If you'd prefer a video overview, check out our SignalWire in Seconds video on SignalWire credentials.
SignalWire has its own set of unique credentials that are used for authentication and authorization when using its APIs and SDKs. In this post, we'll discuss what SignalWire credentials are, where to find them, how to use them, and some best practices to keep them secure.
Once you create your SignalWire Space and log in, you have effectively authenticated yourself, and this is the only authentication step. You can add more users with different roles to your account so they can authenticate themselves, but with limited capabilities. Each user can either be a regular user or an administrator.
Users cannot access any space-wide settings or join any projects they have not been added to. They only have access to projects you select.
Administrators can manage payment methods and billing settings, manage users, see all projects, and create new projects within a space.
You can read our user Management guide if you'd like to learn more about managing users in your SignalWire space.
Once a user has logged in, they will only be able to see the projects they were given access to, and if they have access to a particular project, they can generate authorization tokens. At SignalWire we call them API Tokens because they can be used to interface with SignalWire's APIs and SDKs.
SignalWire Credentials Overview
SignalWire credentials include three pieces of information that you'll always need to have in hand when connecting to our APIs. They are:
Your Space URL
Your Project ID
Your API Token
The easiest way to find your credentials is to log into your Space and navigate to the API tab in the navigation menu.
On this page, should you already have a token, you will find your Project ID, Space URL, and your API Tokens. If you need to create your first API Token, simply click on the Create a Token button, and + New when you want to create more.
SignalWire will ask you which name and permissions you would like to give to the token in question.
In order to keep your account safe, give the token the least amount of privileges as possible by limiting the number of scopes selected. This way, if any of your tokens are compromised, the impact will be lessened. For example, if you are developing a Video API project, you may want to reduce the scope of your API token to just Video.
Depending on which SignalWire product you are using, the way you use your credentials will vary. For example, to make a request to SignalWire’s Message Logs API, you would need all three components of your credentials. For detailed instructions for each API and SDK, you can reference individual documentation:
Your SignalWire credentials should never be shared, otherwise, nothing stands between bad actors and your account. To ensure your credentials are kept safe, always make use of dedicated features to store environment variables.
When using your credentials in code, you can use .env, JSON, or YAML configuration files to store them. This way, you can reference your Project ID, Space URL and API Token from code indirectly, instead of having them hard-coded and exposing them in your version control system.
Even if you follow these recommendations, there is still a chance your API Tokens will be compromised at some point. Should this happen, you can cycle any API Token by deleting it and generating a new one. One thing you may notice about the API page is that you can see the last time an API Token was used. API Tokens should always be kept confidential, and if you notice a token has been used at an unusual time, or suspect that a token may be compromised, you can delete the Auth Token and create a new one.