Every request to the Xobito API must include a bearer token. Tokens are generated per-workspace in the dashboard and scoped to specific abilities.

Token format

Xobito API tokens always start with apitk_ and are followed by 64 random characters:
apitk_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
The plaintext token is shown once, at the moment of creation. Xobito stores only a hash — we cannot recover it later. If you lose a token, revoke it and generate a new one.

Generating a token

1. Open API Management

   In your dashboard, go to Settings → API Management.

2. Create a token

   Click Create Token and fill in:
     • Name — a human-readable label.
     • Abilities — the scopes this token is allowed to call (see below).
     • Rate limits — optional per-token override.
     • Monthly quota — optional cap on total calls per calendar month.
     • Expiry — optional expires_at date. Leave blank for no expiry.

3. Copy the token

   The plaintext token is displayed once. Copy it into your password manager or secrets vault immediately.

Using a token

Send the token in the Authorization header on every request:
curl https://dash.xobito.com/api/v1/acme/contacts \
  -H "Authorization: Bearer apitk_your_token_here" \
  -H "Accept: application/json"

Abilities (scopes)

A token’s abilities array controls which endpoints it can call. These are the only valid ability strings:
Ability            Grants
contacts.create    Create contacts
contacts.read      List / read contacts
contacts.update    Update contacts
contacts.delete    Delete contacts
statuses.create    Create contact statuses
statuses.read      List / read statuses
statuses.update    Update statuses
statuses.delete    Delete statuses
sources.create     Create contact sources
sources.read       List / read sources
sources.update     Update sources
sources.delete     Delete sources
groups.create      Create groups
groups.read        List / read groups
groups.update      Update groups
groups.delete      Delete groups
templates.read     List / read WhatsApp templates
templatebots.read  Read template bot definitions
messagebots.read   Read message bot definitions
messages.send      Send text, template, media messages; validate phone numbers; check message status
messages.send is a single ability that covers all send endpoints (text, template, media), phone validation, and the message-status endpoint. There is no separate messages.read ability.

Errors

Missing token

HTTP 401:
{
  "status": "error",
  "message": "API token is required"
}

Invalid token

HTTP 401:
{
  "status": "error",
  "message": "Invalid API token"
}

Missing ability

HTTP 403:
{
  "status": "error",
  "message": "Token does not have the required ability: contacts.create"
}
The message always includes the specific ability that was required.
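The following client helper is an added example, not Xobito's own SDK. It ties together the header shown under "Using a token" and the three error shapes above: it reads the token from an environment variable (the name XOBITO_API_TOKEN is an assumption), checks the documented apitk_ + 64 character shape before sending anything (the page does not state the character set, so [A-Za-z0-9] is an assumption used only as a local sanity check), and maps 401 versus 403 responses so a caller can tell "the token itself is bad, stop retrying" from "the token works but lacks a named ability".

```python
"""Minimal Xobito API client helper.

Added example, not Xobito's own client library. Assumptions:
  * the token is supplied via the XOBITO_API_TOKEN environment variable
    (a name chosen here, not mandated by Xobito);
  * a token is "apitk_" followed by 64 characters; the docs do not state the
    alphabet, so [A-Za-z0-9] is an assumption used only as a sanity check;
  * error bodies have the {"status": "error", "message": "..."} shape shown
    in the docs.
"""
import json
import os
import re
import urllib.error
import urllib.request

TOKEN_RE = re.compile(r"^apitk_[A-Za-z0-9]{64}$")
# The 403 message always names the ability that was required.
ABILITY_RE = re.compile(r"required ability: (?P<ability>[a-z]+\.[a-z]+)$")


def load_token(env_var="XOBITO_API_TOKEN", environ=None):
    """Read the token from the environment and reject malformed values early.

    A truncated or mispasted token fails here with a clear local error
    instead of a generic 401 from the API.
    """
    env = os.environ if environ is None else environ
    token = env.get(env_var, "").strip()
    if not TOKEN_RE.match(token):
        raise ValueError(f"{env_var} is unset or not a well-formed Xobito API token")
    return token


def auth_headers(token):
    """Headers for every request: bearer token plus JSON Accept."""
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def classify_error(status_code, body):
    """Map an error response to (kind, detail).

    401 means the token is missing, invalid, revoked or expired; retrying
    with the same token is pointless. 403 means the token is valid but
    lacks an ability, and the detail is that ability's name.
    """
    try:
        message = json.loads(body).get("message", "")
    except (ValueError, AttributeError):
        message = ""
    if status_code == 401:
        return ("auth", message)
    if status_code == 403:
        m = ABILITY_RE.search(message)
        return ("missing_ability", m.group("ability") if m else None)
    return ("other", message)


def get(url, token, timeout=10):
    """Authenticated GET; returns (status_code, parsed_json_or_None, error_info)."""
    req = urllib.request.Request(url, headers=auth_headers(token))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.load(resp), None
    except urllib.error.HTTPError as e:
        body = e.read().decode("utf-8", errors="replace")
        return e.code, None, classify_error(e.code, body)


if __name__ == "__main__":
    # Workspace slug "acme" is taken from the docs' curl example.
    tok = load_token()
    status, data, err = get("https://dash.xobito.com/api/v1/acme/contacts", tok)
    if err and err[0] == "missing_ability":
        print(f"token lacks ability {err[1]}; grant it in Settings -> API Management")
    elif err:
        print(f"request failed ({status}): {err[1]}")
    else:
        print(data)
```

Keeping the 401/403 distinction explicit matters operationally: a 401 on a token that worked yesterday usually means it was revoked or hit its expires_at, which is a signal to investigate, not to retry; a 403 is a configuration problem that the message itself tells you how to fix.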

Revoking a token

In Settings → API Management, toggle is_active to false on the token. Inactive tokens are rejected with 401 Invalid API token on their next request. Expired tokens (past expires_at) are rejected automatically.

Security checklist

Store tokens in a secrets manager; never commit them to source control.
Give each integration its own token with the minimum abilities it needs. Note that messages.send is the only ability that covers phone validation and message status, so any integration that needs those can also send messages.
Set an expires_at date when you create a token; a token with no expiry stays valid until someone revokes it.
Rotate tokens on a regular cadence or when a team member leaves.
Revoke tokens immediately if you suspect leakage; revocation takes effect on the token's next request.
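The fixed apitk_ prefix makes leaked tokens easy to catch before they reach a repository. The scanner below is an added example, not a Xobito-provided tool; it assumes the documented prefix and a 64-character body drawn from [A-Za-z0-9] (the page does not state the alphabet), and it skips all-X placeholders such as the one in the "Token format" section so documentation does not trip the check. Findings are reported masked, so the report itself does not re-leak the token.

```python
"""Scan text (a file, or `git diff --cached` output) for leaked Xobito API tokens.

Added example, not a Xobito-provided tool. Assumes the documented "apitk_"
prefix and a 64-character body; the character set [A-Za-z0-9] is an
assumption. All-"X" placeholders, as used in the docs, are ignored.
"""
import re
import sys

TOKEN_RE = re.compile(r"apitk_[A-Za-z0-9]{64}")
PREFIX = "apitk_"


def mask(token):
    """Keep enough of the token to find it in Settings -> API Management, no more."""
    return token[:12] + "..." + token[-4:]


def find_tokens(text):
    """Return (line_number, masked_token) for every real-looking token in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TOKEN_RE.finditer(line):
            tok = m.group(0)
            if set(tok[len(PREFIX):]) == {"X"}:  # documentation placeholder
                continue
            hits.append((lineno, mask(tok)))
    return hits


# Constructed sample: an env file with one real-shaped token and the docs placeholder.
SAMPLE = (
    "XOBITO_API_TOKEN=" + PREFIX + "k7" * 32 + "\n"
    "# docs show the format as " + PREFIX + "X" * 64 + "\n"
    "OTHER=value\n"
)


if __name__ == "__main__":
    # Pre-commit usage: git diff --cached | python scan_tokens.py
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    findings = find_tokens(source)
    for lineno, masked in findings:
        print(f"line {lineno}: possible Xobito API token {masked}")
    sys.exit(1 if findings else 0)
```

Wiring this into a pre-commit hook turns the "never commit" rule into something enforced rather than remembered; if a token does slip through, treat it as leaked and revoke it, since rewriting history does not un-publish a push.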