Developer terms.
The rules for calling the Message REST API, the WebSocket, and the SDKs. Authentication, rate limits, acceptable use, deprecation policy, security responsibilities, and dispute resolution.
01Scope and who this binds
These Developer Terms (the "Terms") bind anyone who calls the Message REST API, connects to the WebSocket, installs the Message SDKs, or otherwise accesses the Message platform programmatically (each, a "Developer").
The Terms supplement the main Terms of Service, the Acceptable Use Policy, the Privacy Policy, and where applicable the Data Processing Addendum. If a conflict exists, these Terms control with respect to the API, SDK, and other developer surfaces; the main agreements control for everything else.
By generating an API key, calling the API, or installing an SDK, you accept these Terms on behalf of yourself and any organisation you represent.
02Authentication and credentials
Today the platform authenticates Developers using a workspace JWT issued to a signed-in user. We are introducing long-lived API keys and OAuth 2.1 client credentials (with optional PKCE) for installable apps; see the changelog at /developers for the rollout.
You must keep credentials confidential. Do not embed an API key in client-side code that ships to end users; use the public widget snippet instead. Do not share keys across organisations. Rotate keys promptly on any suspected exposure, on team departures, and at least every 12 months. We may revoke a credential that we suspect has leaked.
You are responsible for everything done with your credentials, even if a third party uses them, until you revoke and notify us in writing.
03Rate limits and quotas
Default rate limits are 1,000 requests per minute per workspace across the REST API, with per-endpoint sub-limits documented at /developers/get-started/errors-rate-limits-versioning. WebSocket connections are limited to 200 concurrent per workspace by default. Bulk endpoints carry their own quotas (e.g. /messages/bulk is 50 requests per minute).
Limits are enforced with HTTP 429 responses and Retry-After headers. Respect Retry-After; do not retry faster than the header indicates. We may grant higher limits to enterprise customers on request to [email protected]; we may also temporarily lower a limit on a specific endpoint during a security or stability incident.
Sustained abuse of the limits (for example, retrying through 429s without backoff or running a fleet of clients to bypass the per-workspace cap) is grounds for suspension.
04Acceptable use of the API
The full Acceptable Use Policy applies to API usage. In addition, the following are specifically prohibited for Developers:
- Scraping or harvesting data from other customers' workspaces, including through misconfigured shares or any side channel.
- Resale of API access (selling your own workspace's API output to third parties as a service) without an active Reseller agreement under the Partner Program Terms.
- Using the API or any export to train AI models that compete with Message AI, voice cloning, or our agent assist. Customer-owned data exported from a Developer's own workspace may be used to train models that operate inside that workspace; it may not be used to train models offered for sale to third parties.
- Circumventing rate limits, billing meters, or feature gates with multiple workspaces, header spoofing, or proxy chains.
- Sending unsolicited messages (chat, SMS, voice) through the platform, including programmatically; consent is your responsibility and the AUP applies in full.
- Probing for vulnerabilities outside the scope of our published security testing policy at /trust. Authorised testing is welcome under that policy.
05Test and production environments
We provide a sandbox workspace mode for development. Sandbox workspaces are clearly labeled in the dashboard, do not bill, and are wiped on a published rotation. Do not put real customer data in a sandbox workspace.
Production data must be on a production workspace. Webhooks, AI inference, and call routing have separate sandbox base URLs documented in the developer guide. We may share aggregated sandbox usage statistics with you for debugging.
You are responsible for keeping your application's configuration (base URLs, keys, feature flags) consistent across environments. We are not responsible for outages caused by an application pointing at the wrong environment.
06Data ownership
API usage does not change data ownership. Customer Data remains the customer's; Message Data (platform IP, the inference stack, internal logs we use to operate the service) remains ours. When a Developer is also the customer, the Developer is the owner of the Customer Data and these Terms do not transfer any rights to us beyond those needed to run the service.
When a Developer is a third party building an app for another customer, the customer owns the Customer Data routed through the Developer's app, and the Developer must reflect that ownership in any agreement with the customer. The Developer's own application code, logos, and content remain the Developer's.
07Confidentiality of API surfaces
We will publish documentation for stable endpoints at /developers. We may also release beta endpoints, preview headers, or unannounced parameters. Beta surfaces are marked as such in the docs or in the response. They are confidential and may change or disappear without notice.
You will not reverse-engineer beta endpoints, you will not publicly document a beta surface without our consent, and you will not file a public bug report quoting a beta endpoint signature. Stable endpoints are not confidential; you may discuss them, document them in your own product, and write a SDK against them.
Vulnerability reports are always welcome on any surface (stable or beta) at [email protected]; coordinated disclosure terms are described in our security policy at /trust.
08SDK licensing
The open-source Message SDKs (JavaScript, Python, Go, the WordPress plugin, the WooCommerce extension) are released under the MIT License. The license text and copyright notice are included in each repository. You may copy, modify, and distribute the SDKs under MIT, with the standard preservation of license and copyright.
Third-party dependencies in each SDK ship under their own licenses; the SDK README lists the dependency licenses in effect at the time of release. Do not ship the SDK to a jurisdiction or end-user that the SDK's underlying export-control posture forbids.
The closed-source pieces (server-side AI inference code, voice cloning stack, internal admin) are not open source and are not licensed under MIT. Reverse engineering, decompilation, or extraction of those components is prohibited.
09Sub-licensing restrictions
The license to use the Message platform is granted to you and to the workspace owners you operate on behalf of. You may not sub-license API access, white-label the platform, or sell a packaged offering that exposes our API to your customers, except under one of the following:
- A Reseller agreement under the Partner Program Terms.
- A signed Marketplace listing under the Marketplace Terms of Use, in which case you may expose Message-powered features to end users through your app within the scope of the listing.
- An enterprise OEM agreement, signed separately, that explicitly grants sub-licensing or white-label rights.
10Developer security responsibilities
You are responsible for the security of any application you build on the Message platform. Specifically:
- Store credentials only on a server you control, never on a user device. Use a secrets manager.
- Encrypt at rest any Customer Data your app caches outside Message, with AES-256 or equivalent.
- Use TLS 1.2 or higher for all transport, including webhooks.
- Validate webhook signatures using the published HMAC scheme. Reject any payload that fails verification.
- Rotate keys at least every 12 months and immediately on staff departure or suspected exposure.
- Patch known CVEs in your dependency tree within 30 days of disclosure (7 days for critical severity).
- Log security-relevant events (auth, key use, admin actions) in your own application and retain logs for at least 12 months.
If you discover a security incident affecting Customer Data routed through your app, notify us at [email protected] within 24 hours of becoming aware.
11Indemnification
You will defend, indemnify, and hold harmless Message, our affiliates, and our staff against any third-party claim arising out of (a) your application or product, (b) your use of the API or SDKs in breach of these Terms or the AUP, (c) any content you transmit through the platform that infringes a third party's rights, and (d) any security incident attributable to your failure to follow section 10.
We will defend, indemnify, and hold harmless Developers against any third-party claim that the Message platform itself, used in conformance with the documentation, infringes a third party's intellectual property rights. This indemnity is subject to the limits in the main Terms of Service.
The party seeking indemnification must give prompt notice of the claim, let the indemnifying party control the defense and settlement (subject to no admission of fault and no payment without consent), and provide reasonable cooperation.
12Disclaimers and warranties
The API and the SDKs are provided "as is" and "as available." We disclaim all implied warranties to the maximum extent permitted by law, including merchantability, fitness for a particular purpose, and non-infringement. We do not warrant that the API will be uninterrupted, error-free, or compatible with every client library, language version, or operating system you choose.
Beta endpoints, preview parameters, and unstable headers may change or be withdrawn. AI outputs are probabilistic and may be wrong; you are responsible for any business decision made on an AI output. Voice and call quality depends on third-party carrier networks that we do not control.
The disclaimers do not limit any warranty or remedy that cannot be excluded under applicable consumer law.
13Suspension and termination
We may suspend or terminate API access in three situations:
- Convenience. Either party may terminate API access on 30 days' written notice. The underlying workspace contract continues unless terminated separately.
- Standard cause. If your integration is breaking platform stability (excessive errors, retry storms, malformed payloads that crash a service worker) we will give you 7 days to fix it. If you do not fix it in that window, we suspend the integration.
- Immediate cause. Security incidents, AUP violations, illegal activity, sanctions violations, and credible third-party claims of harm result in immediate suspension. We will tell you why and what we need to restore access.
On termination you must stop calling the API, revoke keys, delete any cached Customer Data you no longer have a basis to hold, and stop distributing any SDK redistributable that is no longer licensed (the MIT SDKs may continue under MIT).
14Versioning and deprecation
The REST API is versioned through a stable URL path or an Accept-Version header (whichever the endpoint documents). We add fields and endpoints in a backward-compatible way without bumping the major version; removals, renames, and behavior changes require a major bump.
When we deprecate an endpoint, header, or field, we will publish the deprecation in the changelog at /developers, return a Sunset and Deprecation header on every response, and continue to serve the deprecated surface for at least 12 months from the deprecation date. Security-driven removals (a vulnerable endpoint that we must shut off) override this notice, but we will keep the window as long as we safely can.
You are expected to keep your integration on a version we support. We will not patch behavior for end-of-life versions.
15Support tiers
Developer support is bundled with the customer plan that the workspace is on. Standard plans get email support during business hours. Growth plans get priority email and Slack Connect. Enterprise plans get a named technical account manager and 24/7 paging for production incidents.
Open-source SDK issues are handled in the public repository on GitHub. For platform issues that touch Customer Data, use the in-app support channel; do not paste customer data into the public GitHub.
We monitor the [email protected] inbox 24/7. Treat anything you would describe as a security issue as a 24/7 contact, regardless of plan.
16Governing law and disputes
These Terms are governed by the laws of the State of Texas. The parties consent to the exclusive personal jurisdiction of the state and federal courts in Harris County, Texas, for any matter not subject to arbitration.
Disputes that the parties cannot resolve in 30 days will be finally settled by binding arbitration administered by the American Arbitration Association under its Commercial Arbitration Rules, with a seat in Houston, Texas. Either party may seek injunctive relief from a court to protect IP, confidential information, or platform security without first arbitrating. Class actions and consolidated proceedings are not permitted.
Notices to Message go to [email protected] with a hard copy to Message.com LLC, 363 N Sam Houston Pkwy E Ste 125, Houston, TX 77060, United States.
Building on Message?
Read the developer guide, then start a workspace. The first 14 days are free, no credit card. Email [email protected] for OEM or enterprise terms.
Start free trial →