API authentication

AskAnyDocs external API requests require a bearer API key in the Authorization header. Learn how tokens are generated, how team scoping works, how to test a request, and how to keep API keys secure.

Last updated: 2026-05-31

AskAnyDocs uses API keys for the external team API. Every request to /api/external must include a valid bearer token in the Authorization header.

How authentication works

The external API expects this header:

Authorization: Bearer YOUR_API_TOKEN

If the header is missing, empty, malformed, or invalid, the API returns HTTP 401 with this body:

{
  "message": "Unauthorized"
}

Authentication happens before the API resolves bots, conversations, messages, or account data. If the token is not valid, no team data is returned.

Generate a key

Create the token in the AskAnyDocs dashboard under the API keys section. The token belongs to the current team. All external API responses are scoped to that team.

Before generating a token, confirm that you are in the correct workspace. If you create a key while viewing a different team, the token will access that team's data instead.

Example request

Use the token from a secure server-side environment:

curl -X GET "https://app.askanydocs.com/api/external/bots" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Accept: application/json"

Do not call the external API directly from public browser JavaScript. Browser code can expose the token to visitors.

Team scoping

The bearer token is resolved to an active API token record. Once validated, the API only returns bots, conversations, and messages for that token's team.

Team scoping means:

  • a token for Team A cannot read Team B data
  • switching teams in the dashboard does not change an existing token
  • integrations should store which workspace a token belongs to
  • separate environments should use separate keys

If an expected bot is missing from the API response, first check whether the token was created in the correct team.

Handling authentication errors

When you receive 401 Unauthorized, check:

  • the Authorization header is present
  • the value starts with Bearer
  • the token has not been copied with extra spaces
  • the token still exists and has not been revoked
  • the integration is calling the external API path, not an internal dashboard route

For 404 responses, authentication may be valid but the requested bot, conversation, or message may not belong to the token's team.
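As an added illustration (not AskAnyDocs' own code), the following Python models the behaviour described in this section and under Team scoping: the header check that answers 401, the resolution of a token to its team, and the 404 for a bot outside that team. The single-bot lookup, the 404 body and every token, team and bot identifier are assumptions constructed for the example.

```python
# Illustrative model of bearer-token authentication and team scoping as
# described on this page. Not AskAnyDocs' implementation; all identifiers
# below are constructed for the example.
from dataclasses import dataclass
from typing import Optional, Tuple

UNAUTHORIZED = (401, {"message": "Unauthorized"})
NOT_FOUND = (404, {"message": "Not Found"})  # 404 body is an assumption


@dataclass(frozen=True)
class ApiToken:
    team_id: str
    active: bool  # a revoked key keeps its record but becomes inactive


# Constructed token table: secret value -> token record
TOKENS = {
    "tok_teamA_live": ApiToken("team_a", True),
    "tok_teamB_live": ApiToken("team_b", True),
    "tok_teamA_old": ApiToken("team_a", False),  # revoked
}

# Constructed bot table: bot id -> owning team
BOTS = {"bot_1": "team_a", "bot_2": "team_b"}


def authenticate(headers: dict) -> Optional[ApiToken]:
    """Resolve the Authorization header to an active token record.

    Returns None for a missing, empty, malformed, unknown or revoked
    token so the caller answers 401 before touching any team data.
    """
    value = headers.get("Authorization")
    if not value:
        return None
    scheme, _, token = value.partition(" ")
    # Scheme must be exactly "Bearer" and the token must carry no stray
    # whitespace (the copy/paste mistake the checklist above mentions).
    if scheme != "Bearer" or not token or token != token.strip():
        return None
    record = TOKENS.get(token)
    return record if record is not None and record.active else None


def get_bot(headers: dict, bot_id: str) -> Tuple[int, dict]:
    """Look up one bot: authenticate first, then apply team scoping."""
    record = authenticate(headers)
    if record is None:
        return UNAUTHORIZED
    # A bot owned by another team is indistinguishable from a bot that
    # does not exist: both answer 404, so cross-team reads leak nothing.
    if BOTS.get(bot_id) != record.team_id:
        return NOT_FOUND
    return 200, {"id": bot_id, "team_id": record.team_id}
```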

Security recommendations

Treat the token as a secret:

  • keep separate keys for production, staging, and local development
  • store tokens in environment variables or a secret manager
  • rotate keys if they are exposed
  • revoke unused keys
  • do not commit keys to Git
  • do not embed team API keys into browser code
  • limit access to systems that actually need API data

Scope

This page covers only the external API under /api/external. Dashboard routes, widget scripts, and internal application endpoints use different access patterns and should not be treated as bearer-token integration endpoints.