Authentication
All API requests require an API key passed as the x-api-key header.
Getting Your API Key
- Log in to the Convoup dashboard
- Navigate to Developers > API Keys
- Click Create API Key
- Optionally scope the key to a specific WABA (WhatsApp Business Account)
- Copy the key - it is shown only once
Store your API key in an environment variable, never in source code:
.env
CONVOUP_API_KEY=your-api-key-here
CONVOUP_WABA_ID=your-waba-id-here # optional
Using the API Key
With the SDK
Pass the key in the client constructor:
TypeScript
import { Convoup } from 'convoup';
const client = new Convoup({
apiKey: process.env.CONVOUP_API_KEY!,
});
With cURL
Include it in the x-api-key header:
bash
curl -X POST https://api.convoup.com/api/v1/templates \
-H "Content-Type: application/json" \
-H "x-api-key: YOUR_API_KEY" \
-d '{ ... }'
WABA Scoping
If your API key is scoped to multiple WABAs, pass the wabaId in the client constructor:
TypeScript
const client = new Convoup({
apiKey: 'your-api-key',
wabaId: 'waba-id-123', // required when key has access to multiple WABAs
});
If your key is scoped to exactly one WABA, the server resolves it automatically and wabaId is optional.
Key Behavior Summary
| Scenario | wabaId required? |
|---|---|
| Key scoped to 1 WABA | No (auto-resolved) |
| Key scoped to multiple WABAs | Yes |
| Key with org-wide access | Yes |
Security Best Practices
- Never commit API keys to source control
- Use environment variables or a secrets manager
- Rotate keys periodically via the dashboard
- Scope keys to the minimum WABA access needed
- If a key is compromised, revoke it immediately in the dashboard
Error Codes
| Code | Status | Meaning |
|---|---|---|
UNAUTHORIZED | 401 | API key is missing or invalid |
WABA_NOT_FOUND | 404 | WABA ID is invalid or the key doesn't have access |
