Skip to main content

Bearer token

Every request includes:
Store the secret as an environment variable on your server:
Never put Messages API keys in browser code, mobile apps, CI logs, or public git history. Treat them like production database passwords.

Mint a key

1

Open Messages API

Sign in and go to Messages API keys.
2

Create key

Name the key after the service that will hold it (Production worker, Staging).
3

Pick scopes

Defaults (send + read) cover most backends. Add webhooks only if that process registers endpoints.
4

Copy once

The full secret is shown a single time. If you lose it, rotate.

Scopes

Missing scope response:
HTTP 403.

What this key is for

AI model calls from your code will use this same key style later — still use the platform, not administer the platform.

Rotate and revoke

From the Messages API page:
  • Rotate — issues a new secret; update env vars, then drop the old value.
  • Revoke — immediate kill switch. Type the key name to confirm.

Rate limits

Authenticated callers share per-org buckets. See Errors & rate limits.