Developers

Authentication

The Qwetty API uses Bearer API keys for authentication. Every request to the API must include a valid API key in the Authorization header.

Authorization Header

Include your API key as a Bearer token:

Code
Authorization: Bearer YOUR_API_KEY

Example Request

Code
curl -X GET "https://api.qwetty.com/api/v1/chats" \
  -H "Authorization: Bearer qk_live_abc123..."

API Key Properties

Property	Description
Organization-scoped	Each API key belongs to an organization. All data access is limited to that organization.
Expiration	Keys can have an optional expiration date. Expired keys are automatically rejected.
Activation	Keys can be activated or deactivated. Deactivated keys are rejected even if not expired.
Permissions	Keys can be configured with granular permissions (e.g., read chats, send messages).
Channel scopes	Keys can be restricted to specific channels.
IP whitelist	Keys can be restricted to specific IP addresses.
Usage tracking	Request count and last-used timestamp are tracked automatically.

Error Responses

When authentication fails, the API returns a 401 Unauthorized response:

Missing or malformed header


Code
{
  "error": "Missing or invalid Authorization header"
}

This occurs when:

The Authorization header is missing
The header does not start with Bearer

Invalid or expired key


Code
{
  "error": "Invalid or expired API key"
}

This occurs when:

The API key does not exist
The API key has been deactivated
The API key has expired

Best Practices

Keep keys secret — Never expose API keys in client-side code, public repositories, or logs
Use environment variables — Store API keys in environment variables, not in source code
Rotate regularly — Create new keys and deactivate old ones periodically
Set expiration dates — Use expiration dates to limit the window of exposure if a key is compromised
One key per integration — Use separate API keys for different integrations to isolate access
Use IP whitelists — Restrict keys to known server IPs for added security
Set minimal permissions — Only grant the permissions each integration actually needs

Next steps

API Keys — Learn how to create and manage API keys
Send Your First Message — End-to-end API tutorial
API Reference — Explore all available endpoints

Last modified on April 20, 2026

Developer Overview API Keys

API Key Properties

Property

Description

Organization-scoped

Each API key belongs to an organization. All data access is limited to that organization.

Expiration

Keys can have an optional expiration date. Expired keys are automatically rejected.

Activation

Keys can be activated or deactivated. Deactivated keys are rejected even if not expired.

Permissions

Keys can be configured with granular permissions (e.g., read chats, send messages).

Channel scopes

Keys can be restricted to specific channels.

IP whitelist

Keys can be restricted to specific IP addresses.

Usage tracking

Request count and last-used timestamp are tracked automatically.

Error Responses

When authentication fails, the API returns a 401 Unauthorized response:

Missing or malformed header

Code

{
  "error": "Missing or invalid Authorization header"
}

This occurs when:

The Authorization header is missing

The header does not start with Bearer

Invalid or expired key

Code

{
  "error": "Invalid or expired API key"
}

This occurs when:

The API key does not exist

The API key has been deactivated

The API key has expired

Best Practices

Keep keys secret — Never expose API keys in client-side code, public repositories, or logs

Use environment variables — Store API keys in environment variables, not in source code

Rotate regularly — Create new keys and deactivate old ones periodically

Set expiration dates — Use expiration dates to limit the window of exposure if a key is compromised

One key per integration — Use separate API keys for different integrations to isolate access

Use IP whitelists — Restrict keys to known server IPs for added security

Set minimal permissions — Only grant the permissions each integration actually needs