Authentication
Galatext uses two authentication methods depending on the API endpoint.
API Key Authentication
All messaging API endpoints require API key authentication. Your API key must be included in every request via the x-api-key HTTP header.
bash
curl -X POST https://api.galatext.com/api/sms/send \
-H "Content-Type: application/json" \
-H "x-api-key: gal_abc123_def456_xyz789"Getting Your API Key
- Log in to the Galatext Dashboard
- Navigate to Settings → API Keys
- Click Create New Key
- Optionally, give it a label (e.g., "Production", "Staging")
- Copy the key — it is shown only once
⚠️ Store your API key securely. Treat it like a password.
Environments
| Environment | Description |
|---|---|
gal_live_* | Production API key for live traffic |
gal_test_* | Sandbox key for testing (no real messages sent) |
Bearer JWT Authentication
Dashboard API endpoints (billing, account management, key management) use Bearer JWT tokens.
bash
curl -X GET https://api.galatext.com/api/account/balance \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."Getting a JWT Token
- Call the authentication endpoint with your credentials:
bash
curl -X POST https://api.galatext.com/api/auth/login \
-H "Content-Type: application/json" \
-d '{
"email": "you@example.com",
"password": "your_password"
}'- The response includes an
accessToken(expires in 1 hour) and arefreshToken:
json
{
"success": true,
"data": {
"accessToken": "eyJhbGciOiJIUzI1NiIs...",
"refreshToken": "eyJhbGciOiJIUzI1NiIs...",
"expiresIn": 3600
}
}Key Management Best Practices
Create Multiple Keys
Maintain separate API keys for different environments and applications:
bash
# Production key — limited permissions
gal_live_prod_app_abc123
# Staging key — full permissions
gal_live_staging_def456
# CI/CD key — send-only
gal_live_ci_build_ghi789Rotate Keys Regularly
- Create a new key from the dashboard
- Update your application with the new key
- Verify the new key works
- Delete the old key
Revoke Compromised Keys
If you suspect a key is exposed:
- Go to Settings → API Keys
- Find the compromised key
- Click Revoke
- Create a new key
- Deploy the new key to your application
Security Best Practices
- Never hardcode keys — Use environment variables or a secrets manager
- Restrict by IP — Configure IP whitelisting in dashboard settings
- Use separate keys — Different keys for dev, staging, and production
- Monitor usage — Review API key usage logs regularly
- Rotate quarterly — Rotate keys at least every 90 days
- Least privilege — Use keys with only the permissions needed
Example: Environment Variables
bash
# .env file
GALATEXT_API_KEY=gal_live_prod_app_abc123
GALATEXT_API_URL=https://api.galatext.compython
# Python
import os
import requests
api_key = os.environ.get("GALATEXT_API_KEY")
headers = {"x-api-key": api_key}js
// Node.js
const apiKey = process.env.GALATEXT_API_KEY;Supported Authentication Methods
| Method | Header | Used For |
|---|---|---|
| API Key | x-api-key | All messaging APIs |
| Bearer JWT | Authorization: Bearer <token> | Dashboard & account APIs |
| Sandbox Key | x-api-key (test_ prefix) | Sandbox testing |
Rate Limits per Key
- Free: 5 requests/second
- Starter: 20 requests/second
- Business: 100 requests/second
- Enterprise: Custom limits
Rate limits are enforced per API key. If you need higher limits, contact support.