API FAQ
How do I not leak my API key?
When integrating with the Kapa API, one of the most critical security considerations is ensuring that your API key remains private. Never expose your API key in client-side code (e.g., JavaScript running in the browser) because it is impossible to keep it hidden. Attackers can easily extract it and misuse your Kapa instance.
If your integration requires user authentication, the best solution is to store the API key securely on your backend and create authenticated proxy routes that forward requests to the Kapa API. This ensures:
- The API key remains hidden from the client.
- Requests can be authenticated and rate-limited before reaching your backend.
- You maintain control over how the API is accessed.
If your integration does not require authentication, securing your API key is more challenging. Simply proxying requests through your backend is not enough, as anyone could call your backend directly.
A common solution is to use a challenge-response mechanism like CAPTCHA to distinguish between human users and automated bots:
- Use a CAPTCHA provider (e.g., Google reCAPTCHA, hCaptcha) and integrate their frontend SDK.
- When a user interacts with your integration, the CAPTCHA validates they are human and returns a token.
- Send this token along with requests to your backend.
- On your backend, verify the CAPTCHA token before forwarding the request to Kapa.
While this approach helps prevent automated abuse, it does not provide full security. Attackers can still call your backend directly if they bypass CAPTCHA. Consider combining this with rate limiting, usage quotas, and domain/referrer validation to ensure that requests originate from an expected client.
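The backend side of the steps above can look like the following. This is an added example, not code from Kapa: the environment variable names, the captcha_token field, the limits, and the choice of Google reCAPTCHA's siteverify endpoint are assumptions, and the per-IP limiter is in-memory only.

```python
import json, os, time, urllib.parse, urllib.request
from collections import defaultdict, deque

# Secrets live in the server environment (variable names are assumptions); never in client code.
KAPA_URL = os.environ.get("KAPA_CHAT_URL", "")          # endpoint shown when you create the key
KAPA_API_KEY = os.environ.get("KAPA_API_KEY", "")
INTEGRATION_ID = os.environ.get("KAPA_INTEGRATION_ID", "")
CAPTCHA_SECRET = os.environ.get("RECAPTCHA_SECRET", "")
SITEVERIFY = "https://www.google.com/recaptcha/api/siteverify"
WINDOW_S, MAX_REQ = 60, 5                               # assumed limit: 5 requests/minute/IP
recent = defaultdict(deque)                             # client IP -> recent request times

def post_json(url, data, headers):
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def verify_captcha(token, client_ip):
    # Server-side check of the token the frontend SDK returned.
    fields = {"secret": CAPTCHA_SECRET, "response": token, "remoteip": client_ip}
    form = urllib.parse.urlencode(fields).encode()
    reply = post_json(SITEVERIFY, form, {"Content-Type": "application/x-www-form-urlencoded"})
    return reply.get("success") is True

def forward_to_kapa(query):
    # Only the query comes from the client; key and integration_id are set here.
    body = json.dumps({"integration_id": INTEGRATION_ID, "query": query}).encode()
    return post_json(KAPA_URL, body, {"X-API-KEY": KAPA_API_KEY, "Content-Type": "application/json"})

def allow(client_ip, now=None):
    # Sliding-window rate limit per client IP.
    now = time.monotonic() if now is None else now
    q = recent[client_ip]
    while q and now - q[0] >= WINDOW_S:
        q.popleft()
    if len(q) >= MAX_REQ:
        return False
    q.append(now)
    return True

def handle_chat(payload, client_ip, verify=verify_captcha, forward=forward_to_kapa):
    # Returns (HTTP status, JSON body) for a parsed request from the widget.
    if not allow(client_ip):
        return 429, {"error": "rate limit exceeded"}
    token, query = payload.get("captcha_token"), payload.get("query")
    if not isinstance(token, str) or not isinstance(query, str) or not 0 < len(query) <= 2000:
        return 400, {"error": "bad request"}
    if not verify(token, client_ip):
        return 403, {"error": "captcha failed"}
    return 200, forward(query)
```

Call handle_chat from the route handler of whatever web framework your backend uses, passing the parsed JSON body and the client address. Failed CAPTCHA attempts also count against the rate limit because the limiter runs first.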
What is an integration ID?
An integration ID is an identifier for a Kapa deployment. Deployment options include website widget, Slack and Discord bots, custom API usage, and more.
Integration IDs allow you to track analytics for each type of integration. For example, when making an API call to Kapa, you can provide your private API key along with an integration_id parameter, ensuring that your API interactions with Kapa are being logged.
curl --location 'https://api.placeholder.com/query/v1/projects/{project_id}/chat/' \
--header 'X-API-KEY: <YOUR_API_KEY>' \
--header 'Content-Type: application/json' \
--data '{
"integration_id": "<YOUR_API_INTEGRATION_ID>",
"query": "How do I get started?"
}'
An integration_id alone does not provide authentication to the Kapa system.
Can I control the length of Kapa's responses?
No. Kapa is optimized for providing accurate, context-specific answers to technical product questions through our answer engine. The response length is determined by the amount of relevant information needed to fully and accurately answer the question. While you can technically apply additional prompting to change response length, we strongly recommend against doing so as it will compromise the accuracy and completeness of answers. This approach aligns with our core mission of providing the most accurate responses.
Where can I find the Kapa API endpoint?
You are shown the Kapa API endpoint when creating a new API key in the Kapa platform.
How do I get my project ID?
In the Kapa platform, click on Manage projects in the project dropdown menu to navigate to the project management screen. Here you can find the id for each of your projects.