
Authentication + scopes

Bearer tokens with per-key scoped permissions.

Each API key has explicit scopes. Pick the smallest set that works.

| Scope | What it grants |
|---|---|
| messaging | Send outbound WhatsApp messages |
| contacts | Read + write contacts |
| conversations | Read conversations + messages |
| flows | List + trigger flows |
| templates | Read templates |
| webhooks | Manage webhook subscriptions |
| analytics | Read aggregated metrics |
| gitops | Pull + push flows via CLI/SDK |
| otp | Send/verify OTPs (legacy) |

Generating + rotating

Go to /settings/api-keys → Create. The secret is shown only once, at creation, so copy it then. The database stores only a SHA-256 hash of the key and a prefix.
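The storage model above, combined with a per-request scope check, as an added sketch that is not the platform's own code. The key format, the 8-character prefix length, the in-memory `store` and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

PREFIX_LEN = 8  # assumed; the page does not state the prefix length


def issue_key(store, name, scopes):
    """Create a key, persist only prefix + SHA-256 hash, return the secret once."""
    while True:
        secret = secrets.token_urlsafe(32)  # high-entropy random key
        prefix = secret[:PREFIX_LEN]
        if prefix not in store:  # never overwrite another key's record
            break
    store[prefix] = {
        "name": name,
        "sha256": hashlib.sha256(secret.encode()).hexdigest(),
        "scopes": frozenset(scopes),
        "lastUsedAt": None,
    }
    return secret  # the only moment the plaintext exists server-side


def authorize(store, authorization_header, required_scope):
    """Return the key record if the bearer token is valid and has the scope, else None."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    record = store.get(token[:PREFIX_LEN])  # prefix is a non-secret lookup handle
    if record is None:
        return None
    presented = hashlib.sha256(token.encode()).hexdigest()
    # Constant-time comparison of the stored and presented hashes.
    if not hmac.compare_digest(presented, record["sha256"]):
        return None
    if required_scope not in record["scopes"]:
        return None  # valid key, but the scope was never granted
    record["lastUsedAt"] = time.time()  # feeds the lastUsedAt audit
    return record


if __name__ == "__main__":
    db = {}  # constructed in-memory stand-in for the key table
    key = issue_key(db, "prod-crm", ["contacts", "templates"])
    print(authorize(db, f"Bearer {key}", "contacts") is not None)   # granted scope
    print(authorize(db, f"Bearer {key}", "messaging") is not None)  # scope not granted
```

A plain SHA-256 is adequate here only because the key is a long random value; it would not be for user-chosen passwords.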

Best practice

  • One key per environment (dev / staging / prod)
  • If you have many integrations, one key per integration (easier to revoke)
  • Give keys short names and audit lastUsedAt regularly