API Management

The API Management plugin gives you a centralized console to control programmatic access to the Booga Enterprise platform. You can create and manage API keys with fine-grained scopes, monitor request volume and performance in real time, explore every available endpoint with an interactive API Explorer, generate ready-to-use client SDKs, and configure webhook templates for event-driven integrations — all from a single page.

Getting Started

Open API Management from the sidebar. The plugin requires the api_management capability on your subscription and the API_MANAGEMENT_READ or API_MANAGEMENT_WRITE permission on your account.

When the page loads, the Overview tab displays summary cards and a request-volume chart so you can assess the health of your API usage at a glance. Four tabs organize all functionality:

Tab	Purpose
Overview	Dashboard with key metrics, system health, and a 24-hour request trend chart
API Keys	Create, edit, revoke, and monitor API keys
Analytics	Detailed usage analytics with configurable time ranges and breakdowns
API Explorer	Browse endpoints, test them live, generate SDKs, and download OpenAPI schemas

Interface Overview

The page header shows the plugin title, a scope indicator (Tenant), and a Refresh button that reloads all dashboard data. Below the header, a scrollable tab bar lets you switch between the four sections. On smaller screens the tab bar scrolls horizontally and cards stack vertically for a mobile-friendly layout.

Overview Tab

The Overview tab provides a quick snapshot of your API ecosystem.

Summary Cards

Card	Metrics
API Keys	Total keys, active keys, and requests recorded today
Endpoints	Total unique endpoints available and the count of deprecated endpoints

System Health

A health panel shows the operational status of all API endpoints along with three key metrics for the past seven days:

Total API Requests — aggregate request count
Success Rate — percentage of requests that returned a successful response
Avg Response Time — mean latency in milliseconds

Request Volume Chart

A line chart displays hourly request volume for the last 24 hours (UTC). A chip in the chart header shows the total request count for the period.

API Keys

The API Keys tab is where you manage the credentials that external applications use to authenticate with the platform.

Creating an API Key

Click Create API Key
Enter a descriptive name for the key
Select the scopes the key should have — scopes map to RBAC permissions and control which endpoints the key can access (e.g., FILES_READ, CHAT_WRITE, AGENTS_EXECUTE)
Configure rate limits:
- Per minute — maximum requests per 60-second window (default 60)
- Per hour — maximum requests per 3600-second window (default 3600)
Optionally restrict access to specific IP addresses by adding allowed or blocked IPs
Click Create

After creation, the full API key is displayed exactly once. Copy it immediately and store it securely — the platform stores only a hashed version and cannot recover the original key.

Important: Treat API keys like passwords. Never commit them to source control or share them in plain text.

Scopes

Scopes control what an API key can do. They align with the platform's RBAC permission system and cover all major plugins:

Scope Group	Permissions	Grants Access To
Files	`FILES_READ`, `FILES_WRITE`, `FILES_DELETE`, `FILES_UPLOAD`, `FILES_DOWNLOAD`, `FILES_EMBED`, `FILES_FOLDER_MANAGE`	File browsing, upload, download, embedding, and folder management
Chat	`CHAT_READ`, `CHAT_WRITE`, `CHAT_DELETE`	Chat sessions and messages
Agents	`AGENTS_READ`, `AGENTS_WRITE`, `AGENTS_EXECUTE`, `AGENTS_MANAGE`	Agent configuration and execution
Knowledge	`KNOWLEDGE_READ`, `KNOWLEDGE_WRITE`	Knowledge base search and management
Reports	`REPORTS_READ`, `REPORTS_WRITE`	Report generation and retrieval
Organizations	`ORGANIZATIONS_READ`, `ORGANIZATIONS_WRITE`	Organization data access
Integrations	`INTEGRATIONS_READ`, `INTEGRATIONS_WRITE`	Integration connector access
Analytics	`ANALYTICS_READ`, `ANALYTICS_WRITE`	Analytics data access
Scheduler	`SCHEDULER_READ`, `SCHEDULER_WRITE`, `SCHEDULER_EXECUTE`, `SCHEDULER_MANAGE`	Scheduled task management
Bots	`BOTS_CREATE`, `BOTS_MANAGE`	Bot creation and management
Collections	`COLLECTIONS_ASSIGN`, `COLLECTIONS_MANAGE`	File and knowledge collection operations

You can only assign scopes that match your own RBAC permissions. Admin-level scopes (ADMIN_ACCESS, SUPERUSER_ACCESS, API_MANAGEMENT_READ/WRITE) cannot be assigned to API keys.

Key Statuses

Status	Meaning
Active	Key is valid and accepting requests
Expired	Key has passed its expiration date and is no longer accepted
Revoked	Key has been manually revoked and is permanently disabled

Managing Keys

From the API Keys tab you can:

Edit — update scopes, rate limits, and IP restrictions on an active key
Revoke — permanently disable a key. This action cannot be undone and any application using the key will lose access immediately
Toggle revoked keys — use the switch to show or hide revoked keys in the list
View details — the data grid shows each key's name, total requests, rate limits, scopes, IP restrictions, last-used date, status, and recent activity

Security Features

API keys are protected by multiple security layers:

PBKDF2-HMAC hashing with per-key salt — keys are never stored in plain text
Rate limiting — configurable per-minute and per-hour limits prevent abuse
IP allowlisting and blocklisting — restrict which networks can use a key
Scope enforcement — each request is checked against the key's scopes and the endpoint's permission requirements
Expiration tracking — the platform sends warnings at 7 days and 1 day before expiration

Analytics

The Analytics tab provides deep visibility into how your API is being used.

Key Metrics

Four summary cards display headline numbers for the selected time range:

Metric	Description
Total Requests	Aggregate API request count
Success Rate	Percentage of requests returning a 2xx status
Avg Response Time	Mean response latency in milliseconds
Error Requests	Count of requests that returned an error status

Filtering

Use the controls at the top of the tab to adjust the view:

Period — switch between daily and hourly granularity
Time Range — select 7, 30, or 90 days
Refresh — reload analytics data

Your filter selections persist across sessions in local storage.

Charts

Request Volume — an area chart showing request counts per period (day or hour) over the selected time range
Plugin Usage Distribution — a pie chart breaking down request volume by plugin (Files, Chat, Agents, etc.)

Top Endpoints

A table lists the most-used API endpoints sorted by request count. Each row shows:

Endpoint path and HTTP method
Plugin name
Total request count
Average response time
Error rate (color-coded: green for under 1 %, amber for 1–5 %, red for over 5 %)

Fallback View

If advanced analytics are unavailable, the tab falls back to a basic view showing a top-endpoints table and a success/error pie chart.

API Explorer

The API Explorer tab lets you browse, search, filter, test, and generate code for every registered API endpoint.

Browsing Endpoints

The explorer loads a paginated list of all API endpoints available to your tenant. Use the filter controls to narrow the list:

Filter	Options
Search	Free-text search across endpoint paths and descriptions
Functionality	Filter by plugin (Files, Chat, Agents, Knowledge, etc.)
Method	Filter by HTTP method (GET, POST, PUT, PATCH, DELETE)
Global Status	Active or Inactive (superuser only)

Each endpoint entry shows:

Path (with path parameters displayed as {id}, {slug}, etc.)
Supported HTTP methods as color-coded chips
Plugin name
Description
Deprecation status

Testing Endpoints

Click the Test button on any endpoint to open the endpoint testing panel. You can:

Select the HTTP method
Fill in path parameters (e.g., replace {id} with an actual resource ID)
Add query parameters
Provide a JSON request body for POST/PUT/PATCH requests
Execute the request and inspect the response status, headers, and body

Tip: Use endpoint testing to verify behavior before writing integration code. Results come from your actual tenant data.

Role-Based Access

The API Explorer respects your role:

Regular users see endpoints available to their tenant
Tenant admins can enable or disable endpoints for their tenant
Superusers can manage global endpoint activation and see all endpoints, including inactive ones

SDK Generation

Generate ready-to-use client libraries from the SDK Generation section:

Language	Output
Python	Type-safe Python SDK with classes for each endpoint
TypeScript	TypeScript SDK with full type definitions
JavaScript	JavaScript SDK for Node.js and browser environments
cURL	cURL command examples for every endpoint

Click a language button to download a ZIP file containing the generated SDK. The SDK covers all endpoints registered in the API endpoint registry and respects API key scope enforcement.

OpenAPI Schema Download

Download the full OpenAPI (Swagger) schema for your tenant's registered endpoints. The schema is compatible with any tool that supports the OpenAPI specification — import it into Postman, Insomnia, or other API testing tools.

Webhook Management

Webhooks let the platform notify external systems when events occur. The API Management plugin provides tools for managing webhook templates and monitoring delivery.

Webhook Templates

Webhook templates define how event payloads are transformed before delivery to external systems. Supported transformer types:

Type	Use Case
Default	Standard JSON payload passthrough
Slack	Format payloads as Slack message blocks
Teams	Format payloads for Microsoft Teams incoming webhooks
Discord	Format payloads for Discord webhook channels
Custom	User-defined template with custom transformation logic

You can create templates, test them with sample data, and apply them to webhook subscriptions.

Delivery Monitoring

The platform tracks every webhook delivery with detailed logs:

Webhook URL and event type
Status code from the receiving server
Delivery attempts and retry count
Payload sent and response received
Timestamp of delivery

Delivery statistics (total deliveries, success rate, average delivery time) are available for configurable time ranges.

Retry Logic

Failed webhook deliveries are automatically retried with exponential backoff. Each delivery log records the number of attempts so you can identify persistent failures.

Best Practices

Create separate API keys for each integration — if one key is compromised, revoke it without affecting other integrations
Use the narrowest scopes possible — grant only the permissions each integration actually needs. A reporting dashboard only needs REPORTS_READ and ANALYTICS_READ, not full write access
Set rate limits based on expected usage — start conservative and increase if legitimate traffic is being throttled
Enable IP restrictions for production keys — lock production API keys to known server IP addresses
Monitor analytics weekly — watch for unusual spikes in error rates or response times that may indicate integration issues
Rotate keys periodically — create a new key, update your integration, then revoke the old key. The expiration warning system helps you plan rotations
Test endpoints in the API Explorer before coding — use the built-in endpoint tester to understand request and response formats
Download SDKs for faster integration — generated SDKs handle authentication, error handling, and type safety out of the box

Troubleshooting

Cannot access API Management

Problem: You see an "Access Denied" message when opening API Management. Solution: Your subscription needs the api_management capability and your account needs the API_MANAGEMENT_READ permission. Contact your administrator to enable access.

API key not working

Problem: Requests with an API key return 401 Unauthorized. Solution: Verify that the key status is Active (not Expired or Revoked). Check that the key has the required scopes for the endpoint you are calling. If IP restrictions are configured, ensure your request comes from an allowed IP address.

Rate limit exceeded

Problem: Requests return 429 Too Many Requests. Solution: Check your key's rate limits in the API Keys tab. Either reduce your request frequency or edit the key to increase the per-minute and per-hour limits. Consider spreading requests across multiple keys for high-volume workloads.

Analytics show no data

Problem: The Analytics tab displays "No analytics data available." Solution: Usage data is collected when API requests are made through API keys. If no keys have been used recently, the analytics tab will be empty. Make a few test requests using an API key and refresh the analytics.

SDK generation fails

Problem: Clicking a language button does not download a file or shows an error. Solution: Ensure your browser allows file downloads from the platform. If the error message references an API issue, verify that the endpoint registry is populated. Try refreshing the API Explorer tab and generating again.

Webhook deliveries failing

Problem: Webhook delivery logs show repeated failures. Solution: Check that the receiving server is accessible and returns a 2xx status code. Verify the webhook URL is correct and the receiving endpoint accepts the payload format. Review the response body in the delivery log for error details from the remote server.

⏱️ Read time: 14 minutes | 📊 Difficulty: intermediate | 🔄 Last updated: 2026-03-30

Getting Started​

Interface Overview​

Overview Tab​

Summary Cards​

System Health​

Request Volume Chart​

API Keys​

Creating an API Key​

Scopes​

Key Statuses​

Managing Keys​

Security Features​

Analytics​

Key Metrics​

Filtering​

Charts​

Top Endpoints​

Fallback View​

API Explorer​

Browsing Endpoints​

Testing Endpoints​

Role-Based Access​

SDK Generation​

OpenAPI Schema Download​

Webhook Management​

Webhook Templates​

Delivery Monitoring​

Retry Logic​

Best Practices​

Troubleshooting​

Cannot access API Management​

API key not working​

Rate limit exceeded​

Analytics show no data​

SDK generation fails​

Webhook deliveries failing​

Related Topics​