Authentication
Learn how to authenticate your applications with the TWS OS platform. All API requests must be made over HTTPS and authenticated using bearer tokens.
Never share your API keys or expose them in client-side code (e.g., in a browser or mobile app). All API calls should originate from secure server-side environments.
Base URL
All API requests in production are served from our high-availability subdomain:
API Keys
When you create an account in TWS OS, you are issued two types of API keys:
Secret Key (tws_live_...)
Used for server-side authentication (e.g., executing custom actions, editing contacts, initiating workflow triggers). These keys hold broad administrative permissions.
Publishable Key (tws_pub_...)
Can be safely used in front-end widgets (e.g., embedded lead capture forms, scheduling widgets). These are restricted solely to read-only intake routing queries.
Header Authentication
Authenticate your API requests by including your secret key in the Authorization HTTP header.
Authorization: Bearer <tws_live_your_secret_key> Content-Type: application/json X-TWS-Practice-ID: practice_68c92a95c
Making Your First Request
Here is an example structure using curl to verify your access key:
curl -X GET https://pos.texaswebservice.com/api/v1/ping \
-H "Authorization: Bearer tws_live_6f3e1a0b9d8c7e6" \
-H "X-TWS-Practice-ID: practice_68c92a95c"
Response Payload
A successful request returns a `200 OK` status and the workspace organization settings payload:
{
"status": "success",
"message": "Authorized successfully",
"workspace": {
"practice_id": "practice_68c92a95c",
"name": "Houston Derma Specialty Clinic",
"owner": "Chad Black",
"environment": "live",
"stripe_connect_status": "active",
"capabilities": [
"workflows",
"ai_intake",
"communications_sms_email",
"invoice_management"
]
}
}