The API uses JSON Web Tokens (JWT) to authenticate and authorize each request. Because a token is self-contained, it adds little overhead and can be used across different domains.
Each developer is assigned a pair of JWT tokens whose payload also records the plan the developer is subscribed to. This means that if you switch plans at some stage, the tokens will change.
You can see your developer token (dev key) and the client token (client key) on the Settings page for the bot:
The developer token is used by the bot developer to make API calls related to the bot or to make changes to the bot itself. This key should not be made public, nor should it be embedded into websites or shared with third parties.
The client token has greatly reduced access rights over the bot. If you want to hand out read-only chat access to your bot or embed a chat script into a website, this is the key that should be used.
The token is passed to the API through the Authorization header, using the Bearer scheme:

```
Authorization: Bearer <token>
```

Sample:

```
curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsImNhbGciOiJERUYifQ.eNqqVgry93FVgJT8W5Brq5KOkrFpUlAEQtLYwY0NDXQMzSzNdExNLY12LZAszXQNjC8ukZBPz1CQTU6VaAAAAAP__.5h2Snhxo6n1kkS-9wNhfYlIfKJ8tQj6TlKpkboyGaDU" ...
```
| Status | Error | Description |
|---|---|---|
| 401 | Unauthorized | Missing or invalid authorization header. |
| 401 | Forbidden | Access to the resource has been forbidden, or the JWT token may contain an invalid payload. |
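As an added example (not code from this page or from the API itself), here is the server-side check a Bearer-authenticated endpoint performs, in Python: parse the header, verify the HS256 signature before reading anything from the payload, then enforce that a client token cannot perform a dev-only action. The signing secret, the token contents and the claim names `kind` and `plan` are constructed for the example; treating a `"calg":"DEF"` header as a DEFLATE-compressed payload is an assumption drawn from the sample token's header above.

```python
import base64, hashlib, hmac, json, zlib

SECRET = b"constructed-example-signing-key"  # constructed; the real key never leaves the server
UNAUTH = ("Unauthorized", "Missing or invalid authorization header.")
BAD_PAYLOAD = ("Forbidden", "JWT token contains an invalid payload.")

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims, compress=True):
    """Constructed issuer; compress=True deflates the payload and marks it "calg":"DEF"."""
    header = {"alg": "HS256", "typ": "JWT", **({"calg": "DEF"} if compress else {})}
    body = json.dumps(claims, separators=(",", ":")).encode()
    body = zlib.compress(body) if compress else body
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    signing_input = f"{head}.{b64url_encode(body)}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def authorize(authorization_header, required_kind):
    """Check 'Authorization: Bearer <token>'. Header/signature faults map to the table's
    Unauthorized row, payload/permission faults to Forbidden; success is ("OK", claims)."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return UNAUTH
    try:
        head_b64, body_b64, sig_b64 = authorization_header[7:].strip().split(".")
        header = json.loads(b64url_decode(head_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return UNAUTH
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # pin the algorithm
        return UNAUTH
    expected = hmac.new(SECRET, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return UNAUTH
    try:  # the payload is trusted only after the signature check
        raw = b64url_decode(body_b64)
        if header.get("calg") == "DEF":  # decompressobj also accepts a sync-flushed
            raw = zlib.decompressobj().decompress(raw)  # stream with no Adler-32 trailer
        claims = json.loads(raw)
        if not isinstance(claims, dict):
            raise ValueError("claims must be a JSON object")
    except (ValueError, zlib.error):
        return BAD_PAYLOAD
    if required_kind == "dev" and claims.get("kind") != "dev":
        return "Forbidden", "Access to the resource has been forbidden."
    return "OK", claims
```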