Authentication
All Sent API requests must be authenticated with two headers: a sender ID and an API key.
Required Headers
Every API request must include these authentication headers:
x-sender-id: YOUR_SENDER_ID
x-api-key: YOUR_API_KEY
Header Details
Header | Type | Description |
---|---|---|
x-sender-id | UUID | Your unique sender/customer identifier |
x-api-key | String | Your API key for authentication |
Authentication Flow
- Include Headers: Add both headers to every API request
- Validation: The system validates the sender ID and API key combination
- Customer Isolation: Data is automatically filtered by your customer ID
- Request Processing: Authenticated requests proceed to the endpoint
Example Request
curl -X GET https://api.sent.dm/v1/contacts \
  -H "x-sender-id: 550e8400-e29b-41d4-a716-446655440000" \
  -H "x-api-key: sample-api-key-abcdef123456..."
Authentication Errors
Common authentication error responses:
Missing Headers
{
  "status": 401,
  "title": "Unauthorized",
  "detail": "Header x-api-key not found"
}
Invalid Sender ID
{
  "status": 401,
  "title": "Unauthorized",
  "detail": "Invalid x-sender-id"
}
Invalid Credentials
{
  "status": 401,
  "title": "Unauthorized",
  "detail": "Invalid API credentials!"
}
Security Best Practices
API Key Management
- Store API keys securely in environment variables
- Never commit API keys to version control
- Rotate API keys regularly
- Use different keys for development and production
Request Security
- Always use HTTPS for API requests
- Implement request retry logic with exponential backoff
- Monitor for unusual API usage patterns
- Set up IP allowlisting if available
Example: Secure Implementation
- Good: Store credentials in environment variables
- Bad: Hardcode credentials directly in source code
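An added example (not Sent's own code) of the practices listed above: credentials are read from environment variables, non-HTTPS URLs are refused, and retries use exponential backoff. The variable names SENT_SENDER_ID and SENT_API_KEY and the set of retried status codes are assumptions; the endpoint is the one from the example request.

```python
import os
import random
import time
import urllib.error
import urllib.request
import uuid
from urllib.parse import urlsplit

RETRYABLE = {429, 500, 502, 503, 504}  # assumption: the page does not list retryable statuses


def load_credentials(env=os.environ):
    """Build the auth headers from the environment (variable names are hypothetical)."""
    api_key = env.get("SENT_API_KEY", "")
    if not api_key:
        raise RuntimeError("SENT_API_KEY is not set")
    try:
        # x-sender-id is documented as a UUID; reject anything else before sending
        sender_id = str(uuid.UUID(env.get("SENT_SENDER_ID", "")))
    except ValueError:
        raise RuntimeError("SENT_SENDER_ID is not a valid UUID") from None
    return {"x-sender-id": sender_id, "x-api-key": api_key}


def urlopen_send(url, headers):
    """Default transport: HTTP error statuses are returned as (status, body), not raised."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def get(url, headers, send=urlopen_send, retries=4, base_delay=0.5, sleep=time.sleep):
    """GET with exponential backoff; a 401 is returned immediately, never retried."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    for attempt in range(retries + 1):
        status, body = send(url, headers)
        if status not in RETRYABLE or attempt == retries:
            return status, body
        # full jitter: wait a random time of up to base_delay * 2^attempt seconds
        sleep(random.uniform(0, base_delay * 2 ** attempt))


if __name__ == "__main__":
    print(get("https://api.sent.dm/v1/contacts", load_credentials())[0])
```

The `send` and `sleep` parameters exist so the retry behaviour can be exercised without network access.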
CORS Policy
The API supports CORS with the following configuration:
- Allowed Origins: Any origin (*)
- Allowed Methods: All HTTP methods
- Allowed Headers: All headers
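This applies to all /v1/ endpoints. Because requests from any origin are accepted, keep x-api-key out of browser-side code, where it would be visible to every user, and call the API from your server instead.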