abTestBot REST API
Programmatic access to your A/B testing workflows — manage sites, generate test ideas, create experiments, and receive event webhooks. The REST API is designed for traditional server-to-server integrations (cron jobs, internal tooling, webhooks out of your systems into ours).
For AI agents and LLM assistants, see the Agent Gateway docs (MCP + A2A protocols).
Base URL
https://api.abtestbot.com
All endpoints are under /v1/.
Authentication
All requests require a bearer token:
Authorization: Bearer sk_live_...
Keys are issued from Settings → API in the dashboard. Each key is scoped to one workspace. The raw key is shown once at creation — we only store a SHA-256 hash, so copy it into a password manager or server-side secret store immediately. See Security below before you put the key anywhere.
Access requirement: Your workspace must be on the Enterprise plan to use /v1/ endpoints. The agent gateway (MCP + A2A) is available on any plan via pay-as-you-go credits — see the agent gateway docs.
Your first call
curl https://api.abtestbot.com/v1/sites \
  -H "Authorization: Bearer sk_live_YOUR_KEY"
Response:
{
  "data": [
    {
      "id": "e0e3f741-3314-4e88-925f-327b08ecf9d2",
      "name": "mystore",
      "url": "https://mystore.com",
      "platform": "shopify",
      "crawl_status": "ok",
      "created_at": "2026-04-15T11:40:06.712852+00:00",
      "updated_at": "2026-04-15T11:40:06.712852+00:00"
    }
  ],
  "meta": {
    "workspace_id": "c6fc0b67-e01b-4b91-8fcc-de419b2ba044"
  }
}
Response shape
Success (2xx):
{
  "data": <resource or array>,
  "meta": {
    "workspace_id": "uuid"
  }
}
Error (non-2xx):
{
  "error": {
    "code": "validation_error",
    "message": "site_id is required"
  }
}
See errors.md for the full list of error codes and recovery guidance.
Rate limits
60 requests per minute per API key (sliding window).
Every response includes rate-limit headers:
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 42
X-RateLimit-Reset: 1714147200
When exceeded, you receive 429 Too Many Requests with a Retry-After header (seconds until reset). Back off and retry after that interval.
Pagination
List endpoints (/v1/ideas, /v1/experiments, etc.) support limit and offset query parameters:
GET /v1/ideas?site_id=<uuid>&limit=50&offset=100
- limit — max results per request (default 20, cap 100)
- offset — number of records to skip (default 0)
Results are always ordered created_at DESC.
Security
Your sk_live_ key is a bearer token — anyone with it can read/write all resources in your workspace (sites, ideas, experiments, webhooks) until you revoke it. Treat it like a password.
Safe placements
- Server-side environment variables, CI/CD secret stores (AWS Secrets Manager, Vault, Doppler, etc.)
- A password manager
- Local .env files that are gitignored
Never
- Frontend JavaScript or browser-exposed code (CORS is * — a leaked key works from any origin)
- Git repositories, even private ones (git history is forever; bots scan public pushes within minutes)
- Public blog posts, tweets, Stack Overflow, YouTube screenshots — use the placeholder sk_live_YOUR_KEY_HERE in examples
- Plain-text chat / email
If a key leaks: Settings → API → revoke it, then generate a new one. Revocation propagates within 60 seconds (our auth-cache TTL). Deactivated keys cannot be reactivated — you'll need to generate a replacement.
Building a public app on top of this API? Route all calls through your own backend so the key never reaches end users' browsers. If you ship a desktop/CLI tool, have each end user generate their own key in their own workspace — don't bundle a single key into distributed binaries.
Server-side, we only store the SHA-256 hash of each key — so even if our database leaked, the raw keys can't be recovered. But if the raw key leaks from your code or repo, it is fully usable by anyone who finds it until revoked.
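The rate-limit, pagination and key-placement guidance above, combined in one small server-side client. This is an added example, not abTestBot's own code. The ABTESTBOT_API_KEY variable name, the function names, and the assumption that every listed resource carries an "id" field (as sites do) are illustrative.

```python
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://api.abtestbot.com"


def load_key(env=os.environ):
    # ABTESTBOT_API_KEY is an assumed variable name; the key is never hard-coded or logged.
    key = env.get("ABTESTBOT_API_KEY", "")
    if not key.startswith("sk_live_"):
        raise RuntimeError("ABTESTBOT_API_KEY is missing or not an sk_live_ key")
    return key


def http_get(url, key):
    """Real transport: returns (status, headers, parsed JSON body)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {key}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers, json.load(resp)
    except urllib.error.HTTPError as err:  # non-2xx still carries a JSON error body
        return err.code, err.headers, json.load(err)


def list_all(path, params, key, get=http_get, sleep=time.sleep, max_retries=5, limit=100):
    """Fetch every record from a list endpoint, honouring Retry-After on 429."""
    seen, offset = {}, 0
    while True:
        query = urllib.parse.urlencode({**params, "limit": limit, "offset": offset})
        for _ in range(max_retries):
            status, headers, body = get(f"{BASE_URL}{path}?{query}", key)
            if status != 429:
                break
            sleep(max(1, int(headers.get("Retry-After", "1"))))  # wait as told, then retry
        else:
            raise RuntimeError("still rate limited after retries")
        if not 200 <= status < 300:
            raise RuntimeError(f"{status} {body['error']['code']}: {body['error']['message']}")
        page = body["data"]
        for item in page:
            # Rows created while paging shift offsets (created_at DESC): de-duplicate by id.
            seen.setdefault(item["id"], item)
        if len(page) < limit:
            return list(seen.values())
        offset += limit
```

The get and sleep parameters exist so the retry and paging logic can be exercised with a fake transport; in production, call list_all("/v1/ideas", {"site_id": ...}, load_key()).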
Next steps
- Full endpoint reference
- Errors, rate limits, pagination
- Webhook events — subscribe to ideas.generated, idea.status_changed, experiment.launched, experiment.completed