API keys
Manage the bearer tokens used to authenticate to this API. Conceptually covered in Concepts → API keys; this page is the wire shape.
List keys
Returns every active key for the authenticated customer. The key material itself is not in the response — only the prefix and metadata.
| Field | Type | Required | Notes |
|---|---|---|---|
| id | string · uuid | required | |
| customer_id | string · uuid | required | |
| instance_id | string · uuid | required · nullable | |
| name | string | required | |
| prefix | string | required | |
| scopes | array<string> | optional | |
| last_used_at | string · ISO 8601 | required · nullable | |
| expires_at | string · ISO 8601 | required · nullable | |
| created_at | string · ISO 8601 | required | |
| revoked_at | string · ISO 8601 | required · nullable | |
curl -s "$WHATISUP_API/v1/api-keys" \
-H "Authorization: Bearer $WHATISUP_API_KEY"
Issue a new key
| Field | Type | Required | Notes |
|---|---|---|---|
| name | string | required | |
| instance_id | string · uuid | optional | |
| scopes | array<string> | optional | |
| expires_at | string · ISO 8601 | optional | |
curl -sX POST "$WHATISUP_API/v1/api-keys" \
-H "Authorization: Bearer $WHATISUP_API_KEY" \
-H "Content-Type: application/json" \
-d '{"name":"app-2026-q2"}'
Pass instance_id to bind the key to a single instance. That key will only be able to send messages from / read deliveries for that one instance — useful for least-privilege apps.
| Field | Type | Required | Notes |
|---|---|---|---|
| id | string · uuid | required | |
| customer_id | string · uuid | required | |
| instance_id | string · uuid | required · nullable | |
| name | string | required | |
| prefix | string | required | |
| scopes | array<string> | optional | |
| last_used_at | string · ISO 8601 | required · nullable | |
| expires_at | string · ISO 8601 | required · nullable | |
| created_at | string · ISO 8601 | required | |
| revoked_at | string · ISO 8601 | required · nullable | |
| secret | string | required | |
The secret field is the only time we'll show the full key. Save it before you
move on. We can revoke it; we cannot recover it.
The prefix (e.g. zpk_live_abcd1234) is what shows up in the key list and in the dashboard. Keep it; you'll use it to identify the key when revoking.
Revoke a key
Soft-delete: the row is marked deleted, the key stops working immediately, and the audit log records the event. Returns 204 No Content.
curl -sX DELETE "$WHATISUP_API/v1/api-keys/key_01J..." \
-H "Authorization: Bearer $WHATISUP_API_KEY"
What you can't do
- Reveal an existing key's secret. Lost it = revoke + issue. By design.
- Re-bind a key to a different instance. Make a new one; revoke the old. The bind is at issue-time only.
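Since binding is fixed at issue time and a key can only be revoked and reissued, a periodic review of the List keys response is how over-broad or forgotten keys get found. The following is an added example, not code from this API's project: it audits key records with the fields documented above and reports by prefix, the value used to identify a key when revoking. The thresholds, finding labels and sample records are assumptions, and it takes a plain list of key objects because the page does not show the response envelope.

```python
from datetime import datetime, timedelta, timezone

def parse_ts(value):
    """Parse an ISO 8601 timestamp from the API; null stays None."""
    if value is None:
        return None
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    # Assumption: a timestamp without an offset is UTC.
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def audit_keys(keys, now, stale_days=90, expiry_warn_days=14):
    """Return {prefix: [findings]} for active keys that need attention."""
    report = {}
    for key in keys:
        if key.get("revoked_at"):
            continue  # already revoked
        findings = []
        if key.get("instance_id") is None:
            findings.append("unbound")      # not limited to one instance
        expires = parse_ts(key.get("expires_at"))
        if expires is None:
            findings.append("no-expiry")
        elif expires - now <= timedelta(days=expiry_warn_days):
            findings.append("expiring")     # expired or inside the warning window
        last_used = parse_ts(key.get("last_used_at"))
        if last_used is None:
            findings.append("never-used")
        elif now - last_used > timedelta(days=stale_days):
            findings.append("stale")
        if findings:
            report[key["prefix"]] = findings
    return report

# Constructed sample records; the instance id and prefixes are made up.
IID = "7d9f3c1e-0000-4000-8000-000000000001"
SAMPLE_KEYS = [
    {"prefix": "zpk_live_aaaa1111", "instance_id": None, "expires_at": None,
     "last_used_at": "2026-03-30T10:00:00Z", "revoked_at": None},
    {"prefix": "zpk_live_bbbb2222", "instance_id": IID, "expires_at": "2026-04-10T00:00:00Z",
     "last_used_at": "2025-11-01T00:00:00Z", "revoked_at": None},
    {"prefix": "zpk_live_cccc3333", "instance_id": IID, "expires_at": "2026-12-31T00:00:00Z",
     "last_used_at": "2026-03-31T08:00:00Z", "revoked_at": None},
    {"prefix": "zpk_live_dddd4444", "instance_id": IID, "expires_at": "2026-09-01T00:00:00Z",
     "last_used_at": None, "revoked_at": None},
]
NOW = datetime(2026, 4, 1, tzinfo=timezone.utc)  # fixed clock for a repeatable run

if __name__ == "__main__":
    for prefix, findings in audit_keys(SAMPLE_KEYS, NOW).items():
        print(prefix, ", ".join(findings))
```

Keys reported as unbound or no-expiry are candidates for replacement with an instance-bound key that carries an expires_at; stale and never-used keys are candidates for revocation.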