Partner API
Authentication
The Partner API supports two authentication mechanisms. Header-based authentication is recommended for all programmatic integrations. JWT login is available for interactive sessions.
Overview
Every Partner API request requires your Partner credentials, obtained from the Vobiz Partner Console. There are two ways to authenticate:
Pass X-Auth-ID and X-Auth-Token on every request. Best for server-to-server integrations, automation scripts, and production systems. Credentials never expire.
Exchange email + password for a temporary JWT access token. Expires after a set period. Suitable for dashboard UIs or short-lived sessions.
Header-Based Authentication
Include the following headers on every request. These credentials are permanent and do not expire (rotate them manually if compromised).
X-Auth-IDRequiredpartner-882abc...Your permanent Partner ID. Retrieved from the Partner Console under Settings → API Keys. Never changes unless you request a new one.
X-Auth-TokenRequiredsk_live_abc123...Your secret API token. Rotate this immediately if you suspect it has been compromised. A new token is issued from the Partner Console.
AcceptRequiredapplication/jsonRequired on all GET and POST requests. Tells the API to return JSON responses.
Content-TypeConditionalapplication/jsonRequired on all POST and PUT requests that include a request body.
curl -X GET \
"https://api.vobiz.ai/api/v1/partner/me" \
-H "X-Auth-ID: {your_partner_id}" \
-H "X-Auth-Token: {your_auth_token}" \
-H "Accept: application/json"curl -X POST \
"https://api.vobiz.ai/api/v1/partner/accounts" \
-H "X-Auth-ID: {your_partner_id}" \
-H "X-Auth-Token: {your_auth_token}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d '{ "name": "Acme Corp", "email": "admin@acme.com", "password": "Secure@123", "country": "IN" }'Partner Login (JWT)
Exchanges your email and password for a temporary JWT access token. The Postman collection automatically captures the token into partner_access_token after a successful login.
https://api.vobiz.ai/api/v1/partner/loginExchanges your partner email and password for a temporary JWT access token. The Postman collection automatically captures the token into partner_access_token after a successful login. Use this for interactive sessions; use X-Auth headers for automation.
Authentication Required:
- • X-Auth-ID: Your Partner ID
- • X-Auth-Token: Your secret API token
- • Content-Type: application/json
Request
| Field | Type | Required | Description |
|---|---|---|---|
| string | Required | Your partner account email address | |
| password | string | Required | Your partner account password |
curl -X POST \
"https://api.vobiz.ai/api/v1/partner/login" \
-H "X-Auth-ID: {your_partner_id}" \
-H "X-Auth-Token: {your_auth_token}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d '{
"email": "partner@example.com",
"password": "YourPassword123!"
}'Response
{
"tokens": {
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"token_type": "Bearer",
"expires_in": 3600
}
}{
"error": "invalid_credentials",
"message": "The email or password you provided is incorrect."
}Security Best Practices
Your X-Auth-Token is a server-side secret. Never include it in browser JavaScript, mobile app binaries, or any code that end-users can access. Always call the Partner API from your backend server.
If you suspect your X-Auth-Token has been exposed — leaked in a git commit, shared in a chat, or logged in plain text — rotate it immediately from the Partner Console. The old token is invalidated instantly.
Store credentials in environment variables or a secrets manager (AWS Secrets Manager, HashiCorp Vault, .env files excluded from git). Never hardcode credentials in source files.
Add .env files to .gitignore. Audit your git history if you suspect credentials were ever committed. Use tools like git-secrets or truffleHog to scan for accidental credential commits.