Developer
API tokens
Per-bot bearer tokens. Each one is scoped to a single bot and can be revoked independently.
Issue a token
- Open the bot in your dashboard, scroll to API tokens.
- Add an optional label (e.g. Production widget, Local dev) and click Create token.
- The plaintext token appears once in a green banner — copy it now. We only store a SHA-256 hash and the display prefix (
amk_live_abc12345…).
Format
Tokens look like amk_live_ followed by 24 random alphanumerics. Treat them like passwords.
Use the token
Add it as a Bearer header on every request:
Authorization: Bearer amk_live_abc123…The token must match the botId in your request body — cross-bot use is rejected with 401.
Revoke a token
Hit Revoke on any token row in the same panel. The next request that uses it returns 401 immediately.
Best practices
- One token per environment. Use separate tokens for production, staging, and local dev so you can rotate independently.
- Never commit tokens. Use environment variables, secrets managers, or vault systems.
- Rotate on suspicion. Revoke immediately if a token is ever exposed in a log, screenshot, or commit.