Bearer Token
All endpoints require an API token sent via HTTP header:
Authorization: Bearer invx_XXXXXXXXXX_....
Tokens belong to one account and one company. The API uses these values as the execution context.
Testing token
Use GET /api/ping to validate a token (recommended):
curl -sS https://api.invoxweb.com/api/ping \
  -H "Authorization: Bearer YOUR_TOKEN"
Expected response:
{
  "ok": true,
  "account_id": 5,
  "company_id": 3,
  "scope": "cf"
}
Scopes
Tokens can include a scope that indicates which integrations/modules are allowed.
Current example used in your system: cf (Contact Form 7 integration).
Recommended approach
Use scope as a coarse permission flag (integration/module level), and apply per-endpoint checks
in the route handler if needed.
// Example (route-level scope check): reject the request unless the token's
// scope matches the integration this route belongs to ("cf" here).
if (($api['scope'] ?? '') !== 'cf') {
    http_response_code(403);
    echo json_encode(['ok' => false, 'error' => 'forbidden_scope']);
    exit;
}
Security notes
- Never expose tokens in client-side code (browser JS).
- Prefer server-to-server calls (CF7 server, bots, backends).
- Rotate tokens when compromised. Keep old tokens disabled (is_active=0).
- Use expires_at for temporary integrations when possible.
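An added example (not the Invox API's own code) tying the pieces above together on the server side: parsing the Authorization header, applying the is_active and expires_at checks from the security notes, and then the coarse scope gate from the Scopes section. The in-memory token store, the invx_EXAMPLE_* token values and the function names are assumptions made for the example.

```php
<?php
// Added example (not from the Invox API docs): bearer-token validation that
// combines header parsing, the is_active / expires_at checks and the coarse
// scope flag. The token store is a constructed array standing in for a DB.
declare(strict_types=1);
// Constructed store keyed on a hash of the token (never store raw tokens).
$TOKEN_STORE = [
    hash('sha256', 'invx_EXAMPLE_ACTIVE') => [
        'account_id' => 5, 'company_id' => 3, 'scope' => 'cf',
        'is_active' => 1, 'expires_at' => null,
    ],
    hash('sha256', 'invx_EXAMPLE_EXPIRED') => [
        'account_id' => 5, 'company_id' => 3, 'scope' => 'cf',
        'is_active' => 1, 'expires_at' => '2020-01-01 00:00:00',
    ],
];

// Returns the execution context (account, company, scope) or null when the
// header is missing, malformed, unknown, disabled (is_active=0) or expired.
function authenticate(array $headers, array $store, int $now): ?array
{
    $auth = $headers['Authorization'] ?? '';
    // Accept only "Bearer <token>" with the expected invx_ prefix.
    if (!preg_match('/^Bearer\s+(invx_[A-Za-z0-9_]+)$/', $auth, $m)) {
        return null;
    }
    $row = $store[hash('sha256', $m[1])] ?? null;
    if ($row === null || (int) $row['is_active'] !== 1) {
        return null;
    }
    if ($row['expires_at'] !== null && strtotime($row['expires_at']) <= $now) {
        return null; // temporary integration token has expired
    }
    return $row;
}

// Coarse module-level gate; per-endpoint checks belong in the handler after it.
function requireScope(?array $api, string $scope): bool
{
    return $api !== null && ($api['scope'] ?? '') === $scope;
}
// Usage with the constructed headers: the expired token is rejected with 401.
$api = authenticate(['Authorization' => 'Bearer invx_EXAMPLE_EXPIRED'], $TOKEN_STORE, time());
if ($api === null) { http_response_code(401); echo json_encode(['ok' => false, 'error' => 'invalid_token']); exit; }
if (!requireScope($api, 'cf')) {
    http_response_code(403);
    echo json_encode(['ok' => false, 'error' => 'forbidden_scope']);
    exit;
}
echo json_encode(['ok' => true, 'scope' => $api['scope']]);
```

Swapping the header to invx_EXAMPLE_ACTIVE passes both checks; a token with the right prefix but no store entry is treated the same as a disabled one, so the response does not reveal which case applied.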
Legacy tester endpoint
You may also validate tokens using querystring (debug only):
GET https://api.invoxweb.com/api/inbox-test?token=invx_...
Not recommended for production tooling because it may leak tokens via logs/history.