API Usage Policy

This API Usage Policy governs the technical implementation and integration of the RESTful API endpoints and developer gateways offered by BlackSMS ("we," "our," or "us"), available at https://blacksms.in.

1. API Key Security & Authentication

Every account is provided with unique API credentials (keys and tokens) to authenticate outbound requests. Security of these credentials is the sole responsibility of the customer:

• No Client-Side Exposure: You must never expose your BlackSMS API keys in client-side code (such as React, Vue, Angular, mobile application source code, or frontend JavaScript). API requests must always be routed through your secure backend servers.
• HTTPS Mandate: All API requests must be transmitted securely over HTTPS. Unencrypted HTTP requests will be automatically rejected by our edge firewalls.
• Key Rotation: We recommend rotating your API keys every 90 days. If you suspect any unauthorized credential exposure, you must regenerate your API keys immediately through the dashboard.

2. Rate Limiting & TPS (Transactions Per Second)

To maintain gateway stability and prevent service degradation, BlackSMS enforces rate limits on all API endpoints. Standard accounts are capped at a default limit of 10 Transactions Per Second (TPS). If your application exceeds this threshold, the API will return a 429 Too Many Requests HTTP response code. If your business requires higher capacity, you must request a custom TPS allocation from our technical support team.

3. Payload and Parameter Restrictions

All API payloads must adhere to our structural validation criteria:

• DLT ID Mapping: Every outbound message request must contain valid, matching parameters for dlt_entity_id and dlt_template_id. Requests missing these parameters will fail validation.
• Character Encoding: Outbound messages must be formatted in GSM 7-bit encoding or UTF-8 (for Unicode/regional language messages). Character limits per SMS credit (160 for GSM, 70 for Unicode) are strictly enforced.

4. Abuse and Automated Thread Restrictions

You may not use multithreaded requests or script loops to flood our API with concurrent connection attempts that mimic a Distributed Denial of Service (DDoS) attack. If our automated network filters detect anomalous volume increases or malformed request payloads, the originating IP address will be blacklisted automatically.

5. API Modifications

BlackSMS reserves the right to update or modify our API endpoints, request/response structures, and query parameters. We will provide developers with at least 30 days of advance notice before deprecating any API version to ensure smooth migration.