API Authentication

API Key Header

This is the most secure authorization type and the one with the most flexibility.

  • API keys can be generated by calling the dedicated API method.

  • They have a limited scope and cover only some API methods.

  • They can be revoked at any time. (This makes API keys ideal for separating the API access rights across multiple applications or use cases.)

  • If you lose your API key, it's easily retrievable. 

You can manage your API keys from the web interface or programmatically with the dedicated API.

API key Authorization header example:

Authorization: App 003026bbc133714df1834b8638bb496e-8f4b3d9a-e931-478d-a994-28a725159ab9

Security scheme type:


Header parameter name:



The Basic authorization type is used in situations where the API key is not available. For example, API methods for generating API keys should be authenticated with the Basic type.

In this case, the credentials included in the Authorization header should be a Base64-encoded username and password combination. The basic authentication header can be constructed in three steps:

  • The username and password are concatenated using the colon (:) as a separator: username:password.

  • The resulting string is encoded using the RFC2045-MIME variant of Base64.

  • The encoded string is added as credentials after the "Basic" type.


Username: "Aladdin"
Password: "openSesame"
Concatenated string: "Aladdin:openSesame"
Base64 encoded string: "QWxhZGRpbjpvcGVuU2VzYW1l"
Authorization header: "Basic QWxhZGRpbjpvcGVuU2VzYW1l"

Base64 is a standard encoding, and many programming languages and frameworks provide convenient methods for encoding strings.
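The three steps above as a runnable sketch, together with the reverse operation a receiver performs. This is an added example, not Infobip's code; the function names and the choice of UTF-8 for the credentials are assumptions.

```python
import base64
import binascii


def build_basic_header(username: str, password: str) -> str:
    """Build the Authorization header value following the three steps."""
    # The first colon separates the two fields, so a username containing one
    # could not be recovered by the receiver. Passwords may contain colons.
    if ":" in username:
        raise ValueError("username must not contain ':'")
    # Step 1: concatenate with a colon (UTF-8 is this example's assumption).
    raw = f"{username}:{password}".encode("utf-8")
    # Step 2: Base64-encode. b64encode never inserts line breaks, unlike
    # base64.encodebytes, which wraps its output and would break the header.
    token = base64.b64encode(raw).decode("ascii")
    # Step 3: add the encoded string after the "Basic" type.
    return f"Basic {token}"


def parse_basic_header(value: str) -> tuple[str, str]:
    """Reverse the construction; raise ValueError on malformed input.

    Base64 is an encoding, not encryption: the header alone is enough to
    recover the password, which this function demonstrates.
    """
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("credentials are not valid Base64/UTF-8") from exc
    # Split on the first colon only, so colons in the password survive.
    username, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("decoded credentials lack the ':' separator")
    return username, password


if __name__ == "__main__":
    header = build_basic_header("Aladdin", "openSesame")
    print(header)
    print(parse_basic_header(header))
```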

Security scheme type: HTTP
HTTP authorization scheme: basic

IBSSO Token Header

This authorization type is best for situations when you do not want to store Infobip credentials in your own app. Instead, your end users will input their Infobip credentials every time they access your application and the application will use those credentials to create a session.

From then on, the session token can be used to authenticate subsequent API requests. Note that the session will expire automatically after a predefined period of inactivity, and can also be manually terminated by making an appropriate API call.

Refer to the Create session article on our Infobip API Resource hub.

After obtaining the session token by calling the above-referenced API method, you can include it in the Authorization header like this:

Authorization: IBSSO 2f9b4d31-2d0d-49a8-85f0-9b862bdca394

Security scheme type: API Key
Header parameter name: Authorization

OAuth 2.0

Similarly to IBSSO Token authentication, you can use an OAuth 2.0 bearer token, with Infobip serving as both resource and authorization server.

To obtain the access token, use the client credentials grant from the auth/1/oauth2/token endpoint. It will provide you with your access token and its expiration period. You can use the token to authorize your API calls until it expires. Find out more about the process in the official OAuth 2.0 specification.

Include your access token in the Authorization HTTP request header like this:

Authorization: Bearer <access_token>