Skip to content

API overview & authentication

CXGear exposes an HTTP API for the web app and for external systems (CRMs, middleware, scripts). This page is the map: who authenticates how, and where to send requests.

You do not need to be a platform engineer to follow it — if you integrate CXGear with another product, start here.

AudienceCredentialTypical use
People in the browserUser JWT (session token after login)Everything the UI does
External systemsOrganization API key (cxg_…)Ingest rows, trigger published spinners

Mixing them up is the most common integration mistake. A browser session token is not an API key, and an API key cannot open the full admin UI.

When someone signs in, CXGear issues a short-lived access token (JWT). The web app sends it as:

Authorization: Bearer <access_token>

That token is tied to:

If the session expires, is revoked, or is replaced on another device, API calls return auth errors and the UI sends the person back to login.

Use JWTs only for interactive clients you control (the official web app, or a trusted internal tool that completes login). Do not embed a personal JWT in a CRM or shared middleware.

API keys let systems act for the organization without a human session.

  • Keys start with cxg_
  • You create them under user menu → API keys
  • The secret is shown once — store it in your secrets manager
  • Keys have scopes such as ingest and trigger
Authorization: Bearer cxg_your_key_here

See Org API keys and Public ingest & trigger.

Screenshot needed
API keys page with generate action and a key row (prefix only).
Where: User menu → API keys
Save as: src/assets/screenshots/29-api-keys.png

All versioned routes live under /api/v1 on your API host.

EnvironmentBase URL
Productionhttps://api.cxgear.ai/api/v1
Localhttp://localhost:3000/api/v1

Examples:

POST https://api.cxgear.ai/api/v1/public/ingest
POST https://api.cxgear.ai/api/v1/public/trigger/{spinnerId}
POST https://api.cxgear.ai/api/v1/auth/login

Your deployment may use a different host. The important part is: call the API host, not the web app host (app.cxgear.ai) and not the docs host (docs.cxgear.ai).

Interactive OpenAPI docs (when the API is running):

https://api.cxgear.ai/docs
http://localhost:3000/docs

See OpenAPI / Swagger.

Route styleAuthPurpose
/auth/…Public (credentials in body)Sign up, login, password reset
Most /projects, /spinners, …User JWTProduct UI and admin tools
/public/ingest, /public/trigger/…API key + scopeCRM / middleware automation
/public/data-tables/ingest/:tokenTable ingest token in URLPer-table webhook (no org key)
Channel OAuth callbacksProvider-specificWhatsApp / Meta redirects

Webhook and callback URLs must use the public API URL (PUBLIC_API_URL in deployment). See Webhooks & callbacks and Deployment notes.

API keys do not bypass billing. Creating resources or starting jobs through the public API enforces the same plan meters as the UI. Failures return PLAN_LIMIT — see Rate limits & errors.

  • Browser traffic uses JWTs; automation uses API keys
  • Integrators call the correct API base URL over HTTPS
  • Keys are scoped narrowly (ingest and/or trigger only as needed)
  • Secrets never appear in frontend code or public repos
ProblemLikely causeWhat to do
401 Invalid API keyWrong key, revoked key, or missing BearerRegenerate key; check header format
403 Key missing scopeKey lacks ingest or triggerCreate a key with the right scopes
Calls hit the web app URLUsing app. instead of api.Switch to the API base URL
Session errors in a scriptUsing a user JWT in middlewareSwitch to an org API key
Works locally, fails in prodWrong host or HTTP vs HTTPSAlign with deployment PUBLIC_API_URL