API Reference
Authentication
Every request to the FAQSIR API must be authenticated using a Bearer token. Tokens are linked to a specific site and grant access only to that site's data and features.
API Keys
Your API key is a personal access token generated from the FAQSIR dashboard. Each token is scoped to a single site, meaning it can only interact with resources belonging to that site.
To find your API key, log in to the FAQSIR dashboard and navigate to your site settings. You can create multiple tokens per site if needed — for example, one for your production website and another for a staging environment.
Keep your key secret
Your API key grants full access to your site's FAQSIR data. Never commit it to version control, expose it in client-side code without understanding the implications, or share it publicly. If you believe a key has been compromised, revoke it immediately from the dashboard and generate a new one.
Request Headers
Every API request must include the following headers:
Content-Type: application/json
Accept: application/json
Authorization: Bearer YOUR_API_KEY
The Authorization header uses the standard Bearer token scheme. Replace YOUR_API_KEY with the actual token from your dashboard.
Example Request
curl -X POST https://faqsir.com/api/source \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-H "Authorization: Bearer YOUR_API_KEY" \
-d '{"url": "https://example.com/article/my-article"}'
Base URL
All API endpoints use the base URL:
https://faqsir.com/api
In the widget configuration, this base URL is set via options.api_url.
Authentication Middleware
When the API receives a request, it performs the following checks in order:
- Token validation — The Bearer token is verified against the database. If the token is invalid or missing, a 401 Unauthorized response is returned.
- Site resolution — The token is linked to a specific site. The API resolves the site context automatically so all subsequent operations are scoped correctly.
- Subscription check — The resolved site must have an active subscription (or be in an active trial or grace period). If the subscription has expired or been cancelled, a 402 Payment Required response is returned.
Active subscription required
All API endpoints except webhooks require an active subscription. If your subscription lapses, API requests will return 402 until the subscription is renewed. See Billing & Payments for details on managing your subscription.
Authentication Errors
| Status Code | Meaning | When It Occurs |
|---|---|---|
| 401 | Unauthorized | Missing, invalid, or revoked API token |
| 402 | Payment Required | Site subscription is expired, cancelled, or not present |
| 403 | Forbidden | Token is valid but lacks permission for the requested resource |
401 Unauthorized
Returned when the Authorization header is missing, malformed, or contains an invalid token.
{
"message": "Unauthenticated."
}
Common causes: missing Bearer prefix, expired token, token copied incorrectly, or token revoked from the dashboard.
402 Payment Required
Returned when the site linked to your API token does not have an active subscription.
{
"message": "Payment required."
}
Resolution: Log in to the FAQSIR dashboard and ensure your site has an active subscription. See Plans & Pricing for available options.
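An added example, not part of the FAQSIR documentation or any FAQSIR SDK: a small Python client that keeps the key out of source code by reading it from an environment variable, sends the three required headers, and maps the 401, 402 and 403 responses above to actionable errors. The variable name FAQSIR_API_KEY, the FaqsirAuthError class and the function names are assumptions; the /source path and payload come from the example request on this page.

```python
import json
import os
import urllib.error
import urllib.request

BASE_URL = "https://faqsir.com/api"  # base URL given on this page

# Remediation hints for the authentication errors documented above.
AUTH_HINTS = {
    401: "token missing, invalid or revoked: check the Bearer prefix and the dashboard",
    402: "site has no active subscription: renew it in the dashboard",
    403: "token is valid but lacks permission for this resource",
}

class FaqsirAuthError(Exception):  # hypothetical name, not a FAQSIR class
    def __init__(self, status, hint):
        super().__init__(f"HTTP {status}: {hint}")
        self.status = status

def load_api_key(env=os.environ):
    """Read the key from the environment (FAQSIR_API_KEY is an assumed name)."""
    key = env.get("FAQSIR_API_KEY", "").strip()
    # Embedded whitespace usually means a bad copy/paste; fail before sending it.
    if not key or any(c.isspace() for c in key):
        raise ValueError("FAQSIR_API_KEY is unset or contains whitespace")
    return key

def build_request(path, payload, api_key):
    """Build a POST carrying the three headers every request must include."""
    return urllib.request.Request(
        BASE_URL + path,
        data=json.dumps(payload).encode(),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": f"Bearer {api_key}",
        },
    )

def call(path, payload, api_key, opener=urllib.request.urlopen):
    """Send the request; raise FaqsirAuthError for 401/402/403, never echoing the key."""
    try:
        with opener(build_request(path, payload, api_key), timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code in AUTH_HINTS:
            raise FaqsirAuthError(err.code, AUTH_HINTS[err.code]) from None
        raise
```

The opener parameter exists so the error handling can be exercised without network access; in normal use it is left at its default.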
Token Scoping
Each API token is scoped to a single site. This means:
- A token created for "Site A" cannot access data belonging to "Site B"
- Source content, chat sessions, and analytics are all isolated per site
- If you manage multiple sites, you will need a separate API token for each
This scoping ensures data isolation and security across all your sites. You configure the correct token for each site via the api_key field in the widget configuration.
Next Steps
API Limits
Understand rate limits, usage quotas, and how to stay within your plan's allowances.
Status Codes
Complete reference of HTTP status codes returned by the API.
Plans & Pricing
Compare plans and understand which features are available on each tier.
Configuration
Configure the widget with your API key and options.