Authentication
All Agentix public API endpoints require authentication via API keys. This page covers how to create, manage, and use API keys.
Creating API Keys
- Navigate to Settings > API Keys in the Agentix dashboard
- Click Create API Key
- Provide a descriptive name (e.g., “Production Widget”, “Mobile App”)
- Select the scopes you need
- Click Create
- Copy the key immediately — it will not be shown again
Key Format
API keys follow this format:
agx_live_<32-character-random-string>
Example: agx_live_sk7Gm2xPqR4tN8vW1yBz3dF6hJ9kL0mA
Keys prefixed with agx_live_ are production keys. Test keys (coming soon) will use agx_test_.
Using API Keys
Include your API key in every request using one of these methods:
Bearer Token (Recommended)
curl -H "Authorization: Bearer agx_live_YOUR_KEY" \
  https://app.agentix.cl/api/public/agents/{agentId}/chat
X-API-Key Header
curl -H "X-API-Key: agx_live_YOUR_KEY" \
  https://app.agentix.cl/api/public/agents/{agentId}/chat
Both methods are equivalent. Use whichever fits your HTTP client best.
Scopes
API keys can be restricted to specific scopes:
| Scope | Access |
|---|---|
| chat | Send and receive messages via the Chat API |
| config | Read agent configuration and widget settings |
| conversations | Read and update conversation history |
A key with no explicit scopes has access to all public endpoints. We recommend creating keys with the minimum scopes required.
Organization Binding
API keys are bound to an organization. A key can only access agents owned by the same organization. Attempting to use a key from Organization A to chat with an agent from Organization B returns a 403 ORG_MISMATCH error.
Key Rotation
When rotating API keys, follow this process to avoid downtime:
- Create a new API key
- Update your application to use the new key
- Verify the new key works
- Delete the old key
Rate Limiting
API keys are subject to rate limiting:
| Endpoint Type | Limit |
|---|---|
| Chat endpoints | 60 requests/minute per key |
| Config endpoints | 120 requests/minute per key |
When rate limited, the API returns 429 Too Many Requests with a Retry-After header.
Security Best Practices
- Never expose API keys in client-side code. If embedding the widget, the key is visible in the page source. Use a key scoped only to chat for widgets.
- Use environment variables to store keys in your server-side applications.
- Rotate keys regularly, especially if you suspect a key has been compromised.
- Use domain restrictions on your agents to limit which domains can use the widget, even if a key is leaked.
- Create separate keys for each environment (development, staging, production).
- Monitor usage in the dashboard to detect unusual patterns.
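The following is an added example, not part of the Agentix documentation or tooling: a small scanner, suitable for a pre-commit hook or CI step, that finds keys matching the format under Key Format before they ship in client-side code or a repository. It assumes the 32-character random part is ASCII alphanumeric, as in the example key; `KEY_RE`, `redact`, `scan_text` and `scan_paths` are hypothetical names.

```python
import re
import sys
from pathlib import Path

# Key format from this page: agx_live_ / agx_test_ prefix + 32 random characters.
# Assumption: the random part is ASCII alphanumeric, as in the page's example key.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])agx_(live|test)_[A-Za-z0-9]{32}(?![A-Za-z0-9])")

def redact(key: str) -> str:
    """Keep the prefix and last 4 characters so a finding can be matched to a
    dashboard entry without copying the secret into logs."""
    prefix_end = key.index("_", 4) + 1  # end of "agx_live_" / "agx_test_"
    return key[:prefix_end] + "*" * 28 + key[-4:]

def scan_text(text: str, source: str = "<input>"):
    """Return a list of (source, line_number, environment, redacted_key)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            findings.append((source, lineno, m.group(1), redact(m.group(0))))
    return findings

def scan_paths(paths):
    """Scan files by path, skipping anything that cannot be read."""
    findings = []
    for p in map(Path, paths):
        try:
            text = p.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        findings.extend(scan_text(text, str(p)))
    return findings

# Constructed sample: a bundled widget snippet with a hard-coded key
# (the key is the example value from this page, not a real credential).
SAMPLE = '''const cfg = {
  apiKey: "agx_live_sk7Gm2xPqR4tN8vW1yBz3dF6hJ9kL0mA",
  docs: "curl -H 'Authorization: Bearer agx_live_YOUR_KEY'",
};'''

if __name__ == "__main__":
    hits = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE, "sample.js")
    for src, lineno, env, key in hits:
        print(f"{src}:{lineno}: {env} key {key}")
    sys.exit(1 if hits else 0)  # non-zero exit fails the commit or CI job
```

Run it with file paths as arguments; with no arguments it scans the constructed sample. The placeholder `agx_live_YOUR_KEY` is deliberately not reported because it does not match the 32-character format.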
Error Responses
| Status | Code | Description |
|---|---|---|
| 401 | MISSING_API_KEY | No API key provided in the request |
| 401 | INVALID_API_KEY | The API key is not valid or has been deleted |
| 401 | EXPIRED_API_KEY | The API key has expired |
| 403 | ORG_MISMATCH | The API key belongs to a different organization |
| 403 | INSUFFICIENT_SCOPE | The API key does not have the required scope |
| 429 | RATE_LIMITED | Too many requests, retry after the specified delay |