Resources/The Agent API Atlas/CRM/Copper

Everything an AI agent can do with the Copper API.

A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.

Endpoints31

API versionv1

Last updated23 June 2026

Orientation

How the Copper API works.

The Copper API is how an app or AI agent works with a Copper account: searching people and companies, creating a lead, advancing an opportunity through a pipeline, or logging an activity against a record. Access is granted through an API key tied to a user, so a call can reach whatever that user can reach, because Copper keys are account-level and carry no per-method permissions. Copper can also push a record change to a registered endpoint, so an integration learns about activity without polling.

31Endpoints

11Capability groups

17Read

14Write

0Permissions

Authentication

Copper authenticates each request with three headers: X-PW-AccessToken carries the API key, X-PW-UserEmail names the user who generated it, and X-PW-Application is set to developer_api. A user can hold several valid keys at once, and an admin can see and generate keys for any user. OAuth 2.0 is offered as an alternative for partner integrations.

Permissions

A Copper API key has no per-endpoint scopes. It inherits the full access of the user who owns it, so a key for an admin can reach the whole account and a key for a standard user is limited to what that user can see in the app. There is no way to narrow a single key to one record type or to read-only, the boundary is the owning user's role.

Versioning

Copper exposes one version, v1, in the request path. It does not mint new version strings for changes; instead it ships dated, backward-compatible additions, like new fields and new methods, through its changelog. An integration tracks the changelog rather than pinning a version.

Data model

Copper is record-oriented REST over JSON. The core records are People, Companies, Leads, Opportunities, Projects, Tasks, and Activities, linked by id and shaped by shared Custom Field Definitions and Pipelines. A list is fetched by POSTing to a /search endpoint with filters and paging, and a record change can be delivered to a webhook.

Connect & authenticate

Connection & authentication methods.

How an app or AI agent connects to Copper determines what it can reach. There is a route for making calls, a route for receiving events, and each is governed by the key behind it and the access of the user who owns that key.

Ways to connect

REST API

The REST API takes JSON request bodies, returns JSON, and lists records by POSTing filters to a /search endpoint with page_number and page_size paging, at https://api.copper.com/developer_api/v1. A call authenticates with the three X-PW headers carrying an API key, the key owner's email, and the application name.

Best forConnecting an app or AI agent to Copper.

Governed byThe API key and the access of the user who owns it.

Docs ↗

Webhooks

Copper POSTs a notification to a registered HTTPS endpoint when a record changes. A subscription is created via POST /webhooks with a target URL, a record type, and an event (new, update, or delete), and an optional secret lets the receiver verify the payload. Only https:// targets are accepted, and an account may hold up to 100 active subscriptions.

Best forReceiving Copper record changes at an app or AI agent.

Governed byThe subscription and the secret on the endpoint.

Docs ↗

Authentication

API key

A user generates an API key in the app, and every request sends it in X-PW-AccessToken alongside X-PW-UserEmail (the key owner's email) and X-PW-Application set to developer_api. The key has no scopes; it carries the full access of the owning user, so a key's reach equals that user's role. A user can hold several keys, and admins can generate keys for any user.

TokenAPI key in the X-PW-AccessToken header

Best forServer-side calls acting as a specific Copper user.

Docs ↗

OAuth 2.0

Copper offers an OAuth 2.0 authorization-code flow as the preferred method for partner integrations, where a user grants an app access and the app receives an access token instead of handling a raw key. The resulting token still acts as the granting user, with no per-method scopes, so its reach is that user's role.

TokenOAuth 2.0 access token

Best forPartner integrations connecting on behalf of a user.

Docs ↗

Capability map

What an AI agent can do in Copper.

The Copper API is split into areas an agent can act on, like people, companies, leads, opportunities, tasks, and activities. Each area has its own methods, and a write changes records other people in the account see.

People

6 endpoints

Methods for working with People records (individual contacts).

A write here changes real person data the account sees.

View endpoints →

Companies

4 endpoints

Methods for working with Company records (organizations).

A write here changes real company data the account sees.

View endpoints →

Leads

4 endpoints

Methods for working with Lead records (unqualified prospects).

A write here changes real lead data, and convert deletes the lead.

View endpoints →

Opportunities

3 endpoints

Methods for working with Opportunity records (deals in a pipeline).

A write here changes real opportunity data, including pipeline stage.

View endpoints →

Tasks

2 endpoints

Methods for working with Task records.

A write here changes real task data the account sees.

View endpoints →

Activities

2 endpoints

Methods for logging and reading Activities against records.

A write here adds or removes activity history on a record.

View endpoints →

Projects

1 endpoint

Methods for working with Project records.

A write here changes real project data the account sees.

View endpoints →

Pipelines

2 endpoints

Methods for reading Pipelines and their stages.

Read-only metadata describing how opportunities move through stages.

View endpoints →

Custom Fields

1 endpoint

Methods for reading Custom Field Definitions.

Read-only metadata describing the account's custom fields.

View endpoints →

Account & Users

3 endpoints

Methods for reading the account and its users.

Read-only; lists the people and settings of the account itself.

View endpoints →

Webhooks

3 endpoints

Methods for managing webhook subscriptions.

A write here changes which events get pushed to an external endpoint.

View endpoints →

Endpoint reference

Every Copper API method.

Filter by method, access, or permission, or search any path. Select a row for version detail, rate limits, the related webhook event, and the source.

Hide deprecated

Method	Endpoint	What it does	Access	Permission	Version
People Methods for working with People records (individual contacts).6
POST	`/people/search`	List and filter People records, with sorting and paging in the request body.	read	—	Current
Read-only; a POST because filters and paging go in the JSON body. Reaches whatever the key's owning user can see. Acts onperson Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/people/{id}`	Fetch a single Person record by its id.	read	—	Current
Read-only. Acts onperson Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/people/fetch_by_email`	Fetch a Person record by email address (email sent in the request body).	read	—	Current
Read-only; a POST because the email is sent in the JSON body. Acts onperson Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/people`	Create a new Person record.	write	—	Current
A core write; the new record is visible to the account. Acts onperson Permission (capability)None required VersionAvailable since the API’s base version Webhook event`person.new` Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/people/{id}`	Update fields on an existing Person record.	write	—	Current
A core write; Copper uses PUT for updates. Acts onperson Permission (capability)None required VersionAvailable since the API’s base version Webhook event`person.update` Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/people/{id}`	Delete a Person record.	write	—	Current
Irreversible removal of the record. Acts onperson Permission (capability)None required VersionAvailable since the API’s base version Webhook event`person.delete` Rate limitStandard limits apply SourceOfficial documentation ↗
Companies Methods for working with Company records (organizations).4
POST	`/companies/search`	List and filter Company records, with sorting and paging in the request body.	read	—	Current
Read-only; a POST because filters and paging go in the JSON body. Acts oncompany Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/companies/{id}`	Fetch a single Company record by its id.	read	—	Current
Read-only. Acts oncompany Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/companies`	Create a new Company record.	write	—	Current
A core write; the new record is visible to the account. Acts oncompany Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/companies/{id}`	Update fields on an existing Company record.	write	—	Current
A core write; Copper uses PUT for updates. Acts oncompany Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Leads Methods for working with Lead records (unqualified prospects).4
POST	`/leads/search`	List and filter Lead records, with sorting and paging in the request body.	read	—	Current
Read-only; a POST because filters and paging go in the JSON body. Acts onlead Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/leads`	Create a new Lead record.	write	—	Current
A core write; the new record is visible to the account. Acts onlead Permission (capability)None required VersionAvailable since the API’s base version Webhook event`lead.new` Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/leads/{id}`	Update fields on an existing Lead record.	write	—	Current
A core write; Copper uses PUT for updates. Acts onlead Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/leads/{id}/convert`	Convert a Lead into a Person, optionally also creating a Company and an Opportunity.	write	—	Current
Creates a Person (and optionally a Company and Opportunity) and deletes the original Lead. Acts onlead Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Opportunities Methods for working with Opportunity records (deals in a pipeline).3
POST	`/opportunities/search`	List and filter Opportunity records, with sorting and paging in the request body.	read	—	Current
Read-only; a POST because filters and paging go in the JSON body. Acts onopportunity Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/opportunities`	Create a new Opportunity record in a pipeline.	write	—	Current
A core write; the primary-contact field became optional on 2025-08-15. Acts onopportunity Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/opportunities/{id}`	Update fields on an existing Opportunity, including its pipeline stage.	write	—	Current
A core write; advancing a stage moves the deal in the pipeline. Acts onopportunity Permission (capability)None required VersionAvailable since the API’s base version Webhook event`opportunity.update` Rate limitStandard limits apply SourceOfficial documentation ↗
Tasks Methods for working with Task records.2
POST	`/tasks/search`	List and filter Task records, with sorting and paging in the request body.	read	—	Current
Read-only; a POST because filters and paging go in the JSON body. Acts ontask Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/tasks`	Create a new Task record.	write	—	Current
A core write; the new task is visible to the account. Acts ontask Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Activities Methods for logging and reading Activities against records.2
POST	`/activities`	Log a new Activity (a note or interaction) against a record.	write	—	Current
Only User-type activities can be created; System-type activities are read-only. Acts onactivity Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/activities/search`	List and filter Activity records, with sorting and paging in the request body.	read	—	Current
Read-only; a POST because filters and paging go in the JSON body. Acts onactivity Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Projects Methods for working with Project records.1
POST	`/projects/search`	List and filter Project records, with sorting and paging in the request body.	read	—	Current
Read-only; a POST because filters and paging go in the JSON body. Acts onproject Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Pipelines Methods for reading Pipelines and their stages.2
GET	`/pipelines`	List the Pipelines configured in the account.	read	—	Current
Read-only metadata describing how opportunities are organized. Acts onpipeline Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/pipeline_stages`	List the Pipeline Stages configured in the account.	read	—	Current
Read-only metadata; the stages an opportunity can move through. Acts onpipeline_stage Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Custom Fields Methods for reading Custom Field Definitions.1
GET	`/custom_field_definitions`	List the Custom Field Definitions configured in the account.	read	—	Current
Read-only metadata describing the account's custom fields and which records they apply to. Acts oncustom_field_definition Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Account & Users Methods for reading the account and its users.3
GET	`/account`	Fetch details about the Copper account, like its name and timezone.	read	—	Current
Read-only. Acts onaccount Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/users/search`	List the users in the account, with sorting and paging in the request body.	read	—	Current
Read-only; a POST because filters and paging go in the JSON body. Useful for detecting deactivations or role changes. Acts onuser Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/users/me`	Fetch the user that owns the API key or token making the call.	read	—	Current
Read-only; identifies which user a key acts as. Acts onuser Permission (capability)None required VersionIntroduced 2024-06-19 Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Webhooks Methods for managing webhook subscriptions.3
POST	`/webhooks`	Create a webhook subscription for a record type and event (new, update, or delete).	write	—	Current
Only https:// targets are accepted; an account may hold up to 100 active subscriptions. Acts onwebhook Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/webhooks`	List the account's active webhook subscriptions.	read	—	Current
Read-only. Acts onwebhook Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/webhooks/{id}`	Delete a webhook subscription so its events stop being pushed.	write	—	Current
Stops delivery for that subscription. Acts onwebhook Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗

No endpoints match those filters.

Webhooks

Webhook events.

Copper can notify an app when a record changes, like a person being created or an opportunity being updated. It sends the record type, the event, and the record id to a registered HTTPS endpoint, so an integration learns about activity without polling.

Event	What it signals	Triggered by
`person / new`	A new Person record was created in the account.	`/people`
`person / update`	A field on an existing Person record changed.	`/people/{id}`
`person / delete`	A Person record was removed.	`/people/{id}`
`lead / new`	A new Lead record was created.	`/leads`
`opportunity / update`	A field on an existing Opportunity changed, like its stage or value.	`/opportunities/{id}`

No events match that search.

Rate limits & pagination

Rate limits, pagination & request size.

Copper limits how fast an app can call, by a per-minute request count across the account, with a separate per-second ceiling on the bulk methods.

Request rate

Copper meters requests by a flat per-minute count across the account, not by a per-method cost or point weighting. All API calls share a limit of 180 requests per minute, and the bulk methods carry a separate ceiling of 3 requests per second. Going over either returns HTTP 429, at which point a caller backs off and retries.

Pagination

A /search endpoint is page-based, not cursor-based. The request body takes page_number (starting at 1) and page_size to walk through results, alongside sort_by and sort_direction to order them. A page that returns fewer than page_size records, or an empty page, signals the end of the results.

Request size

A /search request returns up to 200 records per page, the maximum value of page_size. An account may hold up to 100 active webhook subscriptions at once.

Errors

Status codes & error handling.

The status codes an agent should handle, and what to do about each.

Status	Code	Meaning	What to do
400	`Bad Request`	The request was malformed, for example invalid JSON or a missing required parameter.	Fix the request body and resend. The request is not retryable as-is.
401	`Unauthorized`	Authentication failed, for example a missing or invalid X-PW-AccessToken or X-PW-UserEmail header.	Confirm all three X-PW headers are present and the key and email are valid, then resend.
403	`Forbidden`	The authenticated user does not have access to the requested record or action.	Use a key owned by a user whose role allows the action, or request the access in the app.
404	`Not Found`	The requested record does not exist, or is not visible to the authenticated user.	Verify the record id and that the owning user can see it.
422	`Unprocessable Entity`	The request was well-formed but failed validation, for example an invalid webhook target or a field value Copper rejects.	Read the validation message, correct the offending field, and resend.
429	`Too Many Requests`	The 180-per-minute account limit, or the 3-per-second bulk limit, was exceeded.	Back off and retry, smoothing the request rate to stay under the limit.
500	`Internal Server Error`	An error on Copper's side. It is rare.	Retry with backoff, and contact Copper support if it persists.

Versioning & freshness

Version history.

Copper exposes one API version in the path and ships dated, backward-compatible changes through its changelog rather than minting new version strings.

Version history

What changed, and when

Latest versionv1

v1Current version

Copper Developer API v1 (current)

Copper exposes one version, v1, in the request path, and ships dated backward-compatible changes through its changelog rather than minting new version strings. Recent additions include account-detail fields, optional fields on opportunity creation, and a field-layouts endpoint.

What changed

2026-02-24: Added a logo field to the account-details response.
2025-08-15: Made the primary-contact field optional when creating an opportunity.
2025-03-10: Added an endpoint for retrieving field layouts by entity type.
2025-01-09: Added bulk opportunity creation.

2024-11-11Feature update

Pipeline and contact enhancements

A run of backward-compatible additions through late 2024, covering pipelines, opportunity search, and primary contacts.

What changed

2024-11-11: Added pipeline type and revenue-classification fields to pipeline endpoints.
2024-10-30: Added primary-contact filtering to opportunity search.
2024-06-19: Added an endpoint to retrieve the current authenticated API user; clarified OAuth 2.0 docs.
2024-04-24: Added primary-contact management for company records.

2023-08-22Feature update

Bulk APIs and OAuth 2.0

Mid-2023 introduced the beta bulk APIs, custom webhook headers, and OAuth 2.0 as the preferred method for partner integrations.

What changed

2023-08-22: Introduced beta bulk APIs for people, leads, companies, and activities.
2023-08-14: Added custom HTTP header support to webhook subscriptions.
2023-08-11: Launched OAuth 2.0 as the preferred authentication method for partners.

There is one version to target; track the changelog for new fields and methods.

Copper API changelog ↗

Questions

Copper API, answered.

How does Copper authenticate API requests?+

Every request carries three headers: X-PW-AccessToken with the API key, X-PW-UserEmail with the email of the user who generated the key, and X-PW-Application set to developer_api. A key is generated under Settings in the app, a user can hold several at once, and admins can manage keys for any user. OAuth 2.0 is available as an alternative for partner integrations.

Can a Copper API key be scoped to just one record type or to read-only?+

No. A Copper key has no per-endpoint scopes. It carries the full access of the user who owns it, so the only way to limit a key is to own it with a user whose role is already restricted in the app. A key for an admin can reach the whole account. Narrowing access to a single record type, or to read-only, has to be enforced outside Copper, which is what a gateway like Bollard does.

Why are search and list operations POST requests, not GET?+

Copper lists records through a /search endpoint that takes its filters, sorting, and paging as JSON in the request body, so those endpoints are POST even though they only read data. For example, listing people is POST /people/search. A single record is still fetched with GET, like GET /people/{id}.

How do I page through search results?+

A /search body takes page_number, starting at 1, and page_size, up to 200, plus sort_by and sort_direction. Increment page_number to walk through pages. A page that comes back with fewer than page_size records, or empty, means there are no more results.

What are the rate limits?+

All API calls share a limit of 180 requests per minute across the account. The bulk create and update methods have an additional limit of 3 requests per second. Exceeding either returns HTTP 429, and the caller should back off and retry.

How do Copper webhooks work?+

An integration registers a subscription by POSTing to /webhooks with an HTTPS target URL, a record type (like person or opportunity), and an event (new, update, or delete). Copper then POSTs a small payload naming the type, event, and record id when a matching change happens. An account can hold up to 100 active subscriptions, and only https:// targets are accepted.

What is Bollard AI?

Control what every AI agent can do in Copper.

Bollard AI sits between a team's AI agents and Copper. Grant each agent exactly the access it needs, read or write, record type by record type, and every call is checked and logged.

Set read, write, or full access per agent, never a shared Copper key.
Denied by default, so an agent reaches only what has been explicitly allowed.
Every call recorded in plain English: who, what, where, and the decision.

Control Copper access in Bollard Browse all APIs →

Copper

Sales Follow-up Agent

View people and companies ResourceOffReadFull use

Log activities ActionOffReadFull use

Delete records ActionOffReadFull use

Per-agent access, set in Bollard AI, not in Copper

How the Copper API works.

Connection & authentication methods.

REST API

Webhooks

API key

OAuth 2.0

What an AI agent can do in Copper.

People

Companies

Leads

Opportunities

Tasks

Activities

Projects

Pipelines

Custom Fields

Account & Users

Webhooks

Every Copper API method.

People

Companies

Leads

Opportunities

Tasks

Activities

Projects

Pipelines

Custom Fields

Account & Users

Webhooks

Webhook events.

Rate limits, pagination & request size.

Request rate

Pagination

Request size

Status codes & error handling.

Version history.

What changed, and when

Copper API, answered.

More crm API guides for agents

Freshsales

Pipedrive

Insightly

Close

Keap

Nutshell

Control what every AI agent can do in Copper.