Authentication
Authenticate every request with an API key in the Authorization header:
Authorization: Bearer ru_live_<id>.<secret>
Create and manage keys in the dashboard under Settings → Developer / API.
Keys & secrets
- The full key (
ru_live_<id>.<secret>) is shown once at creation. Store it securely — you can't retrieve the secret again, only rotate or revoke it. - Each key has a set of scopes that gate which endpoints it can call.
- Keys can optionally be restricted to an IP allowlist (plain IPs or CIDR).
Modes
ru_live_…— live keys, act on real channels.ru_test_…— test keys.
Scopes
Grant a key only the scopes it needs:
| Scope | Allows |
|---|---|
messages:read | read messages |
messages:write | send messages |
conversations:read | read conversations |
conversations:write | assign / change status / tag |
customers:read | read contacts |
customers:write | create / update / merge contacts |
channels:read | read channels |
webhooks:read / webhooks:manage | read / manage webhooks |
A request missing the required scope returns 403 with required_scope.
Rate limits
Requests are throttled per API key (~60 req/s). Exceeding the limit returns
429 Too Many Requests with a Retry-After header.
Errors
{ "error": "Insufficient scope", "required_scope": "messages:write" }
| Status | Meaning |
|---|---|
401 | Missing, malformed, revoked, or expired key |
403 | Missing scope, or client IP not allowlisted |
429 | Rate limited |