Documentation

Get an API key

Sign-up dan login itu flow dashboard (bukan API). Buat dapetin API key:

1. Register akun lewat dashboard
2. Login → buka Settings → copy API key
3. Dari sini ke depan, semua call programmatic pake header X-API-Key

Quickstart (after you have a key)

1. Create device → POST /devices
2. Connect → POST /devices/<id>/connect. Subscribe SSE di /devices/<id>/events, dapet QR, scan pake WA HP lu.
3. Send → POST /messages/send-text atau /messages/send-media.

Authentication

Semua programmatic endpoint butuh header:

X-API-Key: <your-64-char-hex-key>

Verify key lu valid: GET /auth/me. Rotate (invalidasi yang lama): POST /auth/rotate-key.

Webhooks

Each webhook delivery is an HTTP POST with these headers:

Content-Type:        application/json
X-Webhook-Event:     message.received | message.status | device.status
X-Webhook-Signature: <hmac-sha256-hex of body using your webhook secret>
X-Webhook-Timestamp: 1746480000000

Body shape:

{
  "event": "message.received",
  "timestamp": 1746480000000,
  "data": {
    "deviceId": "cmosh123abc",
    "remoteJid": "[email protected]",
    "fromMe": false,
    "type": "conversation",
    "content": { "conversation": "Halo!" },
    "timestamp": 1746479998
  }
}

Verify in Node:

import { createHmac, timingSafeEqual } from "node:crypto";

app.post("/wa/webhook", express.json(), (req, res) => {
  const sig = req.headers["x-webhook-signature"];
  const body = JSON.stringify(req.body);
  const expected = createHmac("sha256", WEBHOOK_SECRET).update(body).digest("hex");

  if (!timingSafeEqual(Buffer.from(sig), Buffer.from(expected))) {
    return res.status(401).end();
  }

  const { event, data } = req.body;
  // ... handle event
  res.status(200).end();
});

Rate limits

• Outbound messages: 30 per minute per device
• Response headers: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset
• Exceeded → HTTP 429

For AI agents

If you're integrating this gateway from an LLM-powered project, point your model at one of these URLs: