API Reference
Complete API reference for HeySummon v4.
Consumer API (v1)
These endpoints are used by AI agents to submit help requests and exchange encrypted messages.
Submit Help Request
POST /api/v1/help| Field | Type | Required | Description |
|---|---|---|---|
apiKey | string | ✅ | API key (hs_ for consumers) |
consumerSignPubKey | string | ✅ | Ed25519 signing public key (PEM) |
consumerEncryptPubKey | string | ✅ | X25519 encryption public key (PEM) |
messages | array | ✅ | Conversation messages (last 10) |
question | string | ❌ | Specific question for expert |
plaintext | string | ❌ | Plaintext version of the message (for simple reply flows) |
Response: 201 Created
{
"requestId": "clxyz...",
"refCode": "HS-AB12",
"status": "pending",
"expiresAt": "2026-02-23T00:00:00.000Z"
}Side effect: Publishes new_request event to Mercure topic /hitlaas/providers/{userId}.
Lookup by Reference Code
GET /api/v1/requests/by-ref/{refCode}Headers: x-api-key: hs_...
Look up a request by its human-readable reference code (e.g., HS-AB12). Returns request details including responseCount.
Key Exchange (Provider → Consumer)
POST /api/v1/key-exchange/:requestIdHeaders: x-api-key: hs_prov_...
| Field | Type | Required | Description |
|---|---|---|---|
providerSignPubKey | string | ✅ | Provider’s Ed25519 signing public key (PEM) |
providerEncryptPubKey | string | ✅ | Provider’s X25519 encryption public key (PEM) |
After key exchange, both parties can compute the shared DH secret independently.
Send Message
POST /api/v1/message/:requestIdHeaders: x-api-key: hs_... or hs_prov_...
Encrypted message:
| Field | Type | Required | Description |
|---|---|---|---|
role | string | ✅ | consumer or provider |
encrypted | object | ✅* | { iv, ciphertext, tag, ephemeralPublicKey } (all base64) |
signature | string | ✅* | Ed25519 signature (base64) |
messageId | string | ❌ | UUID (auto-generated if omitted) |
Plaintext message:
| Field | Type | Required | Description |
|---|---|---|---|
role | string | ✅ | consumer or provider |
plaintext | string | ✅* | Plain text message content |
* Either encrypted + signature OR plaintext must be provided.
Side effect: Publishes new_message event to Mercure topic /hitlaas/requests/{requestId}.
Providers can send multiple messages per request. Each triggers a new Mercure event.
Get Messages
GET /api/v1/messages/:requestIdHeaders: x-api-key: hs_...
Returns all messages for the conversation (encrypted blobs and/or plaintext + metadata). Includes responseCount.
Close Conversation
POST /api/v1/close/:requestIdHeaders: x-api-key: hs_...
Closes the conversation. Requests auto-expire after 72 hours.
Side effect: Publishes request_closed event to Mercure.
Poll for Status (Legacy)
GET /api/v1/help/:requestIdReturns request status. Prefer Mercure SSE for realtime updates.
Realtime Events (Mercure)
HeySummon publishes events via Mercure Hub using Server-Sent Events (SSE).
Subscribe to Provider Events
curl -sN "http://localhost:3100/.well-known/mercure?topic=/hitlaas/providers/{userId}"Subscribe to Request Events
curl -sN "http://localhost:3100/.well-known/mercure?topic=/hitlaas/requests/{requestId}"Event Types
| Type | Topic | Payload |
|---|---|---|
new_request | /hitlaas/providers/{id} | { type, refCode, question } |
new_message | /hitlaas/requests/{id} | { type, role, messageId } |
key_exchange | /hitlaas/requests/{id} | { type, refCode } |
request_closed | /hitlaas/requests/{id} | { type, refCode } |
Key Validation
| Key type | Prefix | Used by |
|---|---|---|
| Consumer API key | hs_ | AI agents submitting requests |
| Provider API key | hs_prov_ | Human experts responding to requests |
Keys are validated on every API call. Invalid prefixes return 401 Unauthorized.
Provider API
These endpoints require an authenticated session (OAuth).
List Requests
GET /api/requestsReturns requests with response counts.
View Request
GET /api/requests/:idList API Keys
GET /api/keysCreate API Key
POST /api/keysHealth Check
GET /api/health{
"status": "ok",
"version": "0.1.0",
"timestamp": "2026-02-20T00:00:00.000Z"
}Summary Table
| Method | Endpoint | Auth | Description |
|---|---|---|---|
POST | /api/v1/help | API key (hs_) | Submit help request |
GET | /api/v1/requests/by-ref/{refCode} | API key | Lookup request by reference code |
POST | /api/v1/key-exchange/:id | API key (hs_prov_) | Exchange DH public keys |
POST | /api/v1/message/:id | API key | Send message (encrypted or plaintext) |
GET | /api/v1/messages/:id | API key | Get conversation messages |
POST | /api/v1/close/:id | API key | Close conversation |
GET | /api/v1/help/:id | None* | Poll status (legacy) |
GET | /api/requests | Session | List requests (provider) |
GET | /api/requests/:id | Session | View request (provider) |
GET | /api/keys | Session | List API keys |
POST | /api/keys | Session | Create API key |
GET | /api/health | None | Health check |
* Polling without x-api-key header logs a warning.
Rate Limits
| Scope | Limit |
|---|---|
| General | 60 req/min per IP |
| API v1 | 30 req/min per IP |
| Polling (legacy) | 20 req/min per IP |
Exceeded: 429 Too Many Requests with Retry-After: 60.