Authentication

All EnableX APIs use HTTP Basic Authentication. Every request to any EnableX API — Video, Voice, SMS, WhatsApp, RCS, or TTS — uses the same credentials and the same pattern.

Your App ID is the username. Your App Key is the password.

How it works

Include an Authorization header with the value Basic <base64(APP_ID:APP_KEY)> in every request.

http
Authorization: Basic base64("APP_ID:APP_KEY")

Most HTTP clients (cURL, axios, requests) handle the base64 encoding automatically when you pass credentials as username:password. You rarely need to encode it yourself.

example header
Authorization: Basic YTFiMmMzZDQ6eDl5OHo3dzY=

Code examples

curl -X GET https://api.enablex.io/video/v2/rooms \
  -u $ENX_APP_ID:$ENX_APP_KEY \
  -H "Content-Type: application/json"

# The -u APP_ID:APP_KEY flag instructs cURL to send Basic auth.
# Use environment variables — never paste credentials into terminal commands.
const axios = require('axios');

const client = axios.create({
  baseURL: 'https://api.enablex.io/video/v2',
  auth: {
    username: process.env.ENX_APP_ID,
    password: process.env.ENX_APP_KEY
  },
  headers: { 'Content-Type': 'application/json' }
});

async function listRooms() {
  try {
    const { data } = await client.get('/rooms');
    console.log('Rooms:', data);
  } catch (err) {
    console.error('Request failed:', err.response?.data || err.message);
  }
}

listRooms();
import os
import requests

APP_ID  = os.environ.get('ENX_APP_ID')
APP_KEY = os.environ.get('ENX_APP_KEY')
BASE_URL = 'https://api.enablex.io/video/v2'

def list_rooms():
    response = requests.get(
        f'{BASE_URL}/rooms',
        auth=(APP_ID, APP_KEY),
        headers={'Content-Type': 'application/json'}
    )
    if response.status_code == 200:
        return response.json()
    else:
        raise Exception(f'API error {response.status_code}: {response.text}')

rooms = list_rooms()
print(rooms)
<?php
$appId  = getenv('ENX_APP_ID');
$appKey = getenv('ENX_APP_KEY');
$baseUrl = 'https://api.enablex.io/video/v2';

$ch = curl_init("{$baseUrl}/rooms");
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_USERPWD        => "{$appId}:{$appKey}",
    CURLOPT_HTTPHEADER     => ['Content-Type: application/json'],
]);

$response = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($httpCode === 200) {
    $data = json_decode($response, true);
    print_r($data);
} else {
    echo "API error {$httpCode}: {$response}";
}

API base URLs

Each EnableX product has its own base URL. Your credentials work across all of them.

⚠️
[VERIFY] Confirm all base URLs with the ENX engineering team before publishing.
ProductBase URL
Videohttps://api.enablex.io/video/v2/
Voicehttps://api.enablex.io/voice/v1/
SMShttps://api.enablex.io/sms/v1/
WhatsApphttps://api.enablex.io/whatsapp/v1/
RCShttps://api.enablex.io/rcs/v1/
Unified Messaginghttps://api.enablex.io/uni-msg/v1/
Text to Speechhttps://api.enablex.io/tts/v1/
Adminhttps://api.enablex.io/admin/v1/

Authentication errors

HTTP StatusErrorCauseResolution
401Invalid credentialsApp ID or App Key is incorrect or the key has been resetRetrieve current credentials from portal.enablex.io
401Missing Authorization headerRequest was sent without an Authorization headerAdd Authorization: Basic <base64> to your request
403Service not enabledYour project does not have the requested service activeEnable the service in your project settings in the portal
403Trial restrictionYour trial account does not have access to this endpointUpgrade your account or use a permitted endpoint

Security best practices

Use environment variables

Never hardcode App ID or App Key in source code.

// Good — reads from environment at runtime
const client = axios.create({
  auth: {
    username: process.env.ENX_APP_ID,
    password: process.env.ENX_APP_KEY
  }
});
// Bad — hardcoded credentials in source code
const client = axios.create({
  auth: {
    username: 'a1b2c3d4e5f6...',   // ❌ Never do this
    password: 'x9y8z7w6v5u4...'    // ❌ Never do this
  }
});

Never use credentials on the client side

API calls that include your App Key must be made from your server. A client-side request exposes your key to anyone who inspects network traffic.

Rotate your App Key if it is compromised

Use the RESET APP KEY button in the portal under Project Credentials. This immediately invalidates the old key — update your application server environment variables immediately after.

Use one project per environment

Keep separate projects for development, staging, and production, each with its own App ID and App Key. This limits the blast radius if a key is exposed.

Do not log credentials

Ensure your logging configuration excludes the Authorization header. Most logging libraries have a built-in header allowlist — use it.

What's next

Frequently Asked Questions

How does EnableX API authentication work?

EnableX REST API calls use HTTP Basic Authentication. Your App ID is the username and your App Key is the password. Encode them as Base64(AppID:AppKey) and send the result in the Authorization header on every request. For Video SDK sessions, a short-lived JWT room token is generated server-side and passed to the client.

Where do I find my App ID and App Key?

Your App ID and App Key are displayed in the EnableX Portal under your project settings. You can also regenerate the App Key from the same page. Note that regenerating immediately invalidates the previous key and any integration using the old key will fail until updated.

Should I use separate credentials for development and production?

Yes. Best practice is to create separate projects in the Portal for development, staging, and production environments. Each project gets its own App ID and App Key, which isolates call logs, usage metrics, and billing between environments.

What should I do if my App Key is compromised?

Reset the App Key immediately from the EnableX Portal. The old key is invalidated instantly. Update your server-side configuration with the new key and check application logs to identify any calls made with the compromised credential.

Are Video room tokens the same as API credentials?

No. Video room tokens are short-lived JWTs generated by your server using your App ID and App Key for a specific room and user role. They expire after the session ends or a configurable time limit. The token is what you share with the client SDK, never the raw App Key.