WhatIsUp.dev

API keys

WhatIsUp.dev uses bearer tokens for API auth. Sign up, grab a key from the dashboard, put it in an Authorization: Bearer … header, and you're done.

Lifecycle

Keys are auto-provisioned on signup; rotation is issue-then-revoke.

Format

Keys look like:

zpk_live_abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGH
  • zpk_live_ and zpk_test_ are the two prefixes. They're a hint for tooling; the gateway doesn't gate features by prefix.
  • The tail is 32 random URL-safe bytes. Keys are stored hashed — the plaintext is shown to you exactly once at creation. We never log it and we cannot show it to you again.

Scope

Every key belongs to a customer. By default, a key can act on every channel under that customer. You can also issue a channel-scoped key by passing channel_id at create time — that key can only send messages from / read deliveries for that one channel. Channel keys are useful for least-privilege apps (e.g. a marketing tool that should only ever post from one number).

Authentication header

Authorization: Bearer zpk_live_…

Don't put the key in URL query strings — they leak to logs, referrer headers, and CI screenshots.
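
An added example, not WhatIsUp.dev's own code: a scanner that uses the zpk_live_ / zpk_test_ prefixes to find keys that ended up in log lines, flags the ones that were passed in a URL query string, and redacts them. The tail pattern, the api_key parameter name and the sample log lines are assumptions constructed for illustration.

```python
import hashlib
import re

# Assumption: the tail is at least 32 characters from the URL-safe base64
# alphabet. The page documents only the prefixes and "32 random URL-safe bytes".
KEY_RE = re.compile(r"\bzpk_(live|test)_[A-Za-z0-9_-]{32,}")
# A key directly after "?name=" or "&name=" was sent as a query parameter.
QUERY_RE = re.compile(r"[?&][^=&\s]*=$")

# Constructed sample key and log lines; "api_key" is a hypothetical parameter name.
SAMPLE_KEY = "zpk_test_" + "0123456789abcdef" * 2 + "ABCDEFGHIJK"
SAMPLE_LOG = [
    f'10.0.0.5 "GET /v1/api-keys?api_key={SAMPLE_KEY}&page=2 HTTP/1.1" 200',
    f"debug: request header Authorization: Bearer {SAMPLE_KEY}",
    '10.0.0.5 "POST /v1/api-keys HTTP/1.1" 201',
]


def fingerprint(key: str) -> str:
    """Short SHA-256 prefix: lets you correlate findings without keeping plaintext."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def scan(lines):
    """Return one finding per key occurrence, never the key itself."""
    findings = []
    for number, line in enumerate(lines, 1):
        for match in KEY_RE.finditer(line):
            findings.append({
                "line": number,
                "prefix": match.group(1),
                "in_query": QUERY_RE.search(line[:match.start()]) is not None,
                "fingerprint": fingerprint(match.group(0)),
            })
    return findings


def redact(line: str) -> str:
    """Replace each key with its prefix and fingerprint so the log stays readable."""
    return KEY_RE.sub(
        lambda m: f"zpk_{m.group(1)}_[REDACTED:{fingerprint(m.group(0))}]", line)


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    for line in SAMPLE_LOG:
        print(redact(line))
```

Any finding means the key should be treated as exposed: issue a replacement and revoke the old key as described under Rotation.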

Rotation

Issue a new key, swap your env, then revoke the old one. There's no separate "rotate without downtime" endpoint because issue-then-revoke covers it: both keys are valid in the overlap window.

Issue a new key (the existing key authenticates this call):

curl -sX POST "$WHATISUP_API/v1/api-keys" \
  -H "Authorization: Bearer $WHATISUP_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name":"app-2026-q2"}'

Then your app reads the new key from env and redeploys. After the new key is in use, revoke the old one:

curl -sX DELETE "$WHATISUP_API/v1/api-keys/key_01J..." \
  -H "Authorization: Bearer $WHATISUP_API_KEY"

Rate limits

Every authenticated request charges 1 token from a per-customer bucket. The defaults give you a 60-request burst and ~1 request / second sustained — plenty for most workloads.

The response includes:

X-RateLimit-Limit: 60
X-RateLimit-Remaining: 47

…and on rejection:

HTTP/1.1 429 Too Many Requests
Retry-After: 4
{"error": {"code": "rate_limited", "message": "…"}}

If you bump up against the limit a lot, talk to us before sharding API keys — we'd rather raise your bucket.

Audit log

Every issue, every revoke, every authentication failure leaves an entry in the audit log. View it from the dashboard's Activity tab. Audit entries survive the resource they reference, so the trail outlives what it points at.