Authentication
API keys for requests and signing secrets for webhooks.
Wabery uses API keys to authenticate requests and a signing secret to verify the webhooks Wabery sends you.
Get a project key with the CLI
The fastest way to get a project-scoped key is the CLI:
npm i -g @wabery/cli
wabery login # opens the browser, choose a project, then saves the key locallywabery login creates an API key for the project you select and stores it in
your local CLI config, so the CLI and the MCP server are
authenticated automatically. Use wabery doctor to confirm it works. Create
projects in the dashboard, then create or rotate keys under API keys.
API keys
Keys are prefixed by environment:
| Prefix | Use |
|---|---|
wab_live_ | Production traffic on your connected channels. |
wab_test_ | The shared sandbox number, for development. |
wab_pub_ | Browser-safe publishable key for registration intents. |
For your own services, set WABERY_API_KEY (it overrides the CLI config) and
authenticate every request with a Bearer token:
curl https://api.wabery.com/v1/messages \
-H "Authorization: Bearer $WABERY_API_KEY" \
-H "Content-Type: application/json" \
-d '{ "channel_id": "channel_...", "conversation_id": "conversation_...", "text": "Hi" }'The SDK reads the key for you:
import { Wabery } from "@wabery/sdk";
const wabery = new Wabery();wab_live_ and wab_test_ keys are server-side secrets. Don't expose them in
client code, mobile apps, or git history. Rotate immediately if one leaks.
Publishable keys
Publishable keys (wab_pub_...) are safe to use in browser widgets, but only on
the registration-intent endpoints. Send them in
the x-wabery-publishable-key header, not as a Bearer token:
curl https://api.wabery.com/v1/registration-intents \
-H "x-wabery-publishable-key: $WABERY_PUBLISHABLE_KEY" \
-H "Content-Type: application/json" \
-d '{ "customer_reference": "user_123" }'The SDK and CLI do this automatically when apiKey / WABERY_API_KEY starts
with wab_pub_.
Webhook signing secret
Each webhook endpoint has a signing secret. Wabery signs every delivery so you
can confirm it really came from Wabery and wasn't tampered with — the signature
arrives in the x-wabery-signature header as sha256=<hex>. See
Webhooks & events for verification.
Scopes
API keys can be scoped to limit blast radius:
- Read-only — read contacts, conversations, and messages.
- Scoped — a specific subset of resources/actions.
- Full developer access — send messages, manage flows and channels.
Use the narrowest scope that works for each integration.