Who this is for
The RESO.tax API is a firm-facing integration surface. Your firm's admin creates private keys under Settings → Integrations → API access. Each key has an internal name and reason (e.g. “WordPress form”, “Zapier leads”) and scoped permissions.
Scopes
- cases:create — POST /api/v1/cases (lead intake)
- cases:read — GET /api/v1/cases and GET /api/v1/cases/{id}
- cases:update — PATCH /api/v1/cases/{id} (enrich phone, email, intake)
- activity:append — POST /api/v1/cases/{id}/activity
- reports:export — GET /api/v1/reports/{intake|revenue|sales}
Idempotency
Send Idempotency-Key: your-unique-key on POST /api/v1/cases. Retries with the same key return the original response (safe for Zapier and form double-submits). Keys are scoped per API key.
Authentication
Send your private key on every request:
- Authorization: Bearer reso_live_…
- x-api-key: reso_live_…
Keys are shown once at creation. Revoked keys stop immediately. Rate limit: 60 requests per minute per key.
Create a case
POST https://reso.tax/api/v1/cases — scope cases:create
Required: client_first_name, client_last_name
Optional: client_email, client_phone, external_case_id, lead_id, landing_url, intake source/campaign (UUID or slug), lead_metadata (ip, referrer, utm_*), case_type
Read cases
GET https://reso.tax/api/v1/cases — scope cases:read. Query: limit (max 100), offset, status, external_case_id
GET https://reso.tax/api/v1/cases/{case_id} — single case summary
Update a case
PATCH https://reso.tax/api/v1/cases/{case_id} — scope cases:update. Update phone, email, intake source/campaign, lead_metadata, or external_case_id on an existing lead.
Post activity
POST https://reso.tax/api/v1/cases/{case_id}/activity — scope activity:append
- api.note — requires message (general integration note)
- api.lead_event — requires event (funnel milestone from your CRM)
Export reports
GET https://reso.tax/api/v1/reports/intake?format=csv&from=YYYY-MM-DD&to=YYYY-MM-DD
Same pattern for revenue and sales. Scope reports:export. Omit format=csv for JSON.
Example — create case
curl -X POST https://reso.tax/api/v1/cases \
-H "Authorization: Bearer reso_live_YOUR_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{
"client_first_name": "Jane",
"client_last_name": "Doe",
"client_email": "jane@example.com",
"client_phone": "5552014433",
"intake_source_slug": "digital",
"lead_id": "wp-form-88421",
"lead_metadata": {
"ip": "203.0.113.42",
"landing_url": "https://yourfirm.com/free-consult",
"utm_source": "google"
}
}'IRS Logics vs RESO API
IRS Logics integration pulls matters into RESO. The RESO API pushes leads into your firm — web forms, ads, middleware. Link Logics later with external_case_id.
Security
- HTTPS required in production — keys are rejected over plain HTTP.
- Keys are hashed at rest with a server pepper (FIRM_API_KEY_PEPPER).
- Per-key scopes, optional expiry, and optional IP allowlists.
- 60 requests/minute per key (distributed rate limit).
- Failed auth attempts are rate-limited per client IP.
- Revoked keys stop working within seconds (short lookup cache).
- Audit log records endpoint, outcome, and client IP per request.
- Never embed keys in public JavaScript — server-side integrations only.
Getting started
- Firm admin → Settings → API access → Create API key (choose scopes).
- Copy the key once and store it in your integration.
- Point requests at the endpoints above with the key in the Authorization header.