Moorsyl Docs

API Keys

Authenticate requests with secret or publishable API keys.

Every request to Moorsyl is authenticated with an API key passed in the x-api-key header. Keys are scoped to an organization and come in two types.

Key types

| Type | Prefix | Use case | Safe in browser / mobile? |
|---|---|---|---|
| Secret | sk_live_… | All API calls — SMS, Verify, admin operations | No — server-side only |
| Publishable | pk_live_… | Verify only — call directly from a browser or native app | Yes |

Secret keys

Secret keys have full access to your organization: sending SMS, managing webhooks, and reading message history. Treat them like passwords — never expose them in client-side code.

Publishable keys

Publishable keys (pk_…) are safe to embed in frontend JavaScript or mobile apps because they are restricted to the Verify endpoints only. They cannot send arbitrary SMS messages or access organization data.

Use a publishable key when you want to call POST /api/verify/send or POST /api/verify/check directly from a browser or native app without routing through your own backend.

Create an API key

  1. Open app.moorsyl.com and select your organization
  2. Go to API Keys in the sidebar
  3. Click Create API Key
  4. Choose the key type: Secret or Publishable
  5. Give it an optional name (e.g. production-backend, ios-app)
  6. Copy the key — it is shown only once

Use a key in requests

Pass the key in the x-api-key header on every request:

curl -X POST https://api.moorsyl.com/api/sms \
  -H "x-api-key: sk_live_..." \
  -H "Content-Type: application/json" \
  -d '{ "to": "+22236551999", "from": "moorsyl", "body": "Hello!" }'

Disable a key

Keys can be disabled from the dashboard without deleting them. A disabled key returns 401 on all requests. This is useful when rotating keys — disable the old key after the new one is in use.

  1. Go to API Keys
  2. Click the menu on the key you want to disable
  3. Select Disable

Rate limiting

Secret keys are not subject to IP-based rate limiting — they are expected to come from trusted backend servers.

Publishable keys are rate-limited per IP address at the Cloudflare edge to prevent abuse. If a client hits the limit it receives a 429 response. The limit resets automatically.

Both key types are also subject to organization-level rate limits configured in your Verify settings. See Verify → Rate limits.

Best practices

  • Store secret keys in environment variables — never commit them to source control
  • Use separate keys for each environment (development, staging, production)
  • Use publishable keys for all client-side Verify calls
  • Disable keys you no longer need rather than leaving them active
  • Rotate secret keys periodically or immediately if you suspect exposure
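
One way to enforce the rules about secret keys in source control and client-side code, as an added example rather than Moorsyl's own tooling: a check for a pre-commit hook or CI step that flags hard-coded secret keys and lets publishable ones through. The key-body pattern, the client file suffixes, the MOORSYL_API_KEY variable name and the sample files are assumptions.

```python
import re

# "sk_live_" / "pk_live_" prefixes come from the page. The body pattern
# (16+ URL-safe characters) is an assumption; the docs do not give the format.
KEY_RE = re.compile(r"\b(sk|pk)_live_[A-Za-z0-9_-]{16,}")

# Assumed list of file types that ship to browsers or mobile devices.
CLIENT_SUFFIXES = (".js", ".jsx", ".ts", ".tsx", ".html", ".swift", ".kt")


def scan(files):
    """Return (path, line_no, exposure) for every hard-coded secret key.

    `files` maps a path to its text. Publishable keys are skipped because
    they are restricted to the Verify endpoints and may be embedded.
    """
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for match in KEY_RE.finditer(line):
                if match.group(1) == "pk":
                    continue
                exposure = ("client-side code" if path.endswith(CLIENT_SUFFIXES)
                            else "source control")
                findings.append((path, line_no, exposure))
    return findings


# Constructed sample tree; the key values and MOORSYL_API_KEY are made up.
SAMPLE = {
    "web/src/verify.js": 'const KEY = "pk_live_EXAMPLEEXAMPLE0001";\n',
    "web/src/admin.js": '// TODO remove\nconst KEY = "sk_live_EXAMPLEEXAMPLE0002";\n',
    "server/settings.py": 'import os\nAPI_KEY = os.environ["MOORSYL_API_KEY"]\n',
    "server/deploy.sh": "export MOORSYL_API_KEY=sk_live_EXAMPLEEXAMPLE0003\n",
}

if __name__ == "__main__":
    results = scan(SAMPLE)
    for path, line_no, exposure in results:
        # Report the location only, never the key itself.
        print(f"{path}:{line_no}: secret key hard-coded in {exposure}")
    raise SystemExit(1 if results else 0)
```

A key that this check finds in a committed file should be treated as exposed: create a replacement, then disable the old key from the dashboard.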
