Getting Started
All API requests require authentication via Bearer token or API key.
Bearer Token
After you log in or register, you receive an access_token. Pass it in every request:
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Tokens expire after 24 hours. Use the refresh endpoint to rotate.
API Key
For server-to-server integrations, create an API key from your Profile page. Keys are prefixed with cm_:
Authorization: Bearer cm_your_api_key_here
API keys never expire but can be revoked at any time.
Anthropic SDK (x-api-key header)
When using the Anthropic-compatible endpoint (/v1/messages), you can also authenticate with the x-api-key header:
x-api-key: cm_your_api_key_here
Both header styles work on the Anthropic endpoint; use whichever your SDK sends by default.
Scopes
When creating an API key you can restrict its access:
| Scope | Description |
|---|---|
| bots:read | List and view bots |
| bots:write | Create, update, delete bots |
| conversations:read | View conversations and messages |
| conversations:write | Update conversation status |
| knowledge:read | View knowledge base entries |
| knowledge:write | Add and remove knowledge entries |
| webhooks:write | Trigger outbound calls |
Leave scopes empty for full access.
> Note: Scopes are stored on API keys but enforcement on the unified AI services endpoints (/v1/chat/completions, /v1/audio/*) is coming soon. Currently all valid API keys have full access to these endpoints.
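
Because API keys never expire and scopes are not yet enforced on the unified AI services endpoints, it is worth reviewing what each key can actually reach. The following is an added example, not code from this API or its SDKs: it audits a key inventory against the scope table and the note above. The inventory format, key names, and function names are assumptions made for illustration.

```python
from fnmatch import fnmatch

# Scopes listed in the table above.
KNOWN_SCOPES = {
    "bots:read", "bots:write", "conversations:read", "conversations:write",
    "knowledge:read", "knowledge:write", "webhooks:write",
}
# Endpoints the note names as not yet enforcing scopes.
UNENFORCED = ("/v1/chat/completions", "/v1/audio/*")


def credential_kind(header_value):
    """Classify an Authorization header value as 'api_key' or 'access_token'."""
    scheme, _, secret = header_value.partition(" ")
    if scheme != "Bearer" or not secret:
        raise ValueError("expected 'Bearer <credential>'")
    # API keys carry the cm_ prefix; anything else is treated as a login token.
    return "api_key" if secret.startswith("cm_") else "access_token"


def scopes_not_enforced(path):
    """True if the path is in the note's list of unenforced endpoints."""
    return any(fnmatch(path, pattern) for pattern in UNENFORCED)


def audit_key(name, scopes):
    """Return findings for one API key; `scopes` is the list set at creation."""
    findings = []
    unknown = sorted(set(scopes) - KNOWN_SCOPES)
    if unknown:
        findings.append(f"{name}: unknown scopes {unknown}")
    if not scopes:
        findings.append(f"{name}: empty scopes, key has full access")
    else:
        findings.append(f"{name}: scoped, but still has full access to "
                        + ", ".join(UNENFORCED))
    return findings


# Constructed inventory (hypothetical key names and scope choices).
INVENTORY = {
    "reporting-job": ["conversations:read"],
    "legacy-integration": [],
    "kb-sync": ["knowledge:read", "knowledge:write", "knowledge:admin"],
}

if __name__ == "__main__":
    for key_name, key_scopes in INVENTORY.items():
        print("\n".join(audit_key(key_name, key_scopes)))
```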