Authentication

The Wappfy API supports two authentication methods. All requests must include one of these.

Pass your API key in the X-Api-Key header:
curl https://api.wappfy.io/api/instances \
  -H "X-Api-Key: wappfy_sk_abc123def456..."

Creating an API key

API keys are created via the dashboard or the API. Keys are scoped to a user and have the same permissions as the user’s account.
curl -X POST https://api.wappfy.io/api/api-keys \
  -H "Authorization: Bearer YOUR_SUPABASE_JWT" \
  -H "Content-Type: application/json" \
  -d '{ "name": "Production Key" }'
The key value is only returned once at creation time. Store it securely.

Bearer Token (Supabase JWT)

Pass a Supabase access token in the Authorization header:
curl https://api.wappfy.io/api/instances \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."
JWT tokens are short-lived and must be refreshed. They are typically used by the frontend dashboard, not for server-to-server integrations.

Security best practices

API keys don’t expire and are easier to manage for backend integrations.
If a key is compromised, delete it and create a new one.
All API requests must use HTTPS. HTTP requests will be rejected.
API keys should only be used in server-side code, never in client-side JavaScript.

Error responses

| Status | Description |
| --- | --- |
| 401 | Missing or invalid authentication token |
| 403 | Insufficient permissions for this resource |
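
A server-side caller that applies the security practices and error statuses above, as an added example (not Wappfy's own code). It assumes the key is stored in an environment variable named `WAPPFY_API_KEY`; that name, and the helpers `build_request`, `call` and `redact`, are hypothetical.

```python
import os
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://api.wappfy.io"  # host from the curl examples on this page
KEY_ENV_VAR = "WAPPFY_API_KEY"      # assumed name; keeps the key out of source control

class AuthError(Exception):
    """Key missing or rejected (HTTP 401)."""

class PermissionDenied(Exception):
    """Key accepted but not allowed on this resource (HTTP 403)."""

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib would otherwise resend X-Api-Key to the redirect target

def redact(key):
    """Log-safe form of a key: the first 10 characters only."""
    return key[:10] + "..." if len(key) > 10 else "***"

def build_request(path, env=os.environ, base_url=BASE_URL):
    """Attach the key only to an HTTPS URL on the expected API host."""
    url = urllib.parse.urljoin(base_url, path)
    target, base = urllib.parse.urlsplit(url), urllib.parse.urlsplit(base_url)
    if target.scheme != "https" or target.netloc != base.netloc:
        raise ValueError("refusing to send API key to " + url)
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise AuthError(KEY_ENV_VAR + " is not set")
    return urllib.request.Request(url, headers={"X-Api-Key": key})

def call(path):
    """GET an API path; map the documented 401/403 statuses to exceptions."""
    req = build_request(path)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        hint = redact(req.get_header("X-api-key"))
        if err.code == 401:
            raise AuthError("key %s is missing or invalid" % hint) from None
        if err.code == 403:
            raise PermissionDenied("key %s lacks permission for %s" % (hint, path)) from None
        raise
```

Only the redacted form of the key ever reaches an exception message or log line, so a leaked stack trace does not force a key rotation.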