Skip to content
Hyponema Hyponema Docs

API overview

Hyponema’s public API lets trusted backends use the same workspace surfaces available in the dashboard frontend. Use these docs to understand the supported surface and security boundaries, then rely on generated client types or the API reference supplied to your workspace for exact request and response contracts.

What the API is for

Section titled “What the API is for”

Use the API when your backend needs to:

  • Create or coordinate sessions.
  • Send text chat messages and consume streamed assistant output.
  • Prepare signed values for browser or voice clients.
  • Connect a custom product workflow to a Hyponema agent.
  • Review operational records when your application needs them outside the dashboard.
  • Manage frontend-parity workspace resources from your backend, including agents, knowledge, integrations, tests, phone numbers, schedules, User profile fields, memory, Users, conversations, observability, audit logs, webhooks, voice bookmarks and provider discovery, and workspace settings.

What should stay in the dashboard

Section titled “What should stay in the dashboard”

Some operator setup remains dashboard-only:

  • Workspace creation.
  • Member and invite management.
  • API key creation, rotation, revocation, and listing.
  • Billing wallet controls, credit top-ups, saved payment methods, and BYO provider controls.
  • Provider credentials, SSO, privacy controls, compliance exports, User erasure, recording retrieval, workspace image upload, and WhatsApp account or number administration.

Routes outside the frontend-parity API surface are treated as dashboard-only unless the current workspace reference says otherwise.

Browser safety

Section titled “Browser safety”

Workspace API keys are server-side credentials. A browser, widget, or mobile client should receive only short-lived or channel-safe values produced by your backend or copied from the relevant dashboard channel.

API conventions

Section titled “API conventions”

Expect common API conventions such as bearer authentication, JSON payloads, pagination for lists, retry guidance for transient failures, rate limits, idempotency for safe retries, and signed webhook verification. Exact header names, payload fields, status codes, and endpoint paths should be taken from current source-of-truth material, not inferred from these docs.