Authorization header on every request:
Key formats
Every key has the formatrb_<env>_<32-char-token>. The <env> segment tells you at a glance what the key does:
| Prefix | Mode | Behavior |
|---|---|---|
rb_live_* | Live | Real carriers, real money, real delivery receipts. |
rb_test_* | Test | Simulator: magic numbers produce deterministic outcomes. Does not debit your wallet. |
Permission scopes
When you create a key you pick its permission:One of:
full— all endpoints (default). Sends + reads + admin (templates, sender IDs, webhooks, domains).sending—POST /v1/sms,POST /v1/emails,POST /v1/sms/batch,POST /v1/emails/batchonly. Read operations fail withpermission_error.
sending keys for servers that only emit messages — no dashboard, no template management. If that key leaks you minimize the blast radius.Revoking keys
Keys are revoked instantly from the dashboard (API keys → Revoke). Revoked keys return401 authentication_error on the next request.
We hash keys with argon2id + a server-side pepper, so even a database dump doesn’t hand an attacker your secrets. But revocation is still the fastest remediation if you think a key leaked.
Session authentication (dashboard only)
Dashboard endpoints (/dashboard/*) use a session cookie set by /auth/login — not an API key. You rarely need this unless you’re embedding the dashboard somewhere custom.
Idempotency + replay
Auth has nothing to do with idempotency — see Idempotency for how we de-duplicate retries. The two concepts are orthogonal: a retried request with the sameIdempotency-Key still needs a valid API key.