Looking for API endpoints?
Check out the API Spec for all of the available endpoints as well as their request and response formats.
Enabling the HTTP API
By default, running a Rasa server does not enable the API endpoints. Interactions with the bot can happen over the exposed
To enable the API for direct interaction with conversation trackers and other bot endpoints, add the --enable-api parameter to your run command:
Note that if you start the server with an NLU-only model, not all of the available endpoints can be called. Some endpoints will return a 409 status code, because a trained dialogue model is needed to process the request.
Make sure to secure your server, either by restricting access to the server (e.g. using firewalls), or by enabling an authentication method. See Security Considerations.
By default, the HTTP server runs as a single process. You can change the number of worker processes using the SANIC_WORKERS environment variable. It is recommended that you set the number of workers to the number of available CPU cores (check out the for more details). This will only work in combination with the RedisLockStore (see Lock Stores).
The SocketIO channel does not support multiple worker processes.
We recommend that you don't expose the Rasa Server to the outside world directly, but rather connect to it via e.g. Nginx.
Nevertheless, there are two authentication methods built in:
Token Based Auth
To use a plaintext token to secure your server, specify the token in the argument --auth-token thisismysecret when starting
Any clients sending requests to the server must pass the token as a query parameter, or the request will be rejected. For example, to fetch a tracker from the server:
JWT Based Auth
To use JWT based authentication, specify the JWT secret in the argument on startup of the server:
If you want to sign a JWT token with asymmetric algorithms, you can specify the JWT private key to the CLI argument. You must pass the public key to the --jwt-secret argument, and also specify the algorithm to the
Client requests to the server will need to contain a valid JWT token in the Authorization header, signed using this secret and the HS256 algorithm, e.g.
The token's payload must contain an object under the
which in turn must contain the
The following is an example payload for a JWT token:
admin, all endpoints are accessible.
user, endpoints with a sender_id parameter are only accessible if the sender_id matches the payload's
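A self-contained illustration of the JWT flow described above (an added example, not Rasa's own code): a client signs the payload with HS256 and the shared secret, the server verifies the signature and applies the admin/user rule against the request's sender_id. The secret value, and the user object with its username and role keys, are assumptions modelled on the payload shape the text describes; nothing here is taken from Rasa's implementation.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed example secret standing in for the value given to --jwt-secret.
JWT_SECRET = "thisismysecret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: str) -> str:
    """Client side: build a compact JWT (header.payload.signature) with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Server side: return the payload only if alg is HS256 and the MAC matches."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: a token whose header says "none" is rejected outright.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64 or JSON
        return None


def is_authorized(payload: dict, sender_id: Optional[str]) -> bool:
    """Role rule from the text: admin reaches every endpoint, user only its own sender_id."""
    user = payload.get("user") or {}  # assumed key names: user / username / role
    if user.get("role") == "admin":
        return True
    if user.get("role") == "user":
        return sender_id is not None and sender_id == user.get("username")
    return False
```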