Channels

Every API key has its own scope. One agent per platform, multi-tenancy, OAuth client isolation — channels are how you wire it.

Looking for real-time push events?

You're on the page about the key×platform scope. Real-time push notifications (formerly "Channel Mode") moved to Push Mode.

Mental model — one key, one channel

When you click Generate new key on the dashboard, you're really creating a channel: a named scope that pairs the new chmd_* credential with whichever platform accounts you give it access to. The same is true when you authorize an MCP OAuth client (claude.ai Custom Connector, Cursor, …) — that client gets its own channel too.

A channel can hold:

One or more bearers — chmd_* API keys and/or MCP OAuth clients
N platform accounts (Microsoft Teams connection, Discord bot, SIP DID, …)

An agent authenticated with a bearer in channel X can only see and act on the platform accounts attached to X. Nothing else.

The default channel

Exactly one of your channels carries the Default badge. Its job is to receive any new platform you connect, automatically — so a casual user who connects Teams, Discord, and one API key never has to think about scope.

Created when you mint your first key (or authorize your first MCP OAuth client) — named after whatever you typed in the prompt, with the Default badge attached.
Every newly connected platform auto-joins it. Anything connected before you had a default sits in limbo until the default is created, then gets absorbed in one shot.
Un-deletable, but renameable, and you can move the Default badge to another channel via Set as default.

If you stick with one key + the default, channels are invisible — your account behaves exactly like pre-channels Chamade: that key sees every platform.

When to create multiple channels

Two main use cases:

One agent per platform (or per role)

You run two agents on the same Chamade account — one is your "customer support" agent (Discord + Telegram), the other is your "internal ops" agent (Slack + Teams + SIP). Without scoping, both agents see all four platforms and could cross-reply. Generate two keys, give each its own channel, attach the relevant platforms — each agent only sees and acts on its scope.

Multi-tenancy on the same platform

You connect two Microsoft 365 tenants (work + personal Teams) and want a separate dedicated agent per tenant. Each tenant gets its own channel with its own key.

OAuth clients with selective reach

You let claude.ai access Chamade via the Custom Connector OAuth flow, but you don't want it acting on your work Teams. The consent screen lets you pick which platforms it can reach — that selection becomes the OAuth client's channel.

If none of these apply, stick with the default and ignore this page.

Walkthrough

Go to /dashboard/keys. You'll see one card per channel — initially just your default.
Click + Generate new key, name it after the agent or use case (e.g. "Support agent"). Chamade mints the key and creates a fresh channel with it. The secret is shown once; copy it now.
On the new channel's card, click + Add platform and pick the platforms that agent should reach. (The default channel still holds them too, until you remove them from there if you want strict isolation.)
If you want strict isolation, remove the relevant platform(s) from the default channel by clicking × next to them. The new channel is now the only one that reaches those platforms.
Optional: + Add key on an existing channel mints an extra key inside the same scope — handy for key rotation or for letting two agents share one set of platforms.

A channel can also hold multiple bearers: chmd_* keys and OAuth clients can sit side by side. Inbound events on a platform are pushed to every bearer in any channel that holds that platform.

The no-orphan rule

Every bearer and every platform account must belong to at least one channel. The dashboard enforces this so you never end up with a credential that silently sees nothing or a platform whose inbound events get dropped. Specifically:

You can't delete a channel if any of its members would be left with zero channels — move them to another channel (or back to default) first.
The default channel itself is un-deletable, so there's always a safe fallback.
Revoking a key or OAuth client leaves its channel in place (with the other members) so you can attach a new credential later.

What agents see

An agent authenticated with bearer K (chmd_* key or OAuth bearer) can only see and act on platform accounts that share a channel with K. Concretely:

chamade_inbox returns only conversations whose platform account sits in one of K's channels.
chamade_dm_chat / chamade_call_chat / chamade_call_say / chamade_call_typing return HTTP 403 "This bearer has no channel for the account that owns this conversation" if the agent tries to act on an account outside its scope.
For default-only users (one channel, default badge), nothing changes — the default holds everything and the scope check always passes.

REST API

Endpoint reference lives with the rest of the dashboard / agent API surface: see REST API → Channels. All channel-shaping endpoints are session-authenticated only — agents cannot reshape the topology; only the human user (or their dashboard session) can.