RidgeCRM Developer Docs

Start Here

Authentication & organizations

Authenticate API clients and keep every request scoped to the correct organization.

Two auth models

RidgeCRM has two credentials: browser sessions for the app and Bearer JWTs for programmatic API calls. Keep that split explicit in the docs so developers do not assume a session cookie is enough for `/api/v1`; those routes expect the JWT.

  • Browser UI: login session plus selected organization.
  • API clients: `Authorization: Bearer <jwt>`.
  • Org-scoped APIs: add `X-Organization-ID` so handlers can load `locals.org`.

Google token exchange

Exchange a Google ID token for RidgeCRM API auth:

```http
POST /api/v1/auth/google
Content-Type: application/json

{
  "idToken": "google-id-token"
}
```

Common auth errors

  • 401 means the JWT is missing, invalid, expired, or the handler requires a user.
  • 400 often means the user is authenticated but no valid `X-Organization-ID` was supplied.
  • 403 should be used for permission or membership failures when the user exists but cannot act.
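The two-header model and the 401/400/403 split above, as an added example that is not RidgeCRM's own code: a pure function that resolves request headers into a user plus `locals.org`, or the status the rules assign to each failure. `verifyJwt` and `lookupMembership` are assumed stand-ins backed by constructed data.

```javascript
// Added example, not RidgeCRM's own code. Applies the auth rules described
// above to request headers and returns either the resolved context or the
// status code the page assigns to each failure. verifyJwt and lookupMembership
// are assumed stand-ins backed by constructed data, not the project's API.

const CONSTRUCTED_TOKENS = { "jwt-alice": { sub: "user-alice" } };
const CONSTRUCTED_MEMBERSHIPS = { "user-alice": { "org-1": "member" } };

function verifyJwt(token) {
  // A real implementation checks signature, issuer, audience and expiry.
  return CONSTRUCTED_TOKENS[token] || null;
}

function lookupMembership(userId, orgId) {
  return (CONSTRUCTED_MEMBERSHIPS[userId] || {})[orgId] || null;
}

// Header names arrive in any case, so look them up case-insensitively.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

function resolveRequestContext(headers, { requireOrg = false } = {}) {
  const match = /^Bearer\s+(\S+)$/i.exec(header(headers, "authorization") || "");
  if (!match) return { status: 401, error: "missing or malformed Bearer token" };
  const claims = verifyJwt(match[1]);
  if (!claims) return { status: 401, error: "invalid or expired JWT" };
  if (!requireOrg) return { status: 200, user: claims.sub };

  // Org-scoped handler: the user is authenticated, so a missing or
  // malformed X-Organization-ID is a 400, not a 401.
  const orgId = header(headers, "x-organization-id");
  if (!orgId || !/^[A-Za-z0-9_-]+$/.test(orgId)) {
    return { status: 400, error: "missing or invalid X-Organization-ID" };
  }
  // The user exists but cannot act in this org: 403 per the rules above.
  const role = lookupMembership(claims.sub, orgId);
  if (!role) return { status: 403, error: "not a member of this organization" };
  return { status: 200, user: claims.sub, locals: { org: { id: orgId, role } } };
}
```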