Admin Endpoints
Admin-only endpoints for managing users, pricing plans, and system settings.
Admin Endpoints
These endpoints require a **Firebase ID Token** and the user must have `role: "admin"` in their Firestore profile.
List API Keys
Retrieve all API keys across all clients.
GET /api/admin/apikeys
Auth: Firebase ID Token + Admin role
Response:
[
{
"id": "doc-id",
"userId": "client-uid",
"clientName": "Client Name",
"name": "Production Key",
"maskedKey": "whatapi_live_***abcd",
"status": "active",
"createdAt": "2026-06-01T00:00:00.000Z",
"expiresAt": null,
"scopes": [
"send_text",
"send_media",
"send_bulk"
],
"rate_limit": 1000,
"plan": "growth",
"api_calls": 42
}
]Create API Key
Generate a new API key for a client.
POST /api/admin/apikeys
Auth: Firebase ID Token + Admin role
Request Body:
userIdstringYesThe client user to assign this key tonamestringYesHuman-readable name for the keyexpiresAtstringNoISO date string for key expirationscopesarrayNoPermissions (default: `["send_text","send_media","send_bulk"]`)Response:
{
"id": "new-doc-id",
"userId": "client-uid",
"clientName": "Client Name",
"name": "Production Key",
"maskedKey": "whatapi_live_***abcd",
"rawKey": "whatapi_live_a1b2c3d4...",
"status": "active",
"createdAt": "2026-07-02T00:00:00.000Z",
"expiresAt": null,
"scopes": [
"send_text",
"send_media",
"send_bulk"
]
}Update API Key
Modify an existing API key's name or status.
PATCH /api/admin/apikeys
Auth: Firebase ID Token + Admin role
Request Body:
idstringYesAPI key document IDnamestringNoUpdated namestatusstringNoactive or `revoked`Response:
{
"success": true
}Delete API Key
Permanently remove an API key.
DELETE /api/admin/apikeys?id=<doc-id>
Auth: Firebase ID Token + Admin role
Query Parameters:
idstringYesAPI key document ID to deleteResponse:
{
"success": true
}Validate API Key
Check whether an API key is valid without requiring authentication.
POST /api/admin/apikeys/validate
Auth: None (public)
Request Body:
rawKeystringYesThe full API key string to validateResponse (valid):
{
"valid": true,
"id": "doc-id",
"name": "Production Key",
"userId": "client-uid",
"clientName": "Client Name",
"createdAt": "2026-06-01T00:00:00.000Z",
"expiresAt": null,
"scopes": [
"send_text",
"send_media",
"send_bulk"
]
}Response (invalid):
{
"valid": false,
"error": "Invalid API key"
}List Sessions
Retrieve all WhatsApp sessions with their assignment status.
GET /api/admin/sessions
Auth: None
Response:
[
{
"id": "session-uuid",
"name": "Main WhatsApp",
"status": "CONNECTED",
"phone": "923001234567",
"assignedTo": "client-uid-or-null",
"clientName": "Client Name or null",
"createdAt": "2026-06-01T00:00:00.000Z",
"lastActivity": "2026-07-02T12:00:00.000Z"
}
]Create Session
Create a new WhatsApp session on OpenWA.
POST /api/admin/sessions/create
Auth: None
Request Body:
sessionNamestringYesName for the new WhatsApp sessionassignToUserIdstringNoUser ID to immediately assign this session toResponse:
{
"success": true,
"session": {
"id": "session-uuid",
"name": "Main WhatsApp",
"status": "created"
}
}Assign Session
Assign an existing WhatsApp session to a user.
POST /api/admin/sessions/assign
Auth: None
Request Body:
sessionIdstringYesSession ID to assignuserIdstringYesUser ID to assign the session toResponse:
{
"success": true
}