> ## Documentation Index
> Fetch the complete documentation index at: https://docs.wavix.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> How to authenticate your API requests using Bearer token authentication with Wavix API keys.

Wavix uses API keys for authentication. An API key is a unique identifier that you include in your API requests to verify your identity and authorize access. You authenticate your requests using the `Authorization` header with a Bearer token.

## Get your API key

1. [Sign in](https://app.wavix.com/) to your Wavix account.
2. Go to **Administration** → **API Keys**.
3. Click **Create new**.
4. Fill in the form:
   * **API key name** (required): Enter a descriptive name, for example: "Mobile App Production".
   * **Key type**: Choose **Unrestricted** for full access to all API resources, or **Restricted** to configure per-resource permissions.
   * **Restrict access to authorized IPs only** (optional): Toggle to limit the key to specific IP addresses.
5. Click **Create**.

After clicking **Create**, a confirmation screen displays your API key. Copy it now. Once you dismiss the screen, the key is masked in the table.

### Restricted keys and scopes

When you select the **Restricted** key type, you assign one of three permission levels to each resource:

| Permission | Description                                                                       |
| ---------- | --------------------------------------------------------------------------------- |
| No access  | Requests using this key cannot interact with this resource.                       |
| Read       | Read-only access. The key can retrieve data but cannot create, update, or delete. |
| Write      | Full access. The key can read, create, update, and delete.                        |

The following resources are available:

| Resource    | API field     | Controls                                                        |
| ----------- | ------------- | --------------------------------------------------------------- |
| Numbers     | `numbers`     | Phone number inventory, settings, and purchasing                |
| Trunks      | `trunks`      | SIP trunk configuration and management                          |
| Calls       | `calls`       | Call records, active calls, transcriptions, and call control    |
| Messages    | `messages`    | Sending and receiving messages, Sender IDs, and opt-outs        |
| Recordings  | `recordings`  | Listing, downloading, and deleting call recordings              |
| Campaigns   | `campaigns`   | Bulk voice/SMS campaigns, Brands, short links, and analytics    |
| 2FA         | `two_fa`      | Two-factor authentication services, OTPs, and verification logs |
| Validator   | `validator`   | Single and bulk phone number validation and HLR lookups         |
| Webhooks    | `webhooks`    | Webhook endpoint configuration                                  |
| Embeddable  | `embeddable`  | Widget tokens and embeddable component configurations           |
| Billing     | `billing`     | Invoices, balance, payment methods, and usage reports           |
| Account     | `account`     | Account profile and settings                                    |
| Subaccounts | `subaccounts` | Subaccount management and suspension                            |

### IP address restriction

Enabling **Restrict access to authorized IPs only** adds an extra layer of security. Even if your API key is compromised, it can only be used from your authorized servers. This is useful for backend services on fixed IPs, production environments, and compliance requirements.

<Tip>
  IP address restriction and key type are independent — you can combine a Restricted key with IP allowlisting for the strongest security posture.
</Tip>

<Tip>
  Store your API key securely. Don't share it publicly or commit it to version control. If your API key is compromised, revoke it immediately and generate a new one.
</Tip>

## Authenticate your requests

Include your API key in the `Authorization` header using Bearer token format:

```bash theme={null}
Authorization: Bearer <your_api_key>
```

Replace `<your_api_key>` with your actual API key.

### Code examples

Here are examples showing how to authenticate requests:

<CodeGroup>
  ```bash cURL theme={null}
  curl -X GET "https://api.wavix.com/v3/messages?type=outbound" \
    -H "Authorization: Bearer your_api_key"
  ```

  ```http HTTP theme={null}
  GET https://api.wavix.com/v3/messages?type=outbound
  Authorization: Bearer your_api_key
  ```

  ```javascript JavaScript theme={null}
  const axios = require('axios');

  const response = await axios.get('https://api.wavix.com/v3/messages', {
    params: {
      type: 'outbound'
    },
    headers: {
      'Authorization': 'Bearer your_api_key'
    }
  });

  console.log(response.data);
  ```

  ```python Python theme={null}
  import requests

  headers = {
      'Authorization': 'Bearer your_api_key'
  }

  params = {
      'type': 'outbound'
  }

  response = requests.get('https://api.wavix.com/v3/messages', headers=headers, params=params)
  print(response.json())
  ```
</CodeGroup>

<Tip>
  Keep your API key confidential. Don't share it or expose it in public repositories, client-side code, or unsecured environments.
</Tip>

## Manage API keys programmatically

You can create, list, and manage API keys using the API endpoints. For details, see the [API Keys endpoint reference](/api-reference/authentication).

## Deprecated method

<Warning>
  Query parameter authentication using the `appid` parameter is deprecated and will be removed in a future version. Use Bearer token authentication instead.
</Warning>

Previously, you could authenticate requests by including your API key as the `appid` query parameter:

```http theme={null}
GET https://api.wavix.com/v3/messages?appid=your_api_key
```

This method is still supported for backward compatibility, but we recommend migrating to Bearer token authentication as soon as possible.
