Pull Cause Shield data into your own stack.
Bearer-token REST API for reading fraud events, smart-classified webhooks, and uptime checks. JSON in, JSON out. Used by partners integrating Cause Shield into Salesforce NPSP, Funraisin, and Raisely.
01 · Authentication
Bearer tokens, one per integration.
Generate keys at Settings → REST API. Each key is scoped to one organisation and is shown to you exactly once at creation — we only store a sha256 hash. Send it as a standard Bearer token:
Authorization: Bearer cs_live_xxxxxxxxxxxxxxxxxxxxxxxx
A minimal end-to-end curl example:
curl https://causeshield.com/api/v1/fraud-flags \ -H "Authorization: Bearer cs_live_xxxxxxxxxxxxxxxxxxxxxxxx"
Keys can be revoked at any time from Settings. Revocation takes effect on the next request — there’s no propagation delay.
02 · Rate limits
60 requests per minute, per org.
The limit is per-organisation, not per-key — multiple keys share the same minute-granular bucket. When you exceed it we return 429 Too Many Requests with a Retry-After header in seconds. The /api/v1/me health probe is unrate-limited so you can keep using it during back-off.
If 60/min isn’t enough, get in touch — we’ll raise it for your org. We deliberately start generous to keep integrations easy.
03 · Endpoints
Five reads. JSON only. application/json.
/api/v1/meReturns the caller’s org (id, name, plan, created_at). Cheap and unrate-limited — use as a health probe.
{
"data": {
"id": "5f9d2c7e-...",
"name": "Wildlife Trust",
"plan": "partner",
"created_at": "2025-01-04T10:22:11.000Z"
}
}/api/v1/fraud-flags?limit=100&since=<iso>Lists fraud flags for the org, newest first. Each row includes the joined transaction (amount, currency, country, card_country) but never the raw donor email — PII never leaves the API.
{
"data": [
{
"id": "8a1b...",
"created_at": "2026-05-10T19:42:11.000Z",
"risk_level": "high",
"risk_score": 78,
"recommended_action": "review",
"flags": ["velocity_spike", "mismatched_country"],
"reasoning": "Three donations in 40s from the same IP …",
"transaction": {
"id": "f3c1...",
"amount_cents": 50000,
"currency": "AUD",
"country": "AU",
"card_country": "NG"
}
}
]
}/api/v1/webhook-events?limit=100&since=<iso>Lists smart-classified webhook events. Donor email + name are returned as opaque hashes (already hashed at ingest with a per-org pepper).
{
"data": [
{
"id": "11ab...",
"website_id": "9c4d...",
"ts": "2026-05-10T19:39:02.000Z",
"event_type": "donation",
"classification_confidence": "high",
"risk_level": "low",
"amount_cents": 5000,
"currency": "AUD",
"email_hash": "f7b3e1a2..."
}
]
}/api/v1/uptime?website_id=<uuid>&limit=100&since=<iso>Recent ping checks for one website (or every site in the org when website_id is omitted). Caller must own the website — the query is org-scoped automatically.
{
"data": [
{
"id": "aa12...",
"website_id": "9c4d...",
"checked_at": "2026-05-10T19:40:00.000Z",
"status": "up",
"status_code": 200,
"response_ms": 312
}
]
}/api/v1/sitesList of websites in the org. Minimal shape — enough to map your internal site IDs onto Cause Shield ones.
{
"data": [
{
"id": "9c4d...",
"url": "https://give.wildlifetrust.org",
"display_name": "Main donation site",
"last_status": "up"
}
]
}List endpoints accept ?limit= (default 100, max 1000) and ?since=<iso> for polling — pass the newest created_at / ts / checked_at you’ve seen and only newer rows come back.
04 · Errors
One shape, every failure mode.
Errors are returned as JSON with a single error string and a standard HTTP status code:
{
"error": "Rate limit exceeded"
}401
Missing or invalid Bearer token. Check the Authorization header.
403
The key is valid but the org isn’t on the Partner plan.
404
The resource (e.g. a website_id filter) doesn’t exist or belongs to a different org.
429
Rate limit exceeded. Honour Retry-After and re-issue.
Wire Cause Shield into your CRM in an afternoon.
Generate a key in settings, drop it into your Apex / Funraisin / Raisely job, and read events on a polling schedule.