Dailybot API and webhooks: overview, authentication and limits
Dailybot exposes a programmatic API and supports outbound webhooks so you can:
- Pull check-in responses, kudos, and member data into your own systems.
- React in real time when something happens (check-in submitted, blocker flagged, kudo given).
- Build internal integrations or dashboards on top of Dailybot data.
This page is the entry point. Detailed reference (endpoints, schemas, examples) lives in the developer docs portal. Ask support for the current link if you do not see it in your dashboard.
Authentication
| What | Where it comes from |
|---|---|
| API key | Generated in Settings -> Developer (or Account -> API, exact label depends on plan). |
| Per-org key | Each Dailybot organization has its own keys. You cannot use a key from org A to read org B. |
| Header | Authorization: Bearer <your_api_key> |
| Webhook signing secret | Generated when you create a webhook subscription. See Webhook keys. |
Keep API keys secret. Treat them like passwords. If a key leaks, rotate it from the same screen immediately. There is no automatic detection of leaked keys today.
What you can do via the API
Common use cases customers cover today:
- Read check-in responses and compiled reports for a date range.
- Read kudos given and received per user / team.
- List members, teams, and roles in an org.
- Create kudos or trigger automations from external events (subject to plan).
- Subscribe to webhooks for selected events.
What the API is not for:
- Replacing the chat experience (members still answer in Slack/Teams/Discord/Google Chat).
- Bypassing role checks. The API enforces the same permissions a user has in the web app.
- Bulk export under compliance flow. Use the DSAR / data export workflow instead, which is auditable.
Webhooks
Webhooks are HTTP POST callbacks Dailybot sends to a URL you control when an event happens. Typical events:
- Check-in submitted / compiled.
- Kudo given.
- Blocker flagged.
- Member added / removed.
- Automation triggered.
Setting up a webhook
- Go to the Webhooks screen in your Dailybot account (under Developer / Integrations).
- Add a new subscription with:
- URL to receive the POST (must be HTTPS and publicly reachable).
- Events you want to listen to.
- Signing secret Dailybot will return. Store it server-side.
- Verify the test delivery from the UI.
- On every real call, verify the request signature server-side using the secret (recommended; otherwise anyone who guesses your URL can spoof events).
If a webhook fails (non-2xx response), Dailybot retries with backoff for a limited number of attempts, then disables it and notifies the org admin. To debug delivery problems see Webhooks not firing.
Rate limits
The API enforces per-org and per-IP rate limits to keep the platform stable. If you hit a limit, you receive an HTTP 429 Too Many Requests with a Retry-After header.
| Common pattern | What we recommend |
|---|---|
| Bulk pulls for analytics | Schedule off-peak; use date-range pagination, not unbounded loops. |
| Long-running integrations | Cache identifiers (member, team, check-in); they rarely change. |
| Webhooks consumer down | Respond 5xx fast so we back off; we will retry. Do not hold connections open. |
Exact numbers vary by plan and may change. For a custom limit on enterprise plans, contact sales.
Troubleshooting
| Symptom | Where to look |
|---|---|
401 / 403 |
API auth errors |
| Webhooks not delivered | Webhooks not firing |
| Unexpected fields / breaking change | Unexpected responses |
| Need to revoke a leaked key | Webhook keys (same flow for API keys) |