
Obtain an API token

Overview

An API token is a Bearer (user session) token issued to a customer's user. Each user manages their own tokens — admins can revoke any user's tokens.

Get a token from your provisioned account

  1. Log in to the admin console: https://app.zorio.vn
  2. Go to Settings → API Tokens.
  3. Click Create new token → name it and pick a permission scope.
  4. Copy the token immediately — it's only shown once. If lost → revoke and create a new one.

Token security

  • DO NOT commit tokens to git.
  • DO NOT embed tokens in frontend code.
  • Store tokens in a vault / secret manager (1Password, AWS Secrets Manager, ...).
  • A token can be revoked at any time → your CRM must handle 401 gracefully.

Use the token in requests

Every HTTP request to the API must include two headers:

Authorization: Bearer <YOUR_TOKEN>
Accept: application/json

cURL example

bash
curl -X GET 'https://app.zorio.vn/api/pbx/extensions' \
  -H 'Authorization: Bearer 1|abcdefghijklmnopqrstuvwxyz0123456789' \
  -H 'Accept: application/json'

Node.js example

js
const response = await fetch('https://app.zorio.vn/api/pbx/extensions', {
  headers: {
    Authorization: 'Bearer ' + process.env.ZORIO_TOKEN,
    Accept: 'application/json',
  },
});
const json = await response.json();

Token rotation

Rotate every 90 days — industry standard.

When a token is revoked

The API returns HTTP 401 with body:

json
{ "message": "Unauthenticated." }

Your CRM should catch 401 → show a "Token expired" message and direct the user to the admin console to get a fresh token.
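
One way a CRM integration could handle the revoked-token case described above, as an added example (not Zorio's own code). The names `ZorioAuthError`, `zorioGet`, `fetchImpl` and `demo` are hypothetical, and the stub responses are constructed so the 401 path runs offline.

```javascript
// Added example: ZorioAuthError, zorioGet, fetchImpl and demo are hypothetical names.
const BASE_URL = 'https://app.zorio.vn';

class ZorioAuthError extends Error {
  constructor(apiMessage) {
    super('Token expired: create a fresh token in the admin console (' + BASE_URL + ')');
    this.name = 'ZorioAuthError';
    this.apiMessage = apiMessage; // message field from the 401 body
  }
}

// fetchImpl is injectable so the 401 path can be exercised without the network.
async function zorioGet(path, { token = process.env.ZORIO_TOKEN, fetchImpl = fetch } = {}) {
  if (!token) throw new Error('ZORIO_TOKEN is not set');
  const response = await fetchImpl(BASE_URL + path, {
    headers: { Authorization: 'Bearer ' + token, Accept: 'application/json' },
  });
  if (response.status === 401) {
    // Documented body is { "message": "Unauthenticated." }; tolerate a non-JSON body.
    const body = await response.json().catch(() => ({}));
    throw new ZorioAuthError(body.message || 'Unauthenticated.');
  }
  if (!response.ok) throw new Error('Zorio API error: HTTP ' + response.status);
  return response.json();
}

// Constructed stub responses (not real API output) standing in for the network.
const revokedFetch = async () => ({
  status: 401, ok: false, json: async () => ({ message: 'Unauthenticated.' }),
});
const okFetch = async (url, init) => ({
  status: 200, ok: true, json: async () => ({ url, sentHeaders: init.headers }),
});

async function demo() {
  const out = {};
  out.ok = await zorioGet('/api/pbx/extensions', { token: 'constructed-token', fetchImpl: okFetch });
  try {
    await zorioGet('/api/pbx/extensions', { token: 'constructed-token', fetchImpl: revokedFetch });
  } catch (err) {
    // Show err.message to the user; never log the token itself.
    out.revoked = { name: err.name, apiMessage: err.apiMessage, userMessage: err.message };
  }
  return out;
}
```

In production, omit `fetchImpl` and `token` so the call uses the global `fetch` and the `ZORIO_TOKEN` environment variable.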

Licensed under Zorio's terms of use.