> ## Documentation Index
> Fetch the complete documentation index at: https://docs.sinjapp.org/llms.txt
> Use this file to discover all available pages before exploring further.

# Tenant API Key Authentication

> Authenticate Sinjapp Business Tenant API requests using your tenant domain and X-Api-Key header, and keep API keys secure on your server.

All Tenant API requests use an API key created from the tenant dashboard.

Requests must be sent to the exact tenant workspace domain, for example `https://{tenant}.sinjapp.org/api/v1`. The API key does not replace the tenant domain; the domain identifies the workspace before the key is checked.

```http theme={null}
X-Api-Key: {tenant_api_key}
Accept: application/json
```

Keep tenant API keys on your server. Do not expose them in browser-only code or mobile apps distributed to end users.

If the request host is not a known tenant domain, the API returns:

```json theme={null}
{
  "message": "Tenant could not be identified for this domain."
}
```

## Test Your API Key

Use `/me` to confirm the key belongs to the expected tenant workspace.

<CodeGroup>
  ```bash cURL theme={null}
  curl "https://{tenant}.sinjapp.org/api/v1/me" \
    -H "X-Api-Key: {tenant_api_key}" \
    -H "Accept: application/json"
  ```

  ```js JavaScript theme={null}
  const response = await fetch('https://{tenant}.sinjapp.org/api/v1/me', {
    headers: {
      'X-Api-Key': tenantApiKey,
      'Accept': 'application/json',
    },
  })

  const context = await response.json()
  ```

  ```php PHP theme={null}
  <?php

  $response = file_get_contents('https://{tenant}.sinjapp.org/api/v1/me', false, stream_context_create([
      'http' => [
          'method' => 'GET',
          'header' => [
              'X-Api-Key: ' . $tenantApiKey,
              'Accept: application/json',
          ],
          'timeout' => 30,
      ],
  ]));

  $context = json_decode($response, true);
  ```

  ```python Python theme={null}
  import requests

  response = requests.get(
      "https://{tenant}.sinjapp.org/api/v1/me",
      headers={
          "X-Api-Key": tenant_api_key,
          "Accept": "application/json",
      },
      timeout=30,
  )

  context = response.json()
  ```
</CodeGroup>

## Scopes

When creating an API key, choose the smallest set of scopes your integration needs.

| Scope             | Use                                                  |
| ----------------- | ---------------------------------------------------- |
| `messages.send`   | Send messages and create sender numbers              |
| `messages.read`   | Read message logs                                    |
| `contacts.lookup` | Check whether a Sinjapp account can receive messages |
| `usage.read`      | Read usage and limits                                |
| `*`               | Full tenant API access                               |

Sinjapp Business only shows the full API key when it is created or when the tenant dashboard explicitly allows showing an encrypted key.
