Authentication

Admin JWT

Used by the dashboard. Obtain with email + password:

curl -X POST "$PUBLIC_API_URL/v1/auth/login" \
  -H "Content-Type: application/json" \
  -d '{"email":"admin@example.com","password":"ChangeMe123!"}'

Response:

{
  "token": "eyJhbGciOi...",
  "user": { "id":"...", "email":"admin@example.com", "role":"admin" }
}

Send subsequent admin requests with:

Authorization: Bearer <token>

The admin JWT controls: account CRUD, webhook CRUD, AI settings, manual replies, browsing all data.

Per-account API token

Each WhatsApp account in the dashboard gets its own token (prefix wapi_). The raw token is shown once at creation — store it.

Send WHAPI-style requests with:

Authorization: Bearer wapi_xxxx

These endpoints are scoped to that one account:






Rotating tokens

Hit POST /api/v1/accounts/:id/token/regenerate (admin JWT). The old token immediately stops working.
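The following is an added example, not part of the original documentation or the project's own code: a small Python helper that builds the login and rotation requests described above and refuses to attach the wrong kind of credential to a request. The function names, the `scope` labels, the separate `api_url` and `origin` parameters, the role check and the sample values are assumptions; only the paths, the JSON fields and the `wapi_` prefix come from this page.

```python
import json
import urllib.request
from urllib.parse import quote

ACCOUNT_PREFIX = "wapi_"  # per-account token prefix, as stated on this page


def login_request(api_url, email, password):
    """Build POST {api_url}/v1/auth/login, mirroring the curl call above."""
    body = json.dumps({"email": email, "password": password}).encode()
    return urllib.request.Request(
        api_url.rstrip("/") + "/v1/auth/login", data=body, method="POST",
        headers={"Content-Type": "application/json"})


def admin_jwt_from(response_body):
    """Extract the admin JWT from a login response; reject anything unexpected."""
    doc = json.loads(response_body)
    token = doc.get("token", "")
    # A compact JWT has three dot-separated segments and no wapi_ prefix.
    if token.startswith(ACCOUNT_PREFIX) or token.count(".") != 2:
        raise ValueError("login response did not contain a JWT")
    # Assumption: roles other than "admin" may exist and must not be treated as admin.
    if doc.get("user", {}).get("role") != "admin":
        raise ValueError("logged-in user is not an admin")
    return token


def bearer(token, scope):
    """Authorization header for scope 'admin' or 'account' (labels are hypothetical).

    Refuses a wapi_ token on an admin call, and the admin JWT on an
    account-scoped call, so the broader credential is never sent where
    the narrower one is enough.
    """
    if (scope == "account") != token.startswith(ACCOUNT_PREFIX):
        raise ValueError(f"wrong credential type for a {scope} endpoint")
    return {"Authorization": f"Bearer {token}"}


def regenerate_request(origin, account_id, admin_jwt):
    """Build POST /api/v1/accounts/:id/token/regenerate with the admin JWT."""
    # Percent-encode the id so it cannot change the request path.
    path = f"/api/v1/accounts/{quote(str(account_id), safe='')}/token/regenerate"
    return urllib.request.Request(origin.rstrip("/") + path, method="POST",
                                  headers=bearer(admin_jwt, "admin"))
```

Each function returns a `urllib.request.Request` that can be passed to `urllib.request.urlopen`; the shape of the regenerate response is not documented on this page, so the example does not parse it.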

Security notes