API requests are authenticated using an API token. Tokens can be generated in the PhishingBox portal by navigating to Administration > API > Token. Once generated, the token should be included in API requests using the api-token HTTP header. The documentation also shows that requests using JSON should include the content-type header with a value of application/json.
API tokens should be treated like passwords because they grant access to API functionality for the account. Administrators should avoid sharing tokens publicly, storing them in unsecured locations, or exposing them in screenshots, tickets, or code repositories. If a token is no longer needed, or if there is concern that it may have been exposed, it should be removed and replaced with a new one.
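
The following sketch is an added example, not code from the PhishingBox documentation. It shows one way to send the api-token and content-type headers described above while keeping the token out of source code and out of anything that gets logged or pasted into a ticket. The environment variable name, the placeholder URL, the POST method, the sample payload and the HTTPS check are assumptions made for illustration.

```python
import json
import os
import urllib.request

# Assumptions (not from the PhishingBox documentation): the environment
# variable name, the placeholder URL and the sample payload are constructed.
TOKEN_ENV_VAR = "PHISHINGBOX_API_TOKEN"
PLACEHOLDER_URL = "https://api.example.invalid/placeholder-endpoint"


def load_token(environ=os.environ):
    """Read the token from the environment so it never lives in a repository."""
    token = environ.get(TOKEN_ENV_VAR, "").strip()
    if not token:
        raise RuntimeError(f"{TOKEN_ENV_VAR} is not set")
    return token


def build_request(url, payload, token):
    """Build a JSON request carrying the api-token and content-type headers."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send the token over a non-HTTPS URL")
    body = json.dumps(payload).encode("utf-8")
    return urllib.request.Request(
        url,
        data=body,
        method="POST",  # assumed method; use whatever the endpoint requires
        headers={"api-token": token, "content-type": "application/json"},
    )


def redacted_headers(request):
    """Return headers that are safe to log or screenshot: the token is masked."""
    safe = {}
    for name, value in request.header_items():
        if name.lower() == "api-token":
            value = "***redacted***"
        safe[name.lower()] = value
    return safe


if __name__ == "__main__":
    req = build_request(PLACEHOLDER_URL, {"sample": "constructed"}, load_token())
    # Only the redacted view is printed; the request is built but not sent.
    print(req.get_method(), req.full_url, redacted_headers(req))
```
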