FAQ

How do I not leak my API key?

When you write your own integration for kapa on top of the API, you have to decide where to keep your API key so that it stays secure. Whatever you are building, never put your API key into client-side code that runs in the user's browser. It is impossible to hide an API key in client-side code: users can extract it from the browser and start making programmatic requests to your kapa instance. You need to avoid this.

If your integration runs behind a login, the solution is straightforward. Add authenticated routes to your backend that forward requests to the kapa API. Store the kapa API key securely on the server and add it to each request before forwarding.

If your integration is not protected by an authentication flow, the problem gets slightly harder. You cannot hide your API key server-side as easily, because nothing stops people from calling your kapa instance through your own backend: you have no means of authenticating requests to your proxy routes.

One possible solution in this scenario is to use a captcha. There are many captcha providers to pick from, and most of them offer a frontend SDK that you integrate into your client-side code. While the user interacts with your integration, this code tries to determine whether the interaction is human. If so, your client code receives a valid token, which you attach to the requests you send to your proxy routes. On the backend, you validate the token and only then forward the request to kapa. This way you can protect your backend routes without traditional means of authentication such as emails and passwords.
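The proxy route described above, as an added example that is not kapa's own code: the handler checks the captcha token first, accepts only the `query` field from the client, and attaches the server-held key and `integration_id` before forwarding. `verify_captcha`, `send`, the `config` dict and `MAX_QUERY_CHARS` are assumptions made for illustration; behind a login, the captcha check would be replaced by your session check.

```python
import json
import urllib.request

# Endpoint shape and header name are taken from the curl example on this page.
KAPA_URL = "https://api.placeholder.com/query/v1/projects/{project_id}/chat/"
MAX_QUERY_CHARS = 2000  # assumed limit, not a kapa value


def build_kapa_request(query, project_id, integration_id, api_key):
    """Build the upstream request; only 'query' originates from the client."""
    payload = json.dumps({"integration_id": integration_id, "query": query})
    return urllib.request.Request(
        KAPA_URL.format(project_id=project_id),
        data=payload.encode("utf-8"),
        headers={"X-API-KEY": api_key, "Content-Type": "application/json"},
        method="POST",
    )


def handle_proxy_request(client_body, captcha_token, verify_captcha, send, config):
    """Return (status, body) for one request to the proxy route.

    verify_captcha(token) -> bool is a hypothetical wrapper around your captcha
    provider's server-side verification; send(request) -> dict performs the
    HTTP call. config holds project_id, integration_id and api_key, loaded on
    the server (for example from environment variables or a secret store).
    """
    # 1. Reject before touching the key if the token is missing or invalid.
    if not captcha_token or not verify_captcha(captcha_token):
        return 403, {"error": "captcha verification failed"}
    # 2. Accept only the one field the client is allowed to control.
    try:
        query = json.loads(client_body)["query"]
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "expected a JSON object with a 'query' field"}
    if not isinstance(query, str) or not 0 < len(query) <= MAX_QUERY_CHARS:
        return 400, {"error": "invalid query"}
    # 3. Attach the server-held key and integration_id, then forward.
    request = build_kapa_request(
        query, config["project_id"], config["integration_id"], config["api_key"]
    )
    return 200, send(request)
```

Because the upstream body is rebuilt from scratch, a client cannot override `integration_id` or inject extra fields, and the key never appears in any response sent back to the browser.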

What exactly is an integration_id?

An integration can be thought of as a pathway for interaction with Kapa. Options include API usage, Slack, web widget, Discord, and more.

integration_ids allow you to track analytics for each type of integration. For example, when making an API call to kapa, you can provide your private API key along with an integration_id so that your interaction with Kapa via the API is logged.

curl --location 'https://api.placeholder.com/query/v1/projects/{project_id}/chat/' \
--header 'X-API-KEY: <YOUR_API_KEY>' \
--header 'Content-Type: application/json' \
--data '{
"integration_id": "<YOUR_API_INTEGRATION_ID>",
"query": "How do I get started?"
}'

Note: An integration_id alone does not provide authentication to the kapa system.

Can I control the length of kapa's responses?

No. Kapa is optimized for providing accurate, context-specific answers to technical product questions through our answer engine. The response length is determined by the amount of relevant information needed to fully and accurately answer the question. While you can technically apply additional prompting to change response length, we strongly recommend against doing so as it will compromise the accuracy and completeness of answers. This approach aligns with our core mission of providing the most accurate responses.