Skip to content

Gateway API

The SUPERWISE Chat gateway is a JSON REST API. Every product endpoint lives under the /v1 prefix, accepts and returns JSON, and streams chat responses over Server-Sent Events (SSE). This page is the lookup reference for the endpoints you’ll use to build on Chat.

For how to authenticate, see Authentication. For end-to-end build walkthroughs, see Integrate. For inbound alert delivery, see Webhooks.

All requests go to your SUPERWISE Chat base URL:

https://api.superwise-chat.company.com
  • Versioning — all product endpoints are under /v1. The OpenAI-compatible surface uses its own segment, /openai/v1.
  • Content type — send Content-Type: application/json on every request with a body. Responses are JSON, except streaming chat and progress channels, which are text/event-stream.
  • Request IDs — every request is tagged with an x-request-id (generated if you don’t supply one) and echoed back in error responses. Include it when reporting an issue.
  • Tenant isolation — every request runs scoped to your tenant. You can only ever read or write your own tenant’s data; cross-tenant access returns 404.

Pick the mechanism that matches the surface you’re calling. Full detail is in Authentication.

SurfaceHeaderUse it for
/v1/* product APIAuthorization: Bearer <JWT>Apps acting on behalf of a signed-in user
/v1/* (programmatic)Authorization: Bearer swk_...Server-to-server with a tenant API key
/openai/v1/*Authorization: Bearer swk_...OpenAI-compatible drop-in clients
/v1/embed/*X-Embed-Key: <key>The website chat widget
/v1/webhooks/{channel_id}X-Webhook-Signature: <hmac>Inbound monitoring alerts

API keys (swk_...) authenticate server-to-server calls and the OpenAI-compatible surface. Manage them under /v1/tenant/api-keys (requires the rbac.manage capability).

MethodPathNotes
GET/v1/tenant/api-keysList keys (metadata only — never the secret)
POST/v1/tenant/api-keysCreate a key; the full secret is returned once
DELETE/v1/tenant/api-keys/{id}Revoke a key
  • Format: swk_<tenant-slug>_<random>. Create requires a non-empty scopes array; keys may carry an expires_at.
  • The full secret is shown only at creation time — store it securely. Only a short prefix is retained afterward, so a lost key must be revoked and replaced.

A conversation is a chat thread. Messages are sent into a conversation and the assistant’s reply streams back.

MethodPathPurpose
POST/v1/conversationsCreate a conversation. Returns 201 with a Location header
GET/v1/conversationsList conversations (keyset pagination; see below)
GET/v1/conversations/{id}Get one conversation
PATCH/v1/conversations/{id}Update title or tier
DELETE/v1/conversations/{id}Delete a conversation
GET/v1/conversations/{id}/messagesList messages
POST/v1/runtime/chatSend a message and stream the reply (SSE)
PATCH/v1/conversations/{id}/messages/{mid}Edit a message (needs message.edit)
DELETE/v1/conversations/{id}/messages/{mid}Delete a message (needs message.delete)
GET/v1/conversations/{id}/messages/{mid}/repliesList threaded replies (needs message.read)

GET /v1/conversations uses keyset (cursor) pagination, not offset paging.

Query paramMeaning
limitItems per page (default 50, max 100)
cursorThe last_activity_at timestamp of the last item from the previous page (ISO 8601). Omit for the first page

The response includes next_cursor; pass it back as cursor to fetch the next page. When next_cursor is null, you’ve reached the end.

{ "conversations": [ ... ], "limit": 50, "next_cursor": "2026-06-10T14:30:00.000Z" }
POST /v1/runtime/chat
Authorization: Bearer <JWT>
Content-Type: application/json
Accept: text/event-stream
{
"conversation_id": "conv-abc123",
"content": "What's our Q4 revenue target?",
"tier": "QUICK"
}

tier is optional and selects how much reasoning the assistant applies, trading speed for depth:

tierBest for
QUICKFast, single-pass answers
THINKINGThe default — reasoning with search
RESEARCHDeeper search, synthesis, and citations
THOUGHT_PARTNERThe full pipeline — search, reasoning, and tools

Omit tier to use the default (THINKING).

The response is an SSE stream. Each event has an event: line and a JSON data: line.

event: assistant_message
data: {"message_id":"msg-123","content":"Our Q4 revenue target is..."}
event: search_transparency
data: {"query":"Q4 revenue","sources":[ ... ]}
event: done
data: {"message_id":"msg-123","block_count":2}

Event types

EventMeaning
assistant_messageA chunk or full assistant message
thinking_step / thinking_completeProgress while the assistant reasons
execution_tracePer-phase timing breakdown
phase_latencyLatency of a single pipeline phase
search_transparencyWhat sources the assistant looked at
swtoken_updateUsage update for the request
memory_proposalA suggestion to remember a fact
guardrail_resultThe outcome of a trust check
metadataRequest metadata
preflight_warningA non-fatal heads-up (e.g. a fallback was used)
doneThe stream completed successfully

Control / error events: interrupted, error, token_expired, stream_expired, reconnect.

Response block types (inside an assistant message): text, code, table, list, citation, image, vega, memory_proposal, knowledge_proposal.

MethodPathPurpose
GET / POST/v1/knowledge/collectionsList or create collections (create needs knowledge.create)
POST/v1/knowledge/collections/{id}/promotePromote a message into a collection
GET/v1/knowledge/search?q=Search knowledge manually
GET / POST/v1/memoriesList or create memories (with scope and category)
GET / PATCH / DELETE/v1/memories/{id}Read, update, or delete a memory
*/v1/notesPersonal notes CRUD

Knowledge is also searched automatically while the assistant answers, so you rarely need to call search yourself.

GroupPathNotes
Personas/v1/personasCRUD plus POST /{id}/publish; visibility private / team / org / public
Folders/v1/foldersThe current workspace surface
Projects/v1/projectsDeprecated alias for folders. GET requests redirect (301); responses carry Deprecation and Sunset headers. Use folders for new work
Templates/v1/templatesReusable prompts; GET /v1/templates/search?q=. Built-in system templates can’t be edited
Feedback/v1/feedbackThumbs up/down on a response. The query text is hashed before storage, never stored raw
MethodPathPurpose
GET/v1/meThe current user’s identity, read straight from the token
GET/v1/receptorThe server-evaluated view of what this user can see and do
GET/v1/rbac/meThe user’s roles and computed permissions
GET/v1/roles, /v1/groups, /v1/permissionsRead role, group, and permission data
MethodPathPurpose
POST / GET / DELETE/v1/chat/{id}/share[/{user_id}]Share with a user (READ / WRITE), list grants, or revoke
POST/v1/chat/{id}/share-linkCreate a time-limited public link (1h / 24h / 7d / 30d)
GET / DELETE/v1/chat/{id}/share-link[s]/{link_id}List or revoke links by link_id
GET/v1/shared/{token}View a shared conversation (no auth — see below)

When you create a public link, the response includes both a token (returned once, used in the public URL) and a link_id (the stable handle you use to revoke it). The raw token is never stored on the server.

A small set of endpoints are intentionally open:

EndpointPurpose
GET /healthLiveness and readiness
GET /v1/config/feature-flagsFront-end bootstrap flags
GET /v1/shared/{token}View a shared conversation; 410 Gone if the link is revoked or expired. Rate-limited to 30 req/min
GET /v1/consent/activitiesGDPR Article 13 consent activities

Chat applies trust checks while answering and records every action for review. Most governance endpoints are admin-scoped; the developer-facing ones are below.

MethodPathPurpose
GET / POST/v1/approvalsList or request an approval. Types: tool_execution, export, share, data_access. Risk levels: low / medium / high / critical
GET/v1/approvals/{id}Get an approval request
POST/v1/approvals/{id}/decideApprove, deny, or edit a pending request
POST/v1/approvals/{id}/cancelCancel a request you made
GET/v1/policyThe tenant’s active policy (banner, classification, retention, export rules)

When an action needs sign-off, the API returns the approval request instead of performing the action — once approved, the action proceeds. This keeps sensitive operations under human review without breaking your integration flow.

The website chat widget authenticates with a per-tenant embed key.

MethodPathAuthNotes
POST/v1/embed/sessionsX-Embed-KeyStart or resume a widget session. Requires an Idempotency-Key header
GET/v1/embed/sessions/{id}X-Embed-KeyCheck session status

These routes are CORS-open because they’re called from customer websites. An invalid or revoked key returns 401.

A drop-in surface for clients built against the OpenAI Chat Completions shape.

MethodPathAuthNotes
POST/openai/v1/chat/completionsswk_... API keyStandard chat completions request/response shape
GET/openai/v1/modelsswk_... API keyList available models

Point an OpenAI-compatible SDK at the base URL https://api.superwise-chat.company.com/openai/v1 and use a tenant API key as the bearer token. No Idempotency-Key is required. Errors on this surface use the OpenAI error shape ({ "error": { "message", "type", "code" } }) rather than the standard gateway error format. This surface has its own rate limit, separate from the /v1 limit.

SurfaceLimit
/v1/* (default)~60 requests/min per tenant
/v1/shared/{token}30 requests/min
/openai/v1/*Its own per-API-key limit
/healthA looser dedicated limit

Every response includes X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset (epoch seconds). When you exceed the limit you get a 429 — back off until the reset time. Tenants can have per-tenant overrides, so treat the headers on your own responses as authoritative rather than hard-coding a number.

The gateway returns errors in RFC 9457 problem+json:

{
"type": "not-found",
"title": "Not Found",
"status": 404,
"detail": "No route matches GET /v1/conversations/missing",
"request_id": "1a2b3c..."
}

Some endpoints return a simpler { "error", "message" } shape, and validation failures add an errors array listing each problem. Always read status for the outcome and request_id for support.

StatusMeaning
400Bad request or validation failure
401Missing or invalid credentials
403Authenticated, but not allowed
404Not found, or it belongs to another tenant
409Conflict (e.g. a duplicate name or already-registered channel)
410Gone (a revoked/expired share link, or a removed legacy endpoint)
422The request body is structurally invalid
429Rate limited
500Unexpected server error
Terminal window
# 1. Create a conversation
curl -X POST https://api.superwise-chat.company.com/v1/conversations \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"title": "My first conversation"}'
# 2. Send a message and stream the reply
curl -N -X POST https://api.superwise-chat.company.com/v1/runtime/chat \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-H "Accept: text/event-stream" \
-d '{"conversation_id": "conv-abc123", "content": "What is our Q4 revenue target?"}'
  • Authentication — tokens, API keys, and embed keys in depth
  • Integrate — build a working integration step by step
  • Webhooks — receive monitoring alerts into a conversation