Authentication
The WhatsApp API uses API keys for secure authentication. All API requests require a valid API key.
How It Works
- Purchase a Plan - Get your admin API key from TweekersNut Network
- Create Sessions - Use admin key to create WhatsApp sessions
- Get Session Keys - Each session receives a unique API key (shown only once)
- Send Messages - Use session key for all messaging operations
- Admin Key (wamk_...) - Manage sessions, create new sessions, view all data
- Session Key (wask_...) - Send messages, manage specific session only
API Key Types
| Prefix | Type | Access Level | When You Get It |
|---|---|---|---|
| wamk_ | Admin Key | All sessions + management | After purchasing a plan |
| wask_ | Session Key | Specific session only | When creating a session |
Admin Key (wamk_...)
Your admin key allows you to:
- ✅ Create new sessions
- ✅ List all your sessions
- ✅ Delete sessions
- ✅ View usage statistics
- ✅ Access any of your sessions
You receive this after purchasing a plan.
Session Key (wask_...)
Each session has its own unique key that allows you to:
- ✅ Send messages from that session
- ✅ Get session status
- ✅ Manage that specific session
- ❌ Cannot access other sessions
- ❌ Cannot create new sessions
You receive this when creating a session (shown only once).
How to Use API Keys
Include your API key in the request header:
X-API-Key Header (Recommended)
curl -H "X-API-Key: wask_your_session_key" \
https://api.chatwhatsapp.in/sessions/{id}/status
Authorization Bearer Header (Alternative)
curl -H "Authorization: Bearer wask_your_session_key" \
https://api.chatwhatsapp.in/sessions/{id}/status
Always use the X-API-Key header for better security and consistency.
Creating Sessions
Use your admin key to create new sessions.
Create a Session
curl -X POST https://api.chatwhatsapp.in/sessions/create \
-H "X-API-Key: wamk_your_admin_key" \
-H "Content-Type: application/json" \
-d '{
"name": "customer-support",
"webhookUrl": "https://yourdomain.com/webhook"
}'
Response:
{
"success": true,
"session": {
"id": "e67a00be-ed45-4356-9488-049cabb9895d",
"name": "customer-support",
"state": "starting",
"createdAt": "2026-02-01T12:00:00.000Z"
},
"apiKey": "wask_d5726b79a64573672bd70fa06f3632ea3c6af7781588d98e",
"warning": "IMPORTANT: Save this API key securely! It will NOT be shown again."
}
The session API key (wask_...) is shown only once. If you lose it, you'll need to delete the session and create a new one.
Using Your Session Key
Once you have the session key, use it to send messages:
curl -X POST https://api.chatwhatsapp.in/sessions/e67a00be-ed45-4356-9488-049cabb9895d/send \
-H "X-API-Key: wask_d5726b79a64573672bd70fa06f3632ea3c6af7781588d98e" \
-H "Content-Type: application/json" \
-d '{
"to": "919876543210",
"text": "Hello from my session!"
}'
Managing Your Sessions
Use your admin key to manage all your sessions:
List All Sessions
curl -H "X-API-Key: wamk_your_admin_key" \
https://api.chatwhatsapp.in/sessions
Delete a Session
curl -X DELETE https://api.chatwhatsapp.in/sessions/{session_id} \
-H "X-API-Key: wamk_your_admin_key"
View Usage Statistics
curl -H "X-API-Key: wamk_your_admin_key" \
https://api.chatwhatsapp.in/admin/usage
Security Best Practices
1. Keep Keys Secret
Never expose API keys in:
- Client-side code (JavaScript, mobile apps)
- Public repositories
- Log files
- Error messages
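One way to keep keys out of log files and error output is to scrub them in the logging layer. This is an added example, not code from the API provider. The token pattern after the `wamk_`/`wask_` prefix is an assumption based on the sample key shown on this page, and the key in the demo is constructed.

```python
import io
import logging
import re

# Assumption: a key is one of the page's two prefixes followed by an
# alphanumeric token (the sample key on the page is 48 hex characters).
KEY_RE = re.compile(r"\b(wa[ms]k_)[A-Za-z0-9]+")


def redact(text: str) -> str:
    """Keep the prefix (admin vs. session helps triage), drop the secret."""
    return KEY_RE.sub(r"\1[REDACTED]", text)


class RedactingFormatter(logging.Formatter):
    """Scrub the fully formatted record: message, %-args and traceback text."""

    def format(self, record: logging.LogRecord) -> str:
        return redact(super().format(record))


def demo() -> str:
    # Constructed sample key, not a real credential.
    key = "wask_" + "0123456789abcdef" * 3
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    log = logging.getLogger("wa_client_demo")
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.INFO)

    log.info("request headers: %s", {"X-API-Key": key})
    try:
        raise RuntimeError(f"send failed with Authorization: Bearer {key}")
    except RuntimeError:
        log.exception("unhandled error")  # exception text contains the key
    return stream.getvalue()


if __name__ == "__main__":
    print(demo())
```

The formatter only protects handlers it is attached to, so every handler that writes to disk or ships logs elsewhere needs it.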
2. Use Environment Variables
Store keys in environment variables:
# .env
WHATSAPP_API_KEY=wask_your_key_here
// PHP
$apiKey = getenv('WHATSAPP_API_KEY');
// Node.js
const apiKey = process.env.WHATSAPP_API_KEY;
# Python
import os
api_key = os.getenv('WHATSAPP_API_KEY')
3. Use HTTPS
Our API uses HTTPS by default to encrypt all data in transit:
https://api.chatwhatsapp.in/sessions/{id}/send
4. Regenerate Lost Keys
If you lose a session key:
- Delete the old session using your admin key
- Create a new session
- Save the new session key securely
5. Monitor Your Usage
Check your API usage regularly via your dashboard or API:
curl -H "X-API-Key: wamk_your_admin_key" \
https://api.chatwhatsapp.in/admin/usage
Common Authentication Errors
Missing API Key (401)
{
"success": false,
"error": "API key required. Please provide an API key via X-API-Key header."
}
Solution: Include your API key in the X-API-Key header.
Invalid API Key (401)
{
"success": false,
"error": "Invalid API key"
}
Solution: Verify you're using the correct API key. Check for typos or extra spaces.
Wrong Session Access (403)
{
"success": false,
"error": "This API key can only access its own session"
}
Solution: Use the session's own API key, or use your admin key to access any session.
Rate Limit Exceeded (429)
{
"success": false,
"error": "Rate limit exceeded. Please wait 45 seconds before trying again.",
"retryAfter": 45
}
Solution: Wait for the specified time or upgrade your plan for higher limits.
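The error responses above call for different client behaviour: 401 and 403 should fail immediately, while 429 should wait for `retryAfter` and try again. The following is an added example, not the provider's client code. `do_request` is a hypothetical callable that performs one HTTP call and returns the status and parsed JSON body, and the responses in the demo are constructed from the samples on this page.

```python
import time
from typing import Callable, Tuple

Response = Tuple[int, dict]  # (HTTP status, parsed JSON body)


class AuthError(Exception):
    """401 or 403: the key is missing, invalid, or scoped to another session."""


def call_with_backoff(do_request: Callable[[], Response],
                      sleep: Callable[[float], None] = time.sleep,
                      max_attempts: int = 3,
                      max_wait: float = 120.0) -> dict:
    """Run do_request (hypothetical callable wrapping one HTTP call)."""
    for attempt in range(1, max_attempts + 1):
        status, body = do_request()
        if status in (401, 403):
            # Retrying with the same key cannot succeed. Report the server's
            # message only; the key itself never goes into the exception.
            raise AuthError(f"{status}: {body.get('error', 'authentication failed')}")
        if status == 429 and attempt < max_attempts:
            # Honor retryAfter, but clamp it so a malformed or huge value
            # cannot stall the worker indefinitely.
            wait = body.get("retryAfter")
            if not isinstance(wait, (int, float)) or wait <= 0:
                wait = 1
            sleep(min(float(wait), max_wait))
            continue
        if 200 <= status < 300:
            return body
        raise RuntimeError(f"request failed with HTTP {status}")
    raise ValueError("max_attempts must be at least 1")


if __name__ == "__main__":
    # Constructed responses: one rate-limit reply, then success.
    replies = iter([(429, {"success": False, "retryAfter": 45}),
                    (200, {"success": True})])
    waits = []
    print(call_with_backoff(lambda: next(replies), sleep=waits.append), waits)
```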
Quick Reference
Key Comparison
| Feature | Admin Key (wamk_...) | Session Key (wask_...) |
|---|---|---|
| Create sessions | ✅ Yes | ❌ No |
| Send messages | ✅ All sessions | ✅ Own session only |
| List sessions | ✅ Yes | ❌ No |
| Delete sessions | ✅ Yes | ❌ No |
| View usage | ✅ Yes | ❌ No |
When to Use Which Key
- Creating a new session → Use admin key
- Sending messages → Use session key
- Managing sessions → Use admin key
- Checking session status → Use either key
- Viewing statistics → Use admin key
Next Steps
- Getting Started Guide - Create your first session
- Send Messages - Learn to send different message types
- Set Up Webhooks - Receive incoming messages
- Code Examples - See implementation examples