API Authentication
Every JustCall API request must be authenticated using your API Key and API Secret. This guide walks you through generating credentials, making your first authenticated request, and keeping your integration secure.
Generate Your API Credentials
- Log in to your JustCall account as an Admin.
- Navigate to Settings → API & Webhooks.
- Click Generate API Key.
- Copy both the API Key and API Secret immediately — the secret is shown only once.
If you lose your secret, revoke the existing key and generate a new pair.
Authenticate Requests
Pass your credentials in the Authorization header as a colon-separated pair:
curl -X GET "https://api.justcall.io/v2/calls" \
  -H "Authorization: {api_key}:{api_secret}" \
  -H "Content-Type: application/json"
Example: Verify Your Credentials
curl -X GET "https://api.justcall.io/v2/account" \
  -H "Authorization: abc123def456:sec789xyz000" \
  -H "Content-Type: application/json"
A successful response returns your account details:
{
  "status": "success",
  "data": {
    "account_id": 12345,
    "email": "admin@yourcompany.com",
    "plan": "Pro"
  }
}
An invalid key returns 401 Unauthorized:
{
  "status": "error",
  "message": "Invalid API key or secret."
}
Token Refresh
JustCall API credentials do not expire automatically. To rotate your credentials:
- Go to Settings → API & Webhooks.
- Click Revoke next to your current key.
- Click Generate API Key to create a new pair.
- Update your integration with the new credentials before the old key stops working.
Plan your rotation during a maintenance window so your integration does not experience downtime.
Security Best Practices
| Practice | Why it matters |
|---|---|
| Store credentials in environment variables, never in source code | Prevents accidental exposure in version control |
| Use server-side requests only | Embedding keys in client-side JavaScript exposes them to anyone viewing page source |
| Restrict API key access to specific IPs (if supported by your plan) | Limits the blast radius if credentials leak |
| Rotate keys quarterly | Reduces the window of exposure for compromised credentials |
| Monitor API usage in Settings → API & Webhooks | Detects unexpected spikes that may indicate unauthorized use |
| Revoke unused keys immediately | Eliminates unnecessary attack surface |
Troubleshooting
401 Unauthorized — Double-check that you are sending both the API key and secret, separated by a colon, in the Authorization header. Confirm there are no trailing spaces.
403 Forbidden — Your account plan may not include API access, or the endpoint requires Admin-level credentials. Contact support if you believe this is an error.
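
The helpers below are an added example, not JustCall's own code. They read the key and secret from environment variables, reject the stray whitespace that leads to a 401, and pass the header to curl on stdin so the secret stays out of the process list. The variable names JUSTCALL_API_KEY and JUSTCALL_API_SECRET and all function names are assumptions.

```shell
# Added example, not JustCall's own code. JUSTCALL_API_KEY and
# JUSTCALL_API_SECRET are assumed variable names; function names are hypothetical.

# Print "key:secret" for the Authorization header, or fail closed.
justcall_auth_value() {
    local key="${JUSTCALL_API_KEY:-}" secret="${JUSTCALL_API_SECRET:-}" pair clean
    if [ -z "$key" ] || [ -z "$secret" ]; then
        echo "set both JUSTCALL_API_KEY and JUSTCALL_API_SECRET" >&2
        return 1
    fi
    pair="$key:$secret"
    # Stray whitespace (a pasted trailing space or newline) causes a 401;
    # quotes and backslashes would break the curl config line built below.
    clean=$(printf '%s' "$pair" | tr -d '[:space:]"\\')
    if [ "$clean" != "$pair" ]; then
        echo "credentials contain whitespace, quotes or backslashes" >&2
        return 1
    fi
    printf '%s' "$pair"
}

# Safe form for logs: keep the key (an identifier), mask the secret.
justcall_redacted() {
    printf '%s:********' "${JUSTCALL_API_KEY:-<unset>}"
}

# GET a v2 path; prints the HTTP status, saves the body to $2 (default: discard).
# The header goes to curl on stdin (--config -) so the secret never appears
# in the process list, unlike a -H argument.
justcall_get() {
    local auth
    auth=$(justcall_auth_value) || return 1
    printf 'header = "Authorization: %s"\n' "$auth" |
        curl --silent --show-error --config - \
            -H "Content-Type: application/json" \
            --output "${2:-/dev/null}" --write-out '%{http_code}' \
            "https://api.justcall.io/v2$1"
}

# Map the status codes this page documents to the action to take.
justcall_explain_status() {
    case "$1" in
        2??) echo "ok" ;;
        401) echo "invalid key or secret: check both values and the colon separator" ;;
        403) echo "forbidden: plan lacks API access or endpoint needs Admin credentials" ;;
        *)   echo "unexpected status $1" ;;
    esac
}
```

With both variables exported, `justcall_get /account` prints the status code, and `justcall_explain_status` turns that code into the next troubleshooting step.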