Telecom API Authentication: Get Your API Token and Start Integrating

Complete Guide to Simple Telecom API Authentication — Generate, Secure, and Use Your Bearer Token

Illustration related to call tracking and phone numbers

Key Authentication Steps

  • Generate API tokens from the Simple Telecom console
  • Secure Bearer token authentication with st_ format
  • Include tokens in the Authorization header of every request
  • Revoke compromised tokens immediately from the console
  • Understand rate limiting headers and error responses

How Simple Telecom API Authentication Works

Every request to the Simple Telecom API must be authenticated using a Bearer token. This is a standard HTTP authentication method where you include a secret token in the Authorization header of your requests. The API uses Bearer tokens to verify your identity, determine which services you have access to, and enforce rate limits.

Your API token is a string that starts with st_ followed by a unique identifier. It’s generated from the Simple Telecom console and is unique to your account. One token gives you access to all services on your account — all your 1300, 1800, and CTN numbers. You can generate multiple tokens for different team members or applications, and revoke them independently if needed.

Authentication is the first step in any API integration. Once you have your token, you can use any of the API endpoints: the Services API to list your numbers, the CDR API to retrieve call records, and the Routing API to manage call forwarding and recording.

How to Generate Your API Token

Generating an API token is a simple process that takes less than a minute. Follow these steps:

Step 1: Log in to your Simple Telecom console at console.simpletelecom.com.au using your account credentials.

Step 2: Navigate to Settings → API Access. This section is where all API authentication settings are managed.

Step 3: Click ‘Generate API Token’. Your token will be displayed once — it will be in the format st_... followed by a unique string of characters. Copy it immediately and store it securely.

Step 4: Your token is now active. You can start using it in API requests right away. If you ever need to disable API access, you can revoke the token from the same screen.

Important: The token is shown only once when you generate it. If you lose it, you’ll need to revoke the old token and generate a new one. There’s no way to retrieve a previously generated token.

Using Your Token in API Requests

Once you have your token, include it in every API request using the Authorization header. The format is: Authorization: Bearer st_your_token_here. Here’s a cURL example:

curl -X GET "https://api.simpletelecom.com.au/v1/api/services" -H "Authorization: Bearer st_your_token_here"

In JavaScript using fetch: const response = await fetch(url, { headers: { 'Authorization': 'Bearer st_your_token_here' } });

In PHP: curl_setopt($ch, CURLOPT_HTTPHEADER, ['Authorization: Bearer st_your_token_here']);

If you don’t include a valid token, the API returns a 401 Unauthorized response with the error code unauthorized and a message indicating the Authorization header is missing or invalid. A blank token in the console means API access is disabled — simply generate a new token to re-enable it.

Illustration related to call tracking and phone numbers and pricing

Token Security Best Practices

Your API token is a secret credential — treat it as carefully as you would a password. Here are essential security practices:

Never share your token publicly. Don’t include it in client-side code, public repositories, screenshots, or logs. If you accidentally expose a token, revoke it immediately from the console and generate a new one.

Use environment variables. Store your API token in environment variables or a secrets manager, not in your source code. In a local development environment, use a .env file that’s excluded from version control. In production, use your platform’s secrets management service.

Generate separate tokens for different applications. If you have multiple integrations — a CRM integration, a reporting dashboard, and a routing automation script — generate a unique token for each. This way, if one token is compromised, you can revoke it without affecting your other integrations.

Rotate tokens periodically. Generate new tokens and revoke old ones on a regular schedule, such as every 90 days. This limits the window of exposure if a token is leaked without your knowledge.

Customer service icon

Set your business apart from your competitors.

Business professional using phone services

Understanding Rate Limiting

The API enforces rate limiting to ensure fair usage across all customers. When you make API requests, the response headers include your current rate limit status:

X-RateLimit-Limit: The maximum number of requests allowed in the current time window. X-RateLimit-Remaining: The number of requests remaining in the current window. X-RateLimit-Reset: A Unix timestamp indicating when the limit resets.

If you exceed the rate limit, the API returns a 429 Too Many Requests response. Your integration should handle this by checking the rate limit headers and implementing retry logic with backoff. For example, if you receive a 429 response, wait until the reset time and retry the request.

For most use cases — querying CDRs every 5–15 minutes, making occasional routing updates — rate limits are more than sufficient. If you need higher limits for a specific application, contact API support to discuss your requirements.

Troubleshooting Authentication Issues

Authentication issues are the most common problem when starting with the API. Here are the most frequent issues and how to resolve them:

401 Unauthorized: Your token is missing, invalid, or expired. Double-check that you’ve included the Authorization: Bearer header with the correct format. If you recently regenerated your token, update all integrations with the new token.

403 Forbidden: Your token is valid but you’re trying to access a service that doesn’t belong to your account. Check that you’re using the correct service ID or number.

Blank token in console: If the API Access screen shows a blank token field, API access is currently disabled. Click ‘Generate API Token’ to create a new token.

For persistent issues, contact api-support@simpletelecom.com.au with the details of the error response you’re receiving.

User profile icon

Frequently Asked Questions

Frequently Asked Questions About API Authentication

What if I lose my API token?

If you lose your token, revoke the old one from the console and generate a new one. The token is only shown once when generated, so always store it securely immediately after creation.

How many API tokens can I have?

You can generate multiple tokens for different applications or team members. Each token can be revoked independently, giving you granular control over API access.

Can I use the same token from multiple servers?

Yes. A single token can be used from multiple IP addresses or servers simultaneously. The rate limit applies per token, not per IP address.

How do I revoke a token?

Go to Settings → API Access in your Simple Telecom console. You’ll see a list of active tokens with a revoke option next to each one. Clicking revoke immediately invalidates the token.

Does the token expire?

Tokens do not expire automatically, but we recommend rotating them periodically (every 90 days) as a security best practice. Revoke the old token and generate a new one.