API Authorisation

Updated 6 months ago by Matthew Clementson


The API uses JSON Web Tokens (JWT) to authenticate and authorize each request, which keeps per-request overhead low and lets the same token be used across different domains.

Each developer is assigned a pair of JWTs whose payload also records the plan the developer is subscribed to. This means that if you switch plans at some stage, the tokens will change.

You can see your developer token (dev key) and the client token (client key) on the Settings page for the bot:


The developer token is used by the bot developer to make API calls related to the bot or to make changes to the bot itself. This key should not be made public, nor should it be embedded into websites or shared with third parties.

The client token has greatly reduced access rights over the bot. If you want to hand out read-only chat access to your bot or embed a chat script into a website, this is the key that should be used.

The token is passed to the API through the Authorization header.

Authorization: Bearer <token>

Sample

    curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsImNhbGciOiJERUYifQ.eNqqVgry93FVgJT8W5Brq5KOkrFpUlAEQtLYwY0NDXQMzSzNdExNLY12LZAszXQNjC8ukZBPz1CQTU6VaAAAAAP__.5h2Snhxo6n1kkS-9wNhfYlIfKJ8tQj6TlKpkboyGaDU" ...

Errors

Code  Error         Description
401   Unauthorized  Missing or invalid authorization header.
401   Forbidden     Access to the resource has been forbidden, or the JWT token may contain an invalid payload.
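The following is an added, self-contained illustration (not the platform's own code) of both sides of the scheme described above: a client attaching a token in the Authorization header, and a server-side check that maps failures onto the two error rows in the table. It assumes HS256 tokens, a constructed signing secret, and hypothetical claim names "plan" and "role" ("developer" or "client") to distinguish the developer token from the read-only client token; the real payload layout is not documented on this page.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo signing secret (assumption). On the real platform the secret
# never leaves the API servers; developers only ever see the issued tokens.
DEMO_SECRET = b"constructed-demo-secret"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes) -> str:
    """Issue a compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode()
    payload = json.dumps(claims, separators=(",", ":")).encode()
    signing_input = b64url_encode(header) + "." + b64url_encode(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def auth_header(token: str) -> dict:
    """Client side: the single header the API documents."""
    return {"Authorization": "Bearer " + token}


def authorize(headers: dict, secret: bytes, write: bool = False, now: float = None) -> tuple:
    """Server side: return (status, error, claims) following the page's error table.

    401 Unauthorized -> header missing/malformed, or the signature does not verify.
    401 Forbidden    -> payload unusable, expired, or token lacks rights for the action.
    """
    unauthorized = (401, "Unauthorized", None)
    forbidden = (401, "Forbidden", None)

    parts = (headers.get("Authorization") or "").split()
    if len(parts) != 2 or parts[0] != "Bearer" or parts[1].count(".") != 2:
        return unauthorized
    head_b64, body_b64, sig_b64 = parts[1].split(".")

    try:
        header = json.loads(b64url_decode(head_b64))
        given_sig = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        return unauthorized
    # Pin the algorithm: a token announcing "none" or any other alg is rejected
    # before anything in its payload is trusted.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return unauthorized
    expected_sig = hmac.new(secret, (head_b64 + "." + body_b64).encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, given_sig):
        return unauthorized

    # Signature verified; the payload itself must still be usable.
    try:
        claims = json.loads(b64url_decode(body_b64))
    except ValueError:
        return forbidden
    # "plan" and "role" are assumed claim names for this illustration.
    if not isinstance(claims, dict) or "plan" not in claims or "role" not in claims:
        return forbidden
    if "exp" in claims and claims["exp"] <= (time.time() if now is None else now):
        return forbidden
    # Client tokens are read-only; anything that changes the bot needs the dev token.
    if write and claims["role"] != "developer":
        return forbidden
    return (200, None, claims)


if __name__ == "__main__":
    dev = mint_token({"sub": "bot-42", "plan": "pro", "role": "developer"}, DEMO_SECRET)
    print(auth_header(dev))
    print(authorize(auth_header(dev), DEMO_SECRET, write=True))
    print(authorize({}, DEMO_SECRET))
```

The ordering matters: the signature is checked before the payload is parsed, so a token with a tampered payload is reported as Unauthorized rather than Forbidden, and an attacker learns nothing about which claims the server inspects until they hold a validly signed token.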
