Skip to main content
All API requests require a Bearer token in the Authorization header. 
curl https://api.open.cx/contacts \
  -H "Authorization: Bearer YOUR_API_KEY"

Generate an API key

  1. Go to Settings → Access in the OpenCX dashboard.
  2. Click Create API Key.
  3. Give it a name (e.g. “Production”, “Staging”).
  4. Choose access level:
    • Full access — the key can call every endpoint with no restrictions.
    • Custom scopes — select only the resources and actions (read / write) this key needs.
  5. Copy the key.
Existing keys created before scopes were introduced remain full-access.
The full key is only shown once. Store it securely — if you lose it, generate a new one.

Using the key

Pass the key as a Bearer token in the Authorization header on every request: 
Authorization: Bearer ocx_live_abc123...

curl -X GET https://api.open.cx/contacts \
  -H "Authorization: Bearer YOUR_API_KEY"

Scopes

Scopes restrict an API key to specific resources and actions. A full-access key bypasses all scope checks, while a scoped key can only call the endpoints it was granted. Each scope follows the pattern resource:action, where action is read (GET / list) or write (create / update / delete).

Available scopes

ResourceReadWrite
Actionsactions:readactions:write
Autopilotautopilot:readautopilot:write
Blocklistblocklist:readblocklist:write
Chat sessionschat-sessions:readchat-sessions:write
Contactscontacts:readcontacts:write
Crawlcrawl:readcrawl:write
CSATcsat:readcsat:write
Emailemail:reademail:write
Handoff analyticshandoff-analytics:read
SLA analyticssla-analytics:read
Help centerhelp-center:readhelp-center:write
Insightsinsights:readinsights:write
Mediamedia:write
Office hoursoffice-hours:readoffice-hours:write
Organizationorg:readorg:write
Phonephone:readphone:write
Redactionredaction:readredaction:write
Sequencessequences:readsequences:write
SIPsip:readsip:write
SLA policiessla:readsla:write
Tagstags:readtags:write
Teamsteams:readteams:write
Trainingtraining:readtraining:write
WhatsAppwhatsapp:readwhatsapp:write
Widgetwidget:readwidget:write
Workflowsworkflows:readworkflows:write
Handoff analytics and SLA analytics only support read — there is no write scope.
Workflows also expose workflows:trigger, granted independently of read / write. It only authorizes calls to a workflow webhook trigger URL whose trigger configuration has Access Control set to Private (Authentication Required). Public webhook triggers do not require any scope.

Error responses

StatusMeaning
401 UnauthorizedMissing or invalid API key
403 ForbiddenKey is valid but lacks the required scope
401 — invalid or missing key 
{
  "statusCode": 401,
  "message": "Unauthorized",
  "error": "Unauthorized"
}
403 — missing scope 
{
  "statusCode": 403,
  "message": "This API key does not have the required scope: \"tags:read\"."
}

Best practices

  • Never commit keys to source control. Use environment variables or a secrets manager.
  • Rotate keys periodically. You can create multiple keys and revoke old ones from the dashboard.
  • Use separate keys for each environment (production, staging, development) so revoking one doesn’t break the others.
  • Use scoped keys in production. Grant only the permissions each integration needs (principle of least privilege).
  • Prefer separate keys per integration so revoking one doesn’t break others, and each gets only the scopes it needs.