Authentication

All API requests to the WhatsGate API require authentication using an API token. This page explains how to authenticate your requests.

API Tokens

API tokens are used to authenticate your requests to the WhatsGate API. Each token is associated with your account and has access to all the devices linked to that account.

Creating an API Token

To create an API token, follow these steps:

Log in to your WhatsGate dashboard
Navigate to the "API Tokens" section in the sidebar
Click the "Create Token" button
Enter a name for your token (e.g., "Production API", "Testing", etc.)
Click "Create" to generate your token

For more detailed instructions, see the Creating an API Token guide.

Using Your Token

To authenticate your API requests, include your token in the Access-Token header:

Access-Token: {api_token}

Example Request

bash

curl -X POST \
  https://{subdomain}.whatsgate.net/api/send/text \
  -H 'Access-Token: {api_token}' \
  -H 'Content-Type: application/json' \
  -d '{
    "sender_device": "123456789",
    "phone": "987654321",
    "message": "Hello, this is a test message"
}'

Authentication Errors

If your authentication fails, you'll receive a 403 Forbidden response with an error message:

json

{
  "message": "an Access-Token is required"
}

json

{
  "message": "invalid Access-Token"
}

Security Best Practices

To keep your API tokens secure:

Never share your tokens: Keep your API tokens confidential and never share them publicly
Use environment variables: Store tokens in environment variables, not in your code
Create separate tokens: Use different tokens for different applications or environments
Regenerate tokens periodically: Regularly regenerate your tokens for enhanced security
Delete unused tokens: Remove tokens you no longer need to minimize security risks

Token Permissions

Currently, all API tokens have full access to all API endpoints and devices associated with your account. More granular permissions may be added in future updates.

Token Expiration

API tokens do not expire automatically. They remain valid until you delete them or regenerate them.

MCP Authentication

WhatsGate also exposes a tenant MCP server for AI clients. See MCP Setup for the full configuration guide.

https://{subdomain}.whatsgate.net/mcp/whatsgate

Use the same API token as a bearer token in your private MCP client:

Authorization: Bearer {api_token}

The dashboard links to the MCP documentation. The documentation uses placeholders only; do not put real API tokens in public docs or shared screenshots.

Next Steps

Now that you understand how to authenticate your API requests, you can:

Authentication ​

API Tokens ​

Creating an API Token ​

Using Your Token ​

Example Request ​

Authentication Errors ​

Security Best Practices ​

Token Permissions ​

Token Expiration ​

MCP Authentication ​

Next Steps ​