If you're building an AI agent, OpenAI's ChatKit probably caught your eye. It's a pre-built chat UI that's supposed to save you a ton of frontend work. And on the surface, it looks great.
The catch? Getting it to work securely involves a whole lot of backend wrangling with the ChatKit Session API.
In this guide, we'll pull back the curtain on what ChatKit is, how its session API actually works, and dig into the hidden complexities you should know about before you commit. We'll also look at why a more integrated platform might be a better fit for businesses, especially for things like customer support.
What is OpenAI's ChatKit and the ChatKit Session API?
So, what exactly is ChatKit? Think of it as the friendly face of your AI agent. It’s a JavaScript library from OpenAI that gives you a customizable chat window you can drop right into your app.
Instead of building a chat interface from the ground up (and dealing with all the headaches of message history, streaming responses, and file uploads), you can just use their web component. It's designed to hook into an AI workflow you build in OpenAI's Agent Builder.
The whole point is to let you focus on your agent's brain (the logic) instead of its face (the UI). It’s handy for all sorts of things, from internal help bots to customer-facing support. But, as you'll see, connecting that pretty UI to your app securely is where the real work begins, and that's all handled by the ChatKit Session API.
How the ChatKit Session API works
Alright, let's get into the nitty-gritty. The ChatKit Session API is basically the security guard for your chat widget. You obviously can't just paste your secret OpenAI API key into your frontend code, that would be a disaster waiting to happen. Instead, ChatKit forces you to use a server-side authentication flow to create temporary tokens. This makes sure that only real, authorized users on your website can talk to your AI agent.
The ChatKit Session API authentication flow explained
Before that chat bubble can even appear on the screen, a little dance has to happen between the user's browser, your server, and OpenAI's servers. Here's a step-by-step breakdown:
-
Browser asks for permission: Your website’s frontend pings your backend server and says, "Hey, I need a token to start a chat."
-
Your server talks to OpenAI: Your backend gets the request. It then makes a secure, server-to-server call to the OpenAI API, using your secret API key, to create a new ChatKit session.
-
OpenAI passes back a temporary key: OpenAI's API generates a short-lived "client_secret" and sends it back to your server.
-
The key goes to the browser: Your backend then passes this temporary key to the user's browser. The browser uses it to fire up the ChatKit component, and voilà, the chat window appears.
This whole process is designed to keep your main OpenAI API key safe and sound on your server.
Key components you need to build for the ChatKit Session API
To pull this off, you can't just copy-paste a snippet. You have to build and manage three separate pieces of infrastructure:
-
An Agent Workflow: First, you need an actual agent. You have to design and publish a workflow in OpenAI's Agent Builder. This will give you a unique ID (it looks like "wf_...") that you'll need later.
-
A Backend Endpoint: This is the big one. You are on the hook for building and hosting your own backend API endpoint (something like "/api/chatkit/session"). This server is where you'll securely store your OpenAI API key and write the logic to handle the token exchange.
-
A Frontend Implementation: Finally, you have to add the ChatKit JavaScript to your site, write the code that calls your new backend endpoint, and then use the token it sends back to actually display the chat widget.
This setup means that even for a "simple" chat widget, you're now a full-stack developer, managing and deploying both frontend and backend code. It adds a layer of complexity that all-in-one solutions just don't have.
The challenges and limitations of the ChatKit Session API
ChatKit might save you from writing frontend code, but it introduces a whole new set of headaches, especially if you're trying to build a reliable AI support agent for a business. Its flexibility is a double-edged sword; it's a component, not a complete solution.
A lot of work to set up and maintain
As we just saw, this isn't a simple copy-paste job. You have to:
-
Build and host a server just for creating and refreshing session tokens.
-
Wrestle with security settings like the domain allowlist. This is a common tripwire where the widget just won't load, often without a helpful error message.
-
Write integration code for both your frontend and your new backend.
All of this takes up developer time and creates another system you have to maintain. Compare that to a platform like eesel AI, which is built to be self-serve. You can get live with a one-click helpdesk integration in a few minutes, with zero custom backend development needed.
Your knowledge is stuck in OpenAI's world
ChatKit is built to work with agents from OpenAI's Agent Builder. That’s fine if your agent only needs knowledge that lives within OpenAI. But that's not how most companies work, right?
Your knowledge is probably all over the place:
-
Your help articles are in Zendesk.
-
Your internal docs are in Confluence or Google Docs.
-
Your team answers questions in Slack.
-
Your support agents have years of context in Intercom conversations.
ChatKit and Agent Builder don't really give you a clean way to pull all of that together. A truly helpful AI agent needs access to all your company knowledge, wherever it is. This is why eesel AI connects to over 100 sources right out of the box. You can unify your knowledge instantly without needing a massive data migration project.
It’s missing the features support teams actually need
At the end of the day, ChatKit is just a chat window. It's not a full-blown customer support platform. It's missing a bunch of things that support teams rely on to use AI effectively and safely:
-
No way to test it: There's no simulation mode to see how your agent would have handled past conversations. You're essentially flying blind, with no real way to predict its accuracy before you unleash it on customers.
-
No help for your human agents: It's all or nothing. There's no copilot feature to help your human agents write replies faster when a conversation needs to be escalated.
-
No backend automation: It can't do things like automatically tag tickets, route conversations to the right team, or handle other behind-the-scenes tasks that save a ton of time.
eesel AI was built specifically for support teams. You can use its powerful simulation mode to test your AI on thousands of your real past tickets, get clear reports on its performance, and then roll out automation with confidence.
Pricing for OpenAI agent workflows
So, how much does all this cost? The ChatKit library is free, but running the actual agent isn't. Your costs will come from the API calls to the models and tools your agent uses. This can make your monthly bill pretty unpredictable.
For most business uses, you'll need a ChatGPT Business or Enterprise plan to get the security and admin features you need. Here’s a quick look at their standard plans.
| Feature | ChatGPT Business | ChatGPT Enterprise |
|---|---|---|
| Pricing | $25/user/month (billed annually) | Contact Sales |
| Model Access | Unlimited GPT-5 messages (with generous access to GPT-5 thinking and GPT-5 pro) | Everything in Business, plus expanded context windows |
| Security | Secure workspace, SAML SSO, data excluded from training by default | Enterprise-grade security, SCIM, user analytics, custom data retention |
| Integrations | Connectors for Google Drive, SharePoint, Notion, etc. | Everything in Business |
| Key Features | Data analysis, shared projects, custom workspace GPTs | 24/7 priority support, SLAs, AI advisor access |
This information is based on public pricing and is subject to change. For the latest details, it's always best to check the official ChatGPT pricing page.
A simpler path for support teams: eesel AI
For any business, but especially for support teams, ChatKit is just one piece of a much larger puzzle. It gives you the chat window, but you still have to build the backend, figure out the integrations, and tack on all the features that actually make a difference.
eesel AI is an all-in-one platform that handles all of that for you, letting you launch a genuinely useful AI agent in minutes. Here's how it's different:
-
Go live in minutes, not months: Instead of building a backend to manage tokens, you just connect your helpdesk (like Zendesk or Freshdesk) with one click. The platform is truly self-serve, meaning you can get started without talking to a salesperson.
-
Connect all your knowledge: Don't fence your AI in. eesel AI pulls information from your help desk, internal wikis like Confluence and Google Docs, and even collaboration tools like Slack. It can also learn from your past support tickets to nail your brand's tone of voice from day one.
-
A complete toolkit for support automation: eesel AI is much more than a chatbot. The platform gives you an AI Agent for full automation, an AI Copilot to help your human team, and AI Triage to automatically organize your support queue.
-
Test with confidence and get real insights: Use the simulation mode to see exactly how the AI would have performed on your past tickets before you ever turn it on. The reports don't just throw vanity metrics at you; they show you where your knowledge gaps are and give you a clear path to improve.
Should you use the ChatKit Session API?
OpenAI's ChatKit is a solid tool if you're a developer who wants a customizable chat UI and you're ready to roll up your sleeves and build the backend to support it. The ChatKit Session API offers a secure way to handle authentication, but it’s a real development project, not a quick-win.
For businesses looking for a fast, powerful, and complete AI support solution, a dedicated platform is almost always the better choice. Instead of piecing everything together yourself, you get an integrated system that handles everything from knowledge management to deployment, with predictable pricing and a clear focus on results.
Ready to see what a fully integrated AI support platform can do? Get started with eesel AI for free.
Frequently asked questions
The ChatKit Session API's primary purpose is to securely manage authentication for your ChatKit widget. It ensures that your sensitive OpenAI API keys are never exposed in the client-side code, creating temporary tokens for user sessions instead.
The ChatKit Session API uses a server-side authentication flow. Your backend server, holding your secret API key, communicates directly with OpenAI to generate a short-lived "client_secret", which is then passed to the user's browser.
To properly implement the ChatKit Session API, developers need to build and host a dedicated backend API endpoint. This endpoint securely handles the token exchange process, requiring custom server-side logic and frontend integration code.
Maintaining a solution built with the ChatKit Session API involves ongoing server management and security updates for your custom backend. You'll also need to manage domain allowlists and continuously integrate frontend changes.
The ChatKit Session API itself doesn't offer direct integrations with external knowledge bases. Its primary function is authentication for agents built within OpenAI's Agent Builder, which may limit how easily it accesses diverse enterprise data sources.
While the ChatKit Session API library itself is free, the underlying API calls made by the agent it authenticates will incur costs from OpenAI. These costs depend on the models and tools your agent utilizes during conversations.
For support teams, relying solely on the ChatKit Session API and Agent Builder means missing features like a simulation mode for testing, AI copilot capabilities for human agents, and backend automation for ticket routing or tagging. It provides a chat window, not a complete support platform.
