Authentication
API keys for requests and signing secrets for webhooks.
Wabery uses two secrets: an API key to authenticate your requests, and a signing secret to verify the webhooks Wabery sends you.
Get a project key with the CLI
The fastest way to get a project-scoped key is the CLI:
npm i -g @wabery/cli
wabery login # opens the browser, choose a project, then saves the key locallywabery login creates an API key for the project you select and stores it in
your local CLI config, so the CLI and the MCP server are
authenticated automatically. Use wabery doctor to confirm it works. Create
projects in the dashboard, then create or rotate keys under API keys.
API keys
Keys are prefixed by environment:
| Prefix | Use |
|---|---|
wab_live_ | Production traffic on your connected channels. |
wab_test_ | The shared sandbox number, for development. |
For your own services, set WABERY_API_KEY (it overrides the CLI config) and
authenticate every request with a Bearer token:
curl https://api.wabery.com/v1/messages \
-H "Authorization: Bearer $WABERY_API_KEY" \
-H "Content-Type: application/json" \
-d '{ "channel_id": "channel_...", "conversation_id": "conversation_...", "text": "Hi" }'The SDK reads the key for you:
import { Wabery } from "@wabery/sdk";
const wabery = new Wabery();wab_live_ keys are server-side secrets. Don't expose them in client code,
mobile apps, or git history. Rotate immediately if one leaks.
Webhook signing secret
Each webhook endpoint has a signing secret. Wabery signs every delivery so you
can confirm it really came from Wabery and wasn't tampered with — the signature
arrives in the x-wabery-signature header as sha256=<hex>. See
Webhooks & events for verification.
Scopes
API keys can be scoped to limit blast radius:
- Read-only — read contacts, conversations, and messages.
- Scoped — a specific subset of resources/actions.
- Full developer access — send messages, manage flows and channels.
Use the narrowest scope that works for each integration.