Dial x402

API Keys (Long-Lived Bearer)

Mint dial_live_* keys from the dashboard for bots and scripts that cannot refresh a Privy session every hour.

API Keys (Long-Lived Bearer)

Use dial_live_* API keys when you need a credential that survives restarts, cron jobs, and server-side clients (Elixir, Python, Node) without re-implementing Privy session refresh.

Mint keys from /dashboard/billing under the API Keys card. The secret is shown once at creation — copy it immediately.

Quickstart

curl -X POST https://x402.dial.wtf/api/v1/messaging/send \
  -H "Authorization: Bearer dial_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"from":"pool","to":"+15125551234","body":"hello from my bot"}'

SDK

import { DialClient } from "@dial/api";

const dial = new DialClient({
  baseUrl: "https://x402.dial.wtf",
  auth: { apiKey: process.env.DIAL_API_KEY! },
});

Scopes

Each key carries an allow-list. Privy dashboard sessions bypass scope checks; API keys do not.

ScopeRoutes
sms:sendPOST /api/v1/messaging/send, POST /api/v1/numbers/mine/send
numbers:buyPOST /api/v1/numbers/buy, /buy/us, /buy/intl, POST /api/v1/numbers/mine/renew
numbers:readGET /api/v1/numbers/mine, GET /api/v1/numbers/mine/messages, GET /api/v1/messaging/threads, GET /api/v1/messaging/threads/:counterparty
lookup:readPOST /api/v1/lookup
dehashed:searchPOST /api/v1/dehashed/search, POST /api/v1/dehashed/search-with-credits
esim:orderPOST /api/v1/esim/checkout
verifications:startPOST /api/v1/verifications/start

Missing scope → 403 with { "error": "missing_scope", "required": "…" }.

API keys vs Bearer (Privy) vs x402

Use casePick
Browser / dashboard sessionPrivy bearer (auto-refreshed ~hourly)
Long-running bot, cron, partner backenddial_live_* API key
One-off agent payment, no accountx402 per request

Rotation (zero downtime)

  1. Mint a new key with the same scopes in /dashboard/billing.
  2. Deploy or update your .env with the new secret.
  3. Revoke the old key from the dashboard.
  4. Confirm traffic stopped on the old prefix via audit logs.

Security

  • Treat keys like passwords — never commit them to git.
  • If leaked, revoke immediately and rotate.
  • Keys cannot mint other keys (dashboard Privy session required for CRUD).

Bearer Token (Credits Auth)

Where the Bearer token comes from, how to grab one from the dashboard, and how to use it on credits-mode API endpoints.

API Stability

Our deprecation promise, the rolling sunset window, and the live stability scorecard.

On this page

API Keys (Long-Lived Bearer)QuickstartSDKScopesAPI keys vs Bearer (Privy) vs x402Rotation (zero downtime)Security