Every request to ODAI — whether over WebSocket or REST — must include a valid Firebase ID token. The server validates this token on every request before processing it.

Getting a Firebase ID token

ODAI uses Firebase Authentication. Your client application must sign in through Firebase and retrieve an ID token to use with the API.
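import { getAuth } from "firebase/auth";

const auth = getAuth();
const user = auth.currentUser; // null when no user is signed in
if (!user) throw new Error("Sign in with Firebase before requesting a token");

// Returns the cached ID token, refreshing it first if it has expired
const idToken = await user.getIdToken();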
Firebase ID tokens expire after one hour. Use getIdToken(true) to force a refresh, or rely on Firebase’s automatic token refresh and call getIdToken() before each request.

Passing the token

WebSocket connections

Pass the token as a query parameter when opening the WebSocket connection:
const chatId = "your-chat-id";
const token = await user.getIdToken();

const ws = new WebSocket(`wss://api.odai.com/chats/${chatId}?token=${token}`);
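The server reads the token query parameter and closes the connection with code 1008 if authentication fails. Because the token is part of the URL, it can be captured wherever request URLs are recorded, such as access logs, so treat those records as sensitive.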

REST endpoints

Pass the token in the Authorization header:
POST /google_access_request HTTP/1.1
Authorization: <firebase-id-token>
Content-Type: application/x-www-form-urlencoded

[email protected]
ODAI uses the raw token string in the Authorization header — not the Bearer <token> format used by some APIs.

Authentication flow

1. Client obtains a Firebase ID token
   Your app authenticates the user with Firebase and calls getIdToken() to retrieve a signed JWT.

2. Client passes the token to ODAI
   Include the token as ?token= for WebSocket connections or in the Authorization header for REST requests.

3. Server validates the token
   ODAI calls Firebase’s verify_id_token() to confirm the token is valid and retrieves the associated user record from Firestore.

4. Request is processed
   If validation succeeds, the request proceeds with the authenticated user’s context, including their connected integrations.

Error responses

REST endpoints

Status   Meaning
401      No token provided, token is invalid or expired, or the user is anonymous in a context that requires a registered account

If you receive a 401, refresh your Firebase ID token and retry the request.

WebSocket connections

If authentication fails, the server closes the WebSocket with close code 1008 (Policy Violation) and a message describing the reason. Reconnect with a fresh token.
ws.addEventListener("close", (event) => {
  if (event.code === 1008) {
    // Authentication failed — refresh the token and reconnect
    console.error("Auth failure:", event.reason);
  }
});
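
The refresh-and-retry guidance for 401 responses and close code 1008, as an added example that is not ODAI's own client code. It stops after one forced refresh, because a 401 can also mean an anonymous user or unaccepted terms, which a new token does not fix. The names odaiFetch, connectChat, MAX_AUTH_RETRIES and the injectable fetchImpl, WebSocketImpl, onSocket and onGiveUp are hypothetical.

```javascript
// Added example, not ODAI's own client code. `user` is a Firebase Auth User;
// fetchImpl, WebSocketImpl, onSocket and onGiveUp are hypothetical injection points.
const MAX_AUTH_RETRIES = 1; // assumption: one forced refresh, then stop

// REST: raw ID token in Authorization (no "Bearer " prefix). On 401, retry once
// with a force-refreshed token. A second 401 is returned as-is: 401 also covers
// anonymous users and unaccepted terms, which no refresh will fix.
// Assumes init.headers, if given, is a plain object.
async function odaiFetch(user, url, init = {}, fetchImpl = globalThis.fetch) {
  for (let attempt = 0; ; attempt++) {
    const token = await user.getIdToken(attempt > 0); // true forces a refresh
    const headers = { ...(init.headers || {}), Authorization: token };
    const res = await fetchImpl(url, { ...init, headers });
    if (res.status !== 401 || attempt >= MAX_AUTH_RETRIES) return res;
  }
}

// WebSocket: on close code 1008, reconnect with a force-refreshed token, up to
// MAX_AUTH_RETRIES times, then hand the server's reason to onGiveUp instead of looping.
async function connectChat(user, chatId, opts = {}, attempt = 0) {
  const { WebSocketImpl = globalThis.WebSocket, onSocket = () => {}, onGiveUp = () => {} } = opts;
  const token = await user.getIdToken(attempt > 0);
  const url = `wss://api.odai.com/chats/${encodeURIComponent(chatId)}` +
              `?token=${encodeURIComponent(token)}`;
  const ws = new WebSocketImpl(url);
  ws.addEventListener("close", (event) => {
    if (event.code !== 1008) return; // not an authentication failure
    if (attempt >= MAX_AUTH_RETRIES) return onGiveUp(event.reason);
    connectChat(user, chatId, opts, attempt + 1).catch(onGiveUp);
  });
  onSocket(ws); // caller attaches message handlers to the current socket
  return ws;
}
```

Each reconnect creates a new socket, so attach message handlers in onSocket rather than on the first return value.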

Production vs. development

In production, ODAI enforces stricter authentication rules:
  • Anonymous users are rejected. The user must be signed in with a persistent Firebase account.
  • Terms of service must be accepted. Users who have not accepted the terms receive a 401.
In development (non-production) environments, anonymous Firebase users are permitted, which is useful for local testing.
If you are testing locally against a development server, you can sign in anonymously with Firebase and use the resulting token without accepting terms of service.
