API Connections
Connect your external APIs to enuchat so AI and rules can fetch real-time data from your systems.
How It Works
API Connections let you integrate enuchat with your own backend systems — booking engines, CRMs, order management, inventory, and more. When a visitor asks a question, enuchat can call your API to get real data and include it in the response.
The Flow
- Configure a connection — your API's base URL and authentication
- Add endpoints — specific API calls with path templates and response mapping
- Create a rule — an AI or static rule with a CALL_API action
- Visitor asks a question — the rule triggers, calls your API, maps the response to session variables
- AI responds with real data — the session variables are available to AI for generating an accurate answer
Example: Hotel Room Availability
Visitor: "Is room 205 available next week?"
AI Rule matches: "When visitor asks about room availability"
CALL_API action: GET https://api.hotel.com/rooms/205/availability
Response mapped: room_available = true, price = "€120/night"
AI responds: "Room 205 is available next week at €120/night. Would you like to book it?"
Setting Up a Connection
Go to Settings → API Connections in your dashboard.
1. Create a Connection
A connection represents one external API. You need:
| Field | Description | Example |
|---|---|---|
| Name | A label for this connection | Hotel Booking API |
| Base URL | The API's root URL | https://api.hotel.com/v1 |
| Auth Type | How to authenticate | Bearer Token, OAuth2, etc. |
2. Authentication Types
None
For public APIs that don't require authentication.
API Key
Sends a static key as a header or query parameter.
| Field | Description |
|---|---|
| Key | Your API key value |
| Header Name | Header to use (default: X-Api-Key) |
The key is sent as: X-Api-Key: your_key_here
Bearer Token
Sends a static token in the Authorization header.
Sent as: Authorization: Bearer your_token_here
Basic Auth
Sends username and password, base64-encoded.
Sent as: Authorization: Basic dXNlcjpwYXNz
OAuth 2.0 (Client Credentials)
Fetches an access token automatically and caches it until expiry. Best for modern APIs like Salesforce, Google, or custom OAuth servers.
| Field | Description |
|---|---|
| Token URL | OAuth token endpoint (e.g. https://auth.example.com/oauth/token) |
| Client ID | Your OAuth client ID |
| Client Secret | Your OAuth client secret |
| Scope | Space-separated scopes (e.g. read write) |
enuchat handles the token lifecycle automatically — fetches on first call, caches until expiry, refreshes when needed.
Security: All credentials are encrypted at rest using libsodium. They are never exposed in API responses — only masked values are shown in the dashboard.
Configuring Endpoints
Each connection can have multiple endpoints — specific API calls you want to make.
| Field | Description | Example |
|---|---|---|
| Name | Label for this endpoint | Check availability |
| Method | HTTP method | GET, POST, PUT, DELETE |
| Path | URL path (appended to base URL). Use {'{'}variable} for dynamic values | /rooms/{'{'}roomId}/availability |
| Query Params | URL parameters as key-value pairs. Values support {'{'}variable} | date={'{'}checkIn} |
| Body Template | JSON body for POST/PUT. Supports {'{'}variable} interpolation | {'{'}"guest": "{'{'}name}"} |
| Response Mapping | Map JSON response fields to session variables using dot notation | data.available → room_available |
| Description | Context for AI (what data this endpoint returns) | Returns room availability and pricing |
Variable Interpolation
Use {'{'}variableName} in paths, query params, and body templates. Variables come from:
- Session variables — set by previous rules (SET_VARIABLE action)
- Action params — hardcoded in the CALL_API rule action
Response Mapping
Map JSON response fields to session variables using dot notation:
// API returns:
{'{'}
"data": {'{'}
"available": true,
"price": {'{'} "amount": 120, "currency": "EUR" }
}
}
// Mapping:
data.available → room_available // "true"
data.price.amount → room_price // "120"
data.price.currency → room_currency // "EUR"Mapped variables are stored as session variables on the conversation and are available to AI for generating responses.
Using with Rules
API calls are triggered by the CALL_API action in rules. You can combine them with other actions.
Recipe: Order Status Lookup
Connection: Order Management API — https://api.shop.com/v2 — Bearer Token
Endpoint: GET /orders/{'{'}orderId} → maps data.status → order_status, data.eta → delivery_eta
Rule (AI type): "When the visitor asks about their order status or delivery"
Actions:
- CALL_API → Order Status endpoint
- REPLY_AI → AI uses
order_statusanddelivery_etato respond
Result: Visitor: "Where is my order #4521?" — AI: "Your order #4521 is currently being shipped and should arrive by Thursday."
Recipe: Real-Time Pricing
Connection: Pricing API — https://pricing.example.com — API Key
Endpoint: GET /products/{'{'}productId}/price → maps price → current_price, currency → price_currency
Rule (static): MESSAGE_MATCHES_REGEX: /\b(price|cost|how much)\b/i
Actions:
- CALL_API → Pricing endpoint
- REPLY_TEXT → "The current price is {'{'}current_price} {'{'}price_currency}."
Testing
Always test your connections and endpoints before using them in rules:
- Test Connection — verifies authentication works (for OAuth2: fetches a token)
- Test Endpoint — makes a real API call with sample variables and shows the response
- Test Rule (dry-run) — on the Rules page, test whether a rule would match and what actions would execute
Tip: Start by testing the connection, then each endpoint, then the complete rule. This way you can isolate issues at each level.
Security
- Encryption at rest — all credentials are encrypted using libsodium before storage
- Never exposed — API responses never include decrypted credentials, only masked values
- SSRF protection — enuchat blocks calls to localhost, private IPs, and internal hostnames
- Timeout — external API calls have a 5-second timeout to prevent hanging
- OAuth2 token caching — access tokens are cached securely and refreshed automatically
- Tenant isolation — connections are scoped to your tenant, inaccessible to others