RU
EN

Authentication & Scopes

Authentication scheme

There are three distinct authentication paths, depending on who is calling whom:

Never put a token in the URL (e.g. ?api_token=...) -- URLs are logged in more places than headers are. Always use the Authorization header.

Scopes

Every token carries an explicit list of scopes. A request only succeeds if the token's scopes include the scope required by the endpoint being called (see the per-endpoint scope column on the Endpoints page).

Scope Grants
chats:readRead chats and their metadata.
chats:writeClose, transfer, or request a rating for a chat.
messages:readRead a chat's message history.
messages:writeSend messages, typing indicators, and read receipts as an agent.
contacts:readRead contacts.
contacts:writeUpdate contact fields and attributes.
agents:readRead agent/operator info and presence.
tags:readRead tags.
tags:writeAttach tags to a contact.
files:readDownload a previously uploaded file.
files:writeUpload a new file.
stats:readRead aggregate chat/message/rating statistics.
channels:readRead a custom channel's online status.
channels:writeDeliver an inbound message on a custom channel.
webhooks:readList your webhook subscriptions.
webhooks:writeCreate, delete, or redeliver a webhook subscription.
responder:inject sensitiveInject a reply into a live chat as an external AI operator/bot.
responder:escalate sensitiveEscalate a chat from an external AI operator/bot to a human agent.
channels:register sensitiveRegister a new custom channel (gated to installed apps only).

The three scopes marked sensitive above let a token act as (or hand off to) another operator on your behalf -- grant them to a self-issued token only if you actually need that capability.

Signature rotation

The outbound signature header is versioned independently of the API path version, e.g. X-Smartbtn-Signature: sha256=v1:<hex hmac>. When you rotate your per-tenant signing secret, both the old and the new secret remain valid for a short overlap window so in-flight deliveries signed with the old secret still verify -- there is no moment where every delivery fails. Revoking a token or secret, on the other hand, takes effect immediately.

Keeping credentials safe

Treat your API token and any webhook signing secret as passwords: never commit them to source control, never log them, and never pass a token as a URL query parameter. If a token or secret leaks, contact support to revoke it and have a new one issued -- a compromised credential cannot be "changed" in place, only replaced.

Умная кнопка