About API

Hey, great developers, I am badly stuck trying to figure out API auth generation. I am running rasa run -m models --enable-api --cors "*" --debug; below I added what my terminal showed.

Now how can I add an auth key and username to send API POST requests? Please help me out.

Welcome to the community @kiranbeethoju !

There are currently two ways for authentication to the API.

  • specifying a token via --auth-token and adding it as a query parameter to the URL http://<your-rasa-host>:<port>/...?token=<your token>
  • using a JWT token in your authentication header. You have to obtain one from an existing provider (Rasa currently does not generate one for you). You can pass in the public key for the JWT verification via the --jwt-secret parameter.

@Tobias_Wochinger What do you mean by obtaining a JWT token from an existing provider, and how do I pass the public key for the JWT verification? Can you please explain with an example?

rasa run -m models --enable-api --cors "*" --debug --auth-token kiransecret123

Now when I hit URL+?token=kiransecret123 I am getting data; it's working fine... thanks

Hey @tobias how can we use a JWT bearer key in the Postman API tester? Should I add it in the body or headers?

A JWT token is passed in via the Authentication header. See JSON Web Token - Wikipedia


I’m trying to do the same thing and here is my docker-compose file that I run:

image: rasa/rasa:latest-full
      - rasa
  - 5005:5005
  - ./:/app
  - run
  - -m
  - models
  - --enable-api
  #- --log-file
  #- out.log
  - --debug
  - --cors
  - "*"
  - --endpoints
  - endpoints.yml
  - --auth-token
  - secrettoken

and I get the response from my chatbot with this URL:


but the problem is I also get it with this URL so it seems I’m getting it without the use of token at all or with a wrong token too…


Why is that happening @Tobias_Wochinger?

Does anyone know this?

@akelad @Ghostvv

@rasafan I assume you mean a response from the webhook? That auth token doesn’t apply to the channels, it’s for any other API requests to rasa

@akelad What should I use then for authentication?

Ideally your user should be authenticated before they can access the bot. Alternatively, you can build a custom connector that uses e.g. JWT authentication
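
As an added example (not part of the thread and not Rasa's own code), the sketch below shows what "obtaining a JWT" amounts to in a shared-secret setup: mint an HS256 token, verify it the way a server or custom connector would, and build the `Authorization: Bearer` header that goes into Postman's Headers tab. Assumptions: HS256 with the same secret that is given to `--jwt-secret`, a `user` claim carrying `username` and `role` (check this against your Rasa version's documentation), and all function names, which are hypothetical.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(secret: str, signing_input: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def mint_jwt(secret, username, role="user", ttl=300, now=None):
    """Issue a short-lived HS256 token (what the 'existing provider' does)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    # Assumed claim layout: a "user" object with "username" and "role".
    payload = {"user": {"username": username, "role": role}, "exp": now + ttl}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url(sign(secret, signing_input))

def verify_jwt(token, secret, now=None):
    """Return the payload, or raise ValueError if the token must be rejected."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(unb64url(head))
        payload = json.loads(unb64url(body))
        signature = unb64url(sig)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: never let the token choose it (rejects alg "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(signature, sign(secret, f"{head}.{body}")):
        raise ValueError("bad signature")
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        raise ValueError("expired or missing exp")
    return payload

def auth_header(token):
    # The token travels in a request header, not in the body or the URL.
    return {"Authorization": f"Bearer {token}"}

if __name__ == "__main__":
    tok = mint_jwt("constructed-demo-secret", "demo_user")  # constructed values
    print(auth_header(tok))
    print(verify_jwt(tok, "constructed-demo-secret"))
```

Unlike the `?token=` query parameter, a bearer header does not end up in URLs, browser history or access logs, and the `exp` claim limits how long a leaked token stays usable.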