For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Log inSign up
Support
  • Core
    • Overview
    • Authorization
    • Base URL
    • Data formats
    • Paging
    • Error codes
    • Permissions
  • Calling
  • Datasphere
  • Logs
  • Messaging
  • Phone Number Management
  • Platform
  • Resource Management
LogoLogoSignalWire Docs
Log inSign up
Support
On this page
  • Basic authentication
  • How it works
  • Example
  • Finding your credentials
  • API token scopes
  • cURL examples
  • Bearer authentication
  • How it works
  • Token types
  • Subscriber Access Token (SAT)
  • Guest Token
  • Token lifecycle
  • cURL example
  • Security best practices
Core

Authorization

|View as Markdown|Open in Claude|
Was this page helpful?
Edit this page
Previous

Base URL

Next
Built with

SignalWire REST APIs support two authentication methods: Basic Authentication and Bearer Authentication. Each endpoint specifies which method it accepts.

Basic authentication

Basic Authentication is the standard method for authenticating with SignalWire REST APIs, using your Project ID and API Token.

How it works

Include an Authorization header with each request:

Authorization: Basic <credentials>

To build the credentials string:

  1. Join your Project ID and API Token with a colon: ProjectID:APIToken
  2. Base64 encode the result

Example

Given the Project ID a1b2c3d4-e5f6-7890-abcd-ef1234567890 and API Token 4tjCGnmAeQ0hwFmFDhwfgww880X2lsnuR60VMyasGR3hFpSyvu:

$# In the format username:password
$a1b2c3d4-e5f6-7890-abcd-ef1234567890:4tjCGnmAeQ0hwFmFDhwfgww880X2lsnuR60VMyasGR3hFpSyvu
$
$# Base64 encoded:
$YTFiMmMzZDQtZTVmNi03ODkwLWFiY2QtZWYxMjM0NTY3ODkwOjR0akNHbm1BZVEwaHdGbUZEaHdmZ3d3ODgwWDJsc251UjYwVk15YXNHUjNoRnBTeXZ1
$
$# Full header:
$Authorization: Basic YTFiMmMzZDQtZTVmNi03ODkwLWFiY2QtZWYxMjM0NTY3ODkwOjR0akNHbm1BZVEwaHdGbUZEaHdmZ3d3ODgwWDJsc251UjYwVk15YXNHUjNoRnBTeXZ1

Finding your credentials

Your Project ID and API Tokens are available in the SignalWire Dashboard.

API credentials in the Dashboard.

API token scopes

Tokens can be scoped to limit API access. Select scopes when creating or editing a token in the Dashboard.

Getting a 401 Unauthorized? Check that your token has the required scope. Manage scopes in the SignalWire Dashboard.

cURL examples

cURL
$# With base64-encoded credentials
$curl https://{Your_Space_Name}.signalwire.com/api/laml/2010-04-01/Accounts/{YourProjectId}/Calls \
>     -H 'Authorization: Basic YTFiMmMzZDQtZTVmNi03ODkwLWFiY2QtZWYxMjM0NTY3ODkwOlBUOWE4YjdjNmQ1ZTRmM2EyYjFj'
$
$# Encoded inline using the Bash pipe operator
$curl https://{Your_Space_Name}.signalwire.com/api/laml/2010-04-01/Accounts/{YourProjectId}/Calls \
>    -H "Authorization: Basic $(echo -n "YourProjectId:YourApiToken" | base64)"
$
$# Encoded inline with cURL's -u flag
>curl https://{Your_Space_Name}.signalwire.com/api/laml/2010-04-01/Accounts/{YourProjectId}/Calls \
>    -u YourProjectId:YourApiToken

Bearer authentication

Bearer Authentication passes a token in the Authorization header. Use this for client-side calls where you can’t safely expose your API credentials.

How it works

Include the token in an Authorization header:

Authorization: Bearer <token>

Bearer tokens are short-lived and scoped to specific permissions, unlike API credentials which don’t expire.

Token types

Subscriber Access Token (SAT)

SATs authenticate end users in Fabric applications, letting client apps make API calls on behalf of a subscriber.

How to obtain: Call the Create Subscriber Token endpoint using Basic Auth.

$curl -X POST https://your-space.signalwire.com/api/fabric/subscribers/tokens \
>     -H 'Authorization: Basic <Base64(YourProjectID:YourAPIToken)>' \
>     -H 'Content-Type: application/json' \
>     -d '{
>       "reference": "user@example.com",
>       "expire_at": 1725513600
>     }'

Use case: Client apps connecting to Fabric services, such as listing resource addresses.

Guest Token

Guest Tokens grant limited, temporary access without full subscriber privileges. They’re created from an existing SAT and restricted to specific Fabric addresses.

How to obtain: Call the Create Guest Embed Token endpoint using a SAT.

$curl -X POST https://your-space.signalwire.com/api/fabric/guests/tokens \
>     -H 'Authorization: Bearer <subscriber_access_token>' \
>     -H 'Content-Type: application/json' \
>     -d '{
>       "allowed_addresses": ["c22d24f6-5a26-4f53-8008-b29530339efa"]
>     }'

Use case: Click-to-call widgets, guest access, or anywhere you need temporary access.

Token lifecycle

Bearer tokens expire. Once they do, requests return 401 Unauthorized and you’ll need a fresh token.

To keep a session alive without re-authenticating, call the Refresh Subscriber Token endpoint before expiration.

cURL example

cURL
$curl https://your-space.signalwire.com/api/fabric/addresses \
>     -H 'Authorization: Bearer <token>'

With a SAT token:

cURL
$curl https://your-space.signalwire.com/api/fabric/addresses \
>     -H 'Authorization: Bearer eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwiY2giOiJwdWMuc2lnbmFsd2lyZS5jb20iLCJ0eXAiOiJTQVQifQ...'

Security best practices

  1. Keep API credentials server-side. Use Bearer tokens for client applications.
  2. Set short token lifetimes to reduce risk if a token leaks.
  3. Scope tokens narrowly—only grant what’s needed.
  4. Always use HTTPS. Plain HTTP requests will fail.
  5. Rotate API tokens periodically from your Dashboard.