The XSender API exposes a small, focused HTTP surface for sending Email, SMS, and WhatsApp messages from any external system: backends, CRMs, mobile apps, no-code platforms, e-commerce stores, and automation tools such as Zapier or Make.
This page is the canonical reference for: authentication, base URL, headers, request and response format, rate limits, errors, and the /api/email/send, /api/sms/send, /api/whatsapp/send endpoints.
Every request is made against the installation's own domain:
https://YOUR-XSENDER-DOMAIN/apiReplace YOUR-XSENDER-DOMAIN with the host where you installed XSender (for example app.example.com). All examples below use a placeholder.
Every request must include your API key in the request header:
| Header | Value |
|---|---|
Api-key | Your unique API key |
Content-Type | application/json |
User Panel → Settings → API Key. Each user has their own key tied to their account, gateways, contacts, and plan limits.Admin Panel → Settings → API Key. Admin-scope key uses the admin's configured gateways and bypasses user plan checks.Security: treat the API key like a password. Rotate it whenever you suspect compromise. Use TLS (HTTPS) for every request — XSender refuses plain-HTTP API traffic by default.
All endpoints return JSON with a consistent envelope:
{
"success": true,
"message": "Human readable status",
"data": [ /* per-endpoint payload */ ]
}On failure, success is false and an appropriate HTTP status code is returned. See Errors below.
POST /api/email/sendSends one or many emails through the gateway you select via gateway_identifier, or — if omitted — the user's default email gateway.
{
"contact": [
{
"email": "[email protected]",
"subject": "Welcome to Acme",
"message": "Hi Alice,\nThanks for signing up.",
"sender_name": "Acme Support",
"gateway_identifier": "smtp-primary"
}
]
}{
"contact": [
{ "email": "[email protected]", "subject": "Hi Alice", "message": "..." },
{ "email": "[email protected]", "subject": "Hi Bob", "message": "..." },
{ "email": "[email protected]", "subject": "Hi Carol", "message": "..." }
]
}{
"contact": [
{
"email": "[email protected]",
"subject": "Reminder",
"message": "Don't forget…",
"schedule_at": "2026-06-01 09:00:00"
}
]
}schedule_at must be in Y-m-d H:i:s format in the XSender server's timezone.
{
"contact": [
{
"email": "[email protected]",
"subject": "Your invoice",
"message": "Please find your invoice attached.",
"attachments": [
{ "type": "image", "url": "https://cdn.example.com/img/logo.png" },
{ "type": "file", "url": "https://cdn.example.com/inv/2026-05.pdf" }
]
}
]
}curl -X POST https://YOUR-XSENDER-DOMAIN/api/email/send \
-H "Api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"contact": [
{ "email": "[email protected]", "subject": "Hello", "message": "Hi from XSender" }
]
}'{
"success": true,
"message": "New Email Request Sent, Please Check The Email History For Final Status",
"data": [
{
"uid": "c8d1b339-1887-45bb-aee4-8cdc3e98e0a1",
"email": "[email protected]",
"status": "Pending",
"created_at": "2026-05-23 12:00 PM"
}
]
}Each uid can be used later with GET /api/get/email/{uid} to fetch the final delivery state (Sent, Delivered, Opened, Bounced, Failed, etc.).
POST /api/sms/send{
"contact": [
{
"number": "+15555550123",
"body": "Your verification code is 482915",
"sms_type": "plain",
"gateway_identifier": "twilio-primary"
}
]
}sms_type is one of plain, otp, marketing. gateway_identifier picks a specific SMS gateway; omit it to use the user's default. Scheduling, bulk, and response shape mirror the Email endpoint.
POST /api/whatsapp/send{
"contact": [
{
"number": "+15555550123",
"message": "Your order *#A1023* has shipped.",
"session_name": "store-main"
}
]
}{
"contact": [
{
"number": "+15555550123",
"message": "Order confirmation",
"media": "image",
"url": "https://cdn.example.com/orders/A1023.png",
"session_name": "store-main"
}
]
}session_name targets a specific connected WhatsApp session (Node device or WhatsApp Cloud API gateway). Omit it to use the user's primary session. Supported media values: image, video, audio, document.
For simple integrations (such as some IoT devices), each send endpoint also accepts GET:
GET /api/email/[email protected]&subject=Hi&message=Hello
GET /api/sms/send?number=+15555550123&body=Code+482915
GET /api/whatsapp/send?number=+15555550123&message=HelloSame Api-key header is required. Do not place the API key in the query string.
GET /api/get/{channel}/{uid}GET /api/get/email/c8d1b339-1887-45bb-aee4-8cdc3e98e0a1
GET /api/get/sms/aa1bd670-861f-4607-9695-2710cffa1234
GET /api/get/whatsapp/1ea910b9-bafb-41b1-82a5-bb8c750e5678Returns the dispatch record with current status, gateway response, timestamps, and (for email) tracking events.
Default: 60 requests / minute / API key against the api middleware. Webhook endpoints are exempt from this throttle. Bulk sends count as one API request regardless of recipient count, so prefer batching to many small calls.
When throttled, XSender returns HTTP 429 with header Retry-After indicating seconds until you may retry.
| HTTP | Meaning | Resolution |
|---|---|---|
| 400 | Validation error | Read errors array; fix payload. |
| 401 | Missing / invalid Api-key | Confirm header and key value. |
| 402 | Plan limit exhausted | Buy more credit or upgrade plan. |
| 404 | Gateway / session not found | Check gateway_identifier or session_name. |
| 422 | Business-rule rejection (e.g. opt-out, suppression list) | Inspect message body. |
| 429 | Throttled | Honour Retry-After. |
| 500 | Server error | Retry; if it persists, share the response body with support. |