API and OAuth

Everything you can click, you can do programmatically

Create agents, manage training sources and wire AssistLoop into your own systems from code. Keys are scoped to exactly what you grant them, and expire when you say so.

  • API keys scoped per capability, not all-or-nothing
  • Set an expiry date on any key, and revoke it at any time
  • Build an app that connects to AssistLoop accounts over OAuth

API keys

Productional_live_••••4f2c
agent:readsource:createexpires 12 Mar 2027
CI pipelineal_live_••••9d10
agent:readexpires 12 Mar 2027

curl -H "Authorization: Bearer $KEY"
https://api.assistloop.ai/v1/agents

Scoped per key. Revocable. Never wider than you grant.

What you can build

The API covers the objects that matter operationally: the agents themselves and the sources they are trained on.

Manage agents

Read, create, update and delete agents from code. Useful the moment you are running more than a handful and clicking through them stops scaling.

Manage training sources

Push sources programmatically. If your documentation lives in a repository, your pipeline can keep the agent in step with it.

Granular scopes

Each key carries exactly the permissions you grant: read an agent, create a source, and nothing more. A key for a read-only dashboard cannot delete anything.

Expiring keys

Set an expiry date when you mint a key. Credentials that live forever are the ones that end up in a public repository.

Owner controlled

Only an organisation owner can mint or revoke keys, so a team member cannot quietly hand out programmatic access to your data.

OAuth for third-party apps

AssistLoop can act as an OAuth provider, so an app you build can ask a customer to authorise it, and they can revoke that access whenever they choose.

Getting started

  1. 01

    Mint a key

    From the API keys screen, choose the scopes it needs and an expiry date. Copy it once, because it is not shown again.

  2. 02

    Call the API

    Standard REST over HTTPS, authenticated with a bearer token. Nothing exotic and no SDK required.

  3. 03

    Rotate on a schedule

    Mint the replacement, move your systems over, revoke the old one. Expiry dates make this a habit rather than an emergency.

The API in depth

Scopes are the point

Most products treat an API key as a single, undifferentiated grant of power: you have the key, so you can do everything the account can do. That is convenient exactly until the key leaks, at which point it is the worst possible design.

Here, a key carries only the capabilities you attach to it. Reading agents is a separate permission from creating them, which is separate again from deleting them, and the same is true of training sources. A key that only needs to read cannot delete, no matter who ends up holding it.

This matters most for the keys you are least careful with. The one in your CI pipeline, the one in the internal dashboard somebody built in an afternoon, the one pasted into a shared environment file. Those keys should be able to do one narrow thing, and with scopes, they can be.

Reading, creating and deleting are separate permissions, for agents and for training sources alike. A key that only needs to read cannot delete, no matter who ends up holding it.

Expiry, and why you should use it

Every key can be given an expiry date when it is created. It is optional, and you should use it anyway.

The reason is simple. Credentials that never expire are the ones that quietly outlive the project they were created for, the employee who created them, and eventually your memory of what they were for. When you eventually find one, you cannot revoke it, because nobody knows what will break. An expiry date turns that from a decision you never make into a decision that gets made for you.

Key management is restricted to organisation owners, so this is not something a team member can route around.

Any key can be given an expiry date when it is minted, and key management is restricted to organisation owners.

Where an API earns its keep

The obvious case is scale. If you are an agency running agents for thirty clients, or a platform provisioning one per tenant, creating them by hand stops being viable quickly. The API makes agent creation part of your onboarding flow rather than a task on somebody’s list.

The less obvious case is keeping training data current. Retraining is a manual action in the dashboard, which is fine when your documentation changes monthly and painful when it changes daily. If your docs live in a repository, your existing pipeline can push sources through the API when they change, and the agent stays in step with the content without anybody remembering to make it happen.

Retraining is manual in the dashboard. If your docs live in a repository, your pipeline can push sources through the API so the agent stays in step without anyone having to remember.

OAuth, for when the account is not yours

API keys are the right tool when you are automating your own organisation. They are the wrong tool when you are building something other people will use against *their* AssistLoop accounts, because it would mean asking your users to paste a long-lived credential into your product.

For that, AssistLoop acts as an OAuth provider. Your app sends the user through an authorisation screen, they approve the access, and your app receives a token scoped to what they granted. They can see which apps they have connected and revoke any of them at any time, without touching a key or breaking anything else.

This is also the mechanism behind the tools you can connect from inside the dashboard. See the integrations page for what is available today, and agent actions if you want the agent itself calling your endpoints during a conversation rather than you calling ours.

Use an API key to automate your own organisation. Use OAuth when other people will connect their own AssistLoop accounts to an app you built.

Frequently asked questions

Does AssistLoop have an API?

Yes. It is a REST API over HTTPS, authenticated with a bearer token, covering agents and their training sources. You can read, create, update and delete both from code.

How are API keys secured?

Each key carries granular scopes, so it holds only the permissions you grant it. Reading agents, creating them and deleting them are separate permissions, as are the equivalents for training sources. A key can also be given an expiry date and revoked at any time.

Who can create API keys?

Only organisation owners. A team member cannot mint or revoke programmatic access to your data.

What is the difference between an API key and OAuth?

Use an API key when you are automating your own organisation. Use OAuth when you are building an app that other people will connect to their own AssistLoop accounts, so they can authorise it explicitly and revoke it later without sharing a long-lived credential with you.

Can I keep my training data in sync automatically?

Yes, via the API. Retraining is a manual action in the dashboard, but if your documentation lives in a repository, your pipeline can push sources through the API when they change so the agent stays current without anyone having to remember.

Is the API available on every plan?

API key management is a premium capability. See the pricing page for which tiers include it.

Keep exploring

Wire it into what you already run

Mint a scoped key, call the API, and stop clicking through the dashboard for things a script should be doing.