Authentication

Learn how to authenticate your API requests and manage API keys.

Overview

All WebKasa API requests require authentication using an API key. API keys are scoped to specific permissions and tied to your organization.

API keys follow this format:

wk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx
└──────────────────────────────────┘
           64 character key

Include your API key in one of these ways:

curl -X GET "https://api.webkasa.app/api/v1/events" \
  -H "Authorization: Bearer wk_live_your_api_key_here"

curl -X GET "https://api.webkasa.app/api/v1/events" \
  -H "X-API-Key: wk_live_your_api_key_here"

When creating an API key, select the minimum scopes needed for your integration:

Parameter	Type	Description
events:read	`string`	View events and event details
events:write	`string`	Create, update, and delete events
registrations:read	`string`	View event registrations
registrations:write	`string`	Create and manage registrations
bookings:read	`string`	View bookings and schedules
bookings:write	`string`	Create, update, and cancel bookings
posts:read	`string`	View blog posts and categories
posts:write	`string`	Create, update, and delete blog posts
comments:read	`string`	View event comments
comments:write	`string`	Create and delete comments
users:read	`string`	View user profiles
sites:read	`string`	View site information
*:read	`string`	All read operations
*	`string`	All operations (full access)

•Never expose API keys in client-side code. Always call the API from your server.
•Use environment variables to store API keys, not hardcoded strings.
•Rotate keys periodically and immediately if you suspect compromise.
•Use minimum necessary scopes. Don't request * if you only need read access.

If authentication fails, you'll receive one of these responses:

401 Unauthorized

{
  "error": "API key is required",
  "code": "UNAUTHORIZED"
}

403 Forbidden

{
  "error": "Insufficient permissions. Required scope: events:write",
  "code": "FORBIDDEN"
}