Skip to content

API reference

Base URL: your serverUrl. All /api/* endpoints require Authorization: Bearer <session-jwt>. Responses are JSON; errors are { error, message } with an appropriate status.

The SDK calls these for you — this reference is for debugging and for teams extending the backend.

Health

MethodPathAuthDescription
GET/healthLiveness. Always 200 if the process is up.
GET/readyReadiness. Checks DB + Intercom breaker. 200 / 503.

Conversations

MethodPathDescription
GET/api/conversationsList the user's conversations (summaries).
POST/api/conversationsStart a request. Body { body?, reason?, meta? } — see below.
GET/api/conversations/:idFull conversation: messages + state + rating.
GET/api/conversations/:id/poll?since=<ms>New messages and live state (below).
POST/api/conversations/:id/readMark the conversation read (clears the unread badge).
POST/api/conversations/:id/closeClose the request (user-initiated). Triggers the CSAT prompt.
POST/api/conversations/:id/replySend a message. Body { body, attachmentIds? }.

Starting a requestbody is optional. If you pass a reason ({ main, sub? }) with no body, the backend opens the conversation from the topic alone (the picked topic is recorded as an internal note/tag, not shown as a user message). meta carries browser/IP-style context used to enrich the Intercom contact. At least one of body / reason is required.

Poll response — besides messages, the poll returns live conversation state so operator-side changes reflect within one interval without a reload:

json
{
  "messages": [ /* … newer than `since` */ ],
  "latestTimestamp": 1719750000,
  "state": "open",          // "open" | "closed" | "snoozed"
  "snoozedUntil": null,
  "rated": false            // true once a CSAT tag is on the conversation
}

Tickets

MethodPathDescription
GET/api/ticketsList the user's tickets (newest first; includes rated).
GET/api/tickets/search?q=AW-123Filter by reference.
GET/api/tickets/:idTicket detail: messages + status timeline.
POST/api/tickets/:id/replyReply. Reopens the ticket if it was resolved.
POST/api/tickets/:id/clarifyRoute a "clarify status" message to the chat.

Files

MethodPathAuthDescription
POST/api/files/uploadBearermultipart/form-data (file). Validates, then S3/local.
GET/api/files/:idBearerDownload/redirect for the in-app viewer.
GET/files/:id?t=<hmac>publicSigned URL so Intercom can fetch a user's attachment (it sends no auth header).

Upload validation: size cap MAX_FILE_MB (default 20 MB), count cap MAX_FILES_PER_MSG (default 10), a fixed allow-list (JPEG, PNG, GIF, WEBP, BMP, PDF, MP4, TXT) verified by magic bytes (name/MIME are never trusted), stored under a randomized owner-tagged key and served with X-Content-Type-Options: nosniff.

CSAT & complaints (bypass Intercom → our DB)

MethodPathBodyDescription
POST/api/csat{ stars 1–5, comment?, ticketId?, conversationId? }Idempotent per (user, ticket); duplicate → { id: null, duplicate: true }.
POST/api/complaints{ category, description (≥10), chatId?, dialogId? }Stores a complaint.

Complaint categories: funds · security · operator · technical · other.

Devices & settings

MethodPathDescription
POST/api/devices/register{ platform: "mobile"|"tma", token }. Upserts.
DELETE/api/devices/:idUnregister (on logout).
GET/api/settings/notificationsPreferences (defaults all-on).
PUT/api/settings/notifications{ chatMessages?, ticketUpdates?, systemNotices? }.

Diagnostics

MethodPathDescription
POST/api/diagnosticsLog device telemetry (no PII). 204.

Webhooks

MethodPathDescription
POST/webhooks/intercomIntercom events. Public; HMAC-verified. See Webhooks.

Error codes

StatuserrorWhen
400validation_error / bad_requestBad input.
401unauthorizedMissing/invalid/expired token.
429rate_limitedPer-user rate limit (see Retry-After).
502service_unavailableIntercom down / circuit open.
500internal_errorUnexpected.

AW Chat SDK — internal integration docs.