Authentication & Authorization
Iron Messages uses Bearer API keys by default.
Obtaining credentials
- Create a sandbox project.
- Generate an API key.
- Record the key once; you won’t be able to retrieve it again.
Configuring credentials
You can provide credentials in either of these ways:
- HTTP header (recommended):
  Authorization: Bearer <API_KEY>
- Environment variable (SDKs):
  IRON_API_KEY
Supported auth methods
- API key (Bearer): supported for all endpoints.
- OAuth 2.0: not supported in this demo (non-goal).
Scopes / permissions
| Scope | Allows |
|---|---|
| messages:write | Publish messages |
| messages:read | Poll / fetch messages |
| messages:ack | Acknowledge messages |
If a scope is missing, you will receive 403 insufficient_scope.
Token lifetimes and rotation
- API keys are long-lived.
- Rotate keys regularly (recommended: every 90 days).
- Treat API keys like passwords: do not commit them to source control.
Environment separation
Use different keys per environment.
| Environment | Base URL |
|---|---|
| Sandbox | https://sandbox.api.iron.example |
| Production | https://api.iron.example |
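
The following is an added example, not part of the Iron Messages SDK or the original page. It reads the key from IRON_API_KEY, attaches it only to a request for one of the two base URLs above, maps a 403 insufficient_scope to the scope from the table, and redacts the key for logging. The helper names, the operation names and the path `/v1/messages` are hypothetical; how the error code is read from the response is left to the caller because the page does not show the response body.

```python
import os
import urllib.request

# Base URLs from the environment table on this page.
BASE_URLS = {
    "sandbox": "https://sandbox.api.iron.example",
    "production": "https://api.iron.example",
}
# Scope each operation needs, from the scopes table (operation names are hypothetical).
REQUIRED_SCOPE = {
    "publish": "messages:write",
    "poll": "messages:read",
    "ack": "messages:ack",
}


def build_request(environment, path, env=None):
    """Return a urllib Request carrying the Bearer key for one environment."""
    env = os.environ if env is None else env
    key = env.get("IRON_API_KEY", "").strip()
    if not key:
        raise RuntimeError("IRON_API_KEY is not set")
    base = BASE_URLS[environment]  # KeyError on an unknown environment
    # A path such as "@other.example/x" or ".other.example/x" would change
    # the host once appended, sending the key somewhere else.
    if not path.startswith("/"):
        raise ValueError("path must start with '/'")
    req = urllib.request.Request(base + path)
    req.add_header("Authorization", "Bearer " + key)
    return req


def describe_denial(status, error, operation):
    """Turn a 403 insufficient_scope into the scope the key is missing."""
    if status == 403 and error == "insufficient_scope":
        return "key lacks scope " + REQUIRED_SCOPE[operation]
    return None


def redact(req):
    """Header view that is safe to log: the key itself is never included."""
    return {k: ("Bearer ***" if k.lower() == "authorization" else v)
            for k, v in req.header_items()}
```
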