Reference
API keys & authentication
Generate keys, sign requests, and authenticate end-users.
AskAIs Customer Service exposes two kinds of credentials:
- API keys — for your backend to call the REST API as the workspace
- Inbox secret keys — to sign visitor identification payloads
API keys
Generate in Settings → API Keys. The key is shown once. Pass as a bearer token:
curl https://cs.askais.com/api/v1/conversations \
-H "Authorization: Bearer sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx"Revoke any time — the key's hash is stored, not the plaintext.
Signing visitor identification
For logged-in users, sign the identification payload server-side so a hostile visitor can't impersonate other users:
// Node.js example
import { createHmac } from "node:crypto";
const payload = JSON.stringify({
externalId: user.id,
email: user.email,
ts: Date.now(),
});
const signature = createHmac("sha256", INBOX_SECRET_KEY)
.update(payload)
.digest("hex");
res.json({ payload, signature });Then in the browser, pass both to SingChat.identify():
SingChat.identify(JSON.parse(payload), signature);Rotating keys
Rotating an inbox secret key invalidates old signatures immediately. Plan a deploy window; clients fall back to anonymous chat after rotation until your backend ships new signed payloads.
Rate limits
- Public API key: 60 requests/min per key (burst 120)
- Widget identify: 10 per visitor per minute
- Message send: 30 per conversation per minute