Authentication
Authenticate API requests using API keys or JWT tokens.
API Keys
For server-to-server integrations, use an API key in the X-API-Key header:
X-API-Key: vk_your_api_key_hereAPI keys (prefixed vk_) are created in the dashboard and can be used to send SMS and access the API without a user session.
JWT Authentication
For browser-based or session-based access, use PocketBase's built-in JWT authentication:
Authorization: Bearer YOUR_JWT_TOKENObtain a JWT token by authenticating via the PocketBase auth endpoints (/api/collections/users/auth-with-password).
Creating API keys
- Log in to the Dashboard
- Go to Settings → API Keys
- Click "Create API Key"
- Copy the key immediately (it's only shown once on creation)
Key types
| Prefix | Type | Use for |
|---|---|---|
vk_ | Integration key | Server-to-server API calls (send SMS, etc.) |
dk_ | Device key | Auto-generated for registered devices |
Revoking keys
To revoke an API key:
- Go to Settings → API Keys
- Click the trash icon next to the key
- Confirm deletion
Security: Never expose API keys in client-side code or public repositories. Device keys (dk_) are auto-generated and only shown once when the device is first registered.
Rate limits
Vendel uses PocketBase's built-in rate limiter. The SMS send endpoint is limited to 30 requests per minute per user.
| Endpoint | Limit |
|---|---|
| POST /api/sms/send | 30 req/min |
| Other endpoints | PocketBase defaults |