Authorization header.
Get your API key
Sign in
Sign in to your Reply.io dashboard.
Authenticate a request
Include your API key as a Bearer token in the Authorization header.
Verify your setup
Call /v3/whoami to verify that your API key works. A successful response returns information about the authenticated user:
Unauthorized response
If the Authorization header is missing, invalid, or contains a revoked API key, the API returns 401 Unauthorized with an empty response body.
The response includes a WWW-Authenticate header:
Special API keys
In addition to user API keys, Reply supports two centralized authentication methods:
- Master API keys for a single workspace
- Organization API keys for all workspaces in an organization
Master API key — team level
A Master API key provides workspace-wide access. Unlike a user API key, which always acts as a single user, a Master API key can make requests as any user in the workspace. Common use cases include:
- Team-wide automation
- Cross-user reporting
- Bulk operations
Availability
- Available only within the workspace where it was created
- One Master API key per workspace
- Generated manually by the workspace owner
Permissions and access control
- Only the workspace owner can generate and view the Master API key.
- The key must be created manually.
- A Master API key is unique to its workspace.
Acting on behalf of a user
Use one of the following headers:
- X-User-Id
- X-User-Email
You only need one header.
Behavior and permission model
Master API keys use the same permission model as user API keys.
| Request | Behavior |
|---|---|
| Master key only | Acts as the workspace owner |
| Master key + X-User-Id | Acts as the specified user (by ID) |
| Master key + X-User-Email | Acts as the specified user (by email) |
Important notes
- If an impersonation header is provided, the request runs with that user’s permissions.
- If no impersonation header is provided, the request runs with the workspace owner’s permissions.
- A Master API key does not grant permissions beyond those of the resolved user.
Organization API key — organization level (beta)
An Organization API key provides centralized access across every workspace in an organization. Unlike a Master API key, which is limited to a single workspace, an Organization API key can act on behalf of users across all workspaces owned by the organization.
Availability
- Organization-scoped
- Works across all workspaces in the organization
- Multiple keys can be created
- Keys can be named, revoked, and rotated independently
Permissions and access control
By default, Organization Owners can create, view, and revoke organization API keys. Other organization roles can be granted permission to manage organization API keys. Keys are managed in: Org Settings → Organization API Keys
Acting on behalf of a user
Organization API keys always require impersonation. Use one of the following:
- X-USER-ID
- X-User-Email together with X-TEAM-ID
If X-User-Email is provided without X-TEAM-ID, the request is rejected.
Example:
Behavior and permission model
| Request | Behavior |
|---|---|
| Organization key + X-USER-ID | Acts as the user with that ID |
| Organization key + X-User-Email + X-TEAM-ID | Acts as the user with that email in the given workspace |
| Organization key without impersonation | Request is rejected |
| User belongs to a different organization | Request is rejected |
Important notes
- Every request runs with the permissions of the resolved user.
- The resolved user must belong to the same organization that issued the key.
- An Organization API key does not grant permissions beyond those of the resolved user.
Keep your API key safe
- Never commit API keys to source control.
- Never share API keys in public chats or screenshots.
- Rotate your API key from Settings → API Key if you think it has been exposed.
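The impersonation rules for Master and Organization API keys above, written as a client-side pre-flight check that builds the request headers and reports which user the request will act as. This is an added example, not Reply's own code: the function names, the key_type labels and the REPLY_API_KEY variable name are assumptions, and refusing a request that carries both impersonation headers is this helper's choice, not documented API behavior.

```python
import os

# Header names as written on this page (HTTP field names are case-insensitive).
H_USER_ID, H_USER_EMAIL, H_TEAM_ID = "X-User-Id", "X-User-Email", "X-TEAM-ID"


def build_headers(api_key, key_type, user_id=None, user_email=None, team_id=None):
    """Return (headers, acting_as), or raise ValueError for a request the
    page says is rejected. key_type is 'user', 'master' or 'organization'
    (labels chosen for this example)."""
    if not api_key:
        raise ValueError("API key is empty; the API would answer 401 Unauthorized")
    if key_type not in ("user", "master", "organization"):
        raise ValueError(f"unknown key type: {key_type!r}")
    if user_id is not None and user_email is not None:
        raise ValueError("ambiguous target: send one impersonation header")  # helper's choice
    headers = {"Authorization": f"Bearer {api_key}"}
    if key_type == "user":
        # A user key always acts as its own user; refuse impersonation
        # arguments instead of silently dropping them (helper's choice).
        if user_id is not None or user_email is not None or team_id is not None:
            raise ValueError("user API keys cannot impersonate")
        return headers, "key owner"
    if user_id is not None:
        headers[H_USER_ID] = str(user_id)
        return headers, f"user id {user_id}"
    if user_email is not None:
        if key_type == "organization":
            if team_id is None:
                raise ValueError("X-User-Email requires X-TEAM-ID with an organization key")
            headers[H_TEAM_ID] = str(team_id)
        headers[H_USER_EMAIL] = user_email
        return headers, f"user {user_email}"
    if key_type == "organization":
        raise ValueError("organization keys always require impersonation")
    return headers, "workspace owner"  # master key with no impersonation header


def key_from_env(var="REPLY_API_KEY"):
    """Read the key from the environment (variable name is an assumption)
    so it never has to appear in source control."""
    key = os.environ.get(var, "").strip()
    if not key:
        raise ValueError(f"{var} is not set")
    return key
```

Logging the returned acting_as value next to each call gives an audit trail of which user a shared key was used to act as.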