Authentication
Authenticate with the AI Connect OS API using bearer tokens.
API tokens
All public API requests require a bearer token. Tokens are issued from Settings → API Tokens in the AI Connect OS dashboard. Each token is scoped to a single organization.
Bearer header (recommended)
curl https://api.aiconnectos.com/v1/contacts \
-H "Authorization: Bearer sk_your_api_key"X-API-Key header (alternate)
curl https://api.aiconnectos.com/v1/contacts \
-H "X-API-Key: sk_your_api_key"Base URL
https://api.aiconnectos.com/v1Treat tokens like passwords. Don't share them in publicly accessible places: GitHub repos, client-side JavaScript, mobile app bundles, screenshots, support tickets, or analytics events.
Token rotation
You can revoke and rotate tokens at any time from the dashboard. Old tokens stop working immediately on revoke - there's no grace period - so coordinate rotations with whoever consumes the token.
Rate limits
Requests are rate-limited per token. Limits depend on your plan. When exceeded, the API returns 429 Too Many Requests with a Retry-After header indicating the number of seconds to wait.
HTTP status codes
| Status | Meaning |
|---|---|
200 | OK |
201 | Created |
204 | No Content (delete succeeded) |
400 | Bad Request - malformed JSON or invalid query parameters |
401 | Unauthorized - invalid, expired, or missing token |
402 | Payment Required - insufficient credits or plan limit reached |
403 | Forbidden - token lacks permission for this resource |
404 | Not Found |
409 | Conflict - duplicate resource (e.g. unique constraint violation) |
422 | Validation Error - request body failed schema validation |
429 | Too Many Requests - rate limited |
500 | Internal Server Error |
503 | Service Unavailable - temporary outage |
Error response shape
All non-2xx responses return JSON with this shape:
{
"error": {
"code": "validation_error",
"message": "phone must be a valid E.164 number",
"field": "phone"
}
}code is stable and safe to switch on. message is human-readable and may change. field is included for 400, 422, and 409 responses when the error points at a specific field.
Webhooks (signature verification)
Some products (Proposals, integrations) post webhooks back to your server. Verify the X-Stride-Signature HMAC-SHA256 header before trusting the payload. The signing secret is shown once when you create the webhook endpoint in the dashboard.
import crypto from 'node:crypto';
function verify(rawBody: string, header: string, secret: string): boolean {
const expected = crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
return crypto.timingSafeEqual(Buffer.from(header), Buffer.from(expected));
}