Last updated: January 6, 2026
API Tokens
API tokens allow external applications to authenticate with FoundersBoxx. Use them for custom integrations, automation, and third-party tools.
Accessing API Tokens
Go to Account Settings → API Tokens to view and manage your tokens. Only account admins can create and manage API tokens.
Creating a Token
- Click New API Token
- Enter a descriptive name (e.g., “Zapier Integration”, “Dashboard Widget”)
- Click Create Token
- Copy the token immediately — it won’t be shown again
The token is a long, random string that acts as a password for API access.
Token Security
Treat tokens like passwords:
- Never commit tokens to source control
- Don’t share tokens in public channels
- Use environment variables in your code
- Create separate tokens for different integrations
If a token is compromised:
- Go to API Tokens
- Delete the compromised token
- Create a new token
- Update your integration with the new token
Managing Tokens
Viewing Tokens
The API Tokens page shows:
- Token name
- Creation date
- Last used date
- Partial token preview (for identification)
Editing Tokens
Click a token to update its name. You cannot view or change the token value after creation.
Deleting Tokens
- Click the token
- Click Delete
- Confirm deletion
Deleted tokens immediately stop working. Any integrations using that token will fail.
Using Tokens
Authentication
Include your API token in requests using the Authorization header:
Authorization: Bearer YOUR_TOKEN_HERE
Example Request
curl -H "Authorization: Bearer abc123..." \
https://app.foundersboxx.com/api/endpoint
Available APIs
Widget Chat API
The Widget Chat API powers the Eli chat widget for external integrations.
Endpoint: POST /api/cofo/widget_chat
Parameters:
- message — The user’s question
- conversation_id — (Optional) Continue an existing conversation
Response:
{
"conversation_id": "abc123",
"ai_response": "Based on your financials...",
"message_count": 3
}
This API requires:
- Valid authentication
- AI provider configured for the account
- AI agent permissions
Rate Limiting
API requests are rate limited to prevent abuse. If you exceed limits, you’ll receive a 429 Too Many Requests response. Wait and retry.
Error Responses
Common error codes:
| Code | Meaning |
|---|---|
| 401 | Invalid or missing token |
| 403 | Token lacks required permissions |
| 404 | Resource not found |
| 412 | Precondition failed (e.g., AI not configured) |
| 429 | Rate limit exceeded |
| 500 | Server error |
Error responses include a JSON body with details:
{
"error": "Message cannot be empty"
}
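The following is an added example, not FoundersBoxx's own code. It calls the Widget Chat endpoint with the token read from an environment variable, retries only on 429, and raises on any other error without putting the token in the message. Assumptions not stated on this page: the variable name `FOUNDERSBOXX_API_TOKEN`, a JSON request body, and the backoff schedule.

```python
import json
import os
import time
import urllib.error
import urllib.request

URL = "https://app.foundersboxx.com/api/cofo/widget_chat"  # host + path from this page
TOKEN_ENV = "FOUNDERSBOXX_API_TOKEN"  # assumed variable name, not from the docs


class ApiError(Exception):
    def __init__(self, status, detail):
        super().__init__(f"HTTP {status}: {detail}")
        self.status = status


def http_send(url, headers, body):
    """Real transport: POST and return (status, parsed JSON body or {})."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a JSON body
        status, raw = err.code, err.read()
    try:
        return status, json.loads(raw)
    except ValueError:
        return status, {}


def widget_chat(message, conversation_id=None, send=http_send,
                sleep=time.sleep, max_attempts=4):
    token = os.environ.get(TOKEN_ENV)  # never hard-code or log the token
    if not token:
        raise RuntimeError(f"{TOKEN_ENV} is not set")
    payload = {"message": message}
    if conversation_id:
        payload["conversation_id"] = conversation_id
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}  # JSON body is an assumption
    for attempt in range(max_attempts):
        status, body = send(URL, headers, json.dumps(payload).encode())
        if 200 <= status < 300:
            return body
        if status == 429 and attempt < max_attempts - 1:
            sleep(2 ** attempt)  # assumed backoff schedule: 1s, 2s, 4s
            continue
        # 401/403/412 will not succeed on retry: surface the server's message
        raise ApiError(status, body.get("error", "request failed"))
```

The `send` and `sleep` parameters exist so the retry and error paths can be exercised with a stub transport instead of live requests.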
Token Expiration
Tokens don’t expire automatically. Delete tokens you no longer need.
For temporary access, note when you created the token and set a reminder to delete it.
Best Practices
Name tokens descriptively — Use names that identify the integration or purpose (e.g., “Slack Bot”, “Analytics Dashboard”).
One token per integration — Create separate tokens for each integration. If one is compromised, you only need to rotate that one.
Monitor usage — Check “Last Used” dates periodically. Tokens that haven’t been used in months may be obsolete.
Rotate periodically — For security-sensitive integrations, rotate tokens periodically (create new, update integration, delete old).
Webhooks
FoundersBoxx also supports inbound webhooks for receiving data from external services. Webhook endpoints are configured per integration:
- Stripe — Payment and subscription webhooks
- QuickBooks/Xero — Accounting data updates
See Integrations for webhook setup.