System guide
API keys
From Integration Settings → API keys, issue scoped credentials to integrate our API. If you are working on an API integration, refer to our API documentation.
Key list
Each row is one API key. The list shows the key's name, its prefix (the first part of the key, such as sflo_live_… — for security, the full key is never shown again after creation), the scopes it grants, its status (ACTIVE or REVOKED), and Last used (the most recent time the key made a call). A key that also requires a signature carries an HMAC badge next to its scopes.
Creating a key
Click Create API key at the top right to open the dialog. The following information is required to create a key:
Name and scopes
- Key name — a label to recognize the key later, up to 64 characters (for example
CRM Sync). Required. - Scopes — the permissions this key grants. Select at least one;
messages:sendis selected by default. If you clear every scope, the form shows Select at least one scope. and the submit button is disabled.
The available scopes:
| Scope | Grants |
|---|---|
messages:send | Send messages |
templates:read | Read templates |
templates:write | Create and edit templates |
contacts:read | Read contacts |
contacts:write | Create, edit and delete contacts |
blacklist:read | Read the blacklist |
blacklist:write | Create, edit and delete blacklist entries |
library_assets:read | Read media library assets |
library_assets:write | Upload media library assets |
Requiring an HMAC signature
Under Security you can turn on Require HMAC signature on every request. When enabled, a separate signing secret is generated alongside the key, and every API call must carry an X-SigFollow-Signature and an X-SigFollow-Timestamp header computed from that secret; requests without a valid signature are rejected.
Advanced settings
The Advanced settings section provides additional security configuration. All fields are optional — leaving one empty means it has no effect.
- Rate limit (req/s) — an integer from 1 to 1000 capping how many requests per second this key may make. Leave empty to use the platform default of 80 per second.
- Expiry — set an expiry time for the key; it cannot be used after this date. Leave empty for a key that never expires.
- IP allowlist — one entry per line; supports a single IPv4 address, an IPv4 CIDR range (such as
10.0.0.0/8), or an exact IPv6 address. A request from any other address is rejected. Empty means no IP restriction. - Phone number allowlist — restrict which of your registered phone numbers this key may send from. This only affects
messages:send; empty means the whole organization. If no numbers are registered yet, the section shows No phone numbers registered for this organization.
Fill in what you need and click Create. If a value is invalid the dialog explains why — for example Rate limit must be an integer between 1 and 1000 or Expiry must be in the future. Fix the errors and the key can then be created.
Saving the secret
After the key is created, the full plaintext key is displayed. If you turned on HMAC signing, the HMAC signing secret is shown below it.
Once you have saved everything, click Done to close the dialog. The new key appears at the top of the list with an ACTIVE status, showing only its prefix from now on.
Revoking a key
When a key is no longer needed — a system is decommissioned, or you suspect the secret has leaked — revoke it. Click Revoke on the key's row, then confirm in the dialog with Revoke key (or Cancel to back out).
401 Unauthorizedresponses, and the action cannot be undone. A revoked key can never be reactivated — if you need access again, create a new key. After revocation the row's status becomes Using an API key
With a key in hand, your system authenticates by sending it as a bearer token in the Authorizationheader. Each request is checked against the key's status, its scopes, and any HMAC, IP, phone number or rate-limit restrictions you set. The full request format, endpoints and signing details are described in the API reference documentation.