Skip to content

Authentication

Every request carries your API token as a Bearer token:

Authorization: Bearer YOUR_API_TOKEN

That’s it — the same scheme for SMS, Voice, and VAS. Email uses scoped keys, which are the same idea with one addition (see below).

In the dashboard, go to Settings → Security.

Terminal window
curl https://api.9bits.net/ng/v1/sendsms \
-H "Authorization: Bearer $NINEBITS_TOKEN" \
-H "Content-Type: application/json" \
-d '{ "from": "9bits", "to": ["2348020000000"], "content": "Hi" }'

A bad token returns 401:

{
"error": {
"type": "authentication_error",
"code": "unauthorized",
"message": "invalid or missing API token"
}
}

Common causes, in rough order of how often they bite people:

  • The word Bearer is missing before the token.
  • A trailing newline or space got copied along with the token.
  • The token was rotated in the dashboard and the old one is still in your env.
  • The account is suspended — that returns account_disabled, not unauthorized.

The Email API uses keys prefixed 9bk_, sent the same way:

Authorization: Bearer 9bk_xxx

The difference is that email keys carry scopes, so you can hand out a key that can read stats but cannot send:

ScopeGrants
email:readRead-only endpoints — messages, stats, contacts, domains.
email:sendPOST /messages.
email:webhooksManage webhook endpoints.

Mint and revoke them under Email → API Keys. Calling an endpoint without the required scope returns insufficient_scope.

Give each integration the narrowest scope that lets it do its job. Your analytics dashboard almost certainly does not need email:send.

Every API reference page has a Try it console. Paste your token into the auth box and run real requests against your account.