Authentication
The Bahasha public API uses standard HTTP Bearer tokens. Pass your API key in the Authorization header:
Authorization: Bearer bh_live_xxxxxxxxxxxxKeys are scoped to your organization and work with any HTTP client.
Key types
| Type | Prefix | Behaviour |
|---|---|---|
| Production | bh_live_ | Sends real WhatsApp messages via Bahasha and Meta. Use in production. |
| Sandbox | bh_test_ | Returns simulated responses — no real messages sent. Use for development and testing. |
Both key types are managed from Settings → API Keys in your organization dashboard .
API keys are shown only once when created. Store them in environment variables or a secrets manager. Rotate keys regularly and revoke any key that may have been compromised.
Security best practices
- Never hardcode API keys in client-side code or commit them to version control
- Use separate keys for each environment (production, staging, development)
- Rotate keys periodically
- Immediately revoke keys that may be compromised — create a replacement from the dashboard