Authentication
All EnableX APIs use HTTP Basic Authentication. Every request to any EnableX API — Video, Voice, SMS, WhatsApp, RCS, or TTS — uses the same credentials and the same pattern.
Your App ID is the username. Your App Key is the password.
How it works
Include an Authorization header with the value Basic <base64(APP_ID:APP_KEY)> in every request.
Authorization: Basic base64("APP_ID:APP_KEY")
Most HTTP clients (cURL, axios, requests) handle the base64 encoding automatically when you pass credentials as username:password. You rarely need to encode it yourself.
Authorization: Basic YTFiMmMzZDQ6eDl5OHo3dzY=
Code examples
curl -X GET https://api.enablex.io/video/v2/rooms \
-u $ENX_APP_ID:$ENX_APP_KEY \
-H "Content-Type: application/json"
# The -u APP_ID:APP_KEY flag instructs cURL to send Basic auth.
# Use environment variables — never paste credentials into terminal commands.const axios = require('axios');
const client = axios.create({
baseURL: 'https://api.enablex.io/video/v2',
auth: {
username: process.env.ENX_APP_ID,
password: process.env.ENX_APP_KEY
},
headers: { 'Content-Type': 'application/json' }
});
async function listRooms() {
try {
const { data } = await client.get('/rooms');
console.log('Rooms:', data);
} catch (err) {
console.error('Request failed:', err.response?.data || err.message);
}
}
listRooms();import os
import requests
APP_ID = os.environ.get('ENX_APP_ID')
APP_KEY = os.environ.get('ENX_APP_KEY')
BASE_URL = 'https://api.enablex.io/video/v2'
def list_rooms():
response = requests.get(
f'{BASE_URL}/rooms',
auth=(APP_ID, APP_KEY),
headers={'Content-Type': 'application/json'}
)
if response.status_code == 200:
return response.json()
else:
raise Exception(f'API error {response.status_code}: {response.text}')
rooms = list_rooms()
print(rooms)<?php
$appId = getenv('ENX_APP_ID');
$appKey = getenv('ENX_APP_KEY');
$baseUrl = 'https://api.enablex.io/video/v2';
$ch = curl_init("{$baseUrl}/rooms");
curl_setopt_array($ch, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_USERPWD => "{$appId}:{$appKey}",
CURLOPT_HTTPHEADER => ['Content-Type: application/json'],
]);
$response = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($httpCode === 200) {
$data = json_decode($response, true);
print_r($data);
} else {
echo "API error {$httpCode}: {$response}";
}API base URLs
Each EnableX product has its own base URL. Your credentials work across all of them.
| Product | Base URL |
|---|---|
| Video | https://api.enablex.io/video/v2/ |
| Voice | https://api.enablex.io/voice/v1/ |
| SMS | https://api.enablex.io/sms/v1/ |
https://api.enablex.io/whatsapp/v1/ | |
| RCS | https://api.enablex.io/rcs/v1/ |
| Unified Messaging | https://api.enablex.io/uni-msg/v1/ |
| Text to Speech | https://api.enablex.io/tts/v1/ |
| Admin | https://api.enablex.io/admin/v1/ |
Authentication errors
| HTTP Status | Error | Cause | Resolution |
|---|---|---|---|
401 | Invalid credentials | App ID or App Key is incorrect or the key has been reset | Retrieve current credentials from portal.enablex.io |
401 | Missing Authorization header | Request was sent without an Authorization header | Add Authorization: Basic <base64> to your request |
403 | Service not enabled | Your project does not have the requested service active | Enable the service in your project settings in the portal |
403 | Trial restriction | Your trial account does not have access to this endpoint | Upgrade your account or use a permitted endpoint |
Security best practices
Use environment variables
Never hardcode App ID or App Key in source code.
// Good — reads from environment at runtime
const client = axios.create({
auth: {
username: process.env.ENX_APP_ID,
password: process.env.ENX_APP_KEY
}
});// Bad — hardcoded credentials in source code
const client = axios.create({
auth: {
username: 'a1b2c3d4e5f6...', // ❌ Never do this
password: 'x9y8z7w6v5u4...' // ❌ Never do this
}
});Never use credentials on the client side
API calls that include your App Key must be made from your server. A client-side request exposes your key to anyone who inspects network traffic.
Rotate your App Key if it is compromised
Use the RESET APP KEY button in the portal under Project Credentials. This immediately invalidates the old key — update your application server environment variables immediately after.
Use one project per environment
Keep separate projects for development, staging, and production, each with its own App ID and App Key. This limits the blast radius if a key is exposed.
Do not log credentials
Ensure your logging configuration excludes the Authorization header. Most logging libraries have a built-in header allowlist — use it.
What's next
Frequently Asked Questions
How does EnableX API authentication work?
EnableX REST API calls use HTTP Basic Authentication. Your App ID is the username and your App Key is the password. Encode them as Base64(AppID:AppKey) and send the result in the Authorization header on every request. For Video SDK sessions, a short-lived JWT room token is generated server-side and passed to the client.
Where do I find my App ID and App Key?
Your App ID and App Key are displayed in the EnableX Portal under your project settings. You can also regenerate the App Key from the same page. Note that regenerating immediately invalidates the previous key and any integration using the old key will fail until updated.
Should I use separate credentials for development and production?
Yes. Best practice is to create separate projects in the Portal for development, staging, and production environments. Each project gets its own App ID and App Key, which isolates call logs, usage metrics, and billing between environments.
What should I do if my App Key is compromised?
Reset the App Key immediately from the EnableX Portal. The old key is invalidated instantly. Update your server-side configuration with the new key and check application logs to identify any calls made with the compromised credential.
Are Video room tokens the same as API credentials?
No. Video room tokens are short-lived JWTs generated by your server using your App ID and App Key for a specific room and user role. They expire after the session ends or a configurable time limit. The token is what you share with the client SDK, never the raw App Key.