Authentication

Smooven uses a Dual-Key authentication model that separates client-side identity from server-side operations.

| Key | Header | Use case | Visibility |
| --- | --- | --- | --- |
| App ID | X-App-ID | Client-side SDK registration, player identity | Public (safe for frontend code) |
| Secret Key | Authorization: Bearer <key> | Server-to-server API calls, sending notifications | Private (never expose in client code) |

For all API calls that trigger notifications, use the Secret Key as a Bearer token:

curl -X POST https://api.smooven.io/v1/agent/notify \
  -H "Authorization: Bearer sk_live_abc123..." \
  -H "Content-Type: application/json" \
  -d '{ "channel": "sms", "to": "+61400000000", "message": "Test" }'

When registering players (users) from your frontend or mobile app, use the App ID:

// Browser or React Native
const response = await fetch('https://api.smooven.io/v1/players/register', {
  method: 'POST',
  headers: {
    'X-App-ID': 'app_live_xyz789...',
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    external_id: 'user_123',
    channels: {
      push: { device_token: 'fcm_token_here' },
      email: 'user@example.com',
    },
  }),
});
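
One way to enforce the split between the two keys on your own side, shown as an added example that is not Smooven's code: a server-side request builder that only takes the Secret Key from the environment, and a build-time check that fails if a Secret Key appears in frontend output. The names `SMOOVEN_SECRET_KEY`, `buildNotifyRequest` and `findLeakedSecretKeys` are hypothetical, and the `sk_` / `app_` prefixes are assumed from the sample values on this page.

```javascript
// Added example: all names here are hypothetical, not part of a Smooven SDK.
const NOTIFY_URL = 'https://api.smooven.io/v1/agent/notify';
// Assumption: Secret Keys start with "sk_" and App IDs with "app_",
// as in the sample values on this page.
const SECRET_KEY_PATTERN = /\bsk_[a-z]+_[A-Za-z0-9]+/g;

// Build the server-to-server notify request. The Secret Key comes from the
// process environment, never from source code or a client-supplied value.
function buildNotifyRequest(env, payload) {
  if (typeof window !== 'undefined') {
    throw new Error('Secret Key must not be used in browser code');
  }
  const key = env.SMOOVEN_SECRET_KEY;
  if (!key) throw new Error('SMOOVEN_SECRET_KEY is not set');
  if (!key.startsWith('sk_')) {
    // Catches an App ID pasted into the Secret Key slot.
    throw new Error('SMOOVEN_SECRET_KEY does not look like a Secret Key');
  }
  return {
    url: NOTIFY_URL,
    options: {
      method: 'POST',
      headers: {
        Authorization: `Bearer ${key}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify(payload),
    },
  };
}

// Scan built frontend output for anything shaped like a Secret Key.
// Matches are redacted so the finding itself does not re-leak the key.
function findLeakedSecretKeys(bundleText) {
  const matches = bundleText.match(SECRET_KEY_PATTERN) || [];
  return matches.map((m) => `${m.slice(0, 8)}...[redacted]`);
}

// Constructed sample input: a frontend bundle containing an App ID (fine)
// and a mistakenly inlined Secret Key (should fail the build).
const sampleBundle =
  "fetch(u,{headers:{'X-App-ID':'app_live_EXAMPLE0001'}});" +
  "const k='sk_live_EXAMPLE0002';";
const leaks = findLeakedSecretKeys(sampleBundle);
if (leaks.length > 0) console.log('Secret Key found in client bundle:', leaks);
```

On the server, pass the result to `fetch(req.url, req.options)`; in CI, run `findLeakedSecretKeys` over each built frontend file and fail the job on any match.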

To find your keys, navigate to Settings > API Keys in the Smooven dashboard. Each project gets one App ID and one Secret Key by default. Enterprise plans support multiple keys with scoped permissions.

You can rotate your Secret Key from the dashboard at any time. The previous key remains active for 24 hours to allow for a smooth transition. App IDs cannot be rotated (they are permanent identifiers for your project).

Use separate Smooven projects for development, staging, and production. Each project gets its own key pair, ensuring test traffic never mixes with production data.

All API traffic is encrypted using TLS 1.3. Smooven’s key exchange layer adds quantum-safe encryption using a hybrid of classical ECDH and CRYSTALS-Kyber (ML-KEM). This protects against both current and future quantum computing threats.

For more details, see Dual-Key Authentication and Quantum-Safe Encryption.