Use this matrix when creating API keys with least privilege.

Auth model

Authenticated endpoints accept:
  • X-Api-Key (recommended for server integrations)
  • Bearer session token (dashboard / user sessions)
Permissions use resource actions (for example messages:send).

Integrator-focused permissions

| Domain | Example paths | Typical permissions |
|---|---|---|
| Messages | /v1/messages* | messages:send, messages:read |
| Channels | /v1/channels* | channels:read, channels:write |
| Contacts | /v1/contacts* | contacts:read, contacts:write |
| Templates | /v1/templates* | templates:read, templates:write |
| Media | /v1/media/*, /v1/messages/uploads/* | messages:send |
| Developer webhooks | /v1/settings/developer/webhooks* | org settings access (configure in app) |
| WABA | /v1/waba* | waba:read, waba:write |
| API keys | /v1/api-keys* | api_keys:read, api_keys:write |

Roles (app)

  • Member — day-to-day messaging and contacts.
  • Admin — member + API keys, invitations, destructive ops.
  • Owner — admin + organization-level actions.
If a call returns 403, widen the key’s permissions in the app or use a role with the required action. See the API reference for available endpoints.
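
One way to apply the matrix before issuing a key, as an added example that is not part of the API or its documentation: the script below compares a key's granted permissions with the calls an integration plans to make, and reports what is missing (those calls would return 403) and what is excess (candidates for removal). The mapping from HTTP method to action (GET means read, anything else means write or send), the function names and the sample paths are assumptions made for illustration.

```python
# Added example: audit an API key's permissions against planned calls.
# Path prefixes and actions mirror the matrix above. ASSUMPTION: GET maps to
# the read action and every other method to the write/send action.

MATRIX = [  # (path prefix, action for GET, action for other methods)
    ("/v1/messages/uploads/", "messages:send", "messages:send"),
    ("/v1/media/", "messages:send", "messages:send"),
    ("/v1/messages", "messages:read", "messages:send"),
    ("/v1/channels", "channels:read", "channels:write"),
    ("/v1/contacts", "contacts:read", "contacts:write"),
    ("/v1/templates", "templates:read", "templates:write"),
    ("/v1/waba", "waba:read", "waba:write"),
    ("/v1/api-keys", "api_keys:read", "api_keys:write"),
]
# Developer webhooks need org settings access, which is configured in the app.
APP_ONLY_PREFIX = "/v1/settings/developer/webhooks"


def required_action(method, path):
    """Return the action a call needs, or None if access is set in the app."""
    if path.startswith(APP_ONLY_PREFIX):
        return None
    # Longest prefix first so /v1/messages/uploads/ wins over /v1/messages.
    for prefix, read, write in sorted(MATRIX, key=lambda row: -len(row[0])):
        if path.startswith(prefix):
            return read if method.upper() == "GET" else write
    raise ValueError(f"path not covered by the matrix: {path}")


def audit_key(granted, planned_calls):
    """Compare granted permissions with what the planned calls require."""
    needed, app_only = set(), []
    for method, path in planned_calls:
        action = required_action(method, path)
        if action is None:
            app_only.append(path)
        else:
            needed.add(action)
    granted = set(granted)
    return {
        "missing": sorted(needed - granted),  # these calls would return 403
        "excess": sorted(granted - needed),   # remove for least privilege
        "app_only": app_only,                 # not grantable on the key
    }


if __name__ == "__main__":
    # Constructed sample: a send-only integration holding an over-broad key.
    calls = [("POST", "/v1/messages"), ("GET", "/v1/contacts/123")]
    print(audit_key(["messages:send", "api_keys:write"], calls))
```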