Authentication

Mobile App Integration Guide

The API uses Bearer token authentication. There are two types of API key: a User API Key (no Android device needed) and a Per-Device Token (tied to a registered Android phone).

Token Types

Choose the token type that matches your free SMS marketing integration:

User API Key - for direct API access (no phone needed)

No device required

The simplest way to integrate. Generate a personal API key from the web panel Settings page and use it to queue SMS, WhatsApp messages, and campaigns via any HTTP client. No Android device or SIM card is required when messages are sent via connected SMS providers or credits.

  1. Log in to the web panel and go to Settings.
  2. Scroll to the API Key section and click Generate Key.
  3. Copy the key and use it in the Authorization: Bearer header of your requests.
*
You can regenerate your key at any time from Settings > API Key. The old key is invalidated immediately, so update all integrations before regenerating.

Per-Device Token - for the Android app

Android device required

Each Android phone registered in the Devices section gets its own token. This token is used by the Android app to poll the message queue, report delivery status, and sync the inbox. It is tied to a specific device and SIM card.

  1. Go to Devices > Add Device in the web panel.
  2. Scan the QR code with the Android app. The app calls claim_device and the token is stored automatically.
  3. The app uses Authorization: Bearer {token} for all subsequent requests.

Sending the Token

Authorization header (preferred)

HTTP
Authorization: Bearer YOUR-API-KEY

X-API-Token header

HTTP
X-API-Token: YOUR-API-KEY

?token= query parameter (fallback, useful when headers are stripped by proxies)

URL
https://api.rcszilla.com/?endpoint=queue_sms&token=YOUR-API-KEY
*
Tokens are stored and compared in uppercase. The API normalizes your token automatically.

Legacy Token

Older builds used a single shared mobile_app_token per user stored in settings. This still works for backward compatibility, but the User API Key or per-device tokens are strongly preferred.

*
Migration note: If your app was built before multi-device support was added, it may be using the legacy single token. To migrate, open the Devices page in the web panel, generate a per-device token, and update the app configuration.

Device Token Lifecycle

  1. Admin opens Devices > Add Device in the web panel and a one-time registration token (QR code) is generated.
  2. App scans the QR and calls claim_device with that token.
  3. Server creates the device row. The same token is now the permanent per-device API token.
  4. App stores the token securely (Android EncryptedSharedPreferences recommended).
  5. All subsequent requests use Authorization: Bearer {token}.
  6. Admin can regenerate the token at any time from the Devices page. The old token is immediately invalidated.