Appearance
Authentication
All API requests to the WhatsGate API require authentication using an API token. This page explains how to authenticate your requests.
API Tokens
API tokens are used to authenticate your requests to the WhatsGate API. Each token is associated with your account and has access to all the devices linked to that account.
Creating an API Token
To create an API token, follow these steps:
- Log in to your WhatsGate dashboard
- Navigate to the "API Tokens" section in the sidebar
- Click the "Create Token" button
- Enter a name for your token (e.g., "Production API", "Testing", etc.)
- Click "Create" to generate your token
For more detailed instructions, see the Creating an API Token guide.
Using Your Token
To authenticate your API requests, include your token in the Access-Token
header:
Access-Token: your_api_token_here
Example Request
bash
curl -X POST \
https://{subdomain}.whatsgate.net/api/send/text \
-H 'Access-Token: your_api_token_here' \
-H 'Content-Type: application/json' \
-d '{
"sender_device": "123456789",
"phone": "987654321",
"message": "Hello, this is a test message"
}'
Authentication Errors
If your authentication fails, you'll receive a 403 Forbidden
response with an error message:
json
{
"message": "an Access-Token is required"
}
or
json
{
"message": "invalid Access-Token"
}
Security Best Practices
To keep your API tokens secure:
- Never share your tokens: Keep your API tokens confidential and never share them publicly
- Use environment variables: Store tokens in environment variables, not in your code
- Create separate tokens: Use different tokens for different applications or environments
- Regenerate tokens periodically: Regularly regenerate your tokens for enhanced security
- Delete unused tokens: Remove tokens you no longer need to minimize security risks
Token Permissions
Currently, all API tokens have full access to all API endpoints and devices associated with your account. More granular permissions may be added in future updates.
Token Expiration
API tokens do not expire automatically. They remain valid until you delete them or regenerate them.
Next Steps
Now that you understand how to authenticate your API requests, you can: