Heroshhi Pro API Reference
This is the complete reference for Heroshhi Pro's API. Every action you can do in the dashboard — sending messages, managing leads, running campaigns — can also be done through these endpoints.
https://api.heroshhi.com/api
Authentication
To use the API, you first need to log in and get a token. Then include that token in every request you make. Think of it like a session key that proves who you are.
Include the token in every request header: Authorization: Bearer <jwt_token>
// Login to receive a JWT token POST https://api.heroshhi.com/api/auth/login Content-Type: application/json { "email": "admin@yourcompany.com", "password": "your_password" } // Response { "success": true, "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." }
Rate Limits
To keep things fair and prevent abuse, there's a limit on how many requests you can make in a short time. If you hit the limit, you'll get a 429 Too Many Requests error — just wait a moment and try again.
| Endpoint Type | Limit | Window |
|---|---|---|
| Standard API | 100 | 15 minutes |
| Webhook Endpoints | 500 | 15 minutes |
| Authentication | 5 | 15 minutes |
Authentication Routes /api/auth
| Method | Endpoint | Description |
|---|---|---|
| POST | /login | User login with email/password |
| POST | /signup | New user registration |
| POST | /forgot-password | Request password reset |
| POST | /reset-password | Reset password with token |
| POST | /verify-2fa | Verify 2FA code |
| GET | /me | Get current user profile |
Lead Routes /api/leads
| Method | Endpoint | Description |
|---|---|---|
| GET | / | List leads with filters and pagination |
| GET | /:id | Get single lead details |
| POST | / | Create new lead |
| PUT | /:id | Update lead |
| DEL | /:id | Delete lead |
| POST | /import | Bulk import from CSV |
| POST | /bulk-update | Update multiple leads |
| POST | /bulk-assign | Assign multiple leads |
| POST | /bulk-delete | Delete multiple leads |
| GET | /analytics | Get lead analytics |
| POST | /:id/engagement | Log engagement activity |
Message Routes /api/messages
| Method | Endpoint | Description |
|---|---|---|
| GET | / | List messages with filters |
| GET | /:leadId | Get messages for a lead |
| POST | /send | Send message to lead |
| GET | /templates | List WhatsApp templates |
WhatsApp Routes /api/whatsapp
| Method | Endpoint | Description |
|---|---|---|
| GET | /status | Get WhatsApp connection status |
| POST | /connect | Connect WhatsApp Business API |
| DEL | /disconnect | Disconnect WhatsApp |
| POST | /send | Send message (blocked if opted out) |
| POST | /send-bulk | Bulk send (opt-outs filtered) |
| GET | /coexistence | Get coexistence settings |
| PUT | /coexistence | Update coexistence settings |
Drip & Broadcast Routes
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/drips | List drip campaigns |
| POST | /api/drips/:id/enroll | Enroll leads in campaign |
| POST | /api/broadcasts | Create and send broadcast |
| GET | /api/broadcasts/:id | Get broadcast details |
Webhook Integration Guide
Lead Ingestion Webhook
You can send leads into Heroshhi Pro from any external system (your website, a form builder, etc.) using this simple webhook. No login required — just send the data and the lead appears in your dashboard.
{
"name": "John Doe",
"phone": "919876543210",
"email": "john.doe@example.com",
"source": "Website Form",
"inquiry": "Product inquiry",
"userId": "your_account_id"
}
Data Models
Lead Object
| Field | Type | Description |
|---|---|---|
| name | String* | Lead's full name (required) |
| phone | String* | Phone number with country code (required) |
| segment | Enum | hot / warm / cold |
| status | Enum | pending / contacted / qualified / converted / lost |
| assignedTo | ObjectId | Assigned sales representative (ref: User) |
| isOptedOut | Boolean | Whether this contact has opted out of messaging |
Message Object
| Field | Type | Description |
|---|---|---|
| leadId | ObjectId | Associated lead |
| direction | Enum | inbound / outbound |
| status | Enum | queued / sent / delivered / read / failed |
Opt-Out Behaviour
All messaging endpoints automatically check whether a lead has opted out before sending. This keeps you compliant with Meta policies — you don't need to check manually.
What happens when you message an opted-out lead?
If you try to send a single message or template to a lead who has opted out, the API will block it and return this response:
{
"success": false,
"message": "Cannot send message - contact has opted out",
"error": "OPT_OUT_BLOCKED"
}
Error Handling
When something goes wrong, the API always responds in the same format so your code can handle errors easily:
{
"success": false,
"message": "Error description",
"error": "Detailed error (development only)"
}
Success
Everything worked perfectly.
Created
New item created successfully.
Bad Request
Something's wrong with what you sent.
Unauthorized
Token is missing or expired.
Not Found
The item doesn't exist.
Too Many Requests
Slow down — rate limit hit.
Security Implementation
Security Headers
The API automatically adds security headers to every response, protecting against common web attacks like cross-site scripting and clickjacking.
Input Validation
Everything you send to the API is automatically checked and cleaned to prevent hacking attempts — including code injection, malicious HTML, and other common attacks.
CORS Configuration
The API only accepts requests from the official Heroshhi Pro frontend. Webhook endpoints are the exception — they're open to receive events from Meta and other integrations.