Security model

Authenticate each surface with the right credential.

StateSet Voice separates tenant runtime traffic from platform administration, Twilio callback verification, browser admin sessions, and short-lived media stream access.

Request API key Start building Endpoint guides Authentication Production readiness

Runtime APIBearer tenant keys

Admin APIx-admin-key

TelephonyTwilio signatures

SpecsOpenAPI 3.1

Credential types

Credential	Use
Tenant bearer token	Public tenant API calls such as outbound calls, sessions, call logs, and automation endpoints.
Admin API key	Tenant configuration, API keys, agents, rollout governance, diagnostics, and phone routes.
Admin session cookie	Browser admin workflows after username/password login is configured.
Twilio signature	Incoming Twilio webhook callbacks before returning TwiML or acknowledging status events.
Stream token	Short-lived credential used during Twilio Media Streams WebSocket setup.

Tenant request

curl -sS "https://voice.stateset.app/api/v1/call-logs?limit=10" \
  -H "Authorization: Bearer ${STATESET_VOICE_API_KEY}"

Admin request

curl -sS "https://voice.stateset.app/api/v1/admin/tenants" \
  -H "x-admin-key: ${STATESET_ADMIN_API_KEY}"

Operational rules

Keep tenant API keys and admin API keys in separate secret stores and CI scopes.
Use one tenant credential per environment or integration boundary.
Verify Twilio signatures in production and rotate stream-token secrets with a previous-secret overlap window.