EZ Texting

Authentication

The EZ Texting API supports two authentication methods: HTTP Basic Authentication for simplicity, and OAuth2 for token-based access. Both use your existing EZ Texting credentials.

HTTP Basic Authentication

The simplest way to authenticate. Use your username and password, base64-encoded in the Authorization header. Most HTTP clients handle this automatically.

Good for scripts, quick tests, and low-risk internal use. For production traffic we recommend OAuth2 so credentials are never on the wire for every request.

curl --request GET \
     --url https://a.eztexting.com/v1/contacts \
     --header 'accept: application/json' \
     --user 'your_username:your_password'

OAuth2 Authentication

For production apps, OAuth2 gives you short-lived access tokens plus a long-lived refresh token. Credentials are used exactly once (to mint a token); all subsequent requests use the bearer token.

1. Create a token

POST your credentials to /v1/tokens/create. The body takes two fields:appKey (your EZ Texting username or email address) and appSecret(your password). You'll receive an access token and a refresh token. The access token expires after 5400 seconds (90 minutes); the refresh token is valid for 60 days.

Why the odd names? The fields are appKey and appSecret for historical reasons — the values are still just your regular EZ Texting username (or email) and password.
curl -X POST https://a.eztexting.com/v1/tokens/create \
  -H "Content-Type: application/json" \
  -d '{
    "appKey": "your_username_or_email",
    "appSecret": "your_password"
  }'

2. Use the token

Send the access token in the Authorization header with the Bearer scheme. When it expires, you'll get a 401 Unauthorized — that's your cue to refresh.

curl https://a.eztexting.com/v1/contacts \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."

3. Refresh the token

Use the refresh token to mint a new access token without re-sending the user's password. The response shape is identical to token creation.

curl -X POST https://a.eztexting.com/v1/tokens/refresh \
  -H "Content-Type: application/json" \
  -d '{
    "refreshToken": "dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4..."
  }'

4. Revoke a token

Revoke either type immediately by POSTing to /v1/tokens/revoke with the token and its type hint: ACCESS_TOKEN or REFRESH_TOKEN. Do this on logout, on suspected compromise, or when rotating secrets.

curl -X POST https://a.eztexting.com/v1/tokens/revoke \
  -H "Content-Type: application/json" \
  -d '{
    "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
    "type": "ACCESS_TOKEN"
  }'

Security tips

Keep secrets out of your code. Store credentials as environment variables. Treat API tokens with the same care as passwords. Rotate if you ever suspect a leak.
  • Always use HTTPS. Basic Auth is base64-encoded, not encrypted.
  • Prefer OAuth2 for any server-to-server or multi-tenant scenario.
  • Don't check credentials into version control.
  • Revoke tokens immediately on compromise or offboarding.