api docs
Authentication
Learn how to authenticate API requests using API keys and Firebase ID tokens.
Authentication
Whatapi uses two authentication methods depending on the endpoint.
API Key Authentication (Public API)
All **v1 message endpoints** require an API key passed via the `Authorization` header as a Bearer token:
Authorization: Bearer whatapi_live_your_api_key_here
API keys are generated by administrators from the dashboard. Each key has:
- A unique identifier
- Assigned **scopes** (send_text, send_media, send_bulk)
- A **rate limit** (daily request cap based on plan)
- An optional **expiration date**
- An **active/revoked** status
Key format: `whatapi_live_<48-character-hex>`
Firebase ID Token Authentication (Dashboard API)
Client endpoints (`/api/client/*`) and **admin endpoints** (`/api/admin/*`) require a Firebase ID token passed via the `Authorization` header:
Authorization: Bearer <firebase-id-token>
These tokens are obtained by signing in through the Whatapi dashboard login flow. Tokens are automatically refreshed by the Firebase SDK.
Public Endpoints
The following endpoints do not require authentication:
POST /api/admin/apikeys/validate— Validate an API keyGET /api/admin/sessions— List sessions (intended for internal use)POST /api/admin/sessions/create— Create a sessionPOST /api/admin/sessions/assign— Assign a sessionGET /api/shopify/callback— Shopify OAuth callbackPOST /api/shopify/webhook— Shopify webhook receiverGET /api/shopify/test— Health check
