# Authentication

Every request to the Legacy API carries a bearer token. Tokens are created in the dashboard and passed in the `Authorization` header.

## Getting a token

Sign in to the [Instasent dashboard](https://dashboard.instasent.com), open **API tokens** and create one for the account that will send the traffic. Copy the value right away — it is shown once.

> **Warning**: Treat tokens as production secrets. Keep them in an environment variable or a secrets manager; never commit them to the repo or embed them in client-side code.

## Sending the token

```bash
curl https://api.instasent.com/sms \
  -H "Authorization: Bearer $INSTASENT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "from": "Instasent", "to": "+34600000000", "text": "Hello" }'
```

A missing, malformed or revoked token returns `401 Unauthorized`.

## Rotating a token

Tokens do not expire. Rotate them whenever a member of the team leaves, whenever a secret might have been exposed, and at least once a year as a hygiene measure.

#### 1. Issue the replacement

Create a new token in the dashboard **before** revoking the old one so traffic keeps flowing while you redeploy.

#### 2. Roll it out

Update your secrets store and redeploy the workers that call the API.

#### 3. Revoke the old token

Once the replacement is live everywhere, delete the old token in the dashboard. Any request still using it will fail with `401 Unauthorized`.
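
The check below gates step 3 on every worker having picked up the replacement. It is an added example, not Instasent code. It assumes each worker records a truncated SHA-256 fingerprint of the token it loaded (never the token itself) and that these are collected as `<worker> <fingerprint>` lines; the report format, worker names and token values are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example: pre-revocation gate for the rotation procedure above.
# Assumption: workers report "<worker-name> <fingerprint>" lines, where the
# fingerprint is derived from the token they loaded. Requires sha256sum.

# Short fingerprint of a token: first 12 hex chars of its SHA-256 digest.
# Safe to log and compare; the token itself is never printed.
token_fp() {
  printf '%s' "$1" | sha256sum | cut -c1-12
}

# Print every worker whose reported fingerprint is not the new token's.
# Args: $1 = new token; stdin = "<worker> <fingerprint>" lines.
# Returns 0 when all workers run the new token, 1 otherwise.
stale_workers() {
  local new_fp worker fp stale=0
  new_fp=$(token_fp "$1")
  while read -r worker fp; do
    [ -z "$worker" ] && continue          # skip blank lines
    if [ "$fp" != "$new_fp" ]; then
      printf '%s\n' "$worker"
      stale=1
    fi
  done
  return "$stale"
}

# Constructed sample data: placeholder tokens and three hypothetical workers,
# one of which has not been redeployed yet.
OLD_TOKEN='old-token-placeholder'
NEW_TOKEN='new-token-placeholder'
sample_report() {
  printf 'worker-a %s\n' "$(token_fp "$NEW_TOKEN")"
  printf 'worker-b %s\n' "$(token_fp "$OLD_TOKEN")"
  printf 'worker-c %s\n' "$(token_fp "$NEW_TOKEN")"
}

if pending=$(sample_report | stale_workers "$NEW_TOKEN"); then
  echo "all workers on the new token; safe to revoke the old one"
else
  echo "do not revoke yet; still on another token: $pending"
fi
```

Comparing against the new token's fingerprint, rather than the old one's, also catches workers that are running some third, forgotten token.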

## What's next

- **[API Reference](/legacy-api/reference)** — every endpoint and response code.
- **[Transactional API](/transactional-api/overview)** — the modern alternative for new integrations.
