API Reference

Programmatic access and webhooks.

Agents

Manage agents via the REST API. Find an agent's ID in its Overview tab (click to copy).

```
# List agents
GET /api/agents

# Create an agent
POST /api/agents
{ "name": "Reception Bot", "agentType": "call" }
```

Website chat

The embed chat endpoint is public, origin-locked to the agent's allowed domains, and rate-limited (20/min, 500/day per agent + IP):

```
POST /api/embed/{agentId}/chat
Origin: https://your-allowed-domain.com
{ "messages": [{ "role": "user", "content": "Hi" }] }
```

Rate limits

The programmatic REST API (`/api/v1`, authenticated with a `cwk_…` key) is rate limited per key by your plan tier, plus a short burst ceiling. A leaked key therefore can't run up unbounded usage.

| Plan | Requests / minute |
| --- | --- |
| Pay-as-you-go | 60 |
| Developer | 100 |
| Pro | 500 |
| Business | 2,000 |
| Enterprise | 10,000 |

Every response carries `X-RateLimit-Limit`, `X-RateLimit-Remaining`, and `X-RateLimit-Reset`. When you exceed a limit you get `429 Too Many Requests` with a `Retry-After` header (seconds). Sustained abuse triggers a short temporary block.

Tip · Requests today / this month and any rate-limit hits per key are shown on the API Keys card in Settings.

Webhooks

Inbound Twilio voice/SMS webhooks are verified by signature. Stripe billing webhooks are verified by signing secret and drive subscription, token-grant, and one-time-purchase events. All webhook handlers are idempotent (keyed off the provider's event/message id) so retries never double-charge.
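
One way to build a handler with the two properties described above, signature verification and idempotency keyed off the event id, shown as an added example rather than this platform's own code. It follows Stripe's `t=…,v1=…` HMAC-SHA256 header scheme; the `WebhookHandler` class, the in-memory `seen` set, the 300-second tolerance, and the sample secret and event are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

TOLERANCE_SECONDS = 300  # assumed replay window, not a value from this page

# Constructed sample secret and event body, for illustration only.
SECRET = b"whsec_constructed_example"
BODY = b'{"id": "evt_constructed_1", "amount": 500}'


def sign(secret: bytes, timestamp: int, payload: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<raw body>" (Stripe's v1 scheme)."""
    signed = f"{timestamp}.".encode() + payload
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()


def verify(secret: bytes, header: str, payload: bytes, now: int) -> bool:
    """Check a "t=<ts>,v1=<hex>" header against the raw request body."""
    parts = [kv.split("=", 1) for kv in header.split(",") if "=" in kv]
    stamps = [v for k, v in parts if k == "t"]
    sigs = [v for k, v in parts if k == "v1"]
    if len(stamps) != 1 or not (stamps[0].isascii() and stamps[0].isdigit()):
        return False
    ts = int(stamps[0])
    if abs(now - ts) > TOLERANCE_SECONDS:  # stale or future-dated: reject as replay
        return False
    expected = sign(secret, ts, payload).encode()
    # compare_digest keeps the comparison constant-time
    return any(hmac.compare_digest(expected, s.encode()) for s in sigs)


class WebhookHandler:
    """Hypothetical handler: verify first, then apply each event id at most once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen = set()  # stand-in for a unique-keyed table in a durable store
        self.credits = 0   # stand-in for the billing side effect

    def handle(self, header: str, payload: bytes, now: int) -> int:
        if not verify(self.secret, header, payload, now):
            return 400     # never parse a body that failed authentication
        event = json.loads(payload)
        if event["id"] in self.seen:
            return 200     # provider retry: acknowledge without re-applying
        self.seen.add(event["id"])
        self.credits += event["amount"]
        return 200
```

In a real deployment the seen-id check and the side effect belong in one database transaction, so a crash between them cannot drop or duplicate the event.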