Connect REST APIs
This guide creates a Business Tool that calls your HTTPS API so the assistant can run Business Actions during chat.
Outcome
- A REST tool bound to one workspace
- Credentials stored encrypted (not in the browser)
- A successful console test
- Awareness of SSRF limits and logging
Prerequisites
- Owner/Admin access
- An HTTPS endpoint you control (or vendor API with a scoped key)
- Decision: which workspace may use this tool (Support vs HR, etc.)
Concepts
| Term | Meaning |
|---|---|
| Business Tool | Connector definition |
| Business Action | One runtime invocation |
Read: What are Business Actions?, Business Tools.
Architecture
Step 1 — Pick a safe first endpoint
Prefer read-only GET (order status, ticket status). Avoid refunds, deletes, or bulk exports on day one.
Step 2 — Create the tool in the workspace
In Admin Console → workspace → Business Tools / integrations:
- Choose REST.
- Set method + URL template.
- Add encrypted auth (Bearer, header API key, etc.).
- Describe parameters the model may fill.
Step 3 — Test
Use the console test action or:
POST
/api/v1/tools/:id/testExecute a dry-run / test invocation for a Business Tool.
curl -sS -X POST \
-H "Authorization: Bearer $USER_JWT" \
-H "Content-Type: application/json" \
https://api.qefro.com/api/v1/tools/$TOOL_ID/test \
-d '{"arguments":{"order_id":"123"}}'
Step 4 — Review logs
curl -sS -H "Authorization: Bearer $USER_JWT" \
https://api.qefro.com/api/v1/tools/$TOOL_ID/logs
See Audit Logs.
Step 5 — Enable for chat carefully
- Customer AI: add
identify()if your API authorizes end users - Employee AI: ensure only internal workspaces have internal tools
Workflow checklist
REST tool launch
- Choose read-only HTTPS API — Scoped vendor key.
- Create tool in one workspace — Encrypt credentials.
- Test + fix errors — Do not enable chat yet.
- Enable for assistants — Monitor logs for a week.
- Consider writes later — Idempotency + human approval.
FAQ
REST vs OpenAPI import?
Use this guide for one-off endpoints. Use Import OpenAPI when you have a spec with many operations to preview/apply.
Where do secrets live?
Encrypted in Qefro tool config — never in widget JavaScript. See Secrets.