Server-side keys
Create one key per deployment / service. Each key is a server-side secret you can rotate or revoke independently. Creation returns the key and its signing secret exactly once.
Endpoints
/internal/api-keys | Dashboard Only | dashboard session | List the keys in your workspace (the actual secret is never returned: only id, name, scopes, lastUsedAt).
Requires an authenticated dashboard session — your wac_live_ API key cannot call this endpoint. Use it from inside the dashboard, or wrap it behind your own server.
/internal/api-keys | Dashboard Only | owner / admin / developer | Create a new key. The full secret is shown exactly once in the response; store it immediately.
/internal/api-keys/:id | Dashboard Only | owner / admin / developer | Revoke a key. In-flight requests are rejected within seconds.
Create a key
POST /internal/api-keys
Authorization: <dashboard session>
Content-Type: application/json

{
  "name": "Production server"
}
Response (shown once)
{
  "id": "key_01H…",
  "name": "Production server",
  "prefix": "wac_live_ZfU…",
  "apiKey": "wac_live_01H…ABCDEF",
  "signingSecret": "whsec_01H…",
  "scopes": ["messages:send"],
  "createdAt": "2026-05-28T06:16:00Z"
}
Both apiKey (wac_live_…) and signingSecret (whsec_…) are returned once; store both. The signing secret is what you HMAC mutating requests with (see Authentication).
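One way to capture the one-time response described above, shown as an added example that is not part of the original documentation: it writes both secrets to an owner-only file and returns only the metadata that is safe to log. The function name, the secrets directory, the sample values and the assumed id format ("key_" plus alphanumerics) are assumptions made for this example.

```python
import json
import os
import re
import tempfile

SECRET_FIELDS = ("apiKey", "signingSecret")
# Assumption: ids look like "key_" + alphanumerics, as in the page's sample.
KEY_ID_RE = re.compile(r"key_[A-Za-z0-9]+")

# Constructed sample response; the values are placeholders, not real secrets.
SAMPLE_RESPONSE = json.dumps({
    "id": "key_EXAMPLE01",
    "name": "Production server",
    "prefix": "wac_live_EXA",
    "apiKey": "wac_live_EXAMPLE_ONLY",
    "signingSecret": "whsec_EXAMPLE_ONLY",
    "scopes": ["messages:send"],
    "createdAt": "2026-05-28T06:16:00Z",
})


def store_created_key(response_body, secrets_dir):
    """Persist the one-time secrets; return metadata that is safe to log."""
    data = json.loads(response_body)
    key_id = str(data.get("id", ""))
    # The id becomes a file name, so reject anything that could escape the directory.
    if not KEY_ID_RE.fullmatch(key_id):
        raise ValueError("unexpected key id format")
    if not str(data.get("apiKey", "")).startswith("wac_live_"):
        raise ValueError("apiKey missing or malformed")
    if not str(data.get("signingSecret", "")).startswith("whsec_"):
        raise ValueError("signingSecret missing or malformed")
    path = os.path.join(secrets_dir, key_id + ".json")
    # O_EXCL refuses to overwrite an earlier key; 0o600 keeps the file owner-only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump({name: data[name] for name in SECRET_FIELDS}, fh)
    meta = {k: v for k, v in data.items() if k not in SECRET_FIELDS}
    meta["secretsPath"] = path
    return meta


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(store_created_key(SAMPLE_RESPONSE, tmp))
```

In a real deployment the file write would normally be replaced by a call to your secrets manager; the separation between stored secrets and loggable metadata stays the same.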
Scopes
messages:send - the scope every key is issued with. It authorizes POST /v1/messages and GET /v1/templates.