Skip to content

Authentication

DialDozer authenticates public developer requests with API keys. Send the plaintext key in the X-Api-Key header.

X-Api-Key: ddz_live_••••••••

The server stores only a SHA-256 key hash, compares it using a timing-safe operation, and records the last use time. Missing, inactive, or unknown keys fail closed.

ScopeGrants access to
leads:readRead one lead
leads:writeCreate or deduplicate a lead through intake
conversations:readRead a merged lead conversation
messages:writeSend SMS, email, and notes
ctiLook up numbers and request agent-bound dials

Request the narrowest scope set. A wrong scope returns 403 with wrong_scope on API v1. Lead intake returns 403 forbidden for an invalid key or missing leads:write scope.

The API also accepts an api_key body field for compatibility, but headers are preferred: they are easier to redact and less likely to appear in request bodies or application logs.

  • Keep keys in environment variables or a managed secret store.
  • Never place keys in browser code, URLs, examples, support tickets, or commits.
  • Use separate keys per environment and integration.
  • Rotate a key immediately if exposed.
  • Bind CTI keys to the intended agent account.
Terminal window
curl -G 'https://app.dialdozer.com/hooks/api_v1.php' \
--data-urlencode 'r=leads/42' \
-H "X-Api-Key: $DIALDOZER_API_KEY"