API
Enable Operator to access data and take actions in your internal systems.
Some customer issues, like checking recent orders, require Operator to access your product’s data and functionalities. You can grant this access by linking your APIs to Operator.
Authentication
All requests to your APIs are HMAC-signed to ensure request authenticity and prevent replay attacks. You can view your Operator’s signing key on the API page.
To protect against unauthorized access, verify the request signatures using the following logic:
We’re happy to help you write and test your signature verification logic in any programming language or framework your company uses. We have sample implementations available for common frameworks:
If you need a different authentication mechanism—such as API keys, asymmetric signatures, or mTLS—let us know! We’ll work with your team to meet your internal security requirements.
Idempotency
If a request to your API fails, it will be retried multiple times using exponential backoff and jitter. To prevent duplicate operations, each request includes a unique X-Idempotency-Key header.
To implement idempotency, cache both the idempotency key and the request result. When you receive a request with a previously seen idempotency key, return the cached response instead of executing the operation again.
Requests may be retried within a 5-minute window, so ensure your idempotency cache has a TTL of more than 5 minutes. We guarantee that Operators won’t reuse an idempotency key for at least 24 hours.
Note: Idempotency guarantees are only necessary for endpoints that modify your internal systems—read-only endpoints don’t require it.
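The caching behaviour described above, sketched as an added example (not code from this page or from Operator). `IdempotencyCache`, `handle_post`, the 10-minute TTL and the 400 response for a missing header are assumptions chosen for illustration.

```python
import threading
import time

# The page says retries arrive within 5 minutes; 10 minutes is an assumed TTL above that.
TTL_SECONDS = 10 * 60


class IdempotencyCache:
    """In-memory map of X-Idempotency-Key -> cached result (hypothetical helper)."""

    def __init__(self, ttl=TTL_SECONDS, clock=time.monotonic):
        self._ttl, self._clock = ttl, clock
        self._lock = threading.Lock()
        self._entries = {}

    def run_once(self, key, operation):
        """Return (result, replayed); operation() runs at most once per key per TTL."""
        now = self._clock()
        with self._lock:
            # Evict expired keys so the cache stays bounded.
            for old in [k for k, e in self._entries.items() if e["expires"] <= now]:
                del self._entries[old]
            entry = self._entries.setdefault(
                key, {"expires": now + self._ttl, "lock": threading.Lock(), "done": False})
        # Per-key lock: a retry that overlaps the first attempt waits for its
        # result instead of executing the operation a second time.
        with entry["lock"]:
            if entry["done"]:
                return entry["result"], True
            # If operation() raises, nothing is cached and the retry runs it again.
            entry["result"] = operation()
            entry["done"] = True
            return entry["result"], False


def handle_post(cache, headers, body, operation):
    """Hypothetical handler for a state-changing endpoint; returns (status, json)."""
    key = {k.lower(): v for k, v in headers.items()}.get("x-idempotency-key")
    if not key:
        # Assumed policy: refuse to modify state without a key.
        return 400, {"error": "missing X-Idempotency-Key"}
    result, _replayed = cache.run_once(key, lambda: operation(body))
    return result
```

This store lives in one process; with several workers behind a load balancer, the same logic needs a shared store so a retry routed to another worker still finds the cached result.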
Describing APIs
We currently only support integrations with HTTP APIs. Please reach out if your API follows a different protocol.
Each API description consists of:
- Name: Your Operator will refer to this API by its name. Choose a name that clearly represents the API’s action and output to ensure your Operator calls it at the appropriate time.
- Description: Your Operator uses this to determine if the API can help solve the current customer problem.
- URL: The URL of the API.
- Method: The HTTP method of the API—only GET and POST are supported.
- Inputs: The specification of the data that the API accepts.
- Outputs: The specification of the data that the API returns.
Currently, inputs and outputs only support two formats: URL Search Parameters (for GET request inputs) and JSON serialization (for POST request inputs and outputs). Please reach out if you need support for a different format!
Input and output values are described by the following specification:
An example API input/output spec is: