Limitations and Recommendation
General rules of working with API
All communication with the API occurs in an encrypted form over the SSL protocol. This means that all references to the API must contain the HTTPS protocol. It is especially important to remember this when accessing our system through JS, if you are referring to some third-party resources, for example, accessing the Web-sockets. Inside the system, the user is always in a secure connection and the attempt to access the HTTP picture will be blocked or the user’s browser will give them a warning.
The API key (hash) used for authentication in the API is highly desirable to update using the password change form. If the key is not updated within six months, the system reserves the right to do this automatically. Also worth noting is that the user’s API key is changed when changing the username or password without warning.
All requests must be made not on the common domain http://www.amocrm.com, but on the exact address of your account, for example, https://company.amocrm.com.
To work with our API, one of the following cryptographic protocols is required: TLS 1.1, TLS 1.2 The recommended version is TLS 1.2
Starting 16.11.2016, we completely refuse to support the SSLv3 protocol, due to the fact that this protocol is considered to be vulnerable.
The cURL library supports TLS 1.1 / 1.2, starting with version 7.34.0. In the parameters of the cURL session, you can explicitly specify the protocol version:
$curl=curl_init(); #Save the cURL session descriptor curl_setopt($curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
There are mechanisms for limiting the activity of working with the API – not more than 1 request per second, and in some methods there are restrictions on the number of data returned for one request (more details in the description of specific methods).
In case of suspicious activity via API or integration failure, access to the API of the account can be blocked. For example, if you select the same time in a short period of time, unchecked search of all data (We recommend using the If-Modified-Since header when working with lists of leads / contacts / companies / tasks.
In case of exceeding the number of requests – the HTTP code 429 will be returned, if the restrictions are repeatedly violated, the account is blocked and any code in the API will return HTTP code 403 for any request.
In the case of subscription termination, access to the data via the API will be closed 30 days after the end of the subscription. In response to requests, the server will return an HTTP code of 402.
The maximum number of returned entities (leads / contacts / companies / customers) is not more than 500.