Auth model
Authenticated endpoints accept:X-Api-Key(recommended for server integrations)- Bearer session token (dashboard / user sessions)
messages:send).
Integrator-focused permissions
| Domain | Example paths | Typical permissions |
|---|---|---|
| Messages | /v1/messages* | messages:send, messages:read |
| Channels | /v1/channels* | channels:read, channels:write |
| Contacts | /v1/contacts* | contacts:read, contacts:write |
| Templates | /v1/templates* | templates:read, templates:write |
| Media | /v1/media/*, /v1/messages/uploads/* | messages:send |
| Developer webhooks | /v1/settings/developer/webhooks* | org settings access (configure in app) |
| WABA | /v1/waba* | waba:read, waba:write |
| API keys | /v1/api-keys* | api_keys:read, api_keys:write |
Roles (app)
- Member — day-to-day messaging and contacts.
- Admin — member + API keys, invitations, destructive ops.
- Owner — admin + organization-level actions.