AICrewKit

Developers

Build on top of AICrewKit.

A typed REST client, signed outgoing webhooks, an event-kind catalogue, and personal API tokens for scripted access. Everything you need to wire AICrewKit into your own bots, dashboards, and internal tooling — without leaving the EU data plane.

Four pillars

Everything an integrator needs, shipped.

Typed TypeScript client

@aicrewkit/client wraps every public REST surface with Zod-validated DTOs. Works in browser + Node 22+; same package powers our own web app. Error responses are mapped to a typed AICrewKitError with code + status + per-field issues.

Read the SDK README

Personal API tokens (PATs)

Mint a long-lived bearer token from /settings/tokens. SHA-256 hashed at rest; plaintext shown once at creation. Bound to a single (workspace, user) — cross-tenant abuse is impossible. Five coarse scopes.

Mint a token

Outgoing webhooks

Subscribe an external system to any domain event. Deliveries are HMAC-SHA256 signed (Stripe-compatible scheme) and retried with exponential backoff, capped at 8 attempts, with a replay button on every failed delivery. Destinations in RFC 1918 private ranges are blocked and redirects are not followed.

Configure webhooks

Event-kind catalogue

Every event you can subscribe to, with a representative payload shape and a permalink anchor. A drift-detection panel warns when the canonical list grows without docs.

Browse the catalogue

Quickstart

Thirty seconds.

Mint a token, paste a curl, ship a bot. The same client powers our own web app — anything you can do in the UI you can do over HTTP.

terminal
# 1. Mint a PAT from /settings/tokens (UI), copy the plaintext once.

# 2. Use it from any HTTP client. Bound to your workspace; no
#    X-Workspace-Id header needed.
# Quote the URL so the shell does not treat "?" as a glob character.
$ curl "https://api.aicrewkit.eu/v1/people?limit=5" \
    -H "Authorization: Bearer aickit_pat_…"

# 3. Or via the typed client (Node / browser):
import { createClient } from '@aicrewkit/client';
const api = createClient({ bearerToken: 'aickit_pat_…' });
const { items } = await api.people.list({ limit: 25 });

Events

Common event kinds.

A taste of what your webhook receiver can subscribe to. 15 total kinds; the full catalogue with example payloads lives at /settings/webhooks/events.

  • deal.created
  • deal.stage_changed
  • meeting.transcribed
  • document.extracted
  • task.completed
  • + 10 more

Reference

Conventions, in one page.

REST conventions

OpenAPI spec at /v1/openapi.json (basic-auth gated in production). Error responses are RFC 7807 problem-details with a stable `code` field for programmatic dispatch.

Auth modes

Cookie-based for the web app (better-auth, 2FA-capable); bearer-token for CLI + bots (PATs). Same routes; the middleware picks the right one from the Authorization header.

Rate limits

Per-route fine-grained limits on auth (5/min/IP), PAT creation (10/hour/workspace), workspace creation (5/hour/user). Public endpoints get the global 100/min/IP fallback.

Idempotency

Mutating endpoints accept an Idempotency-Key header (UUID) and dedup at the workspace level. Agent template triggers use this natively.

Webhook signatures

X-AICrewKit-Signature header carries HMAC-SHA256(payload). Verify with the secret from the rotate-secret endpoint and compare in constant time.
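
A receiver-side check for the signature described above, as an added example that is not AICrewKit's own code. It assumes "Stripe-compatible" means the header reads `t=<unix seconds>,v1=<hex HMAC>` with the MAC computed over `${t}.${rawBody}`; that layout, the 300-second tolerance and the names `signPayload` and `verifyWebhook` are assumptions, not taken from the AICrewKit docs.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// ASSUMPTIONS (not from the page): header is "t=<unix seconds>,v1=<hex MAC>",
// the MAC covers `${t}.${rawBody}`, and a 300 s replay window is acceptable.
const TOLERANCE_SECONDS = 300;

// Sender side, used here only to build constructed sample deliveries.
function signPayload(rawBody, secret, t) {
  const mac = createHmac('sha256', secret).update(`${t}.`).update(rawBody).digest('hex');
  return `t=${t},v1=${mac}`;
}

// Receiver side. rawBody must be the exact bytes received, before JSON parsing.
function verifyWebhook(rawBody, header, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof header !== 'string' || header.length > 1024) {
    return { ok: false, reason: 'malformed' };
  }
  let tsText = null;
  const candidates = [];
  for (const part of header.split(',')) {
    const eq = part.indexOf('=');
    if (eq < 1) continue;
    const key = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (key === 't' && /^\d{1,12}$/.test(value)) tsText = value;
    if (key === 'v1' && /^[0-9a-f]{64}$/i.test(value)) candidates.push(value);
  }
  if (tsText === null || candidates.length === 0) {
    return { ok: false, reason: 'malformed' };
  }
  const expected = createHmac('sha256', secret).update(`${tsText}.`).update(rawBody).digest();
  let match = false;
  for (const hex of candidates) {
    // Both buffers are 32 bytes, so timingSafeEqual never throws on length.
    if (timingSafeEqual(Buffer.from(hex, 'hex'), expected)) match = true;
  }
  if (!match) return { ok: false, reason: 'bad-signature' };
  // Freshness is checked only after the MAC, so t itself is authenticated.
  if (Math.abs(nowSeconds - Number(tsText)) > TOLERANCE_SECONDS) {
    return { ok: false, reason: 'stale' };
  }
  return { ok: true, reason: null };
}
```

Pass the request body as the unparsed bytes or string your HTTP framework received; a body that has been parsed and re-serialised will generally not produce the same MAC.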

GDPR + audit

Article 20 export + Article 17 erasure are first-class endpoints. The audit log has a weekly tamper-evidence hash chain — your compliance team can verify integrity on demand.

Public client package is currently consumed in-repo via workspace:*. The public npm cut lands alongside Phase 6 SaaS readiness. The README is already public — pin to a commit hash to use it today.