Authentication
All Sendexa API requests use HTTP Basic Authentication with a pre-computed Base64 token you copy directly from your dashboard — no manual encoding needed.
Pre-computed Token
Copy your ready-made Base64 token directly from the dashboard — no manual encoding required
Basic Auth Standard
Industry-standard HTTP Basic Authentication supported by every HTTP client and framework
Applies to All APIs
One credential set authenticates every Sendexa API — SMS, OTP, WhatsApp, SMPP, and Webhooks
Instant Activation
New API keys are active immediately — no waiting period or verification email needed
Sendexa uses HTTP Basic Authentication. Your API key and secret are combined and Base64-encoded to form a token. You add this token to every request's Authorization header.
Your credentials
Every Sendexa account has an API key and an API secret.
API Key: exa_1a2b3c4d5e6f
API Secret: sk_7g8h9i0j1k2l3m4n5o6p
The token is pre-built for you
The dashboard Base64-encodes API_KEY:API_SECRET automatically. Just copy it.
ZXhhXzFhMmIzYzRkNWU2Zjpza183ZzhoOWkwajFrMmwzbTRuNW82cA==
Add it to every request header
Set the Authorization header on every API call.
Authorization: Basic ZXhhXzFhMmIzYzRkNWU2Zjpza183ZzhoOWkwajFrMmwzbTRuNW82cA==
Copy Your Token from the Dashboard
Replace YOUR_DASHBOARD_BASE64_TOKEN with the token copied from your dashboard.
```
curl -X POST 'https://api.sendexa.co/v1/sms/send' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Basic YOUR_DASHBOARD_BASE64_TOKEN' \
  -d '{"to": "0244123456","from": "MyBrand","message": "Hello from Sendexa!"}'
```
Never hardcode your token in source code. Use environment variables and load them at runtime.
```
# .env — add this file to .gitignore immediately
SENDEXA_API_TOKEN=ZXhhXzFhMmIzYzRkNWU2Zjpza183ZzhoOWkwajFrMmwzbTRuNW82cA==
```
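Loading the token at runtime, as an added example (not Sendexa's own code): it reads `SENDEXA_API_TOKEN` from the environment, checks locally that the value is intact Base64 of `API_KEY:API_SECRET` so a bad paste fails before any request is sent, and builds the health-check request without sending it. The helper names are assumptions, and the `exa_`/`sk_` prefixes of the sample credentials are not checked because the page does not say every key has them.

```python
import base64
import binascii
import os
import urllib.request

ENV_VAR = "SENDEXA_API_TOKEN"  # variable name used in the .env sample above
HEALTH_URL = "https://api.sendexa.co/v1/health"  # health endpoint from this page


class TokenError(ValueError):
    """The token is missing or is not Base64 of API_KEY:API_SECRET."""


def load_token(env=os.environ):
    """Read the dashboard token from the environment and sanity-check it."""
    raw = env.get(ENV_VAR)
    if not raw:
        raise TokenError(f"{ENV_VAR} is not set")
    token = raw.strip()  # drop a stray newline or space left by copy/paste
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        # Report the variable name only, never the value itself.
        raise TokenError(f"{ENV_VAR} is not valid Base64") from None
    key, sep, secret = decoded.partition(":")
    if not (key and sep and secret):
        raise TokenError(f"{ENV_VAR} does not decode to API_KEY:API_SECRET")
    return token


def redact(token):
    """Log-safe form. Base64 is an encoding, not encryption, so never log it whole."""
    return f"{token[:4]}... ({len(token)} chars)"


def build_health_request(token, url=HEALTH_URL):
    """Build, but do not send, the credential check. Plain HTTP is refused."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to attach credentials to a non-HTTPS URL")
    return urllib.request.Request(
        url, method="HEAD", headers={"Authorization": f"Basic {token}"}
    )
```

Pass the returned request to `urllib.request.urlopen` to perform the check, and use `redact()` wherever the token would otherwise reach a log line.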
When creating an API key in the dashboard, you choose which scopes (permissions) it has. Follow the principle of least privilege — only grant the scopes your application actually needs.
| Scope | Permission |
|---|---|
| sms:send | Send single and bulk SMS messages |
| sms:read | Check SMS delivery status |
| otp:send | Request and resend OTP codes |
| otp:verify | Verify OTP codes |
| whatsapp:send | Send WhatsApp messages |
| whatsapp:read | Read WhatsApp message status |
| whatsapp:templates | Manage message templates |
| webhooks:manage | Configure webhook endpoints |
| numbers:read | Look up and verify phone numbers |
| account:read | Read account and credit balance |
Use separate API keys for development, staging, and production. This isolates failures, limits blast radius on a key compromise, and lets you rotate keys independently.
Development
- Limited scopes only
- Low credit top-ups
- Shared with the team

Staging
- Mirrors production scopes
- Used in CI/CD pipelines
- Rotated on each deploy

Production
- Restricted access
- Stored in secrets manager
- Rotated every 90 days
Cause: Missing or malformed Authorization header
Fix: Ensure the header is exactly: Authorization: Basic <token>
Cause: Wrong API key, secret, or corrupted Base64 token
Fix: Re-copy the token from your dashboard — do not modify it
Cause: Key exists but lacks permission for this endpoint
Fix: Check the key's scopes in the dashboard and add the required scope
Cause: Account suspended due to policy violation or unpaid balance
Fix: Contact [email protected] to resolve the account status
Use the health endpoint to confirm your token is valid before making real API calls:
```
curl -I 'https://api.sendexa.co/v1/health' \
  -H 'Authorization: Basic YOUR_DASHBOARD_BASE64_TOKEN'
# HTTP/2 200 → credentials are valid
# HTTP/2 401 → check your token
```
Security Best Practices
- Never commit API tokens to version control — add .env to .gitignore
- Use a secrets manager (AWS Secrets Manager, HashiCorp Vault) in production
- Rotate API keys every 90 days or immediately after a suspected leak
- Create separate keys per service — revoke a single key without disrupting others
- Grant only the scopes each key actually needs
- Always use HTTPS — never send credentials over plain HTTP
- Monitor API usage in the dashboard and alert on unexpected spikes