🧠 HeyCMO
API Reference

API Reference

HeyCMO API — REST endpoints, MCP protocol, authentication, and integration guide.

API Reference

HeyCMO exposes both a REST API for account management and an MCP server over SSE for AI tool integration. The primary way to interact with HeyCMO's agents and workflows is through the MCP protocol via Claude Desktop, Cursor, or any MCP-compatible client.

Base URL

https://heycmo.ai

Quick Start

# Health check
curl https://heycmo.ai/api/health

# Get customer info
curl -H "Authorization: Bearer hcmo_live_YOUR_KEY" \
  https://heycmo.ai/api/customer/CUSTOMER_ID

# Connect via MCP (Claude Desktop / Cursor)
# Add to your MCP config:
# { "url": "https://heycmo.ai/mcp/sse?token=hcmo_live_YOUR_KEY" }

Authentication

All authenticated endpoints require a Bearer token in the Authorization header:

Authorization: Bearer hcmo_live_YOUR_KEY

MCP endpoints use a token query parameter instead:

GET /mcp/sse?token=hcmo_live_YOUR_KEY

See Authentication for details on API key management.

Endpoints

MethodPathAuthDescription
GET/api/healthNoneLiveness check
GET/api/health/readyNoneReadiness check (with DB)
GET/mcp/sseTokenMCP SSE connection
POST/mcp/messageTokenMCP message handler
POST/api/checkoutNoneCreate Stripe checkout
POST/api/webhooks/stripeStripeWebhook handler
GET/api/session/:idNoneGet session customer
GET/api/customer/:idBearerGet customer details
GET/api/events/:idBearerGet customer events
GET/api/dashboard/:idBearerRender dashboard
POST/api/onboard/:idBearerTrigger onboarding
POST/api/connect/:idBearerGenerate connect links
GET/api/connections/:idBearerPlatform connection status
POST/api/admin/provisionAdminProvision customer
GET|POST|PUT/api/inngestInngestCron/event functions

See Endpoints for complete documentation of each endpoint.

Rate Limiting

Rate limiting is applied per API key or IP address:

ScopeLimit
REST API60 requests/minute
MCP30 requests/minute per customer
Checkout5 requests/minute
Webhooks100 requests/minute

Error Responses

All errors follow a consistent format:

{
  "error": "Error message describing what went wrong"
}
Status CodeMeaning
400Bad request — invalid input
401Unauthorized — invalid or missing API key
413Request body too large
429Rate limited — too many requests
500Internal server error
503Service unavailable (readiness check failed)

CORS

The API allows requests from:

  • https://heycmo.ai
  • https://app.heycmo.ai
  • http://localhost:3000 (development only)
  • http://localhost:3001 (development only)

Security Headers

All responses include:

  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: camera=(), microphone=(), geolocation=()
  • Strict-Transport-Security: max-age=31536000; includeSubDomains (production)

Provenance & RSS

Public-facing dogfooding artifacts — ProvenanceFooter on every blog post, /built-by-heycmo dashboard, per-agent transparency pages, and an RSS feed of agent-published content.

Authentication

API key authentication — generation, usage, and security.

On this page

API ReferenceBase URLQuick StartAuthenticationEndpointsRate LimitingError ResponsesCORSSecurity Headers