Dual-Key Authentication

API Authentication

SMSLY uses a dual-key system for enhanced security. Both keys are required for all API requests.

Two Keys Required

API Key

Permanent

Primary authentication key that identifies your account.

Authenticates all API requests

Tied to your account permanently

Cannot be rotated - contact support if compromised

X-Smsly-Key-Id: sk_live_xxx

SDK Key

Rotatable

Secondary validation key for SDK integrity verification.

Validates SDK requests

Can be rotated anytime from console

Rotate if suspected of compromise

X-SMSLY-SDK-KEY: sdk_live_xxx

Getting Your Key Pair

1
Go to Console Settings
Navigate to Console → Settings → API Keys
2
Generate New Key Pair
Click "Generate New Key Pair" to create both API + SDK keys together
3
Copy Both Keys
Setup keys expire in 24 hours. They activate on first API call.
4
Use Environment Variables
Store as SMSLY_API_KEY and SMSLY_SDK_KEY

Go to Console Settings

One-Time Activation

How It Works

1You receive setup_api_xxx + setup_sdk_xxx keys
2On first API call, both keys are automatically activated
3Setup keys become permanently invalid after activation
4You receive live keys: sk_live_xxx + sdk_live_xxx

Security benefit: Even if setup keys are intercepted, they're useless after first use.

Using Your Keys

Authentication Example

# Dual-key authentication
curl -X POST https://api.smsly.cloud/v1/sms/otp \
  -H "X-Smsly-Key-Id: sk_live_abc123xxx" \
  -H "X-SMSLY-SDK-KEY: sdk_live_xyz789xxx" \
  -H "Content-Type: application/json" \
  -d '{"to": "+1234567890", "code": "123456"}'

Security Best Practices

•Never expose keys in client-side code - use server-side only
•Use environment variables - never hardcode keys
•Rotate SDK key immediately if you suspect it's compromised
•API Key compromised? Contact support for a new account