API Authentication
Learn how to authenticate your requests to the Vobiz API using header-based authentication with Auth ID and Auth Token credentials.
Authentication Method
Vobiz uses custom HTTP headers for authentication. Every API request must include bothX-Auth-ID andX-Auth-Token headers.
Getting Your API Credentials
Follow these steps to obtain your API credentials from the Vobiz console:
- 1
Log in to Vobiz Console
Navigate to console.vobiz.com and sign in
- 2
Navigate to API Settings
Go to Settings → API Keys in the left sidebar
- 3
View or Create API Keys
Your Auth ID is always visible. To create a new Auth Token, click Generate New Token
⚠️ Auth Tokens are only shown once upon creation. Save it securely - you won't be able to see it again.
- 4
Copy Your Credentials
Copy both the Auth ID and Auth Token to use in your application
Understanding Your Credentials
X-Auth-ID (Public Identifier)
Your account's authentication ID. Starts with auth_. This is not secret and identifies your account.
auth_1234567890abcdefX-Auth-Token (Secret Key)
Your secret authentication token. Starts with sk_live_ for production or sk_test_ for test mode. Keep this secure!
sk_live_abcdefghijklmnopqrstuvwxyz123456Making Authenticated Requests
Include both authentication headers in every API request:
curl -X GET https://api.vobiz.com/v1/messaging/channels \
-H "X-Auth-ID: auth_1234567890abcdef" \
-H "X-Auth-Token: sk_live_abcdefghijklmnopqrstuvwxyz123456"Required Headers
| Header | Value | Required |
|---|---|---|
| X-Auth-ID | Your Auth ID | Required |
| X-Auth-Token | Your Auth Token | Required |
| Content-Type | application/json | For POST/PUT |
🚫 Common Authentication Errors
- • 401 Unauthorized - Missing or invalid Auth ID/Token
- • 403 Forbidden - Valid credentials but insufficient permissions
- • Missing headers - Both X-Auth-ID and X-Auth-Token must be present
- • Incorrect header names - Headers are case-sensitive
Code Examples
Examples of authenticated requests in different programming languages:
Python
import requests
# Your API credentials
AUTH_ID = "auth_1234567890abcdef"
AUTH_TOKEN = "sk_live_abcdefghijklmnopqrstuvwxyz123456"
# Make an authenticated request
response = requests.get(
"https://api.vobiz.com/v1/messaging/channels",
headers={
"X-Auth-ID": AUTH_ID,
"X-Auth-Token": AUTH_TOKEN
}
)
if response.status_code == 200:
channels = response.json()
print(f"Found {len(channels['data'])} channels")
else:
print(f"Error: {response.status_code}")
print(response.json())Node.js
const axios = require('axios');
// Your API credentials
const AUTH_ID = 'auth_1234567890abcdef';
const AUTH_TOKEN = 'sk_live_abcdefghijklmnopqrstuvwxyz123456';
// Make an authenticated request
async function getChannels() {
try {
const response = await axios.get(
'https://api.vobiz.com/v1/messaging/channels',
{
headers: {
'X-Auth-ID': AUTH_ID,
'X-Auth-Token': AUTH_TOKEN
}
}
);
console.log(`Found ${response.data.data.length} channels`);
return response.data;
} catch (error) {
console.error('Error:', error.response?.status);
console.error(error.response?.data);
}
}
getChannels();PHP
<?php
// Your API credentials
$authId = 'auth_1234567890abcdef';
$authToken = 'sk_live_abcdefghijklmnopqrstuvwxyz123456';
// Make an authenticated request
$ch = curl_init('https://api.vobiz.com/v1/messaging/channels');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
'X-Auth-ID: ' . $authId,
'X-Auth-Token: ' . $authToken
]);
$response = curl_exec($ch);
$statusCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($statusCode === 200) {
$data = json_decode($response, true);
echo "Found " . count($data['data']) . " channels\n";
} else {
echo "Error: $statusCode\n";
echo $response . "\n";
}Security Best Practices
✓ Use Environment Variables
Store your Auth ID and Token in environment variables, never hardcode them in your source code.
export VOBIZ_AUTH_ID="auth_1234567890abcdef"
export VOBIZ_AUTH_TOKEN="sk_live_abc..."✓ Never Commit Credentials
Add credential files to .gitignore to prevent accidentally committing them to version control.
✓ Use Server-Side Only
Never expose your Auth Token in client-side code (browsers, mobile apps). API calls should only be made from your backend servers.
✓ Use HTTPS
Always make API requests over HTTPS. The Vobiz API does not support unencrypted HTTP connections.
✓ Rotate Tokens Regularly
Periodically rotate your Auth Tokens (every 90 days is recommended) to minimize the impact of potential token compromise.
✓ Monitor API Usage
Regularly review API logs in the console to detect any suspicious or unauthorized access patterns.
Rotating Auth Tokens
For security reasons, you should rotate your Auth Tokens periodically:
Token Rotation Process
- 1.Generate a new Auth Token in Settings → API Keys
- 2.Update your application to use the new token (keep the old one active)
- 3.Deploy the updated application and verify it's working
- 4.Once confirmed, revoke the old token in the console
💡 Zero Downtime Rotation
You can have multiple active Auth Tokens simultaneously. This allows you to rotate tokens without any downtime by creating a new token before revoking the old one.