Workspaces and API keys

The platform is organized around workspaces. A workspace is the container for everything: channels, contacts, messages, campaigns, and balance. Your API key is tied to exactly one workspace — it cannot access resources from another. A user (the person logged into the dashboard) can be a member of multiple workspaces and switch between them. API automation uses keys, not user sessions — they are separate credentials for separate purposes.

Bearer tokens

Every /v1 REST request carries: 
Authorization: Bearer <api_key>
  • Keys are scoped to a workspace — not a user.
  • Keys are created and revoked in the dashboard under Workspace settings.
  • Rate limits apply per key.
The gateway resolves the workspace context, balance, and access scope from the key.

Do not mix credentials

Use only API keys for /v1 REST calls. Do not substitute user session tokens or dashboard secrets — they are not interchangeable and will return 401.

Security checklist

1

Store secrets properly

Use a secrets manager or environment variables—never commit keys to git.
2

Rotate on events

Rotate keys after role changes, leaks, or offboarding.
3

Separate environments

Prefer distinct keys for staging and production when policy allows.

API reference

Header format and error behavior are summarized in API overview.