Authentication
Whatapi uses two authentication methods depending on the endpoint.
API Key Authentication (Public API)
All **v1 message endpoints** require an API key passed via the `Authorization` header as a Bearer token:
Authorization: Bearer whatapi_live_your_api_key_here
API keys are generated by administrators from the dashboard. Each key has:
- A unique identifier
- Assigned **scopes** (send_text, send_media, send_bulk)
- A **rate limit** (daily request cap based on plan)
- An optional **expiration date**
- An **active/revoked** status
Key format: `whatapi_live_<48-character-hex>`
Firebase ID Token Authentication (Dashboard API)
Client endpoints (`/api/client/*`) and **admin endpoints** (`/api/admin/*`) require a Firebase ID token passed via the `Authorization` header:
Authorization: Bearer <firebase-id-token>
These tokens are obtained by signing in through the Whatapi dashboard login flow. Tokens are automatically refreshed by the Firebase SDK.
Public Endpoints
The following endpoints do not require authentication:
POST /api/admin/apikeys/validate— Validate an API keyGET /api/admin/sessions— List sessions (intended for internal use)POST /api/admin/sessions/create— Create a sessionPOST /api/admin/sessions/assign— Assign a sessionGET /api/shopify/callback— Shopify OAuth callbackPOST /api/shopify/webhook— Shopify webhook receiverGET /api/shopify/test— Health check