Authentication
DialDozer authenticates public developer requests with API keys. Send the plaintext key in the X-Api-Key header.
X-Api-Key: ddz_live_••••••••The server stores only a SHA-256 key hash, compares it using a timing-safe operation, and records the last use time. Missing, inactive, or unknown keys fail closed.
Scopes
Section titled “Scopes”| Scope | Grants access to |
|---|---|
leads:read | Read one lead |
leads:write | Create or deduplicate a lead through intake |
conversations:read | Read a merged lead conversation |
messages:write | Send SMS, email, and notes |
cti | Look up numbers and request agent-bound dials |
Request the narrowest scope set. A wrong scope returns 403 with wrong_scope on API v1. Lead intake returns 403 forbidden for an invalid key or missing leads:write scope.
Key placement
Section titled “Key placement”The API also accepts an api_key body field for compatibility, but headers are preferred: they are easier to redact and less likely to appear in request bodies or application logs.
Secret handling
Section titled “Secret handling”- Keep keys in environment variables or a managed secret store.
- Never place keys in browser code, URLs, examples, support tickets, or commits.
- Use separate keys per environment and integration.
- Rotate a key immediately if exposed.
- Bind CTI keys to the intended agent account.
curl -G 'https://app.dialdozer.com/hooks/api_v1.php' \ --data-urlencode 'r=leads/42' \ -H "X-Api-Key: $DIALDOZER_API_KEY"