api docs
api docs

Authentication

Learn how to authenticate API requests using API keys and Firebase ID tokens.

Authentication

Whatapi uses two authentication methods depending on the endpoint.

API Key Authentication (Public API)

All **v1 message endpoints** require an API key passed via the `Authorization` header as a Bearer token:

Authorization: Bearer whatapi_live_your_api_key_here

API keys are generated by administrators from the dashboard. Each key has:

  • A unique identifier
  • Assigned **scopes** (send_text, send_media, send_bulk)
  • A **rate limit** (daily request cap based on plan)
  • An optional **expiration date**
  • An **active/revoked** status

Key format: `whatapi_live_<48-character-hex>`

Firebase ID Token Authentication (Dashboard API)

Client endpoints (`/api/client/*`) and **admin endpoints** (`/api/admin/*`) require a Firebase ID token passed via the `Authorization` header:

Authorization: Bearer <firebase-id-token>

These tokens are obtained by signing in through the Whatapi dashboard login flow. Tokens are automatically refreshed by the Firebase SDK.

Public Endpoints

The following endpoints do not require authentication:

  • POST /api/admin/apikeys/validate — Validate an API key
  • GET /api/admin/sessions — List sessions (intended for internal use)
  • POST /api/admin/sessions/create — Create a session
  • POST /api/admin/sessions/assign — Assign a session
  • GET /api/shopify/callback — Shopify OAuth callback
  • POST /api/shopify/webhook — Shopify webhook receiver
  • GET /api/shopify/test — Health check