New

Developer Platform & CHeKT Apps are now live — read the May release notes.

CHeKTDevelopers
Get started
Get started

Create your first CHeKT App.

A complete, visual walkthrough — from clicking 'New app' in the dealer portal to your first authenticated API call. Plan on about 10 minutes.

Open dealer.chekt.comConcepts first

Before you start

Four things to have on hand. None are blockers — you can grab any you're missing as you go.

The full flow at a glance

Six steps from the admin's first click to your app making its first call.

Dealer admindealer.chekt.com
CHeKT
Your appthird-party service
  1. 01
    Dealer adminCHeKT
    Open Settings → CHeKT Apps
  2. 02
    Dealer adminCHeKT
    Click New app, set name & description
  3. 03
    Dealer adminCHeKT
    Pick permission scopesStart small: devices:read, events:read
  4. 04
    Dealer adminCHeKT
    Set webhook URL & event subscriptionsOptional — skip if API-only
  5. 05
    CHeKTYour app
    Issue API key + signing secretShown once — copy to secret manager
  6. 06
    Your appCHeKT
    Verify with first authenticated callGET /v1/devices
Figure 1. App creation, configuration, and first verified call.

1 Open the apps page

Sign into dealer.chekt.com with an admin account. Open Settings → CHeKT Apps from the left sidebar, then click New app in the top-right.

dealer.chekt.com
Settings/CHeKT Apps
JS

CHeKT Apps

3 installed
ai-verifier-prodCreated Apr 14 · 4 scopes · webhooks on
Active
nightly-reportsCreated Mar 02 · 3 scopes · read-only
Active
panel-bridge-stagingCreated Feb 22 · 2 scopes · webhooks on
Paused
Figure 2. The CHeKT Apps page lists installed apps. New app sits top-right.

2 Name your app

The name shows up in audit logs, webhook delivery history, and the dealer's installed-apps list. Pick something specific so operators reading the log six months from now still know what the app does.

Good names
  • ai-verifier-prod
  • nightly-reports
  • panel-bridge-staging
  • acme-dispatch-v2
Avoid
  • test — which test?
  • my-app — whose?
  • integration — with what?
  • app-1 — what does it do?

3 Pick permissions

Grant only what the app needs. You can expand permissions later — the dealer admin re-approves the new set — and you can tighten permissions silently any time. The principle of least privilege keeps your blast radius small if the key ever leaks.

The picker

The dealer portal lays out scopes by resource family. Click each one to toggle it on.

dealer.chekt.com
Settings/CHeKT Apps/ai-verifier-prod/Permissions
JS

Permissions

Devices
devices:readread
devices:writewrite
Events & Alarms
events:readread
snapshots:readread
events:writewrite
alarms:writewrite
Sites
sites:readread
Figure 3. A typical read-only AI verifier picks four scopes.

Quick recipes

Common app shapes and the scopes they typically need. Pick the closest match and trim.

Read-only dashboard

Reports, monitoring, analytics.

  • devices:read
  • events:read
  • sites:read

AI verification app

Reads alarms + snapshots, writes verdicts back.

  • events:read
  • snapshots:read
  • events:write

Auto-dispatcher

Sends responders for high-confidence alarms.

  • events:read
  • alarms:write

Schedule automation

Arms / disarms partitions on a calendar.

  • sites:read
  • sites:write

4 Subscribe to webhook events

If your app needs real-time push from CHeKT, register a webhook URL and pick events to subscribe to. Skip this step if your app only reads via the REST API — you can add webhooks later from the same settings page.

Webhook URL

A public HTTPS endpoint you control. CHeKT POSTs each event here with a signed header. For local development, use a tunnel like ngrok or cloudflared.

local dev tunnel
ngrok http 3000
# → forwarding https://abc123.ngrok.app → http://localhost:3000

# Paste the https://… URL into the webhook field in the portal.

Selecting events

The fewer events you subscribe to, the cleaner your delivery log. Start with the two or three event types driving your core workflow.

dealer.chekt.com
ai-verifier-prod/Webhooks
JS

Webhook subscriptions

3 selected
https://api.example.com/hooks/chekt
Alarms
alarm.created
alarm.resolved
alarm.dispatched
Snapshots
snapshot.created
Figure 4. An AI verifier subscribes to alarms + snapshots only.

See the event catalog for every event type with its payload shape and required permission scope.

5 Save the API key & signing secret

When you click Create, CHeKT shows your API key and webhook signing secret on screen. Copy them now.

dealer.chekt.com
CHeKT Apps/ai-verifier-prod
JS

App created

New

Your app is ready. The values below are shown only once — copy them into your secret manager before continuing.

API key
chekt_live_8h2j3kfm2918sndlj4kxq…
Webhook signing secret
whsec_4d2c9b8jx2klmp29fnskl…
⚠ These values won't be shown again. Rotating later will issue new ones.
Figure 5. The one-time reveal screen. Copy both values before clicking Done.

Where to store them

Local dev
A .env file in .gitignore. Never commit. Use a library like dotenv to load.
Production servers
Your platform's secrets manager — AWS Secrets Manager, GCP Secret Manager, Vault, Doppler.
CI/CD pipelines
Encrypted secrets store — GitHub Actions secrets, GitLab variables, Vercel env vars.
Anywhere else
A dedicated secrets manager that audit-logs reads. 1Password Teams, Bitwarden Business, Doppler.

6 Verify with your first API call

List the devices on your dealer. A successful response confirms auth, permissions, and connectivity all work end-to-end. Pick your language:

terminal
export CHEKT_API_KEY='chekt_live_8h2j3kfm…'

curl https://api.chekt.com/v1/devices \
  -H "Authorization: Bearer ${CHEKT_API_KEY}" \
  -H "Accept: application/json"

A successful response looks like this:

response
{
  "data": [
    {
      "id": "dev_8h2j3kfm",
      "type": "camera",
      "name": "Main Entrance",
      "site_id": "site_29snd",
      "status": "online",
      "firmware": "2.14.1"
    }
  ],
  "has_more": false,
  "next_cursor": null
}

If you see an error

Most first-call errors fall into one of four buckets:

401invalid_api_key

Double-check the key is set in CHEKT_API_KEY and you're sending it as a Bearer token. Re-run echo $CHEKT_API_KEY in the same shell.

403permission_denied

The app is missing the required scope. Go back to Settings → CHeKT Apps → [your app] → Permissions and grant the scope your call needs.

404Wrong base URL

All endpoints live under https://api.chekt.com/v1. Don't forget /v1 in the path.

429Rate limited

Free-tier limit is 60 req/min. If you're testing in a tight loop, slow down or upgrade.

Bonus — set up the webhook handler

If you subscribed to webhooks in step 4, here's the minimal receiver. Always verify the HMAC signature against the raw bytes (not the parsed JSON) and respond with 200 within 30 seconds.

server.ts
import express from "express";
import crypto from "crypto";

const app = express();

app.post(
  "/webhooks/chekt",
  express.raw({ type: "application/json" }),
  (req, res) => {
    const sig = req.headers["x-chekt-signature"] as string;
    const ts  = req.headers["x-chekt-timestamp"] as string;
    const signed = `${ts}.${req.body.toString("utf8")}`;

    const expected = crypto
      .createHmac("sha256", process.env.CHEKT_WEBHOOK_SECRET!)
      .update(signed)
      .digest("hex");

    if (!crypto.timingSafeEqual(
      Buffer.from(sig, "hex"),
      Buffer.from(expected, "hex"),
    )) return res.status(401).end();

    const event = JSON.parse(req.body.toString("utf8"));
    console.log(`Got ${event.type}`);
    res.sendStatus(200);
  },
);

app.listen(3000);

You're done.

You have a working CHeKT App with an API key, scoped permissions, and (optionally) webhook delivery. From here: