HHolaOraMap API workflow
API documentation

Give your night shift a clean API surface.

HolaOra exposes three v1 REST endpoints for teams that need chat, usage, and document visibility outside the dashboard. Keys are workspace-scoped, Scale-gated, and designed for safe customer-ops automations.

Workspace-scoped keys

Each ho_live_* key is bound to one workspace at creation time. Use separate keys for separate workspaces.

Public docs, gated access

The documentation is public. API key creation remains inside the app and requires the Scale plan.

No hidden write promise

v1 covers chat, usage, and read-only document listing. Upload/update/delete endpoints are not promised here.

Quick start

Authenticate once, then test with usage.

Start with the side-effect-free usage endpoint before you send customer messages into the chat endpoint.

1. Authenticate

Every request includes a Bearer token in the Authorization header:

Authorization: Bearer ho_live_xxxxxxxxxxxxxxxxxxxxxxxx
Treat keys like passwords. Never paste them into chat (with us, ChatGPT, anyone), email, public repos, or browser DevTools while screen-sharing. Revoke and regenerate immediately if exposed.

2. Test it works

Hit /v1/usage first — it has no side effects, no LLM cost, and confirms the key works:

curl -s https://holaora.com/api/v1/usage \
  -H "Authorization: Bearer ho_live_YOUR_KEY"

You should get JSON back with your user_id, organization_id, plan, limits and today's quota.

3. The three endpoints

  • POST /api/v1/chat — send a message, get the assistant's reply
  • GET /api/v1/usage — read your plan, limits, today's message count
  • GET /api/v1/documents — list documents in this key's workspace

4. Workspace scoping

Each key is bound to one workspace at creation. Calls only see documents and quota counts from that workspace. To act on a different workspace, generate a separate key from the dropdown in the create form.

5. Plan & rate limits

  • API access requires the Scale plan (€79/mo). See pricing or sign up to mint a key.
  • Scale has unlimited daily messages — no per-key rate limit beyond that.
  • If we ever return 429, back off and retry with exponential backoff.
Chat

Chat POST /api/v1/chat

Send a stateless chat message. RAG retrieval against the workspace knowledge base is automatic.

Send a message

POST /api/v1/chat
Authorization: Bearer ho_live_YOUR_KEY
Content-Type: application/json

Body:

{
  "messages": [
    { "role": "user", "content": "How do I cancel my subscription?" }
  ],
  "model": "openai/gpt-4o-mini"   // optional; defaults to your account model
}

Curl:

curl -X POST https://holaora.com/api/v1/chat \
  -H "Authorization: Bearer ho_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"messages":[{"role":"user","content":"What does HolaOra do?"}]}'

Response

Plain text — the assistant's reply, end to end. Currently buffered, not server-sent-events streaming. Status 200 on success.

HolaOra is an AI customer-support assistant that answers questions
from your knowledge base across chat, embed widget, WhatsApp, and API.

Errors

  • 401 — missing, malformed, revoked, or expired key
  • 429 — daily message cap (Scale doesn't hit this)
  • 502 — upstream LLM error; retry once with backoff

Notes

  • Each call counts as one message in your daily quota.
  • Conversation history is your responsibility — pass full messages[] on every call. The endpoint is stateless.
  • RAG retrieval against your knowledge base happens automatically. No need to pass document context.
Usage

Usage GET /api/v1/usage

Read the caller workspace plan, plan limits, and today's message count. Side-effect free.

Read your plan + today's quota

GET /api/v1/usage
Authorization: Bearer ho_live_YOUR_KEY

Curl:

curl -s https://holaora.com/api/v1/usage \
  -H "Authorization: Bearer ho_live_YOUR_KEY"

Response shape

{
  "user_id": "afa1a41a-fbd3-...",
  "organization_id": "6570d2cc-6380-...",
  "plan": "scale",
  "limits": {
    "maxKnowledgeBases": null,
    "dailyMessages": null,
    "maxTeamMembers": 10,
    "storageBytes": null
  },
  "usage": {
    "dailyMessagesUsed": 6,
    "dailyMessagesRemaining": null
  }
}

null in limits means unlimited. dailyMessagesUsed is scoped to the key's bound workspace, not all your activity.

Use cases

  • Pre-flight before a batch job — check remaining quota.
  • Build your own usage dashboard.
  • Detect when a customer's plan changed (poll the plan field).
Documents

Documents GET /api/v1/documents

List documents in the workspace this API key is bound to. Read-only in v1.

List your documents

GET /api/v1/documents?limit=50&offset=0
Authorization: Bearer ho_live_YOUR_KEY

Query parameters:

  • limit — default 50, max 200
  • offset — default 0, for pagination

Curl:

curl -s "https://holaora.com/api/v1/documents?limit=10" \
  -H "Authorization: Bearer ho_live_YOUR_KEY"

Response shape

{
  "documents": [
    {
      "id": "uuid",
      "filename": "support-guide.pdf",
      "source": "upload",
      "created_at": "2026-04-29T08:34:12Z",
      "organization_id": "6570d2cc-..."
    }
  ],
  "pagination": {
    "limit": 10,
    "offset": 0,
    "total": 42
  }
}

Workspace scoping

Only documents in the workspace this key is bound to are returned. Documents in your other workspaces are invisible to this key. To list those, mint a key against the other workspace from the API keys page.

Notes

  • Read-only for v1 — no upload, update, or delete via API yet.
  • Use the in-product UI or the embed widget admin to manage documents.
Workspace scoping

Keys stay inside the workspace they were minted for.

Every ho_live_* key is bound to exactly one workspace at creation time. The binding is permanent for the life of the key — rotating a key creates a new binding; rebinding an existing key isn't supported. Calls only see documents, quota counts, and conversations from the bound workspace, so a leaked key cannot pivot to other workspaces in the same account.

To act on a different workspace, mint a separate key for it. There is no per-account cap on the number of active keys.

Errors & rate limits

Predictable failures, safe retries.

  • 401 Unauthorized — missing, malformed, revoked, or expired key. Confirm the header is Authorization: Bearer *** and the key still appears as active under /api-keys.
  • 403 Forbidden — plan downgrade revoked API access. Re-upgrade to Scale or stop calling.
  • 429 Too Many Requests — daily message cap. Scale is unlimited, so this normally only fires if infrastructure is rate-limiting an upstream LLM. Retry with exponential backoff.
  • 502 Bad Gateway — upstream LLM provider error. Safe to retry once.
  • 5xx generally — transient. Retry with exponential backoff; alert us if it persists past a minute.
Availability posture

Public docs, controlled access.

Scale-plan API access only — public docs, gated key minting.
Bearer keys are scoped to one workspace and can be rotated from /api-keys.
JSON in / JSON out. No SDK claim, webhook claim, or write API promise on this page.

Ready to integrate

Map the API path before you wire it into customer ops.

API access ships with Scale. If you need to connect a custom workflow, start with the jobs, handoff rules, and workspace boundaries you want the key to respect.