API Authentication
SendSquared offers two types of API authentication methods, each designed for different use cases and security requirements.
API Key Types
Basic API Key (x-api-key)
Basic API keys are designed for client-side applications where the token might be exposed. This includes:
- Web applications
- Native mobile apps
- Any public-facing site
These tokens have limited access and require additional authentication:
- Header:
x-api-key
- Security: Less secure, requires domain validation
- Origin Header: Must include an
Origin
orReferer
header matching the domain the key is locked to- Automatically included in web browser requests
- Must be manually added when using CURL or server-side requests
API Token (x-api-token)
API Tokens are similar to GitHub authentication tokens and provide full access with the permissions of the associated user.
- Header:
x-api-token
- Security: Highly secure - never store in client-side code or insecure locations
- Access: Full API access with user permissions
- Use Cases: Server-to-server communication, backend services, secure environments
Never share your API Token via email or store it in version control. Treat it like a password - it provides full access to your account.
Example Usage
Using API Token with CURL
curl -X GET https://app-api.sendsquared.com/v1/reservations \
-H 'x-api-token: your-api-token-here'
Using Basic API Key with Origin Header
curl -X GET https://app-api.sendsquared.com/v1/public-endpoint \
-H 'x-api-key: your-api-key-here' \
-H 'Origin: https://yourdomain.com'
Choosing the Right Key Type
Use Case | Recommended Key Type | Reason |
---|---|---|
Frontend web app | Basic API Key | Token may be visible in browser |
Mobile application | Basic API Key | Token stored on device |
Backend service | API Token | Secure server environment |
Automation scripts | API Token | Full access needed |
Public API integration | Basic API Key | Limited access for security |
Best Practices
- Never expose API Tokens in client-side code or public repositories
- Rotate keys regularly for enhanced security
- Use environment variables to store keys in your applications
- Monitor API usage to detect any unauthorized access
- Limit key permissions to only what's necessary for your use case
Need Help?
If you're unsure which key type is appropriate for your use case, consider:
- Where the key will be stored
- What level of access is needed
- Whether the environment is secure
Contact support with details about your intended use case for personalized guidance on the most appropriate authentication method.