Security and authorization

Learn how to properly secure your API communication.

Security is one of the most important segments in API integration so we made sure to provide you with a set of tools that will help you create secure applications.

SSL Encryption

  • SSL
  • Base URL

Authorization methods

The majority of requests to Infobip’s API require authentication. That can be done by setting the Authorization HTTP header. The Authorization header must include a type and the credentials themselves.

Authorization: <type> <credentials>


It is strongly advised to use HTTPS protocol for all API requests that contain Authorization header in order to keep the submitted credentials secret.

There are three different authorization types supported by the Infobip API. While not all API methods support all 3 types, they can be presumed to do so unless specifically stated otherwise on their documentation pages.

type credentials format notes
App Infobip generated API key Recommended authorization method.
Basic Base64 encoded username and password combination Not recommended because the password is included in every request.
IBSSO Infobip generated single sign-on token Useful for accessing API in a time limited session.

API key authorization

This is the most secure authorization type and the one with the most flexibility. 

API keys can be generated by calling the dedicated API method. Furthermore, API keys can have a limited scope and cover only some API methods. Lastly, they can be revoked at any time. This range of possibilities makes API keys well suited for separating the API access rights across multiple applications or use cases. Finally, the loss of an API key is easily manageable.

You can find out more about API key creation and management at the dedicated documentation page.

API key Authorization header example:

Authorization: App 003026bbc133714df1834b8638bb496e-8f4b3d9a-e931-478d-a994-28a725159ab9

Basic authorization

Basic authorization type can be used in situations when the API key is not available. For example, API methods for generating API keys should be authenticated with the Basic type.

In this case, the credentials included in the Authorization header should be a Base64 encoded username and password combination. More formally, basic authentication header can be constructed in three steps:

  1. Username and password are concatenated using the colon (:) as a separator username:password.
  2. The resulting string is encoded using the RFC2045-MIME variant of Base64.
  3. Encoded string is added as credentials after the "Basic " type.


Username: "Aladdin"
Password: "openSesame"

Concatenated string: "Aladdin:openSesame"

Base64 encoded string: "QWxhZGRpbjpvcGVuU2VzYW1l"

Authorization header: "Basic QWxhZGRpbjpvcGVuU2VzYW1l"


Base64 encoding is a standard and many available programming languages and frameworks provide convenient methods for encoding strings.

$username = 'Aladdin';
$password = 'openSesame';

$header = "Basic " . base64_encode($username . ":" . $password);
require "base64"

username = "Aladdin"
password = "openSesame"

header = "Basic #{Base64.encode64("#{username}:#{password}")}"
import base64

username = 'Aladdin'
password = 'openSesame'

header = 'Basic ' + base64.b64encode(username + ':' + password)
import java.util.Base64;

String username = "Aladdin";
String password = "openSesame";

String concatenated = username + ":" + password;
String header = "Basic " + Base64.getEncoder().encodeToString(concatenated.getBytes());
string username = "Aladdin";
string password = "openSesame";

byte[] concatenated = System.Text.ASCIIEncoding.ASCII.GetBytes(username + ":" + password);
string header = System.Convert.ToBase64String(concatenated);
var username = "Aladdin";
var password = "openSesame";

var header = "Basic " + window.btoa(username + ":" + password);

Token authorization

This authorization type is suited for situations when you do not want to store Infobip credentials in your own app. Instead, your users will input their Infobip credentials every time they access your application and the application will use those credentials to create a session. From then on, the session token can be used to authenticate subsequent API requests. Note that the session will expire automatically after a predefined period of inactivity, and can also be manually terminated by making an appropriate API call.

You can find more details on the creation and behavior of the session at the dedicated documentation page.

After obtaining the session token by calling the above-referenced API method you can include it in the Authorization header like this:

Authorization: IBSSO 2f9b4d31-2d0d-49a8-85f0-9b862bdca394