API Reference
Pounce's webhook and REST API endpoints for integrating with external tools and services.
Base URL
https://your-pounce-domain.com/api
For managed hosting, use https://app.pouncefirst.com/api.
All API endpoints require authentication unless noted.
Authentication
API requests use your license key as a Bearer token:
Authorization: Bearer PC-XXXX-XXXX-XXXX
Webhook Endpoints
These endpoints receive events from external providers.
Resend Inbound Email
POST /api/webhook/resend
Receives inbound email events from Resend. Automatically creates a lead from the email sender and content.
How it works: Resend sends webhook metadata (sender, recipient, subject, email ID). Pounce then fetches the full email content (body, headers, reply-to) from the Resend API using the email ID.
Recipient filtering: Only emails sent to your configured sender address (e.g., hello@yourdomain.com) are processed. Other addresses on the same domain are ignored.
Setup: In your Resend dashboard, create an inbound route pointing to this URL with your domain. See Inbox Setup for detailed steps.
Webhook verification: When RESEND_WEBHOOK_SECRET is set as an environment variable, Pounce verifies the Resend signature before processing.
Stripe Webhook
POST /api/stripe/webhook
Receives Stripe events for subscription management. Handles checkout completion, plan changes, and cancellations.
Booking Webhook
POST /api/webhook/booking?provider=calcom
POST /api/webhook/booking?provider=calendly
Receives booking events from Cal.com or Calendly. Matches leads by email, transitions status to Scheduled, and logs the booking in the conversation.
Cal.com setup: Create a webhook in your Cal.com dashboard with event BOOKING_CREATED pointing to this URL.
Calendly setup: Create a webhook subscription with event invitee.created pointing to this URL.
Webhook verification: When CALCOM_WEBHOOK_SECRET or CALENDLY_WEBHOOK_SECRET is set as an environment variable, Pounce verifies the provider’s signature header before processing. Without a secret, all requests are accepted (fine for testing, not recommended for production).
Request body: Handled automatically — Pounce parses the provider-specific payload format.
Response:
{
  "processed": true,
  "leadId": "uuid",
  "status": "scheduled",
  "isNewLead": false
}
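The signature check described under "Webhook verification" for the booking webhook, sketched as an added example (this is not Pounce's own code). The header names and signing formats are assumptions taken from Cal.com's and Calendly's public webhook documentation; `verifyBooking`, its parameters and the 300-second tolerance are hypothetical, and unlike the default described above it rejects requests when no secret is configured.

```javascript
// Added example, not Pounce's code. Header names and signing formats are
// assumptions taken from Cal.com's and Calendly's public webhook docs.
const crypto = require("node:crypto");

const hmacHex = (secret, data) =>
  crypto.createHmac("sha256", secret).update(data).digest("hex");

// Constant-time compare of a received hex digest against the expected one.
function safeEqualHex(received, expected) {
  if (!/^[0-9a-f]{64}$/i.test(received)) return false; // strict SHA-256 hex
  return crypto.timingSafeEqual(Buffer.from(received, "hex"), Buffer.from(expected, "hex"));
}

// headers: lower-cased header map; rawBody: the exact body string as received
// (check the signature before JSON.parse, since re-serialising changes the bytes).
function verifyBooking(provider, headers, rawBody, env, nowSec, toleranceSec = 300) {
  const secrets = { calcom: env.CALCOM_WEBHOOK_SECRET, calendly: env.CALENDLY_WEBHOOK_SECRET };
  if (!Object.hasOwn(secrets, provider)) return { ok: false, reason: "unknown provider" };
  const secret = secrets[provider];
  if (!secret) return { ok: false, reason: "secret not configured" }; // fail closed

  if (provider === "calcom") {
    // Cal.com: hex HMAC-SHA256 of the raw body
    const sig = headers["x-cal-signature-256"] || "";
    return safeEqualHex(sig, hmacHex(secret, rawBody))
      ? { ok: true } : { ok: false, reason: "bad signature" };
  }

  // Calendly: "t=<unix seconds>,v1=<hex HMAC-SHA256 of `${t}.${rawBody}`>"
  const header = headers["calendly-webhook-signature"] || "";
  const fields = Object.fromEntries(header.split(",").map((p) => p.trim().split("=")));
  const ts = Number(fields.t);
  if (!fields.t || !Number.isFinite(ts)) return { ok: false, reason: "malformed header" };
  // Reject old deliveries so a captured request cannot be replayed later.
  if (Math.abs(nowSec - ts) > toleranceSec) return { ok: false, reason: "stale timestamp" };
  return safeEqualHex(fields.v1 || "", hmacHex(secret, `${fields.t}.${rawBody}`))
    ? { ok: true } : { ok: false, reason: "bad signature" };
}
```

Pass the current Unix time in seconds as `nowSec`; it is a parameter so the replay window can be tested deterministically.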
Form Endpoints
Submit Form
POST /api/f/{form-slug}
Submit a lead through a specific form. Accepts application/json or application/x-www-form-urlencoded.
Request body:
{
  "name": "Jane Smith",
  "email": "jane@example.com",
  "message": "I'm interested in your services"
}
Custom fields are included by their field name.
Form Embed Script
GET /api/f/{form-slug}/embed.js
Returns a JavaScript snippet that renders the form with your configured styling.
Usage:
<script src="https://app.pouncefirst.com/api/f/contact/embed.js"></script>
Form Embed HTML
GET /api/f/{form-slug}/embed
Returns the form as a standalone HTML page (for iframe embedding).
Admin Endpoints
All admin endpoints require session authentication (cookie-based).
License Verification
GET /api/license/verify
Returns license status, tier, and limits.
Response:
{
  "valid": true,
  "tier": "starter",
  "maxSites": 1,
  "activeSites": 1,
  "expiresAt": "2027-01-01T00:00:00Z"
}
Rate Limits
| Endpoint | Limit |
|---|---|
| Form submissions | 10/minute per IP |
| Webhook endpoints | 100/minute per provider |
| Admin API | 60/minute per session |
Rate-limited requests receive a 429 Too Many Requests response with a Retry-After header.