Authentication
Uchara provides three authentication methods for different use cases:
1. Widget Token → JWT (Visitor SDK)
Section titled “1. Widget Token → JWT (Visitor SDK)”Use Case: Embedding chat widget in customer-facing applications
Flow:
- Get widget token from channel settings (public, embedded in HTML)
- Client calls
POST /v1/widget/sessionwith widget token - Server creates/retrieves contact, returns short-lived JWT (24h)
- Client uses JWT for subsequent REST + WebSocket requests
Security:
- Widget token is public (safe to embed in client-side code)
- JWT is scoped to single contact
- No sensitive operations allowed
Example:
const visitor = new VisitorSDK({ apiURL: 'https://api.uchara.com', widgetToken: 'wgt_abc123', // Public token});
await visitor.init(); // Gets JWT, stores internally2. Email/Password → JWT (Agent SDK)
Section titled “2. Email/Password → JWT (Agent SDK)”Use Case: Building custom agent dashboards
Flow:
- Client calls
POST /v1/auth/loginwith email/password - Server validates credentials, returns access + refresh tokens
- Access token expires in 1h, refresh token in 30d
- Client refreshes with
POST /v1/auth/refresh
Security:
- Credentials transmitted over HTTPS only
- Access token short-lived (1h)
- Refresh token stored securely (httpOnly cookie or secure storage)
Example:
agent = AgentSDK(api_url="https://api.uchara.com")response = agent.login( email="agent@company.com", password="...")# Access token auto-set, refresh handled by SDK3. API Key (Server SDK)
Section titled “3. API Key (Server SDK)”Use Case: Backend-to-backend integration
Flow:
- Generate API key in workspace settings (admin only)
- Client sends API key in
Authorization: Bearer <key>header - Server validates key, extracts workspace context
Security:
- API key is secret — never commit to git, use env vars
- Scoped to workspace, full permissions
- Rotate regularly (90 days recommended)
- Can be revoked instantly
Key Format: uchara_sk_<32_random_chars>
Example:
client := uchara.NewServerSDK(uchara.ServerConfig{ APIURL: "https://api.uchara.com", APIKey: os.Getenv("UCHARA_API_KEY"),})Generating API Keys
Section titled “Generating API Keys”API keys can be generated from the workspace settings:
# Via API (requires admin JWT)POST /v1/admin/api-keys{ "name": "Production Server", "expires_at": "2027-12-31T23:59:59Z"}
# Response (key shown only once!){ "id": "...", "key": "uchara_sk_abc123...", "key_prefix": "uchara_sk_ab...", "created_at": "..."}Best Practices
Section titled “Best Practices”Visitor SDK
Section titled “Visitor SDK”- Call
init()once on app start - JWT expires in 24h — SDK handles refresh automatically
- Store widget token in config, not hardcoded
Agent SDK
Section titled “Agent SDK”- Store refresh token securely (keychain/keystore on mobile)
- Implement token refresh before expiry (proactive, not reactive)
- Clear tokens on logout
Server SDK
Section titled “Server SDK”- Load API key from environment variables
- Rotate keys every 90 days
- Use separate keys for staging/production
- Revoke compromised keys immediately
Token Expiry
Section titled “Token Expiry”| Token Type | Lifetime | Refresh |
|---|---|---|
| Visitor JWT | 24 hours | Auto on init() |
| Agent Access Token | 1 hour | Via refresh token |
| Agent Refresh Token | 30 days | Re-login required |
| API Key | Custom (default: no expiry) | Rotate manually |
Error Handling
Section titled “Error Handling”All SDKs normalize authentication errors:
try { await sdk.sendMessage(conversationId, { content: 'Hello' });} catch (error) { if (error.status === 401) { // Token expired, re-authenticate await sdk.login(...); }}Security Considerations
Section titled “Security Considerations”- Never commit secrets - Use environment variables
- HTTPS only - All requests over TLS
- Rotate regularly - API keys every 90 days
- Scope appropriately - Use least privilege
- Monitor usage - Track API key last_used_at
- Revoke on breach - Instant revocation via API