Rules for using the Incito API and embedded widget bundle on your own domain. Builds on the Terms of Service; in case of conflict, these prevail for API access. Last updated April 2026.
API keys are issued from the dashboard at app.useincito.com and tied to a single tenant. You are responsible for keeping keys confidential, rotating them when staff leaves, and revoking compromised keys via the dashboard.
The widget bundle and the websocket session endpoint enforce a tenant-scoped allowlist of HTTP origins. Calls from unlisted origins return 403 origin not allowed. Configure your allowlist on the Domain page in the dashboard before going live.
POST /api/v1/public/*). Consistent abuse triggers automatic backoff. We will email support@useincito.com contact-of-record before any sustained throttle.
You will not (a) probe for security weaknesses without prior written consent, (b) attempt to extract other tenants' content via the API, (c) use the API to train competing models against scraped buyer questions, (d) circumvent token budgets via key rotation, or (e) embed the widget on domains the tenant does not own or operate.
Incito sends webhook payloads to URLs you register for events such as session.completed, lead.qualified, crm.push_failed. Webhooks are signed with HMAC-SHA-256; you are responsible for validating signatures before trusting payloads. Retry policy: 5 attempts with exponential backoff, then dropped.
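A receiver-side check for the signed webhooks described above, as an added example that is not Incito's code. The header name, the hex encoding and the choice to sign the raw request body are assumptions, and the secret and payload are constructed samples.

```python
import hashlib
import hmac
import json

# Assumptions (not stated on the page): the signature covers the raw request
# body, is hex-encoded, and arrives in a request header. The header name is a
# hypothetical placeholder.
SIGNATURE_HEADER = "X-Webhook-Signature"


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA-256 of the body; used here only to build sample input."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Return True only if the headers carry a valid signature for raw_body."""
    # HTTP header names are case-insensitive, so match without regard to case.
    received = next((v for k, v in headers.items()
                     if k.lower() == SIGNATURE_HEADER.lower()), None)
    if not received:
        return False  # unsigned request: reject, never fall through
    try:
        received_mac = bytes.fromhex(received.strip())
    except ValueError:
        return False  # malformed signature value
    expected_mac = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected_mac, received_mac)


def reserialized(raw_body: bytes) -> bytes:
    """Parse and re-dump JSON; the bytes differ, so the MAC no longer matches."""
    return json.dumps(json.loads(raw_body)).encode()


if __name__ == "__main__":
    secret = b"constructed-test-secret"  # constructed sample
    body = b'{"event":"lead.qualified","id":"evt_constructed_1"}'  # constructed
    headers = {SIGNATURE_HEADER: sign(secret, body)}
    print("raw body:", verify_webhook(secret, body, headers))
    print("re-serialized:", verify_webhook(secret, reserialized(body), headers))
    print("unsigned:", verify_webhook(secret, body, {}))
```

Verify against the bytes exactly as received and parse the JSON only after the check passes; most web frameworks expose the raw body separately from the parsed one.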
The current major API version is v1. We commit to non-breaking additive changes within a major version and a minimum 90 days' notice before any breaking change. Deprecation notices are emailed to the tenant's contact-of-record and posted on the dashboard's release notes.
You can stream your tenant's audit log via the dashboard or pull it programmatically. We retain operational logs of API calls (caller key prefix, route, status, duration) for 90 days for security and abuse monitoring.
Termination of your underlying subscription terminates API access at the end of the billing period. Catastrophic breaches of section 4 (Acceptable use) or section 1 (key confidentiality) may trigger immediate revocation with written notice.
API issues: support@useincito.com. Volume / enterprise terms: sales@useincito.com.