Authentication

Every Public API request uses HTTP Basic authentication with your Splashify Pro API key.

Get your API key

1. Sign in to Splashify Pro.
2. Open Settings → Developer.
3. Click Generate Secret Key.
4. Copy the key — it is shown only once. Store it in your secrets manager.

If you lose the key, click Regenerate Key to mint a new one. The old key is invalidated instantly, so update every integration before you regenerate.

Send the header

Authorization: Basic YOUR_API_KEY
Content-Type: application/json

The value is your raw API key — Splashify accepts it as-is, you do not need to base64-encode it the way “real” HTTP Basic does. The Basic prefix is required.

curl -X POST https://apis.splashifypro.com/api/v1/public/message \
  -H "Authorization: Basic sk_live_xxxxxxxxxxxxxxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{ ... }'

Errors

IP allowlisting

Workspaces on enterprise plans can restrict API calls to a list of trusted IPs. When enabled, requests from IPs not on the allowlist return:

{
  "success": false,
  "code": "ip_blocked",
  "ip": "203.0.113.45",
  "message": "Access denied — your IP address is not on this account's allowlist."
}

The block is enforced on the public API surface (sk_live_… Bearer, GraphQL Bearer, SMTP relay) but not on webhook receivers. Account owners get an email alert the first time each new IP is blocked. See Allowed IPs for full setup.

Security checklist

• Never put the API key in client-side code (web, mobile, anywhere a user can open DevTools). Always call from your backend.
• Rotate the key on team turnover or any suspected leak.
• Scope integrations: each integration should call only the endpoints it needs. There is no per-key scoping yet — separation is by which integration holds the key.
• Never log the full key. Truncate to the last 4 characters in logs.