4318 }, "uptime": { "last30d": [ { "day": "2026-05-01", "okRatio": 1, "events": 7912 } ] }, "lastIncidentAgoMs": null }

{ "generatedAt": "2026-05-30T17:14:02.318Z", "incidents": [ { "ts": "2026-05-30T17:13:00.000Z", "pattern": "Credential-stuffing burst", "rule": "rule#42", "origin": "CRM", "severity": "elevated", "propagationMs": 17, "verticalsHit": 4 } ], "totals": { "last24h": 8421, "patterns24h": 11, "avgPropagationMs": 21, "rulesActive": 66 }, "heatmap": [ { "hour": "17:00", "count": 342 } ], "leaderboard": [ { "rule": "rule#42", "pattern": "Credential-stuffing burst", "count": 1184 } ], "lastEventAgoMs": 4318 }

# Vertical-specific health badge curl -s "https://gladiuscrm.com/api/badge/gladiuscrm/health.svg" > badge.svg # Whole-ecosystem uptime badge curl -s "https://gladiuscrm.com/api/badge/ecosystem/uptime.svg" > badge.svg # AWAIS IQ score badge curl -s "https://gladiuscrm.com/api/badge/ecosystem/awais-iq.svg" > badge.svg

 ![Gladius status](https://gladiuscrm.com/api/badge/ecosystem/health.svg)  <img src="https://gladiuscrm.com/api/badge/gladiuscrm/uptime.svg" alt="Gladius CRM uptime" height="20" /> 

{ "event": "lead.created", "createdAt": "2026-05-30T17:14:02.318Z", "data": { "leadId": "clxyz...", "dealerId": "clxyz...", "source": "ADF webhook (Cars.com)", "fullName": "<encrypted-ref>", "vehicleOfInterest": "2025 Toyota RAV4" } }

{ "event": "lead.scored", "createdAt": "2026-05-30T17:14:02.318Z", "data": { "leadId": "clxyz...", "score": 78, "tier": "HOT", "reasons": ["replied within 4 min", "viewed equity report"] } }

{ "event": "appointment.scheduled", "createdAt": "2026-05-30T17:14:02.318Z", "data": { "appointmentId": "clxyz...", "leadId": "clxyz...", "scheduledFor": "2026-06-02T19:00:00.000Z", "channel": "self-serve-portal" } }

{ "event": "communication.sent", "createdAt": "2026-05-30T17:14:02.318Z", "data": { "communicationId": "clxyz...", "leadId": "clxyz...", "channel": "sms", "direction": "out", "providerMessageId": "SM..." } }

{ "event": "payment.captured", "createdAt": "2026-05-30T17:14:02.318Z", "data": { "paymentId": "clxyz...", "leadId": "clxyz...", "amountCents": 50000, "currency": "usd", "stripeChargeId": "ch_..." } }