VAR Deployment Guide
From API Key to Live Client.
The Complete Flow.
Everything a VAR or MSP needs to go from a fresh API key to a fully operational, white-label AI platform running on a real client's data. Nine steps. No hand-waving. Real code at every stage.
Base URL: rgxsystems.com/api/v1
Auth: X-Api-Key header
Format: JSON
Rate limit: 1,000 req/hr
Sandbox: 500 req/mo free
Mental Model
How the Whole Thing Fits Together
Your API key unlocks a VAR node — an isolated instance of the RGX platform assigned to your company. Every client you onboard becomes a client workspace on your node, identified by a client_ref you choose. All data, credentials, and AI context is scoped to that ref. Client A's inbox never appears in Client B's context — enforced at the infrastructure level, not application logic.
Your front-end calls the RGX API. Your clients see your product. RGX runs everything underneath.
Your Node
One API key. One invoice.
Your node is your isolated environment. All clients, usage, and billing roll up to it. You get one master key that authenticates everything.
Client Workspaces
One API call per client.
Each client is a
client_ref — a short ID you assign. Their tools, data, and AI config live under that ref. Completely isolated from all other clients.Your Front-End
Your brand. Always.
You build the UI. Your logo, your domain, your product name. Your clients never see RGX anywhere — not in URLs, emails, or documentation.
Authentication
Your API Key
Your key was sent to your email on signup. It looks like
rgx_live_xxxxxxxxxxxx for production nodes or rgx_sandbox_xxxxxxxxxxxx for sandbox. Pass it on every request as the X-Api-Key header — or as a Bearer token in the Authorization header.Keep your master key server-side only. Never expose it in client-side JavaScript or a mobile app. If a client needs direct API access, create a scoped sub-key for them (Step 8). You can rotate your key instantly from the VAR Portal — the old key is revoked the moment a new one issues.
# Option A — X-Api-Key header (recommended)
curl https://rgxsystems.com/api/v1/health \
-H "X-Api-Key: rgx_live_your_key_here"
# Option B — Bearer token
curl https://rgxsystems.com/api/v1/health \
-H "Authorization: Bearer rgx_live_your_key_here"
Step 1
Verify Your Key Works
Always start here. The health endpoint confirms your key is active, your node is in good standing, and the API is reachable. It also returns your node name so you can confirm you're on the right account.
curl https://rgxsystems.com/api/v1/health \
-H "X-Api-Key: YOUR_KEY"
{
"status": "ok",
"var_node": "Acme IT Solutions",
"plan": "production",
"api_version": "v1"
}
If you get a 401, the key is wrong or hasn't been issued yet. Check your signup email or contact support@rgxsystems.com. If you get a 403, your node may be suspended — contact support.
Step 2
Create a Client Workspace
Every client you serve gets their own isolated workspace. You provision it with one API call and assign a
client_ref — a short, URL-safe ID you choose. This ref is used in every subsequent call for that client. Pick something meaningful and permanent: sterling-law, riverside-dental, acme-hvac-chicago.| Field | Type | Description |
|---|---|---|
| client_refrequired | string | Unique ID for this client. URL-safe, lowercase, hyphens ok. Permanent — choose carefully. |
| namerequired | string | Client's company or display name. |
| emailoptional | string | Primary contact email. |
| phoneoptional | string | Primary contact phone. |
| metadataoptional | object | Any key-value pairs you want to store with this client record. |
curl -X POST https://rgxsystems.com/api/v1/clients \
-H "X-Api-Key: YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{
"client_ref": "sterling-law",
"name": "Sterling & Associates",
"email": "ops@sterlinglaw.com",
"metadata": { "industry": "legal", "seats": 12 }
}'
{
"ok": true,
"client": {
"id": "vc_01j9x...",
"client_ref": "sterling-law",
"name": "Sterling & Associates",
"status": "active",
"created_at": "2026-06-11T14:22:00Z"
}
}
Step 3
Connect the Client's Tools
This is where the client's existing tools get wired in. One call per integration type. Once connected, every downstream endpoint for that client — inbox, CRM, Slack, calendar — starts working immediately. RGX stores all credentials encrypted, handles OAuth token refresh, and manages every provider's API quirks so you never have to.
OAuth flows: For Gmail and Outlook, use the OAuth start endpoints to generate an authorization URL, redirect the client through Google/Microsoft's consent screen, and RGX handles the token exchange automatically. For API-key based integrations (HubSpot, Salesforce, Twilio), pass credentials directly in the config object.
curl -X POST https://rgxsystems.com/api/v1/clients/sterling-law/connect \
-H "X-Api-Key: YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{
"type": "gmail",
"config": {
"access_token": "ya29...",
"refresh_token": "1//0g...",
"email": "partner@sterlinglaw.com"
}
}'
curl -X POST https://rgxsystems.com/api/v1/clients/sterling-law/connect \
-H "X-Api-Key: YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{
"type": "hubspot",
"config": {
"access_token": "pat-na1-..."
}
}'
curl -X POST https://rgxsystems.com/api/v1/clients/sterling-law/connect \
-H "X-Api-Key: YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{
"type": "slack",
"config": {
"bot_token": "xoxb-...",
"team_id": "T0123ABC"
}
}'
curl -X POST https://rgxsystems.com/api/v1/clients/sterling-law/connect \
-H "X-Api-Key: YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{
"type": "twilio",
"config": {
"account_sid": "ACxxx",
"auth_token": "xxx",
"from_number": "+18005551234"
}
}'
All supported integration types
Email
Gmail
type: "gmail"
Email
Outlook
type: "outlook"
CRM
HubSpot
type: "hubspot"
CRM
Salesforce
type: "salesforce"
CRM
Pipedrive
type: "pipedrive"
Collaboration
Slack
type: "slack"
Collaboration
Microsoft Teams
type: "teams"
SMS / Voice
Twilio
type: "twilio"
Calendar
Google Calendar
type: "google_calendar"
Calendar
Outlook Calendar
type: "outlook_calendar"
Files
Google Drive
type: "google_drive"
Files
OneDrive
type: "onedrive"
Step 4
Read the Client's Data
Once tools are connected, every data endpoint for that client works immediately. Pass the
client_ref in the URL path — that's what scopes the response to that client's data.
curl https://rgxsystems.com/api/v1/clients/sterling-law/email/inbox?limit=20 \
-H "X-Api-Key: YOUR_KEY"
// Returns the 20 most recent threads from their connected Gmail/Outlook
curl https://rgxsystems.com/api/v1/clients/sterling-law/crm/deals \
-H "X-Api-Key: YOUR_KEY"
// Returns open deals from their HubSpot/Salesforce/Pipedrive
curl "https://rgxsystems.com/api/v1/clients/sterling-law/calendar/events?start=2026-06-11&end=2026-06-18" \
-H "X-Api-Key: YOUR_KEY"
curl https://rgxsystems.com/api/v1/clients/sterling-law/slack/general/messages?limit=50 \
-H "X-Api-Key: YOUR_KEY"
Step 5
Send Messages on Their Behalf
Your platform can send email, SMS, Slack messages, and calendar invites on behalf of each client — all through their own connected accounts, from their own addresses and numbers.
curl -X POST https://rgxsystems.com/api/v1/clients/sterling-law/email/send \
-H "X-Api-Key: YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{
"to": "client@example.com",
"subject": "Your case update — June 11",
"body": "Hi Sarah, here is the current status of your matter...",
"reply_to_thread": "thread_id_optional"
}'
curl -X POST https://rgxsystems.com/api/v1/clients/sterling-law/sms/send \
-H "X-Api-Key: YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{
"to": "+12125551234",
"message": "Reminder: your consultation is tomorrow at 2pm. Reply CONFIRM or CANCEL."
}'
curl -X POST https://rgxsystems.com/api/v1/clients/sterling-law/calendar/events \
-H "X-Api-Key: YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{
"title": "Initial Consultation — Sarah Johnson",
"start": "2026-06-12T14:00:00Z",
"end": "2026-06-12T15:00:00Z",
"attendees": ["sarah@johnson.com"],
"description": "New client intake — estate planning matter"
}'
curl -X POST https://rgxsystems.com/api/v1/clients/sterling-law/slack/ops-team/message \
-H "X-Api-Key: YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{
"text": "New intake submitted: Sarah Johnson — estate planning. Assigned to partner review queue."
}'
Step 6
Route AI Requests Through the Gateway
The
POST /api/v1/process endpoint is your AI gateway. Pass the input, a system prompt, and a config object specifying the client's industry and your preferred routing profile. RGX handles compliance preprocessing (PHI scrubbing for healthcare, output validation for legal), routes to the right model, and returns a structured response with the processed output and full token metadata.| config field | Type | Description |
|---|---|---|
| industryoptional | string | Activates compliance layer. See industry values below. |
| routing_profileoptional | string | deep-reasoning → Claude Sonnet 4.6. ultra-low-latency → GPT-4o-mini. Defaults to deep-reasoning. |
| tenant_idoptional | string | Used to tag usage logs for seat-level billing. Pass the client_ref here. |
curl -X POST https://rgxsystems.com/api/v1/process \
-H "X-Api-Key: YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{
"input": "Review this NDA non-compete clause for potential issues: ...",
"system_prompt": "You are a contract review assistant. Identify risks and flag ambiguous language.",
"session_id": "session_sarah_johnson_intake",
"config": {
"industry": "legal",
"routing_profile": "deep-reasoning",
"tenant_id": "sterling-law"
}
}'
{
"ok": true,
"response": "The non-compete clause on page 3 contains three areas of concern...\n\n---\nIMPORTANT NOTICE: This output was generated by an AI system and does not constitute legal advice...",
"model": "claude-sonnet-4-6",
"provider": "anthropic",
"industry": "legal",
"routing_profile": "deep-reasoning",
"tenant_id": "sterling-law",
"tokens": { "input": 412, "output": 318, "total": 730 },
"legal_warnings": [],
"processing_ms": 2140
}
curl -X POST https://rgxsystems.com/api/v1/process \
-H "X-Api-Key: YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{
"input": "Patient DOB 04/12/1985, MRN 00291847, presenting with persistent headaches...",
"system_prompt": "Summarise this clinical note in plain language for the patient record.",
"config": {
"industry": "healthcare",
"routing_profile": "deep-reasoning",
"tenant_id": "riverside-dental"
}
}'
// PHI is scrubbed BEFORE reaching the LLM. Response includes:
// "phi_redactions": 2 ← DOB and MRN were redacted in-flight
curl -X POST https://rgxsystems.com/api/v1/process \
-H "X-Api-Key: YOUR_KEY" \
-H "X-Industry: finance" \
-H "X-Routing-Profile: ultra-low-latency" \
-H "X-Tenant-Id: acme-capital" \
-H "Content-Type: application/json" \
-d '{ "input": "What is the current risk exposure on the Q3 bond portfolio?" }'
// Routed to GPT-4o-mini. Full audit trail logged to tenant acme-capital.
All industry config values
| industry value | Compliance layer activated | Recommended routing_profile |
|---|---|---|
| "healthcare" | PHI/PII scrubbing before LLM (SSN, MRN, DOB, insurance IDs, addresses) | deep-reasoning |
| "legal" | Output validation + mandatory legal disclaimer appended | deep-reasoning |
| "finance" | Full audit trail logging (tenant_id, model, tokens, timestamps) | either |
| "insurance" | Full audit trail logging (same as finance) | either |
| "real_estate" | Standard — no additional layer | ultra-low-latency |
| "field_service" | Standard — no additional layer | ultra-low-latency |
| "professional_services" | Standard — no additional layer | deep-reasoning |
| "construction" | Standard — no additional layer | ultra-low-latency |
| "hospitality" | Standard — no additional layer | ultra-low-latency |
| "education" | Standard — no additional layer | deep-reasoning |
| "nonprofit" | Standard — no additional layer | deep-reasoning |
| "generic" | None — full platform, no overhead (default) | either |
Step 7
Accept Inbound Events from External Systems
Clients often have external tools — web forms, Stripe, Zoho, custom CRMs — that need to push data into their workspace. Each client gets an inbound key that external systems use to POST directly into their workspace. Your master API key is never exposed to external systems.
curl https://rgxsystems.com/api/v1/clients/sterling-law/inbound-key \
-H "X-Api-Key: YOUR_KEY"
// → { "inbound_key": "inb_0x9f...", "inbound_url": "https://rgxsystems.com/api/v1/clients/sterling-law/inbound" }
Give the
inbound_key to the external system. It POSTs to the inbound URL with the key as a query param or X-Inbound-Key header — no VAR API key required or exposed:
# This is called by the external system (e.g. Zapier, your web form, Stripe webhook)
curl -X POST "https://rgxsystems.com/api/v1/clients/sterling-law/inbound?key=inb_0x9f..." \
-H "Content-Type: application/json" \
-d '{
"channel": "web-form",
"event": "new_inquiry",
"from": "sarah.johnson@email.com",
"payload": {
"name": "Sarah Johnson",
"matter_type": "estate_planning",
"message": "I need help updating my will after a recent property purchase."
}
}'
// Event stored in client workspace + any registered webhooks fired
Step 8
Create Client-Scoped Sub-Keys
If a client needs to call the API directly from their own systems — rather than routing everything through your back-end — create a sub-key scoped exclusively to their workspace. A sub-key can only access data for the client it was issued for. Using it to access any other client's data returns a 403 immediately.
curl -X POST https://rgxsystems.com/api/v1/clients/sterling-law/keys \
-H "X-Api-Key: YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{ "label": "Sterling internal integration" }'
// → { "key": "rgx_sub_...", "client_ref": "sterling-law", "label": "Sterling internal integration" }
// This key only works for sterling-law. Any other client_ref = 403.
curl -X DELETE https://rgxsystems.com/api/v1/clients/sterling-law/keys/key_01j9... \
-H "X-Api-Key: YOUR_KEY"
// Key is immediately revoked. Any in-flight requests using it will 401.
Step 9
Monitor Usage and Build Your Invoice
Every API call on your node is tracked — endpoint, client_ref, tokens consumed, estimated cost, and response time. Use these endpoints to see your current billing position, build your own invoices to your clients, and identify which clients are using the platform most.
curl https://rgxsystems.com/api/v1/usage \
-H "X-Api-Key: YOUR_KEY"
{
"period": "2026-06",
"requests_this_month": 4821,
"active_seats": 47,
"base_fee_usd": 2000,
"seat_fee_usd": 30,
"seat_charges_usd": 1410,
"estimated_invoice_usd": 3410,
"ai_tokens_used": 1284000
}
curl https://rgxsystems.com/api/v1/billing/summary \
-H "X-Api-Key: YOUR_KEY"
// Returns each active client with their client_ref, name, and active-since date.
// Use this to build your own invoices to your clients at whatever rate you charge.
End-to-End Reference
Complete Integration — New Client Onboard to First AI Response
This is the full sequence for onboarding a new law firm client and processing their first AI request. Copy, adapt, and use as the foundation of your onboarding flow.
const BASE = 'https://rgxsystems.com/api/v1';
const KEY = 'rgx_live_your_key_here';
const hdrs = { 'X-Api-Key': KEY, 'Content-Type': 'application/json' };
// 1. Create the client workspace
const client = await fetch(`${BASE}/clients`, {
method: 'POST', headers: hdrs,
body: JSON.stringify({
client_ref: 'sterling-law',
name: 'Sterling & Associates',
email: 'ops@sterlinglaw.com'
})
}).then(r => r.json());
// 2. Connect Gmail (after collecting OAuth tokens from the client)
await fetch(`${BASE}/clients/sterling-law/connect`, {
method: 'POST', headers: hdrs,
body: JSON.stringify({
type: 'gmail',
config: { access_token: gmailToken, refresh_token: gmailRefresh, email: partnerEmail }
})
});
// 3. Connect HubSpot CRM
await fetch(`${BASE}/clients/sterling-law/connect`, {
method: 'POST', headers: hdrs,
body: JSON.stringify({ type: 'hubspot', config: { access_token: hubspotToken } })
});
// 4. Read the inbox
const inbox = await fetch(`${BASE}/clients/sterling-law/email/inbox?limit=10`, {
headers: hdrs
}).then(r => r.json());
// 5. Run a new intake email through the AI gateway
const aiResult = await fetch(`${BASE}/process`, {
method: 'POST', headers: hdrs,
body: JSON.stringify({
input: inbox.messages[0].body,
system_prompt: 'Extract the client name, matter type, and urgency. Draft a professional acknowledgment.',
config: {
industry: 'legal',
routing_profile: 'deep-reasoning',
tenant_id: 'sterling-law'
}
})
}).then(r => r.json());
// 6. Log the interaction to CRM
await fetch(`${BASE}/clients/sterling-law/crm/activity`, {
method: 'POST', headers: hdrs,
body: JSON.stringify({
contact_email: inbox.messages[0].from,
type: 'email_intake',
note: aiResult.response,
timestamp: new Date().toISOString()
})
});
// 7. Send the AI-drafted reply
await fetch(`${BASE}/clients/sterling-law/email/send`, {
method: 'POST', headers: hdrs,
body: JSON.stringify({
to: inbox.messages[0].from,
subject: `Re: ${inbox.messages[0].subject}`,
body: aiResult.response
})
});
console.log('Done. Intake processed, CRM updated, acknowledgment sent.');
Questions or stuck?
Email support@rgxsystems.com with your node name and we'll get back to you same business day. For the full endpoint reference including request/response schemas for every endpoint, see the API Reference →