Authentication
All org-facing API endpoints require a Bearer token.
API Keys
Generate keys from Dashboard > Settings > API Keys. Two types:
| Type | Prefix | Purpose |
|---|---|---|
| Live | bzzz_live_ | Production notifications, logged to history |
| Test | bzzz_test_ | Safe testing, sends to max 1 device, not logged |
Using your key
Pass it in the Authorization header:
bash
curl -X POST https://api.bzzz.sh/v1/notify \
-H "Authorization: Bearer bzzz_live_abc123..." \
-H "Content-Type: application/json" \
-d '{ "body": "Hello!", "target": "all" }'Key security
- Keys are shown once at creation. Store them securely.
- We store a SHA-256 hash, never the raw key.
- Only the first 17 characters (prefix) are visible in the dashboard.
- Revoke compromised keys immediately from Settings.
Dashboard authentication
The dashboard at app.bzzz.sh uses email and password authentication with session cookies. API keys are not used for dashboard access.
Rate limits
| Endpoint | Limit |
|---|---|
POST /v1/notify | 120 requests/min per API key |
POST /v1/devices | 30 requests/min per IP |
Each /v1/notify call delivers to all matched subscribers in a single request. So 120 requests/min means 120 separate broadcasts, each of which can reach thousands of devices.
Exceeding the limit returns 429 Too Many Requests.