Every Open API request authenticates with an API key and a matching secret, sent as request headers. Keys are created and managed in the dashboard, scoped to a single agent, and granted only the permissions you choose. This page covers creating a key, the scopes you can grant, and how to send credentials on each request. Open Settings → API Permissions in the dashboard to manage keys.

Prerequisites

  • Owner or Admin role — only Owners and Admins can create or change API keys.
  • The agent you want the key to act on, already created.

Create an API key

1. Open API Permissions

   Go to Settings → API Permissions and select Add API Key.

2. Name the key and pick the agent

   Give the key a recognizable name (for example, “Production sync”) and choose the agent it should act on. A key is scoped to one agent.

3. Grant permissions

   Select which operations the key may perform. See Permission scopes below.

4. Save and copy the secret

   Save the key. Copy the API key and secret immediately and store them securely — treat the secret like a password.

Store the API key and secret in a secure secret manager or environment variable. Never commit them to source control or expose them in client-side (browser) code — the Open API is a server-to-server interface. If a key is exposed, delete it in Settings → API Permissions and create a new one. Deleting a key immediately revokes access for any application using it.

Authenticate a request

Send both the key and the secret as headers on every request:

    X-API-Key: your-api-key
    X-API-Secret: your-api-secret
    Content-Type: application/json

If either header is missing, the request is rejected with a message asking for the x-api-key and x-api-secret headers.

    curl -X GET "https://api.a2v2.ai/v1/open/contacts/chatbots/<AGENT_ID>" \
      -H "X-API-Key: your-api-key" \
      -H "X-API-Secret: your-api-secret"

https://api.a2v2.ai is the production API base URL (see API Overview). Replace <AGENT_ID> with the ID of the agent the key is scoped to.
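
The same request from server-side Python, as an added example that is not part of the original page. It reads the credentials from environment variables (the names A2V2_API_KEY and A2V2_API_SECRET are assumptions) and raises on any redirect instead of following it, so the credential headers are never silently dropped or re-sent to another URL.

```python
import os
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://api.a2v2.ai"  # production base URL given on this page


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface redirects as errors instead of silently re-sending the request."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(
            req.full_url, code, f"unexpected redirect to {newurl}", headers, fp
        )


def build_request(agent_id, env=os.environ):
    """Build an authenticated GET for the agent's contacts; credentials come from env."""
    # A2V2_API_KEY / A2V2_API_SECRET are assumed variable names, not defined by the API.
    try:
        key, secret = env["A2V2_API_KEY"], env["A2V2_API_SECRET"]
    except KeyError as missing:
        raise RuntimeError(f"credential not set: {missing}") from None
    if not key.strip() or not secret.strip():
        raise RuntimeError("API key and secret must be non-empty")
    # Percent-encode the agent ID so it cannot alter the path or add a query string.
    path = "/v1/open/contacts/chatbots/" + urllib.parse.quote(agent_id, safe="")
    return urllib.request.Request(
        BASE_URL + path,
        method="GET",
        headers={
            "X-API-Key": key,
            "X-API-Secret": secret,
            "Content-Type": "application/json",
        },
    )


def fetch_contacts(agent_id):
    """Send the request without following redirects; returns the raw response body."""
    opener = urllib.request.build_opener(NoRedirect)
    with opener.open(build_request(agent_id), timeout=10) as resp:
        return resp.read()
```

A rejected request (missing header, missing scope, disallowed IP, expired key) surfaces from fetch_contacts as urllib.error.HTTPError, whose body carries the API's rejection message.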

Permission scopes

Each key is granted permissions per resource, with separate create, read, update, and delete actions. A request that needs a permission the key doesn’t have is rejected.

| Scope | Covers | Actions |
|---|---|---|
| Contact Access (contacts) | CRM contacts and contact files for the agent | create, read, update, delete |
| Document Extraction Access (document-extraction) | AI extraction of structured data from uploaded documents | create, read |

Grant the narrowest set of actions a key actually needs. A read-only reporting integration, for example, only needs read on Contact Access.

Key settings

When you create or edit a key, you can also configure:

| Setting | What it controls | Notes |
|---|---|---|
| Name | A label to identify the key | Required |
| Description | Free-text note on the key’s purpose | Optional |
| Permissions | The scopes and actions above | At least one required |
| Rate limits | Requests per minute / per hour | Defaults 60/min and 1,000/hour; configurable up to 1,000/min and 10,000/hour |
| Allowed IPs | Restrict use to specific IPv4 addresses or CIDR ranges | Optional; leave unset to allow any IP |
| Expiry | A date after which the key stops working | Optional |

Scoping and isolation

  • A key only works for the agent it’s scoped to. Calling another agent’s endpoint with the wrong key is rejected.
  • Keys are scoped to your organization’s data only — there is no cross-tenant access.
  • Usage is tracked per key, so you can review activity in the dashboard.

Troubleshooting

Both X-API-Key and X-API-Secret headers must be present and spelled exactly. Confirm your client isn’t dropping custom headers on redirects.
The key lacks the required scope or action. Edit the key in Settings → API Permissions and grant the needed permission (for example, create on Contact Access to create contacts).
The key may have an Allowed IPs restriction. Add the new server’s IP, or remove the restriction.
Check whether it reached its expiry date or was deleted. Create a new key and update your integration’s stored credentials.

API Overview

Base URL, response format, and rate limits.

Endpoints

Every Open API endpoint, grouped by domain.

API keys in Settings

Manage keys from the dashboard.

CRM Contacts

Understand the contact data your API reads and writes.