QBMWServices API and Endpoint Reference

Reference the main QBMWServices endpoint groups used by QSalesView, QClock, CRM, customer dashboards, items, employees, permissions, and integrations.

Guide Summary

AudienceSupport staff, developers, implementation team, and AI agents.
Applies ToQBMWServices, QSalesView, QClock, CRM, restaurant delivery integration, QBM Server, SQL Server.
PurposeIdentify which API area is involved during login, product key validation, permission checks, dashboards, time clock, CRM, and integration calls.
Last Updated2026-05-18

Support Rules

  • Confirm the API base URL before testing any endpoint.
  • Most business endpoints require token and permission headers from the browser app.
  • Do not test protected endpoints with customer passwords or tokens in public tools.
  • A root URL response does not prove all API routes work; test the relevant route flow.

Expected result: Support can identify the endpoint group involved in a failure without exposing customer tokens or secrets.

Endpoint Groups

Endpoint GroupPurposeUsed BySupport Notes
api/Connection/loginLogin and token creation.QSalesView, QClock, web apps.First API area to check for login failures.
api/Connection/logoutLogout and session cleanup.Browser apps.Useful when stale token issues are suspected.
api/Connection/validateTokenValidates current token context.Browser apps.Invalid Token issues may surface here.
api/Connection/isValidCurrentProductKeyValidates current configured product key.QSalesView, support checks.Check appsettings.json without exposing the key.
api/Connection/validateAppValidates application permission context.QSalesView, QClock.Check app id and user security group.
api/Customer/totalSales, averageSaleValue, salesManagerReportPackSales dashboard and manager report data.QSalesView.Permission and performance issues often appear here.
api/Customer/salesByProduct, salesOverTime, salesByLocation, salesByEmployeeSales analytics breakdowns.QSalesView.Check filters, dates, permissions, and QBM Server speed.
api/Employee/checkin, checkout, lastCheckinClocking and employee time activity.QClock.Check employee/user mapping and token context.
api/Company/countries, states, serverTimeReference and server information.Browser apps.Useful to confirm basic API and server reachability.
api/Item/items, itemsStockInfoItem and stock information.QSalesView, integrations.Check item permissions, stock filters, and location.
api/Location/locationsLocation list.QSalesView, QClock.Check location permissions and active locations.
api/CRM/crmLists, dealListCRM reference and deal lists.CRM browser features.Check CRM module access and filters.
api/Customers/Lead/leadList, createLead, updateLeadLead management.CRM browser features.Check customer/lead permissions.
api/restaurant-delivery/orders, action endpoints, item mapping endpointsRestaurant delivery order support and mapping.Delivery integrations.Manager-only support actions require correct permissions.

Login And Permission Flow

  1. Browser app calls login with the configured service address.
  2. QBMWServices validates QBM user context through QBM Server.
  3. Product key validation confirms the service is licensed.
  4. Token and app id are used to validate screen or application permission.
  5. Dashboard or clocking endpoints call QBM Server using the validated token context.
  6. QBM Server reaches SQL Server and the company database.

Troubleshooting Decision Tree

  1. If login fails before token, check api/Connection/login, Service Address, QBM Server, and SQL Server.
  2. If product key fails, check isValidCurrentProductKey and masked appsettings.json.
  3. If access is denied, check validateApp, app id, user group, and report permissions.
  4. If sales dashboard times out, check Customer endpoints, date filters, QBM Server speed, and permission lookup.
  5. If QClock fails, check Employee endpoints, employee mapping, token context, and service logs.
  6. If restaurant delivery actions fail, check manager permission and integration-specific logs.

What To Send To Support

  • API base URL, with tokens removed.
  • Endpoint path that failed.
  • HTTP status, message, browser network screenshot, and timestamp.
  • QBMWServices logs from the same time.
  • User, app id or module, and permission context if relevant.

Security Notes

  • Do not share bearer tokens, passwords, product keys, or raw request bodies containing secrets.
  • Mask customer data in API screenshots.
  • Do not expose protected endpoints publicly without the approved QBM web architecture.