Authentication

API keys for requests and signing secrets for webhooks.

Wabery uses API keys to authenticate requests and a signing secret to verify the webhooks Wabery sends you.

Get a project key with the CLI

The fastest way to get a project-scoped key is the CLI:

npm i -g @wabery/cli
wabery login   # opens the browser, choose a project, then saves the key locally

wabery login creates an API key for the project you select and stores it in your local CLI config, so the CLI and the MCP server are authenticated automatically. Use wabery doctor to confirm it works. Create projects in the dashboard, then create or rotate keys under API keys.

API keys

Keys are prefixed by environment:

PrefixUse
wab_live_Production traffic on your connected channels.
wab_test_The shared sandbox number, for development.
wab_pub_Browser-safe publishable key for registration intents.

For your own services, set WABERY_API_KEY (it overrides the CLI config) and authenticate every request with a Bearer token:

curl https://api.wabery.com/v1/messages \
  -H "Authorization: Bearer $WABERY_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "channel_id": "channel_...", "conversation_id": "conversation_...", "text": "Hi" }'

The SDK reads the key for you:

import { Wabery } from "@wabery/sdk";

const wabery = new Wabery();

wab_live_ and wab_test_ keys are server-side secrets. Don't expose them in client code, mobile apps, or git history. Rotate immediately if one leaks.

Publishable keys

Publishable keys (wab_pub_...) are safe to use in browser widgets, but only on the registration-intent endpoints. Send them in the x-wabery-publishable-key header, not as a Bearer token:

curl https://api.wabery.com/v1/registration-intents \
  -H "x-wabery-publishable-key: $WABERY_PUBLISHABLE_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "customer_reference": "user_123" }'

The SDK and CLI do this automatically when apiKey / WABERY_API_KEY starts with wab_pub_.

Webhook signing secret

Each webhook endpoint has a signing secret. Wabery signs every delivery so you can confirm it really came from Wabery and wasn't tampered with — the signature arrives in the x-wabery-signature header as sha256=<hex>. See Webhooks & events for verification.

Scopes

API keys can be scoped to limit blast radius:

  • Read-only — read contacts, conversations, and messages.
  • Scoped — a specific subset of resources/actions.
  • Full developer access — send messages, manage flows and channels.

Use the narrowest scope that works for each integration.

Authentication | Wabery Docs | Wabery