mlc / developers / v1

Build with REST, ship with webhooks.

Token-authenticated REST API. HMAC-signed outbound events with retry queue. JavaScript Visitor SDK for identify / update / track. Built for the engineer who wants to see headers, response shapes, and rate limits before signing anything.

Get an API token Read the v1 docs cat quickstart.sh
curl-quickstart.sh 
# Identify a visitor + track an event in 2 calls
curl -X POST "$API/v1/api.ashx?resource=visitors" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"key":"u_42","email":"[email protected]","name":"Jay"}'

curl -X POST "$API/v1/api.ashx?resource=track" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"key":"u_42","name":"viewed_pricing"}'
Quickstart

Go from token to first API call in 60 seconds.

Same shape across languages. Pick your stack.

bash list-tags.sh 
# 1. Generate a token at /dashboard/config_api_tokens.ascx
# 2. Export it as $TOKEN, then:

curl "https://www.mylivechat.com/v1/api.ashx?resource=tags" \
  -H "Authorization: Bearer $TOKEN"

# Response:
# {
#   "ok": true,
#   "data": [{ "id": 1, "name": "billing", "color": "#2563eb" }, ...],
#   "request_id": "a3f...c91"
# }
node list-tags.js 
const API   = "https://www.mylivechat.com/v1/api.ashx";
const TOKEN = process.env.MLC_TOKEN;

const r = await fetch(`${API}?resource=tags`, {
  headers: { "Authorization": `Bearer ${TOKEN}` }
});
const { ok, data, request_id } = await r.json();

if (!ok) throw new Error(`API error (req ${request_id})`);
console.log(`Got ${data.length} tags`);
python list_tags.py 
import os, requests

API   = "https://www.mylivechat.com/v1/api.ashx"
TOKEN = os.environ["MLC_TOKEN"]

r = requests.get(API, params={"resource": "tags"},
                 headers={"Authorization": f"Bearer {TOKEN}"})
body = r.json()

if not body["ok"]:
    raise RuntimeError(f"API error: {body['error']['message']}")

print(f"Got {len(body['data'])} tags")
REST API v1

Every resource. Read + write.

Token auth, scope-gated writes, rate-limited per token. Every response carries X-MLC-Request-Id for support correlation.

GET /v1/api.ashx?resource=tags

List conversation tags for the calling site. POST/PATCH/DELETE for write scope.

GET /v1/api.ashx?resource=conversation_starters

List configured AI conversation starter prompts.

GET /v1/api.ashx?resource=handoffs&since=&limit=

AI-to-human handoff log. Filter by date, paginate.

GET /v1/api.ashx?resource=transcripts&sessionId=

Full chat transcript for a single session. Includes AI + human messages.

GET /v1/api.ashx?resource=usage

AI replies served + bot tokens consumed this billing cycle.

GET /v1/api.ashx?resource=feedback

Visitor satisfaction ratings + comments from post-chat surveys.

GETPOSTDEL /v1/api.ashx?resource=visitors

Upsert visitor identity by stable key. Cross-references to event log + segments.

POST /v1/api.ashx?resource=track

Record a tracked event for a visitor. Powers segment evaluation.

GETPOSTPATCHDEL /v1/api.ashx?resource=webhook_subscriptions

Full CRUD over your webhook subscriptions, plus secret rotation.

GET /v1/api.ashx?resource=whoami

Token introspection: site_id, scopes, request_count. No auth probing required.

Need an endpoint we don't have? Open a ticket — the API is actively expanding.

Outbound webhooks

HMAC-signed events. Retry queue. Delivery log.

Subscribe per-event. Failed deliveries auto-retry with exponential backoff (30s → 2m → 10m → 1h → 6h, 5 attempts then dead-letter).

handoff EVENT

Fires when the AI bot hands off a chat to a human agent.

  • session_id · string
  • visitor · { name, email, ... }
  • handoff_reason · string
  • summary · string (AI-generated)
  • created_utc · ISO-8601

feedback EVENT

Fires when a visitor submits a post-chat satisfaction survey.

  • session_id · string
  • visitor · { name, email }
  • rating · 1..5
  • comment · string?
  • created_utc · ISO-8601

Verify the HMAC signature

node verify-webhook.js 
const crypto = require("crypto");

// MyLiveChat sends X-MLC-Signature: sha256=<hex digest>
// Compute HMAC of raw body using your subscription's secret.
function verify(rawBody, headerSig, secret) {
  const expected = "sha256=" +
    crypto.createHmac("sha256", secret)
          .update(rawBody)
          .digest("hex");
  return crypto.timingSafeEqual(
    Buffer.from(headerSig),
    Buffer.from(expected)
  );
}
Visitor SDK

Identify, track, and segment from the browser.

9 KB minified. Drop-in script tag. Same shape as Intercom / Drift / Crisp identify calls so your existing instrumentation ports directly.

html install-sdk.html 
<!-- Load the SDK once in your global page template -->
<script src="https://www.mylivechat.com/assets/js/mlc-visitor-sdk.js"></script>

<script>
  // Boot once; SDK auto-buffers calls before MyLiveChat widget loads
  mylivechat("boot", {
    apiToken: "mlc_...",        // optional — enables backend bridge
    apiUrl:   "https://www.mylivechat.com/v1/api.ashx"
  });

  // Identify the logged-in user (debounced 800ms)
  mylivechat("identify", {
    user_id: currentUser.id,
    email:   currentUser.email,
    plan:    currentUser.plan
  });

  // Fire a tracked event (immediate)
  mylivechat("track", "viewed_pricing", { tier: "growth" });
</script>
boot()One-time init. Configures backend bridge if apiToken supplied.
identify()Set / merge visitor attributes. Debounced.
update()Alias of identify() — same partial-merge semantics.
track()Record an event. Fires immediately, fire-and-forget.
show() / hide()Toggle widget visibility on the page.
open() / close()Programmatically expand or collapse the chat panel.
reset()Wipe identity + attrs (for logout flows).
q queueCalls before SDK loads buffer to window.mylivechat.q.
localStorageIdentity + last 50 events persisted client-side.
The fine print

Auth, limits, and error handling.

Boring but necessary. Predictable behaviour you can plan around.

Auth

Bearer token in the Authorization header, OR ?token= query param. Tokens are SHA-256 hashed at rest; raw token shown once at creation.

  • Per-token scopes: read / read,write
  • Per-token request counter + daily-rollup
  • Revoke or rotate from dashboard

Rate limits

Per-token leaky-bucket: 60 / 200 / 600 req/min on Free / Starter / Growth. Exceeding returns 429 with a Retry-After header.

  • Buckets reset every 60 sec
  • Token-keyed (not IP-keyed)
  • Webhook deliveries don't count

Errors

JSON envelope: { ok:false, error: { code, message, request_id } }. The request_id matches a server log line for support escalation.

  • 400 = bad input, 401 = auth, 403 = scope
  • 404 = unknown resource, 429 = rate-limited
  • 500 = log line written under matching request_id
All in one platform

The API powers the same products.

Live Chat Platform

Real-time messaging, agent console, smart triggers.

Learn more →

AI Chatbot

Grounded in YOUR knowledge base. Smart handoff to humans.

Learn more →

Knowledge Base

Public help center + AI training data, in one editor.

Learn more →

Get an API token. Start building.

$ curl -X POST $API/v1/api.ashx -H "Authorization: Bearer mlc_..."

Chat with your visitors, Increase sales and conversions, make your customers happy!

Get started for free!