Getting started

Authentication

Every request to the BlueReplies API needs an API key, passed as the x-api-key header. Keys are scoped to one customer and can be in either sandbox or production mode.

The header

curl https://api.bluereplies.com/v1/messages \
-H 'x-api-key: sk_sandbox_…'

We support a few SDK conventions too — see the SDKs page.

Key prefixes

The first segment of every API key tells you (and us) which mode it operates in. Sandbox and production share the same endpoint base URL — the prefix is the signal.

FieldTypeDescription
sk_sandbox_…stringSandbox key. Outbound sends limited to your activated phone + verified contacts. Free, auto-issued on signup activation.
e.g. sk_sandbox_a4f2k9bce7g3…
sk_live_…stringProduction key. Full access to your assigned line(s). Issued after we promote your account from sandbox.
e.g. sk_live_pq3z…

Security best practices

  • Never commit keys to source control. Use environment variables or a secret manager.
  • Never use keys in client-side code (browser JS, mobile apps). All API calls must originate from a server.
  • Use the smallest scope available — sandbox keys for dev, production keys only for live traffic.
  • Rotate immediately if a key leaks. Revoking a key takes effect in < 1s.
  • Restrict by IP on your production account (request via support).

If you suspect a leak

Go to Dashboard → API keys and click Revoke. The key stops working within 1 second. Generate a new one, deploy it, and audit your access logs for unexpected requests.

What happens with a bad key

Missing or invalid keys return 401 Unauthorized:

{
"error": {
"code": "INVALID_API_KEY",
"message": "API key is missing, revoked, or invalid."
}
}

If your account is suspended or pending, you'll see a 403 Forbidden with a more specific code instead.

Initializing the SDK

import { BlueReplies } from 'blueapi';
const client = new BlueReplies({
apiKey: process.env.BLUEREPLIES_KEY,
// Optional:
// timeout: 30_000,
// baseUrl: 'https://api.bluereplies.com/v1', // for self-hosted / staging
});