Authentication

Whatapi uses two authentication methods depending on the endpoint.

API Key Authentication (Public API)

All **v1 message endpoints** require an API key passed via the `Authorization` header as a Bearer token:

Authorization: Bearer whatapi_live_your_api_key_here

API keys are generated by administrators from the dashboard. Each key has:

  • A unique identifier
  • Assigned **scopes** (send_text, send_media, send_bulk)
  • A **rate limit** (daily request cap based on plan)
  • An optional **expiration date**
  • An **active/revoked** status

Key format: `whatapi_live_<48-character-hex>`

Firebase ID Token Authentication (Dashboard API)

Client endpoints (`/api/client/*`) and **admin endpoints** (`/api/admin/*`) require a Firebase ID token passed via the `Authorization` header:

Authorization: Bearer <firebase-id-token>

These tokens are obtained by signing in through the Whatapi dashboard login flow. Tokens are automatically refreshed by the Firebase SDK.

Public Endpoints

The following endpoints do not require authentication:

  • POST /api/admin/apikeys/validate — Validate an API key
  • GET /api/admin/sessions — List sessions (intended for internal use)
  • POST /api/admin/sessions/create — Create a session
  • POST /api/admin/sessions/assign — Assign a session
  • GET /api/shopify/callback — Shopify OAuth callback
  • POST /api/shopify/webhook — Shopify webhook receiver
  • GET /api/shopify/test — Health check