API Tokens

Authenticate API requests with long-lived tokens

API tokens provide a simple way to authenticate with the WAHooks API from your application, scripts, or CI/CD pipelines.

Token format

Tokens follow the format wh_ + 48 hex characters:

wh_your_api_token_here

Security

  • Tokens are hashed with SHA-256 before storage — WAHooks never stores the raw token
  • The raw token is shown only once at creation time
  • Tokens never expire but can be revoked at any time
  • Each API request with a token updates the lastUsedAt timestamp
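
The storage scheme described in the list above, sketched as an added example (not WAHooks' own code). The TokenStore class, its in-memory dict, revocation by token name, and the lowercase-hex assumption are all hypothetical:

```python
import hashlib
import re
import secrets
from datetime import datetime, timezone

# Format from the page: "wh_" + 48 hex characters (lowercase is an assumption).
TOKEN_RE = re.compile(r"wh_[0-9a-f]{48}")


class TokenStore:
    """Hypothetical in-memory token table: keeps SHA-256 digests, never raw tokens."""

    def __init__(self):
        self._rows = {}  # digest -> {"name", "revoked", "lastUsedAt"}

    @staticmethod
    def _digest(raw):
        # Unsalted SHA-256 is acceptable here because the token carries
        # 192 bits of randomness; it would not be for user passwords.
        return hashlib.sha256(raw.encode("ascii")).hexdigest()

    def create(self, name):
        raw = "wh_" + secrets.token_hex(24)  # 24 random bytes -> 48 hex chars
        self._rows[self._digest(raw)] = {
            "name": name, "revoked": False, "lastUsedAt": None}
        return raw  # returned once; only the digest is retained

    def authenticate(self, authorization_header):
        scheme, _, raw = authorization_header.partition(" ")
        if scheme.lower() != "bearer" or not TOKEN_RE.fullmatch(raw):
            return None  # reject malformed input before hashing
        row = self._rows.get(self._digest(raw))
        if row is None or row["revoked"]:
            return None
        row["lastUsedAt"] = datetime.now(timezone.utc)  # updated per request
        return row["name"]

    def revoke(self, name):
        hits = [r for r in self._rows.values() if r["name"] == name]
        for row in hits:
            row["revoked"] = True
        return bool(hits)
```

Because only the digest is kept, a lost token cannot be recovered from the store; it has to be revoked and reissued.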

Usage

Pass the token as a Bearer token in the Authorization header:

curl https://api.wahooks.com/api/connections \
  -H "Authorization: Bearer wh_..."

Or use an SDK:

JavaScript:

const client = new WAHooks({ apiKey: 'wh_...' });

Python:

client = WAHooks(api_key="wh_...")

Token vs JWT

The WAHooks API accepts two types of authentication:

            API Token (wh_...)      Supabase JWT
Lifetime    Until revoked           1 hour
Use case    SDKs, scripts, CI/CD    Dashboard, CLI
Creation    API or CLI              Login flow
Refresh     Not needed              Automatic

Best practices

  • Create separate tokens for each application or environment
  • Revoke tokens immediately if they're compromised
  • Never commit tokens to version control — use environment variables
  • Use descriptive names so you know which token is used where
