Samva
Samva
DashboardAPISamva DocumentationQuickstart GuideAuthentication

Authentication

Secure your API requests and manage user authentication

Samva uses two authentication methods:

  • API Keys for server-to-server communication
  • Better Auth for dashboard and user authentication

Security First: All API requests must be authenticated. We use industry-standard security practices to protect your data.

API Key Authentication

Creating API Keys

  1. Log in to the Samva Dashboard
  2. Navigate to Developers → API Keys
  3. Click Create API Key
  4. Set permissions and expiry (optional)
  5. Copy the key immediately - it won't be shown again

Using API Keys

Include your API key in the X-API-Key header:

// TypeScript SDK
import { createSamvaClient } from 'samva';

const samva = createSamvaClient({
  apiKey: 'sk_live_your_api_key_here'
});
# REST API
curl -H "X-API-Key: sk_live_your_api_key_here" \
  https://samva.app/api/v1/messages

API Key Types

TypePrefixUsageRate Limits
Livesk_live_Production useStandard limits
Testsk_test_Development & testingReduced limits
Restrictedsk_restricted_Limited permissionsBased on config

Best Practices

Use Environment Variables

Never hardcode API keys in your source code

Rotate Keys Regularly

Update your API keys every 90 days

Use Restricted Keys

Create keys with minimal required permissions

Monitor Usage

Track API key usage in the dashboard

User Authentication (Better Auth)

Overview

The Samva Dashboard uses Better Auth with:

  • Email/Password authentication
  • Multi-factor authentication (MFA)
  • Organization-based multi-tenancy

Sign Up Flow

// Sign up with email and password
const response = await fetch('/api/auth/signup', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    email: 'user@example.com',
    password: 'secure_password',
    name: 'John Doe',
    organization: 'Acme Corp'
  })
});

// Verify email
await fetch('/api/auth/verify-email', {
  method: 'POST',
  body: JSON.stringify({
    token: 'verification_token_from_email'
  })
});

Login Flow

// Login with email/password
const response = await fetch('/api/auth/login', {
  method: 'POST',
  credentials: 'include',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    email: 'user@example.com',
    password: 'your_password'
  })
});

Session Management

// Check current session
const session = await fetch('/api/auth/session', {
  credentials: 'include'
});

// Logout
await fetch('/api/auth/logout', {
  method: 'POST',
  credentials: 'include'
});

Organization & Multi-Tenancy

Organization Structure

Each Samva account belongs to an organization:

interface Organization {
  id: string;
  name: string;
  credits: number;       // Prepaid credits
  settings: {
    default_sender_ids: Record<string, string>;
    webhook_url?: string;
    ip_whitelist?: string[];
  };
}

Team Management

Team members can be invited through the dashboard:

  1. Navigate to Settings → Team
  2. Click Invite Member
  3. Enter their email and select a role (Admin, Developer, or Viewer)
  4. The invited user receives an email with an invitation link

Security Features

Rate Limiting

API requests are rate-limited per API key:

PlanRequests/SecondRequests/HourRequests/Day
Free101,00010,000
Starter5010,000100,000
Business10050,0001,000,000
EnterpriseCustomCustomCustom

Rate limit headers in responses:

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1640995200

IP Whitelisting

Restrict API access to specific IP addresses:

  1. Navigate to Settings → Organization → Security
  2. Enable IP Whitelisting
  3. Add allowed IP addresses or CIDR ranges
Example whitelist:
- 203.0.113.0/24
- 198.51.100.42

Webhook Signatures

Verify webhook authenticity:

import crypto from 'crypto';

function verifyWebhookSignature(
  payload: string,
  signature: string,
  secret: string
): boolean {
  const hmac = crypto.createHmac('sha256', secret);
  const digest = hmac.update(payload).digest('hex');
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(digest)
  );
}

// In your webhook handler
app.post('/webhooks/samva', (req, res) => {
  const signature = req.headers['x-samva-signature'];
  const isValid = verifyWebhookSignature(
    JSON.stringify(req.body),
    signature,
    process.env.WEBHOOK_SECRET
  );
  
  if (!isValid) {
    return res.status(401).send('Invalid signature');
  }
  
  // Process webhook...
});

Error Handling

Authentication Errors

Error CodeDescriptionSolution
401Invalid or missing API keyCheck your API key
403Insufficient permissionsUse a key with required permissions
429Rate limit exceededReduce request frequency
498Token expiredRefresh your session

Common Issues

Invalid API Key Format

{
  "error": "INVALID_API_KEY",
  "message": "API key must start with sk_live_ or sk_test_"
}

Organization Not Found

{
  "error": "ORG_NOT_FOUND",
  "message": "No organization associated with this API key"
}

Next Steps

API Reference

Explore all API endpoints

Quickstart Guide

Send your first email

Webhooks

Configure webhook endpoints

Quickstart Guide

Send your first email with Samva in 5 minutes

API Reference

Complete reference for all Samva API endpoints

On this page

API Key AuthenticationCreating API KeysUsing API KeysAPI Key TypesBest PracticesUser Authentication (Better Auth)OverviewSign Up FlowLogin FlowSession ManagementOrganization & Multi-TenancyOrganization StructureTeam ManagementSecurity FeaturesRate LimitingIP WhitelistingWebhook SignaturesError HandlingAuthentication ErrorsCommon IssuesNext Steps