SecureAI provides a REST API that gives you programmatic access to conversations, knowledge bases, assistants, models, and administrative functions. Whether you are automating workflows, building custom integrations, or embedding AI capabilities into your own applications, the API is the foundation.
This guide covers what the API can do, how it is organized, rate limits, error handling, and versioning. For authentication setup, see the API Authentication Guide. For embedding and integration patterns, see Embedding SecureAI in Your Applications.
Base URL
All API requests use your SecureAI instance's base URL:
```
https://your-secureai-instance.com/api/v1
```
Self-hosted deployments use whatever domain or IP address your instance is running on. If you are unsure, check with your administrator.
API Capabilities
The API is organized around resources. Each resource supports standard CRUD operations plus resource-specific actions.
| Resource | Endpoint | What You Can Do |
|---|---|---|
| Chats | `/chats` | Create, list, search, archive, and delete conversations |
| Chat Completions | `/chat/completions` | Send messages and receive AI responses (streaming and non-streaming) |
| Knowledge Bases | `/knowledge` | Create, update, list, and delete knowledge bases; upload and manage documents |
| Assistants | `/assistants` | Create, configure, list, and manage custom assistants with system prompts and tool bindings |
| Models | `/models` | List available AI models, check model status, and view model capabilities |
| Users | `/users` | List users, update roles, manage permissions (admin only) |
| Documents | `/documents` | Upload, list, and delete files attached to knowledge bases |
| Prompts | `/prompts` | Create, list, and manage saved prompt templates |
| Tools | `/tools` | Register, list, and manage custom tools available to assistants |
| Configs | `/configs` | Read and update system configuration (admin only) |
| Audit Logs | `/auditlogs` | Query user activity and system events (admin only) |
Request Format
Request and response bodies are JSON.
Required headers:
```
Authorization: Bearer <your-api-key>
Content-Type: application/json
```
Example -- list your conversations:
```shell
curl -X GET https://your-secureai-instance.com/api/v1/chats \
  -H "Authorization: Bearer sk-your-api-key-here" \
  -H "Content-Type: application/json"
```
Example -- send a message and get a completion:
```shell
curl -X POST https://your-secureai-instance.com/api/v1/chat/completions \
  -H "Authorization: Bearer sk-your-api-key-here" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-4",
    "messages": [
      {"role": "system", "content": "You are a helpful automotive parts assistant."},
      {"role": "user", "content": "What brake pads fit a 2019 Honda Civic?"}
    ]
  }'
```
Response Format
Successful responses return a JSON object with the resource data. List endpoints return paginated results.
Single resource:
```json
{
  "id": "chat-abc123",
  "title": "Brake pad compatibility",
  "created_at": "2026-03-15T10:30:00Z",
  "updated_at": "2026-03-15T10:35:00Z"
}
```
List response:
```json
{
  "data": [
    { "id": "chat-abc123", "title": "Brake pad compatibility" },
    { "id": "chat-def456", "title": "OEM cross-reference" }
  ],
  "total": 42,
  "page": 1,
  "page_size": 20
}
```
Pagination
List endpoints accept page and page_size query parameters:
```
GET /api/v1/chats?page=2&page_size=50
```
`page` defaults to `1`, `page_size` defaults to `20`, and the maximum `page_size` is `100`.
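To walk an entire listing, loop until `page * page_size` reaches `total`. A minimal sketch in Python; the `fetch_page` callable is a stand-in for whatever HTTP client you use to GET the list endpoint:

```python
def fetch_all(fetch_page, page_size=100):
    """Yield every item from a paginated list endpoint.

    fetch_page(page, page_size) must return the parsed JSON body:
    {"data": [...], "total": N, "page": p, "page_size": s}
    """
    page = 1
    while True:
        body = fetch_page(page, page_size)
        yield from body["data"]
        # Stop once this page covers the last item.
        if page * body["page_size"] >= body["total"]:
            break
        page += 1
```

Using a generator keeps memory flat even for large listings, since each page is discarded after its items are yielded.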
Streaming Responses
The chat completions endpoint supports server-sent events (SSE) for streaming responses token by token. This is useful for building real-time chat interfaces.
To enable streaming, set "stream": true in your request:
```shell
curl -X POST https://your-secureai-instance.com/api/v1/chat/completions \
  -H "Authorization: Bearer sk-your-api-key-here" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-4",
    "messages": [
      {"role": "user", "content": "Explain catalytic converter replacement."}
    ],
    "stream": true
  }'
```
Each event in the stream follows this format:
```
data: {"id":"resp-123","object":"chat.completion.chunk","choices":[{"delta":{"content":"A catalytic"}}]}

data: {"id":"resp-123","object":"chat.completion.chunk","choices":[{"delta":{"content":" converter"}}]}

data: [DONE]
```

The stream ends with `data: [DONE]`.
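Parsing the stream client-side amounts to reading lines, stripping the `data: ` prefix, and stopping at `[DONE]`. A sketch assuming only the event shape shown above:

```python
import json

def iter_content(lines):
    """Yield text chunks from an SSE stream of chat.completion.chunk events."""
    for raw in lines:
        line = raw.strip()
        if not line.startswith("data: "):
            continue  # skip blank separator / keep-alive lines
        payload = line[len("data: "):]
        if payload == "[DONE]":
            return  # end of stream
        chunk = json.loads(payload)
        delta = chunk["choices"][0].get("delta", {})
        if "content" in delta:
            yield delta["content"]
```

Feed it the response's line iterator and join (or print) the chunks as they arrive.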
Authentication
Every API request must include a valid authentication credential. SecureAI supports two methods:
| Method | Use Case |
|---|---|
| API keys | Server-to-server integrations, scripts, automation |
| OAuth 2.0 | User-facing applications, delegated access |
For full details on generating keys, OAuth flows, token refresh, and security best practices, see the API Authentication Guide.
Rate Limits
SecureAI enforces rate limits to protect system stability and ensure fair usage across all users.
Default Limits
| Tier | Requests per Minute | Requests per Day | Concurrent Requests |
|---|---|---|---|
| Free | 10 | 500 | 2 |
| Standard | 60 | 10,000 | 10 |
| Professional | 120 | 50,000 | 25 |
| Enterprise | Custom | Custom | Custom |
Chat completion requests (which consume AI model tokens) have separate, lower limits than metadata-only requests like listing chats or users.
Rate Limit Headers
Every API response includes headers that tell you your current rate limit status:
```
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 45
X-RateLimit-Reset: 1711234567
```
| Header | Description |
|---|---|
| `X-RateLimit-Limit` | Maximum requests allowed in the current window |
| `X-RateLimit-Remaining` | Requests remaining in the current window |
| `X-RateLimit-Reset` | Unix timestamp when the window resets |
Handling Rate Limits
When you exceed the limit, the API returns a 429 Too Many Requests response:
```json
{
  "error": {
    "type": "rate_limit_exceeded",
    "message": "Rate limit exceeded. Retry after 23 seconds.",
    "retry_after": 23
  }
}
```
Best practices for handling rate limits:

- Check headers proactively. Monitor `X-RateLimit-Remaining` and slow down before hitting zero.
- Implement exponential backoff. On a 429 response, wait the `retry_after` duration, then retry with increasing delays (e.g., 1s, 2s, 4s).
- Queue requests. For batch operations, use a queue that respects your per-minute limit rather than firing all requests simultaneously.
- Cache responses. If you repeatedly fetch the same data (e.g., model list, assistant configurations), cache the result and use `If-None-Match`/`ETag` headers to avoid unnecessary requests.
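The backoff loop can be sketched as follows. `send` stands in for a single HTTP call returning the status code and parsed body; the function name and shape are illustrative, not part of any SDK:

```python
import time

def request_with_retry(send, max_retries=4, sleep=time.sleep):
    """Retry send() on 429, honoring retry_after, else doubling a fallback delay."""
    delay = 1.0
    for _ in range(max_retries):
        status, body = send()
        if status != 429:
            return status, body
        retry_after = body.get("error", {}).get("retry_after")
        sleep(retry_after if retry_after is not None else delay)
        delay *= 2  # 1s, 2s, 4s, ...
    return send()  # final attempt; caller handles a lingering 429
```

Injecting `sleep` keeps the helper testable and lets you swap in an async-friendly wait.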
Error Handling
The API uses standard HTTP status codes. Error responses include a JSON body with details.
Status Codes
| Code | Meaning | Common Cause |
|---|---|---|
| `200` | Success | Request completed |
| `201` | Created | Resource created successfully |
| `204` | No Content | Resource deleted successfully |
| `400` | Bad Request | Invalid JSON, missing required field, invalid parameter value |
| `401` | Unauthorized | Missing or invalid API key / token |
| `403` | Forbidden | Valid credentials but insufficient permissions |
| `404` | Not Found | Resource does not exist or you do not have access |
| `409` | Conflict | Duplicate resource (e.g., duplicate slug or name) |
| `422` | Unprocessable Entity | Request is well-formed but semantically invalid |
| `429` | Too Many Requests | Rate limit exceeded |
| `500` | Internal Server Error | Unexpected server error -- retry or contact support |
| `503` | Service Unavailable | Server is temporarily overloaded or under maintenance |
Error Response Format
```json
{
  "error": {
    "type": "validation_error",
    "message": "The 'model' field is required.",
    "details": {
      "field": "model",
      "constraint": "required"
    }
  }
}
```
Tips for debugging errors:

- Read the `message` field -- it usually tells you exactly what to fix.
- For `400` errors, check that your JSON is valid and all required fields are present.
- For `401` errors, verify your API key is correct and has not been revoked.
- For `403` errors, check that your user role has permission for the requested action. Some endpoints (user management, configs, audit logs) require admin privileges.
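In code, these checks reduce to one helper that turns a non-2xx response into a typed exception carrying the error body's fields. A sketch; `APIError` and `check_response` are illustrative names, not part of any official SDK:

```python
class APIError(Exception):
    """Carries the HTTP status plus the type/message from the error body."""
    def __init__(self, status, err_type, message):
        super().__init__(f"{status} {err_type}: {message}")
        self.status = status
        self.type = err_type
        self.message = message

def check_response(status, body):
    """Return the body on 2xx; raise APIError otherwise."""
    if 200 <= status < 300:
        return body
    err = body.get("error", {}) if isinstance(body, dict) else {}
    raise APIError(status, err.get("type", "unknown"), err.get("message", ""))
```

Callers can then branch on `e.status` (retry on 429/503, re-authenticate on 401) instead of parsing message strings.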
Versioning
The API is versioned via the URL path (/api/v1/). The current and only version is v1.
When breaking changes are introduced, a new version (e.g., /api/v2/) will be released. The previous version will remain available for a deprecation period of at least 6 months with advance notice.
Non-breaking changes (new fields in responses, new optional parameters, new endpoints) are added to the current version without a version bump.
Webhooks
SecureAI can send webhook notifications to your application when certain events occur. Webhooks are configured in Admin Panel > Settings > Webhooks.
Available Events
| Event | Trigger |
|---|---|
| `chat.created` | A new conversation is started |
| `chat.completed` | An AI response is generated |
| `document.uploaded` | A file is uploaded to a knowledge base |
| `document.indexed` | A document finishes indexing and is searchable |
| `user.created` | A new user account is created |
| `user.role_changed` | A user's role is updated |
Webhook Payload
```json
{
  "event": "document.indexed",
  "timestamp": "2026-03-15T10:35:00Z",
  "data": {
    "document_id": "doc-xyz789",
    "knowledge_base_id": "kb-abc123",
    "filename": "brake-pads-catalog-2026.pdf",
    "status": "indexed",
    "page_count": 47
  }
}
```
SecureAI signs webhook payloads with a shared secret so you can verify they are authentic. The signature is sent in the `X-SecureAI-Signature` header.
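Verification is typically an HMAC comparison over the raw request body. The sketch below assumes the signature is a hex-encoded HMAC-SHA256 digest; confirm the actual scheme in your instance's webhook settings:

```python
import hashlib
import hmac

def verify_webhook(raw_body: bytes, signature: str, secret: str) -> bool:
    """Compare X-SecureAI-Signature against an HMAC-SHA256 of the raw body.

    Assumes a hex digest (an assumption -- check your instance's docs).
    Uses compare_digest for a constant-time comparison.
    """
    expected = hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)
```

Always verify against the raw bytes you received, not a re-serialized JSON object, since key ordering and whitespace differences would change the digest.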
SDKs and Client Libraries
While the REST API works with any HTTP client, official and community SDKs simplify common operations:
| Language | Package | Install |
|---|---|---|
| Python | `secureai-python` | `pip install secureai-python` |
| JavaScript / TypeScript | `secureai-js` | `npm install secureai-js` |
Python example:
```python
from secureai import SecureAIClient

client = SecureAIClient(
    base_url="https://your-secureai-instance.com",
    api_key="sk-your-api-key-here",
)

# Send a message
response = client.chat.completions.create(
    model="gpt-4",
    messages=[
        {"role": "user", "content": "What oil filter fits a 2020 Toyota Camry?"}
    ],
)

print(response.choices[0].message.content)
```
JavaScript example:
```javascript
import { SecureAIClient } from "secureai-js";

const client = new SecureAIClient({
  baseUrl: "https://your-secureai-instance.com",
  apiKey: "sk-your-api-key-here",
});

const response = await client.chat.completions.create({
  model: "gpt-4",
  messages: [
    { role: "user", content: "What oil filter fits a 2020 Toyota Camry?" },
  ],
});

console.log(response.choices[0].message.content);
```
Common Integration Patterns
Parts Lookup Automation
Automate parts compatibility checks by sending structured queries:
```shell
curl -X POST https://your-secureai-instance.com/api/v1/chat/completions \
  -H "Authorization: Bearer sk-your-api-key-here" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-4",
    "messages": [
      {
        "role": "system",
        "content": "You are a parts compatibility expert. Return results as JSON with fields: part_number, manufacturer, compatible, notes."
      },
      {
        "role": "user",
        "content": "Is Bosch BP1087 compatible with a 2021 Ford F-150?"
      }
    ]
  }'
```
Knowledge Base Upload Pipeline
Automate document ingestion into a knowledge base:
```shell
# 1. Upload a document
curl -X POST https://your-secureai-instance.com/api/v1/knowledge/kb-abc123/documents \
  -H "Authorization: Bearer sk-your-api-key-here" \
  -F "file=@brake-catalog-2026.pdf"

# 2. Check indexing status
curl -X GET https://your-secureai-instance.com/api/v1/knowledge/kb-abc123/documents/doc-xyz789 \
  -H "Authorization: Bearer sk-your-api-key-here"
```
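Between the upload and any downstream use, you usually poll until the document reports `"indexed"` (the same status value that appears in the webhook payload). A sketch, with `get_status` standing in for the GET call in step 2:

```python
import time

def wait_until_indexed(get_status, attempts=60, interval=5, sleep=time.sleep):
    """Poll get_status() until it returns "indexed"; False if attempts run out."""
    for _ in range(attempts):
        if get_status() == "indexed":
            return True
        sleep(interval)
    return False
```

If your instance has webhooks configured, subscribing to `document.indexed` avoids polling entirely.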
Batch Chat Export
Export all conversations for a date range for compliance or analytics:
```shell
curl -X GET "https://your-secureai-instance.com/api/v1/chats?created_after=2026-03-01&created_before=2026-03-15&page_size=100" \
  -H "Authorization: Bearer sk-your-api-key-here"
```
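For exports larger than one page, a small wrapper can page through the listing and write each chat as one JSON line, which keeps large exports streamable. `fetch_page` is a stand-in for the GET call above with your date filters applied:

```python
import json

def export_chats(fetch_page, out_path, page_size=100):
    """Write every chat from a paginated listing to a JSONL file; returns count."""
    page, written = 1, 0
    with open(out_path, "w", encoding="utf-8") as f:
        while True:
            body = fetch_page(page, page_size)
            for chat in body["data"]:
                f.write(json.dumps(chat) + "\n")
                written += 1
            if page * body["page_size"] >= body["total"]:
                break
            page += 1
    return written
```

JSONL is a convenient target because compliance and analytics tools can process it line by line without loading the full export.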
Next Steps
- API Authentication Guide -- Set up API keys or OAuth credentials.
- Embedding SecureAI in Your Applications -- Build chat widgets, custom tools, and automation pipelines.
- Understanding Token Usage and Costs -- Monitor API usage and optimize costs.
- Integration Overview -- See all available integrations and connection options.