API in production · v1

Chat API

Integrate the AutoAsistente AI agent into any external system via an HMAC SHA-256 signed REST endpoint. Synchronous response (<15s), optional polling for human handover. Designed for custom chats, mobile apps, IVRs or any channel where you want automated customer support.

Premium plan · HMAC SHA-256 · Server-to-server · 60 req/min default

Quickstart

Four steps to get the bot replying from your own system.

  1. Enable Chat API

    From the panel: Connections → Chat via API. Click Create endpoint.

  2. Save your secret

    The modal shows your endpoint_id and secret. The secret is shown only once. If you lose it, you'll have to rotate it.

  3. Send a signed message

    From your backend, sign the body with HMAC SHA-256 using your secret. Never expose the secret on the client — server-side code only.

    # Replace the ENDPOINT and SECRET placeholders with the values from your panel
    ENDPOINT="cae_xxxxxxxxxxxxxxxxxxxxxxxxxx"
    SECRET="aakey_live_xxxxxxxxxxxxxxxxxxxxxxxxxx"
    
    BODY='{"visitor_id":"user_42","message":"Hi, are you open?"}'
    SIG=$(printf '%s' "$BODY" | openssl dgst -sha256 -hmac "$SECRET" -hex | sed 's/^.* //')
    
    curl -X POST "https://autoasistente.com/api/v1/chat-api/$ENDPOINT/messages" \
      -H "Content-Type: application/json" \
      -H "X-AA-Signature: sha256=$SIG" \
      -d "$BODY"

  4. Receive the agent's reply

    The bot's response comes back in the same HTTP response (sync). In case of timeout or human handover, you'll get status:"queued" and need to poll.

    HTTP 200 · status: replied
    {
      "success": true,
      "status": "replied",
      "conversation_id": "12345",
      "message_id": "67890",
      "reply": {
        "id": "67891",
        "role": "assistant",
        "content": "Yes! We're open 9am to 6pm. How can I help?"
      }
    }

Authentication

Every request carries an HMAC-SHA256 signature of the body in the X-AA-Signature header. This lets the server detect any change to the body in transit and proves that the caller holds the secret.

Header format

HTTP
X-AA-Signature: sha256=<64-hex-chars>

How to compute the signature

  1. Serialize the body to a JSON string.
  2. Compute HMAC-SHA256(secret, body) in hex.
  3. Prefix with sha256= and send as a header.

⚠ Important: Treat the secret like a password. Don't commit it to Git, don't expose it in client code (browser, mobile app). Use it only in code that runs on your server.

For GET requests

GET has no body. Sign an empty string:

BASH
SIG=$(printf '' | openssl dgst -sha256 -hmac "$SECRET" -hex | sed 's/^.* //')
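
The signing steps above in Python, as an added example that is not AutoAsistente's own code. It shows that the signature covers exact bytes, so the body must be serialized once and sent unchanged; the `verify` function and the sample secret are assumptions made for the demonstration.

```python
import hashlib
import hmac
import json
import re
from typing import Optional

SIG_RE = re.compile(r"sha256=([0-9a-f]{64})")  # header format given on the page


def sign(secret: str, body: bytes) -> str:
    """Return the X-AA-Signature value for these exact body bytes."""
    return "sha256=" + hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def signed_post(secret: str, payload: dict):
    """Serialize once, sign those bytes, and return the same bytes for sending."""
    body = json.dumps(payload, separators=(",", ":"), ensure_ascii=False).encode("utf-8")
    return body, {"Content-Type": "application/json", "X-AA-Signature": sign(secret, body)}


def signed_get(secret: str) -> dict:
    """GET has no body: sign the empty string. The value is therefore the same
    for every GET made with this secret, so keep it out of logs like the secret."""
    return {"X-AA-Signature": sign(secret, b"")}


def verify(secret: str, raw_body: bytes, header: Optional[str]) -> str:
    """Illustrative receiver-side check, mapped onto the page's error codes."""
    if not header:
        return "SIGNATURE_REQUIRED"
    match = SIG_RE.fullmatch(header.strip().lower())
    if not match:
        return "SIGNATURE_INVALID"
    # compare_digest takes the same time wherever the first mismatch occurs
    ok = hmac.compare_digest(sign(secret, raw_body), match.group(0))
    return "OK" if ok else "SIGNATURE_INVALID"


# Constructed sample values, not real credentials
SECRET = "aakey_live_EXAMPLE_ONLY"
BODY, HEADERS = signed_post(SECRET, {"visitor_id": "user_42", "message": "Hi, are you open?"})
# Same JSON value, different bytes: re-serializing after signing breaks the signature
RESERIALIZED = json.dumps(json.loads(BODY), indent=2).encode("utf-8")
```

Pass `BODY` to your HTTP client as raw bytes; letting the client re-encode a dict after signing is the usual cause of SIGNATURE_INVALID.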

Rate limits

Default 60 requests per minute per endpoint, sliding window. Response headers:

| Parameter | Type | Description |
|---|---|---|
| X-RateLimit-Limit | integer | Max requests per minute for this endpoint. |
| X-RateLimit-Remaining | integer | Requests available in the current window. |
| Retry-After | integer | Seconds until you can retry. Only present on 429 responses. |

If you need a higher limit for your business, contact support. Each endpoint has its own bucket: multiple endpoints from the same business don't share quota.

Errors

Error responses use standard HTTP status codes plus a JSON body with consistent structure:

HTTP 401
{
  "success": false,
  "error": {
    "code": "SIGNATURE_INVALID",
    "message": "Invalid HMAC signature"
  }
}

Error codes

400 VALIDATION_ERROR

The body doesn't match the schema (visitor_id 1-50 chars, message 1-4000 chars).

401 SIGNATURE_REQUIRED

Missing X-AA-Signature header.

401 SIGNATURE_INVALID

HMAC signature doesn't match. Check your secret and the body being signed.

403 ENDPOINT_INACTIVE

The endpoint was deactivated from the panel. Create a new one.

404 ENDPOINT_NOT_FOUND

The endpoint_id doesn't exist or has an invalid format.

429 RATE_LIMITED

Over 60 req/min. Wait the number of seconds indicated by Retry-After.

500 SERVER_ERROR

Internal error. Report to support with the conversation_id if you received one.

API Reference

Endpoints

Base URL: https://autoasistente.com/api/v1/chat-api

Send message

Send a user message to the AI agent and wait synchronously for the reply. If the agent responds within 15s, you get the reply in the same HTTP request. If the conversation is in human handover or the request times out, you get status:"queued" and must poll.

POST https://autoasistente.com/api/v1/chat-api/{endpoint_id}/messages

Auth: HMAC SHA-256 of the body in X-AA-Signature.

Path parameters

| Parameter | Type | Description |
|---|---|---|
| endpoint_id (required) | string | Your public endpoint, format cae_<26 chars base32>. Visible in the panel. |

Body parameters

| Parameter | Type | Description |
|---|---|---|
| visitor_id (required) | string | Unique identifier for the visitor in your system (max 50 chars). Determines the conversation: same visitor_id = same conversation with context. |
| message (required) | string | Text of the user's message (max 4000 chars). |
| name | string | Visitor name shown in the business owner's panel (optional). |
| metadata | object | Optional extra metadata (persisted with the message, doesn't affect the agent). |

Headers

| Parameter | Type | Description |
|---|---|---|
| Content-Type (required) | string | application/json |
| X-AA-Signature (required) | string | HMAC signature of the body with your secret. Format sha256=<hex>. |

Response examples

HTTP 200 · status: replied
Bot replied in <15s
JSON
{
  "success": true,
  "status": "replied",
  "conversation_id": "12345",
  "message_id": "67890",
  "reply": {
    "id": "67891",
    "role": "assistant",
    "content": "Yes! We're open 9am to 6pm. How can I help?"
  }
}

HTTP 202 · status: queued
Human handover or timeout: use polling
JSON
{
  "success": true,
  "status": "queued",
  "conversation_id": "12345",
  "message_id": "67890",
  "message": "Message received. A human agent will reply shortly. Poll GET /messages/poll."
}

Poll messages

When the bot is in human handover or the synchronous response timed out, poll this endpoint to receive new messages from a cursor. Every agent reply (bot or human) shows up here.

GET https://autoasistente.com/api/v1/chat-api/{endpoint_id}/messages/poll

We recommend polling every 3 seconds.

Query parameters

| Parameter | Type | Description |
|---|---|---|
| visitor_id (required) | string | Identifier of the visitor whose conversation you want to read. |
| since | integer | Cursor (message_id). Returns only messages with id > since. Default 0. |
| limit | integer | Max messages per response. Default 20, max 50. |

Example

Polling
# The body of a signed GET is an empty string
SIG=$(printf '' | openssl dgst -sha256 -hmac "$SECRET" -hex | sed 's/^.* //')

curl "https://autoasistente.com/api/v1/chat-api/$ENDPOINT/messages/poll?visitor_id=user_42&since=0" \
  -H "X-AA-Signature: sha256=$SIG"

Response

HTTP 200
{
  "success": true,
  "messages": [
    {
      "id": "67892",
      "role": "agent",
      "content": "Hi, I'm Maria from the support team.",
      "created_at": "2026-05-15T19:42:11.000Z"
    }
  ],
  "next_cursor": "67892"
}

Health check

Public no-auth endpoint to check service availability (useful for uptime monitors).

GET https://autoasistente.com/api/v1/chat-api/health

No authentication required.

HTTP 200
{"ok":true,"service":"chat-api"}

Human handover

The bot can escalate to a human when:

  • It detects urgency (words like "emergency", "urgent").
  • The visitor explicitly asks to "talk to a person".
  • The business operator takes over the conversation from the panel.

When this happens:

  1. Your next POST /messages gets status:"queued".
  2. Your system should start polling /messages/poll every 3s.
  3. Human replies arrive with role:"agent" or role:"admin".
  4. When the human closes the conversation, it returns to bot mode automatically on the next message.
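
The handover steps above as a bounded polling loop, added here as an example and not taken from AutoAsistente's code. `get` is a hypothetical helper standing for your signed GET to /messages/poll, and the scripted responses in `demo` are constructed.

```python
import time
from urllib.parse import urlencode

REPLY_ROLES = ("assistant", "agent", "admin")  # roles shown on the page


def poll_query(visitor_id, since, limit=20):
    """Query string for /messages/poll; urlencode escapes the visitor_id."""
    return urlencode({"visitor_id": visitor_id, "since": since, "limit": min(limit, 50)})


def wait_for_replies(get, visitor_id, since, interval=3.0, max_polls=100, sleep=time.sleep):
    """Poll until a reply arrives; return (replies, cursor) for the next call.

    get(query) -> dict stands for the caller's signed GET (hypothetical helper).
    Start `since` at the message_id of the queued POST so history is skipped.
    """
    cursor = int(since)
    for _ in range(max_polls):
        data = get(poll_query(visitor_id, cursor))
        # Re-check ids locally so a repeated page never delivers a message twice
        batch = [m for m in data.get("messages", []) if int(m["id"]) > cursor]
        cursor = max(cursor, int(data.get("next_cursor") or cursor))
        replies = [m for m in batch if m.get("role") in REPLY_ROLES]
        if replies:
            return replies, cursor
        sleep(interval)
    raise TimeoutError("no reply after %d polls" % max_polls)


def demo():
    """Constructed offline run: two empty polls, then a human reply."""
    script = [{"success": True, "messages": [], "next_cursor": "67890"},
              {"success": True, "messages": [], "next_cursor": "67890"},
              {"success": True, "messages": [{"id": "67892", "role": "agent",
                "content": "Hi, I'm Maria from the support team."}], "next_cursor": "67892"}]
    queries = []

    def get(query):
        queries.append(query)
        return script[len(queries) - 1]

    replies, cursor = wait_for_replies(get, "user 42&x", "67890", sleep=lambda s: None)
    return replies, cursor, queries
```

Store the returned cursor with the conversation so the next poll resumes from it instead of from 0.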

Idempotency

For safe retries on timeout or network error, include the header X-AA-Idempotency-Key with a unique UUID v4 per logical request.

If we receive the same key within 24h, we return the cached response without re-processing the message. Recommended in any production integration.

BASH
curl -X POST "https://autoasistente.com/api/v1/chat-api/$ENDPOINT/messages" \
  -H "X-AA-Signature: sha256=$SIG" \
  -H "X-AA-Idempotency-Key: 7c9e6679-7425-40de-944b-e07fc1f90ae7" \
  -H "Content-Type: application/json" \
  -d "$BODY"
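
A retry wrapper combining the idempotency key with the rate-limit headers described earlier, added as an example and not AutoAsistente's own code. `post` is a hypothetical HTTP function supplied by the caller, the backoff constants are assumptions, and the scripted responses in `demo` are constructed.

```python
import random
import time
import uuid


def send_with_retry(post, body, headers, max_attempts=5, sleep=time.sleep):
    """Send one logical message; post(body, headers) -> (status, resp_headers, json).

    `post` is the caller's HTTP function (assumed). The idempotency key is
    created once and reused on every retry, so a retry after a lost response
    returns the cached reply instead of re-processing the message.
    """
    headers = {**headers, "X-AA-Idempotency-Key": str(uuid.uuid4())}
    for attempt in range(max_attempts):
        try:
            status, resp_headers, data = post(body, headers)
        except (TimeoutError, ConnectionError):
            status, resp_headers, data = None, {}, None  # outcome unknown: retry
        if status in (200, 202):
            return data
        if status not in (None, 429):
            # 400/401/403/404/500: not retried here; surface the page's error code
            raise RuntimeError(data["error"]["code"])
        # Exponential backoff with jitter, capped at 30 s
        delay = min(30.0, 0.5 * 2 ** attempt) * random.uniform(0.5, 1.0)
        if status == 429 and "Retry-After" in resp_headers:
            delay = max(delay, float(resp_headers["Retry-After"]))  # honor the server
        if attempt + 1 < max_attempts:
            sleep(delay)
    raise RuntimeError("gave up after %d attempts" % max_attempts)


def demo():
    """Constructed offline run: a timeout, then a 429, then the reply."""
    script = [TimeoutError(),
              (429, {"Retry-After": "7"}, {"success": False, "error": {"code": "RATE_LIMITED"}}),
              (200, {}, {"success": True, "status": "replied"})]
    keys, sleeps = [], []

    def post(body, headers):
        keys.append(headers["X-AA-Idempotency-Key"])
        step = script[len(keys) - 1]
        if isinstance(step, Exception):
            raise step
        return step

    reply = send_with_retry(post, b'{"visitor_id":"user_42","message":"Hi"}', {}, sleep=sleeps.append)
    return reply, keys, sleeps
```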

Best practices

Sign server-side, always

Never include the secret in browser or mobile app code. Sign only from your backend.

Use Idempotency-Key

Prevents duplicates on retry after a network timeout.

Handle status: queued

Don't assume there's always a sync reply. Implement polling for the slow path.

Persist the visitor_id

Keep the same ID per user session so the agent has multi-turn context.

Respect rate limits

Implement exponential backoff on 429 responses honoring Retry-After.

Rotate secret periodically

Rotate every 90 days or after incidents. Rotation invalidates the previous secret immediately.

Chat API v1 · AutoAsistente © 2026 · Premium plan