CTRLK

Shared components

Manage API keys

|

View as Markdown

Create scoped API keys to control access by application, entity, endpoint, and channel in CPaaS X. For a conceptual overview of why scoped keys matter and how scopes work, see Secure your CPaaS X setup. For general API key concepts and authentication methods, see API authentication. To manage existing keys (view, update, disable), use the API key management page or the Account Management API.


Prerequisites [#prerequisites]

To create scoped API keys, you need:

  • An active Infobip account with CPaaS X enabled.
  • Applications and entities already created if you want to scope a key to them. See Manage applications and entities.


Create a scoped API key [#create-a-scoped-api-key]


  1. In the Infobip web interface, go to Developer tools > API keys.
  2. Select Create API key.
  3. Enter a descriptive Name (for example, customer-a-sms-key).
  4. Optionally, set an Expiration date for automatic key rotation.
  5. Optionally, add Allowed IP addresses to restrict usage to specific IPs.
  6. Under API Scopes, select the required permissions:
    • General: message:send, inbound-message:read.
    • Channels: Select by channel (SMS, Email, WhatsApp, and more) and operation (send, read logs).
    • Platform: sending-strategy:manage, metrics:manage, and more.
  7. Optionally, under Applications and entities, select Add application and entity to link the key to a specific application/entity for CPaaS X isolation.
  8. Select Create.
IMPORTANT

Store the API key securely. It is only shown once during creation. If lost, create a new key.

Learn more

For a full list of available API scopes and how they control access to specific endpoints, see API scopes.



API key restriction [#api-key-restriction]

You can restrict API keys to specific applications or entities, ensuring that access is controlled at the application or entity level.

CPaaS X API key restriction diagram showing how different API keys map to specific entities

For example, if you attempt to use an entity-scoped key with a different entity, you receive an unauthorized access response. However, the primary API key can still be used in both requests as it has access to all public endpoints.

CPaaS X API key restriction example showing unauthorized access when using wrong entity key
Learn more

For best practices on credential storage, IP safelisting, and general API security, see Security recommendations.



Supported endpoints [#supported-endpoints]

Scoped API keys restrict access to specific API endpoints across three categories: Customer engagement (Conversations, People), Channels (SMS, Email, WhatsApp, Voice, and more), and Platform (Metrics, Sending strategy management).



Related pages

Secure your CPaaS X setup
Scope types, dimensions, and when to use each.

Applications and entities
Core concepts and organizational hierarchy.

Webhook subscriptions
Real-time delivery notifications per entity.