Authentication

Every Bird API request authenticates with a Bearer token.

Bearer token header

curl https://api.bird.com/v1/emails \
  -H "Authorization: Bearer bird_live_xxxxxxxx"

The same header works on every endpoint — emails, SMS, voice, WhatsApp, verifications, flows, TTS, templates, and every configuration resource.

Test keys vs live keys

• bird_test_* — sends only to the sanctioned test recipients (delivered@bird.dev, +15005550006, +15005550010, +15005550009). Free. Full feature parity with live.
• bird_live_* — production traffic. Billed by usage. Unlocked when you add a payment method and verify a sender.

User-Agent requirement

All API requests must include a User-Agent header. Requests without this header are rejected with 403. Our SDKs set it automatically; if you're calling the API directly, identify your app.

curl https://api.bird.com/v1/emails \
  -H "Authorization: Bearer bird_live_xxxxxxxx" \
  -H "User-Agent: acme-checkout/1.4.0" \
  -H "Content-Type: application/json" \
  -d '{ "to": "delivered@bird.dev", "from": "Bird Test <onboarding@bird.dev>", "subject": "Hi", "text": "Hello." }'

Rate limits

The default limit is 100 requests per second per team. Higher limits are available on Scale and above. When you hit the limit the API returns 429 rate_limited with a Retry-After header — see /docs/errors.

Scopes

Keys are scoped at creation. Use the narrowest scope that covers the work.

Rotating keys

Keys rotate without downtime. The dashboard issues a new key, keeps the old one valid for a 24-hour overlap window, and surfaces the cutover so you can update your environment before revoking the previous key.

MCP keys

MCP clients (Claude, Cursor, Cline) use scoped keys that can read everything and send only to the sanctioned test recipients. See /docs/mcp for the install flow.