Overview
Convosphere AI supports multiple authentication methods:
- Email/Password: Traditional credentials-based authentication
- OAuth Providers: Google, Facebook, GitHub
- API Keys: For programmatic access
User Authentication
Email/Password Signup
- Visit the signup page
- Enter your:
- Name
- Email address
- Password (minimum 8 characters)
- Optional: Company, country, phone
- Click Sign Up
- Check your email for verification link
- Click the verification link to activate your account
Email/Password Login
- Go to the login page
- Enter your email and password
- Click Login
Email verification is required for credentials-based accounts.
OAuth Login
You can sign in with:
- Google: Click “Sign in with Google”
- Facebook: Click “Sign in with Facebook”
- GitHub: Click “Sign in with GitHub”
OAuth accounts are automatically verified and don’t require email verification.
Password Reset
- Go to the login page
- Click Forgot Password
- Enter your email address
- Check your email for reset instructions
- Click the reset link and set a new password
API Authentication
API Keys
API keys provide programmatic access to Convosphere AI without user sessions.
Creating an API Key
- Go to your dashboard
- Navigate to Settings → API Keys
- Click Create API Key
- Enter a name for the key (e.g., “Production API Key”)
- Select scopes (permissions):
agents:read - Read agentsagents:write - Create/update agentschat:read - Read conversationschat:write - Send messagesknowledge:read - Read knowledge baseknowledge:write - Manage knowledge base
- Optionally set an expiration date
- Click Create
- Copy the key immediately - it won’t be shown again
Using API Keys
Include your API key in the Authorization header:
curl -H "Authorization: Bearer conv_YOUR_API_KEY" \
https://api.convosphere.site/api/agents
conv_<base64-encoded-random-string>
conv_abc123def456ghi789jkl012mno345pqr678stu901vwx234yz
API Key Scopes
agents:read: List and view agentsagents:write: Create, update, and delete agentschat:read: Read conversations and messageschat:write: Send messages and create conversationsknowledge:read: Read knowledge base documentsknowledge:write: Add, update, and delete knowledge base documentsintegrations:read: View integrationsintegrations:write: Manage integrationswebhooks:read: View webhookswebhooks:write: Manage webhooks
Managing API Keys
- View Keys: See all your API keys with their prefixes
- Revoke Keys: Disable a key immediately
- Rotate Keys: Create a new key and revoke the old one
- Set Expiration: Keys can have expiration dates
JWT Tokens
For session-based authentication, Convosphere AI uses JWT tokens.
Getting a Token
Login via the API:
POST /api/auth/login
Content-Type: application/json
{
"email": "user@example.com",
"password": "your-password"
}
{
"success": true,
"user": {
"id": "user_123",
"email": "user@example.com",
"name": "John Doe"
},
"tokens": {
"accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
}
Using Access Tokens
Include the access token in the Authorization header:
GET /api/agents
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Refreshing Tokens
Access tokens expire after 15 minutes. Use the refresh token to get a new access token:
POST /api/auth/refresh
Content-Type: application/json
{
"refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
Security Best Practices
For Users
- Use Strong Passwords: Minimum 8 characters, mix of letters, numbers, and symbols
- Enable 2FA: If available, enable two-factor authentication
- Don’t Share Credentials: Never share your password or API keys
- Use OAuth When Possible: OAuth is more secure than passwords
- Regular Key Rotation: Rotate API keys periodically
For Developers
- Store Keys Securely: Never commit API keys to version control
- Use Environment Variables: Store keys in environment variables
- Rotate Keys Regularly: Create new keys and revoke old ones
- Use Least Privilege: Only grant necessary scopes
- Monitor Key Usage: Review API key usage regularly
- Implement Rate Limiting: Rate limit API requests
- Verify Signatures: Always verify webhook signatures
API Key Security
- Never Expose in Frontend: API keys should only be used server-side
- Use Scoped Keys: Create keys with minimal required permissions
- Set Expiration: Set expiration dates for temporary keys
- Revoke Immediately: Revoke compromised keys immediately
- Monitor Usage: Watch for unusual API key usage
Rate Limits
API requests are rate-limited to prevent abuse:
- Free Plan: 100 requests per minute
- Starter Plan: 500 requests per minute
- Business Plan: 2,000 requests per minute
- Pro Plan: 10,000 requests per minute
Rate limit headers are included in responses:
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1640000000
Error Responses
Authentication Errors
401 Unauthorized:
{
"error": "Unauthorized",
"message": "Invalid or expired token"
}
{
"error": "Forbidden",
"message": "Insufficient permissions"
}
{
"error": "Rate limit exceeded",
"message": "Too many requests. Please try again later."
}
Session Management
Concurrent Sessions
Users can have up to 5 concurrent sessions. When the limit is reached, the oldest session is terminated.
Session Expiration
- Access Tokens: 15 minutes
- Refresh Tokens: 7 days
- Sessions: 24 hours of inactivity
Troubleshooting
Login Issues
- Email Not Verified: Check your email for verification link
- Invalid Credentials: Verify email and password are correct
- Account Locked: Contact support if account is locked
API Key Issues
- Invalid Key: Verify the key is correct and not revoked
- Expired Key: Create a new API key
- Insufficient Permissions: Check key scopes
- Rate Limited: Wait before making more requests
Token Issues
- Expired Token: Use refresh token to get new access token
- Invalid Token: Re-authenticate to get new tokens
- Token Not Accepted: Verify token format and expiration
Next Steps
