Programming Language

Complete API Reference

Production-ready REST API with streaming support, multi-tenant isolation, and AI-powered features. Integrate in any language.

Quick Start Guide

Get started by creating a new tenant account. You'll receive an API key and Tenant ID primarily used for authenticating subsequent requests.

1Register & Get API Key

Response Schema

{
  "success": true,
  "data": {
    "apiKey": "sk_live_...",
    "tenantId": "550e84...",
    "scopes": ["tenant:read", ...]
  }
}

request.sh

curl -X POST http://localhost:3000/api/v1/register \
  -H "Content-Type: application/json" \
  -d '{
    "email": "you@company.com",
    "organizationName": "Your Company"
  }'

Chat API (Streaming)

The Chat API provides AI-powered conversational capabilities with real-time streaming responses, RAG (Retrieval-Augmented Generation) support, and function calling. Perfect for customer support, sales assistance, and interactive chatbots.

POST /api/v1/chat

Initiates a chat conversation with the AI. Responses are streamed in real-time using Server-Sent Events (SSE), allowing for immediate feedback and progressive rendering of text. The API automatically retrieves relevant documents from your RAG store and can execute function calls for dynamic actions.

Request Body

Param	Type	Req.
tenantId	string	Yes
message	string	Yes
accountId	string	Opt.
files	string[]	Opt.
prompt	string	Opt.

Event Types

text-deltatool-inputtool-outputdata-citationsfinish

curl-request.sh

curl -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "tenantId": "YOUR_TENANT_ID",
    "message": "What is the price for 2 cbm storage?",
    "accountId": "customer-123"
  }' \
  http://localhost:3000/api/v1/chat

# Example streaming response:
# data: {"type":"text-delta","delta":"The "}
# data: {"type":"text-delta","delta":"price "}
# data: {"type":"data-citations","citations":[{"fileName":"pricing.pdf"}]}
# data: {"type":"finish"}

Chat History Management

Retrieve and manage conversation history. Access past chats for audit trails, customer support review, or conversation analytics. All endpoints enforce strict tenant isolation for security.

GET /chat/history

List Conversation History

Retrieve all conversations for a tenant. Results are automatically sorted by most recent activity. Filter by accountId to get conversations for specific customers.

Query Parameters

Param	Type	Required
tenantId	string	Yes
accountId	string	Opt.

Response Data

• Sorted by updated_at DESC (newest first)
• Includes message count per conversation
• Returns metadata timestamps (created, updated)

Required Scope

chat:read

list-chats.sh

curl -H "x-api-key: YOUR_API_KEY" \  "https://api.example.com/api/v1/chat/history?tenantId=YOUR_TENANT_ID"

# Response (200 OK):
{
  "success": true,
  "data": [
    {
      "id": "conv_abc123",
      "title": "Storage inquiry",
      "created_at": "2026-01-14T10:30:00Z",
      "updated_at": "2026-01-14T10:35:00Z",
      "message_count": 5,
      "user_id": "tenant_xyz"
    }
  ]
}

DELETE /chat/history/{chatId}

Delete Conversation

Permanently delete a specific conversation and all its messages. The system validates that the conversation belongs to the tenant before deletion to prevent unauthorized access.

Path Parameters

Param	Description
chatId	Conversation UUID to delete

Important Notes

• Permanent deletion - Cannot be undone
• Tenant isolation - Validates ownership before delete
• Returns 403 if chat doesn't belong to tenant
• Returns 404 if chat ID doesn't exist

Required Scope

chat:delete

delete-chat.sh

curl -X DELETE \  -H "x-api-key: YOUR_API_KEY" \  https://api.example.com/api/v1/chat/history/conv_abc123

# Response (200 OK):
{
  "success": true,
  "data": {
    "deleted": true
  }
}

Estimator API (Streaming)

The Estimator API analyzes images to detect items, calculate dimensions and volumes, and provide packing recommendations for moving and storage.

POST /analyze

Upload one or more images of items to receive AI-powered analysis including item detection, size estimation, and volume calculation. Results stream in real-time.

Request Body

Param	Type	Req.
images	string[]	Yes
tenantId	string	Yes

Constraints

• Max 10 images per request
• Max 10MB per image file
• Formats: JPEG, PNG, WebP

analyze.sh

curl -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "tenantId": "YOUR_TENANT_ID",
    "images": [
      "https://example.com/chair.jpg",
      "https://example.com/table.jpg"
    ]
  }' \
  http://localhost:3000/api/v1/estimator/analyze

# Example response stream:
# data: {"type":"text-delta","delta":"I can see "}
# data: {"type":"data-status-update","status":"Analyzing images..."}
# data: {"type":"data-manageItems","items":[{"name":"Chair","dimensions":{"length":50,"width":50,"height":90},"volume":0.225}]}
# data: {"type":"data-recommendation","recommendationDetails":{"recommendedBox":"Medium","totalVolume":0.5}}

Files & RAG Store API

Manage your RAG (Retrieval-Augmented Generation) document store. Sync from AssetVault and configure citation settings.

GET /store

Retrieve comprehensive information about your RAG store including file count, storage usage, and sync status.

Response Data

• Storage usage & quotas
• Active/Excluded file counts
• Full file list with IDs

get-store.sh

curl -H "x-api-key: YOUR_API_KEY" \
  http://localhost:3000/api/v1/tenants/YOUR_TENANT_ID/store

POST /sync

Import documents from AssetVault into the RAG store. Sync specific files by providing a list of asset IDs.

Constraints

• Supported: PDF, TXT, DOCX
• Async processing (~30s/file)

sync-files.sh

curl -X POST \
  -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"fileIds": ["asset-1", "asset-2"]}' \
  http://localhost:3000/api/v1/tenants/YOUR_ID/store/sync

RAG Store - Advanced Operations

Monitor and debug RAG store operations with real-time progress tracking and comprehensive audit logs. Essential for production debugging and ensuring reliable AI document synchronization.

GET /store/progress

Real-Time Sync Progress

Get live progress updates during RAG store sync operations. Returns completion percentage, processed file count, ETA, and current file being processed. Use smart polling pattern for optimal performance.

Operation Status Values

• idle - No operation in progress

• in_progress - Currently syncing files

• completed - Sync finished successfully

• failed - Sync encountered errors

Smart Polling Pattern

• Poll every 1.5 seconds (optimal interval)
• Stop when status is completed, failed, or idle
• Use exponential backoff on errors
• Set max timeout (recommended: 5 minutes)

poll-progress.sh

# Poll for real-time sync progress
curl -H "x-api-key: YOUR_API_KEY" \  https://api.example.com/api/v1/tenants/YOUR_ID/store/progress

# Response during sync:
{
  "success": true,
  "data": {
    "operationStatus": "in_progress",
    "progress": {
      "totalFiles": 10,
      "processedFiles": 7,
      "failedFiles": 0,
      "percentage": 70
    },
    "estimatedTimeRemaining": "45s",
    "currentFileName": "product-catalog.pdf",
    "startedAt": "2026-01-14T10:00:00Z"
  }
}

# Response when idle:
{
  "success": true,
  "data": {
    "operationStatus": "completed",
    "progress": {
      "totalFiles": 10,
      "processedFiles": 10,
      "failedFiles": 0,
      "percentage": 100
    },
    "completedAt": "2026-01-14T10:05:30Z"
  }
}

GET /store/audit

RAG Store Audit Logs

Get complete audit trail for RAG store operations. Essential for debugging sync failures, tracking file processing history, and compliance requirements. Filter by specific file or retrieve all tenant logs.

Query Parameters

Param	Description
assetId	Filter logs for specific file (optional)
limit	Max logs to return (default: 100)
offset	Pagination offset (default: 0)

Common Event Types

• sync_started - File sync initiated

• sync_completed - File successfully processed

• sync_failed - Processing error occurred

• file_excluded - File marked as excluded

• file_deleted - File removed from store

Debugging Workflow

1. Check file status in UI
2. Query audit logs for specific assetId
3. Look for sync_failed events
4. Review details.error_message for root cause

audit-logs.sh

# Get audit logs for a specific file
curl -H "x-api-key: YOUR_API_KEY" \  "https://api.example.com/api/v1/tenants/YOUR_ID/store/audit?assetId=FILE_ID"

# Response:
{
  "success": true,
  "data": {
    "logs": [
      {
        "id": "log_123",
        "event": "sync_completed",
        "file_id": "asset_abc",
        "file_name": "pricing.pdf",
        "status": "success",
        "details": {
          "google_file_id": "files/xyz",
          "processing_time_ms": 28500
        },
        "created_at": "2026-01-14T10:05:30Z"
      },
      {
        "id": "log_124",
        "event": "sync_started",
        "file_id": "asset_abc",
        "status": "in_progress",
        "created_at": "2026-01-14T10:05:01Z"
      }
    ],
    "total": 2
  }
}

# Get all audit logs for tenant (paginated)
curl -H "x-api-key: YOUR_API_KEY" \  "https://api.example.com/api/v1/tenants/YOUR_ID/store/audit?limit=50&offset=0"

Tenants & Accounts API

Multi-tenant architecture APIs for managing organizations and user accounts.

POST /tenants

Create a new tenant organization with isolated data storage. Each tenant gets a unique ID and independent RAG store.

Admin Required

Requires systemic admin-level API key authorization.

create-tenant.sh

curl -X POST \
  -H "x-api-key: ADMIN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Acme Corporation",
    "config": {"tier": "premium"}
  }' \
  http://localhost:3000/api/v1/tenants

POST /accounts

Create specific user accounts under a tenant. Accounts provide individual file storage boundaries and permissions.

RBAC Roles

• admin → Full access, can create API keys
• member → Read/write, cannot create API keys
• viewer → Read only access

create-account.sh

curl -X POST \
  -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "role": "member"
  }' \
  http://localhost:3000/api/v1/tenants/{id}/accounts

# Roles: admin, member, viewer
# admin  → admin, read, write, delete (can create API keys)
# member → read, write (cannot create API keys)
# viewer → read only

API Key Management

Create and manage API keys for your tenant. Essential for multi-environment deployments (development, staging, production) and implementing key rotation for security compliance.

GET /api-keys

List API Keys

Retrieve all API keys for a tenant. Returns metadata including scopes, creation date, and last used timestamp. The actual secret key is NEVER returned for security.

Response Fields

• id - Key identifier
• name - Human-readable name
• scopes - Array of permissions
• last_used_at - Activity tracking
• expires_at - Expiration (if set)

Security Notes

• Raw API keys are NEVER returned
• Only hashes are stored in database
• Monitor last_used_at for inactive keys

list-keys.sh

curl -H "x-api-key: YOUR_API_KEY" \  https://api.example.com/api/v1/tenants/YOUR_TENANT_ID/api-keys

# Response:
{
  "success": true,
  "data": [
    {
      "id": "key_abc123",
      "name": "Production Key",
      "scopes": ["chat:create", "file:read", "store:write"],
      "created_at": "2026-01-01T00:00:00Z",
      "last_used_at": "2026-01-14T10:30:00Z",
      "expires_at": null
    }
  ]
}

POST /api-keys

Create API Key

Generate a new API key with custom name and scopes. The raw secret key is returned ONLY ONCE during creation and must be saved immediately. Lost keys cannot be recovered.

Request Body

Field	Type	Required
name	string	Yes
scopes	string[]	Opt.

CRITICAL WARNING

🔴 The apiKey field is shown ONLY ONCE

🔴 If lost, you MUST create a new key

🔴 Save to secure storage immediately (e.g., AWS Secrets Manager)

🔴 Never commit keys to version control

Best Practices

• Principle of Least Privilege: Grant minimum scopes
• Environment Separation: Separate keys for dev/staging/prod
• Key Rotation: Rotate every 90 days
• Monitoring: Track last_used_at for anomalies

create-key.sh

curl -X POST \  -H "x-api-key: YOUR_API_KEY" \  -H "Content-Type: application/json" \  -d '{
    "name": "Production API Key",
    "scopes": ["chat:create", "chat:read", "file:read", "file:upload"]
  }' \  https://api.example.com/api/v1/tenants/YOUR_TENANT_ID/api-keys

# Response (201 Created):
{
  "success": true,
  "data": {
    "id": "key_new123",
    "apiKey": "sk_live_a1b2c3d4e5f6g7h8i9j0...",
    "name": "Production API Key",
    "scopes": ["chat:create", "chat:read", "file:read", "file:upload"],
    "created_at": "2026-01-14T12:00:00Z"
  }
}

⚠️  CRITICAL: Save the apiKey immediately!
   It will NEVER be shown again.

Usage & Quota Tracking

Monitor API usage, track quotas, and implement proactive alerts before hitting limits. Essential for billing transparency, capacity planning, and preventing service interruptions.

GET /usage

Get Current Usage Statistics

Retrieve comprehensive usage metrics including requests, tokens, rate limits, and plan details. Response includes both absolute values and percentages for easy monitoring dashboards.

Usage Metrics

• Requests: Monthly API calls (used/limit/remaining)

• Tokens: AI model tokens consumed

• Rate Limits: Current minute usage (anti-abuse)

• Daily Limits: Today's request count

Response Headers

Every API response includes usage headers:

X-Usage-Requests-Remaining
X-Usage-Tokens-Remaining
X-Usage-Requests-Percent
X-Usage-Tokens-Percent

Quota Exceeded Scenarios

• Monthly Quota: Returns 429, resets on billing anchor day

• Rate Limit: Returns 429, retry after 60 seconds

• Daily Limit: Returns 429, resets at midnight UTC

Monitoring Best Practices

• Set alerts at 80% usage threshold
• Check usage before batch operations
• Track percentUsed trends over time
• Implement graceful degradation on quota limits

check-usage.sh

curl -H "x-api-key: YOUR_API_KEY" \  https://api.example.com/api/v1/usage

# Response (200 OK):
{
  "success": true,
  "data": {
    "plan": {
      "id": "starter",
      "name": "Starter Plan",
      "features": ["Basic chat", "File uploads", "Email support"]
    },
    "usage": {
      "requests": {
        "used": 1250,
        "limit": 10000,
        "remaining": 8750,
        "percentUsed": 12.5
      },
      "tokens": {
        "used": 45000,
        "limit": 500000,
        "remaining": 455000,
        "percentUsed": 9.0
      },
      "today": {
        "requests": 45,
        "dailyLimit": 500
      },
      "rateLimit": {
        "currentMinute": 5,
        "limitPerMinute": 60
      }
    },
    "billing": {
      "overageEnabled": false,
      "billingAnchorDay": 1
    }
  }
}

# Response Headers (Usage Tracking):
X-Usage-Requests-Remaining: 8750
X-Usage-Tokens-Remaining: 455000
X-Usage-Requests-Percent: 12.5
X-Usage-Tokens-Percent: 9.0

Asset Manager Authentication

Manage authentication for the Asset Manager (file storage interface). Features OWASP-compliant password validation, rate limiting, and secure password generation patterns for automated onboarding flows.

PUT /asset-auth/password

Update Asset Manager Password

Set or update the password for tenant's Asset Manager account. Used during onboarding or password reset. Implements OWASP password strength validation and rate limiting to prevent brute force attacks.

Request Body

Field	Type	Required
newPassword	string	Yes
confirmPassword	string	Yes

OWASP Password Requirements

• Minimum 8 characters (recommended: 16+)
• At least one uppercase letter (A-Z)
• At least one lowercase letter (a-z)
• At least one number (0-9)
• At least one special character (!@#$%^&*)
• Maximum 128 characters

Rate Limiting

• 5 attempts per 15 minutes per tenant

• Returns 429 when exceeded

• Prevents brute force attacks

Automated Onboarding

For automated tenant provisioning:

1. Generate cryptographically strong password (16+ chars)
2. Call this endpoint to set password
3. Store credentials in secrets manager
4. Email credentials to tenant securely

Security Best Practices

• Never log or display passwords in plain text
• Use cryptographically secure random generation
• Store in secrets manager (AWS Secrets, HashiCorp Vault)
• Enforce password rotation every 90 days
• Use HTTPS for all password transmissions

update-password.sh

curl -X PUT \  -H "x-api-key: YOUR_API_KEY" \  -H "Content-Type: application/json" \  -d '{
    "newPassword": "SecurePass123!@#",
    "confirmPassword": "SecurePass123!@#"
  }' \  https://api.example.com/api/v1/tenants/YOUR_ID/asset-auth/password

# Response (200 OK):
{
  "success": true,
  "data": {
    "message": "Password updated successfully",
    "assetManager": {
      "email": "tenant-abc12345@mystorage.asia",
      "loginUrl": "https://app.example.com"
    }
  }
}

# Error Response (400 - Weak Password):
{
  "success": false,
  "error": {
    "code": "WEAK_PASSWORD",
    "message": "Password must contain uppercase, lowercase, number, and special character."
  }
}

Health & Monitoring APIs

Production-ready health check endpoints for Kubernetes, load balancers, and monitoring systems. Implement proper liveness and readiness probes following cloud-native best practices.

GET /health

Liveness Probe - Kubernetes Health Check

Fast, lightweight health check that verifies the service process is running. Returns service metadata including version, uptime, and memory usage. Does NOT check external dependencies.

Response Fields

• status - "healthy" | "degraded" | "unhealthy"
• version - Deployment version
• uptime - Seconds since start
• memory - Heap usage (MB)

Kubernetes Configuration

livenessProbe:

path: /api/v1/health

initialDelaySeconds: 10

periodSeconds: 30

health-check.sh

curl https://api.example.com/api/v1/health

# Response (200 OK):
{
  "status": "healthy",
  "service": "convo-agents-api",
  "version": "1.0.0",
  "timestamp": "2026-01-14T06:00:00.000Z",
  "uptime": 3600,
  "environment": "production",
  "memory": {
    "heapUsed": 128,
    "heapTotal": 256,
    "external": 12
  }
}

GET /ready

Readiness Probe - Dependency Health Check

Comprehensive health check that validates ALL critical dependencies including Database (Supabase), Redis, and optionally Gemini API. Load balancers use this to determine if service can accept traffic.

Dependency Checks

• Database: Supabase query (timeout: 5s)
• Redis: PING command (timeout: 2s)
• Gemini API: Endpoint reachability (optional)

Status Codes

• 200: All critical checks passed (ready)
• 503: One or more critical checks failed (not ready)

Production Best Practices

• Use in load balancer health checks
• Poll before deployment rollout
• Implement retry logic with backoff
• Monitor totalLatencyMs for performance

ready-check.sh

curl https://api.example.com/api/v1/ready

# Response (200 OK - Ready):
{
  "status": "ready",
  "service": "convo-agents-api",
  "timestamp": "2026-01-14T06:00:00.000Z",
  "checks": {
    "database": { "status": "ok", "latencyMs": 45 },
    "redis": { "status": "ok", "latencyMs": 12 },
    "gemini": { "status": "ok", "latencyMs": 230 }
  },
  "totalLatencyMs": 287,
  "summary": "db:ok, redis:ok, gemini:ok"
}

# Response (503 Service Unavailable - Not Ready):
{
  "status": "not_ready",
  "checks": {
    "database": {
      "status": "error",
      "latencyMs": 5001,
      "message": "Database check timeout"
    },
    "redis": { "status": "ok", "latencyMs": 15 }
  }
}

Authentication

API KEY HEADER

All API requests require authentication via the x-api-key header. Keys are managed in the dashboard under Security settings.

Security Architecture

We implement a Backend-for-Frontend (BFF) proxy. Internal keys are never exposed to the client-side network traffic.

Best Practices

• Store keys in secure environment variables
• Rotate production keys every 90 days
• Use tenant-scoped keys for distribution

auth-example.sh

curl -H "x-api-key: YOUR_API_KEY" \
  http://localhost:3000/api/v1/chat

Error Handling

HTTP Status Codes

200

Success

Request completed successfully

201

Created

Resource created successfully

400

Bad Request

Invalid request body or parameters

401

Unauthorized

Missing or invalid API key

403

Forbidden

Insufficient permissions

404

Not Found

Resource does not exist

429

Rate Limit Exceeded

Too many requests

500

Internal Server Error

Server error - contact support

Error Response Format

{
  "success": false,
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid or missing API Key"
  }
}

Complete API Reference - 32 Endpoints

All available endpoints organized by category with required scopes

POST

/api/v1/register

Public

Authentication

GET

/api/v1/health

Liveness probe (Kubernetes)

Public

Monitoring

GET

/api/v1/ready

Readiness probe with dependency checks

Public

Monitoring

GET

/api/v1/tenants

Get own tenant information

tenant:read

Tenants

POST

/api/v1/tenants

Create new tenant (admin only)

admin / internal

Tenants

GET

/api/v1/tenants/{tenantId}

Get tenant details

tenant:read

Tenants

POST

/api/v1/chat

Send chat message (streaming SSE)

chat:create

Chat

GET

/api/v1/chat/history

Get conversation history

chat:read

Chat

DELETE

/api/v1/chat/history/{chatId}

Delete conversation

chat:delete

Chat

POST

/api/v1/estimator/analyze

Analyze images (streaming)

estimator:use

Estimator

GET

/api/v1/tenants/{tenantId}/store

Get RAG store details

store:read

RAG Store

POST

/api/v1/tenants/{tenantId}/store/sync

Sync files from AssetVault

store:write

RAG Store

POST

/api/v1/tenants/{tenantId}/store/refresh

Refresh document metadata

store:write

RAG Store

POST

/api/v1/tenants/{tenantId}/store/files/actions

Bulk file operations

store:write

RAG Store

GET

/api/v1/tenants/{tenantId}/store/progress

Real-time sync progress

store:read

RAG Store

GET

/api/v1/tenants/{tenantId}/store/audit

Get audit logs

store:read

RAG Store

POST

/api/v1/tenants/{tenantId}/accounts

Create account

account:write

Accounts

GET

/api/v1/tenants/{tenantId}/accounts/{accountId}

Get account details

account:read

Accounts

PATCH

/api/v1/tenants/{tenantId}/accounts/{accountId}

Update account

account:write

Accounts

POST

/api/v1/tenants/{tenantId}/accounts/{accountId}/files

Upload file to RAG store

file:upload

Files

GET

/api/v1/tenants/{tenantId}/accounts/{accountId}/files

List files

file:read

Files

DELETE

/api/v1/tenants/{tenantId}/accounts/{accountId}/files/{fileId}

Delete file

file:delete

Files

GET

/api/v1/tenants/{tenantId}/api-keys

List API keys

tenant:read

API Keys

POST

/api/v1/tenants/{tenantId}/api-keys

Create API key

tenant:write

API Keys

PUT

/api/v1/tenants/{tenantId}/asset-auth/password

Update Asset Manager password

store:write

Asset Auth

GET

/api/v1/usage

Get usage statistics and quotas

tenant:read

Usage

Ready to Get Started?

Get your API key and start building in minutes