What it is
Allows external systems and scripts to communicate with Symphony models programmatically, via the chat completions endpoint. Use this integration for automations, backends, tests (Postman), or integrations with other tools.Prerequisites
- Active account in AI Symphony.
- An API key and/or JWT token.
- The company ID (
X-Enterprise-Id).
How to get your API key
Open AI Symphony
Go to symphony.fcamara.com.br.
API endpoint
- Endpoint:
POST https://symphony.fcamara.com/api/chat/completions - Authentication:
Authorization: Bearer <token>(token obtained from Symphony).
Required headers
| Header | Description |
|---|---|
Authorization | User’s JWT token (Bearer eyJhbGciOi...). |
X-CSRF-Token | CSRF token for protection (required for POST/PUT/PATCH/DELETE). |
X-Enterprise-Id | Company/tenant ID. |
Content-Type | application/json. |
Request body structure (JSON)
Required fields
| Field | Type | Description |
|---|---|---|
id | string (UUID) | Unique message ID (UUID v4). |
chat_id | string (UUID) | Conversation ID; all messages in the same conversation use the same value. |
session_id | string | User session ID. |
model | string | LLM model ID, in the format provider.model-name (e.g., azure.gpt-5-chat). |
stream | boolean | true = streaming response; false = complete response at once. |
messages | array | Conversation messages; each item has role (user, assistant, or system) and content. |
Recommended fields
| Field | Type | Description |
|---|---|---|
params | object | Model parameters: temperature (0.0–2.0), max_tokens, top_p (0.0–1.0). |
tool_servers | array | Tool servers; empty if not using tools. |
features | object | Enabled features: image_generation, code_interpreter, web_search (true/false). |
variables | object | Context variables (e.g., {{USER_NAME}}, {{CURRENT_DATE}}, {{USER_LANGUAGE}}). |
model_item | object | Model details (id, name, owned_by, info). |
stream_options | object | Streaming options, e.g.: include_usage (include usage statistics). |
Complete example
Success response (200 OK)
Python example
Authentication — getting tokens
JWT token
- Log in to the Symphony platform.
- The token is stored in
localStoragewith the keytoken. - Use it in all authenticated requests (
Authorization: Bearer <token>).
CSRF token
Required for POST/PUT/PATCH/DELETE. There are two ways:- Via endpoint (recommended)
- Via browser DevTools
If making requests via cURL/API, include the
Authorization and X-CSRF-Token headers and use --cookie/withCredentials: true to send cookies.Other useful endpoints
All require theAuthorization: Bearer <key> header.
| Action | Method and endpoint |
|---|---|
| List available models | GET /api/models |
| Server configuration | GET /api/config |
| List user conversations | GET /api/v1/chats (query page, default 1) |
| Create new conversation | POST /api/v1/chats/new |
| Current user data | GET /api/v1/users/me |
| User permissions | GET /api/v1/users/permissions |
| List knowledge bases | GET /api/v1/knowledge |
| Document upload | POST /api/v1/knowledge/upload (multipart/form-data, field file) |
| List tools | GET /api/v1/tools |
| List prompts | GET /api/v1/prompts |
Common errors
| Code | Meaning | Solution |
|---|---|---|
| 400 | Missing required fields | Include id, chat_id, session_id, model, stream, messages. |
| 401 | Token missing/invalid/expired | Check the Authorization header. |
| 403 | No permission for the model | Check user permissions for that model. |
| 404 | Model not found | Confirm the model with GET /api/models. |
| 429 | Request limit exceeded | Wait; implement exponential backoff; reduce frequency. |
| 500 | Server error | Try again and check logs. |
Streaming (Server-Sent Events)
For real-time responses, send"stream": true and read the body in chunks. Lines start with data: and the transmission ends in data: [DONE]; incremental content is in choices[0].delta.content.
Security best practices
Do
- Store the key in environment variables.
- Use HTTPS in all requests.
- Implement retry with exponential backoff and timeouts (~30s).
- Validate responses before processing.
Don't
- Don’t expose the key in source code, URLs, or query parameters.
- Don’t store the key in cookies or
localStorage. - Don’t share the key or reuse the same one in multiple environments.
Limits and quotas
- Rate limit: varies by plan (consult the administrator).
- Timeout: ~30 seconds per request.
- Maximum request size: 10 MB.
- Maximum response size: no fixed limit (depends on the model).
Frequently asked questions
Which model should I use in the model field?
Which model should I use in the model field?
One of the
id values returned by GET /api/models (e.g., azure.gpt-5-chat).I get 401 even with the correct key.
I get 401 even with the correct key.
Confirm the
Bearer prefix and, for POST methods, the X-CSRF-Token header.Do I need X-Enterprise-Id?
Do I need X-Enterprise-Id?
Yes — it identifies the company/tenant of the request.
Known limitations
- Access to each model depends on the account/company permissions.
- JWT/CSRF tokens expire; renew them when necessary.
- The model list changes according to administrator configuration — always check
GET /api/models.