Authentication
Every request carries your API token as a Bearer token:
Authorization: Bearer YOUR_API_TOKENThat’s it — the same scheme for SMS, Voice, and VAS. Email uses scoped keys, which are the same idea with one addition (see below).
Get your token
Section titled “Get your token”In the dashboard, go to Settings → Security.
Using it
Section titled “Using it”curl https://api.9bits.net/ng/v1/sendsms \ -H "Authorization: Bearer $NINEBITS_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "from": "9bits", "to": ["2348020000000"], "content": "Hi" }'const headers = { Authorization: `Bearer ${process.env.NINEBITS_TOKEN}`, 'Content-Type': 'application/json',};headers = {"Authorization": f"Bearer {os.environ['NINEBITS_TOKEN']}"}req.Header.Set("Authorization", "Bearer "+os.Getenv("NINEBITS_TOKEN"))When it fails
Section titled “When it fails”A bad token returns 401:
{ "error": { "type": "authentication_error", "code": "unauthorized", "message": "invalid or missing API token" }}Common causes, in rough order of how often they bite people:
- The word
Beareris missing before the token. - A trailing newline or space got copied along with the token.
- The token was rotated in the dashboard and the old one is still in your env.
- The account is suspended — that returns
account_disabled, notunauthorized.
Email uses scoped keys
Section titled “Email uses scoped keys”The Email API uses keys prefixed 9bk_, sent the same way:
Authorization: Bearer 9bk_xxxThe difference is that email keys carry scopes, so you can hand out a key that can read stats but cannot send:
| Scope | Grants |
|---|---|
email:read | Read-only endpoints — messages, stats, contacts, domains. |
email:send | POST /messages. |
email:webhooks | Manage webhook endpoints. |
Mint and revoke them under Email → API Keys. Calling an endpoint without the
required scope returns insufficient_scope.
Give each integration the narrowest scope that lets it do its job. Your analytics
dashboard almost certainly does not need email:send.
Testing from the browser
Section titled “Testing from the browser”Every API reference page has a Try it console. Paste your token into the auth box and run real requests against your account.