Building an AI Assistant with GigaChat (Sber) in a Mobile Application
GigaChat is Sber's language model with an API specifically oriented toward B2B applications with data processing in Russia's secure perimeter. For financial, medical, and government applications where storing data abroad is legally impossible, GigaChat becomes the primary option alongside YandexGPT.
Authentication: OAuth 2.0 with Client Credentials
GigaChat API requires OAuth 2.0. Flow: obtain access_token via POST https://ngw.devices.sberbank.ru:9443/api/v2/oauth with Authorization: Basic {base64(client_id:client_secret)} and scope (GIGACHAT_API_PERS for individuals, GIGACHAT_API_CORP for organizations).
Token lives for 30 minutes. You cannot store it on the mobile client or obtain it directly—client_id and client_secret must only be on the server. Server proxy for GigaChat is a mandatory component, not optional.
# Server side (Python) — obtaining token
import httpx, base64, time
class GigaChatAuth:
def __init__(self, client_id: str, client_secret: str):
self._credentials = base64.b64encode(
f"{client_id}:{client_secret}".encode()
).decode()
self._token = None
self._expires_at = 0
async def get_token(self) -> str:
if time.time() < self._expires_at - 60:
return self._token
async with httpx.AsyncClient(verify=False) as client: # Sber uses custom CA
resp = await client.post(
"https://ngw.devices.sberbank.ru:9443/api/v2/oauth",
headers={"Authorization": f"Basic {self._credentials}"},
data={"scope": "GIGACHAT_API_CORP"}
)
data = resp.json()
self._token = data["access_token"]
self._expires_at = data["expires_at"] / 1000 # ms -> s
return self._token
Note: verify=False in Python httpx—Sber uses root certificates from the Russian state registry that are not in the system trusted store of most OSes. For production, add Russian root CAs explicitly.
GigaChat API: Chat Completions
After obtaining the token—standard POST /api/v1/chat/completions:
{
"model": "GigaChat",
"messages": [
{"role": "system", "content": "You are a financial analyst assistant."},
{"role": "user", "content": "Explain the P/E ratio"}
],
"stream": true,
"temperature": 0.7,
"max_tokens": 1024
}
Available models: GigaChat (base), GigaChat-Plus, GigaChat-Pro. Differences are in response quality and speed, similar to Lite/Pro in Yandex.
Streaming is via SSE, format compatible with OpenAI: data: {...} with delta.content. This is convenient: if you already have an OpenAI-compatible SSE parser, it works with GigaChat without changes.
Function Calling
GigaChat supports function calling via the functions parameter in the request. The syntax differs from OpenAI: the field is called functions (not tools), and the call comes in function_call (not tool_calls). When migrating from OpenAI, this is the first place where code breaks.
{
"functions": [{
"name": "get_account_balance",
"description": "Get customer account balance",
"parameters": {
"type": "object",
"properties": {
"account_id": {"type": "string"}
},
"required": ["account_id"]
}
}],
"function_call": "auto"
}
Working with Images
GigaChat Pro supports passing images via file_id. Upload the file first via POST /api/v1/files with purpose: general, receive id, then use in message:
{
"role": "user",
"content": [
{"type": "text", "text": "What is in this document?"},
{"type": "image_url", "image_url": {"url": "https://gigachat.ru/files/{file_id}/content"}}
]
}
File is deleted automatically after 24 hours.
Timeline Estimates
Server proxy with OAuth + basic text assistant—1.5–2 weeks (accounting for root certificate setup and OAuth testing). With function calling and images—3–4 weeks.