Authentication

Every request to the Loopwave API must include an API key. Keys are created by an admin in the dashboard and carry scopes that limit what they can do.

Creating an API key

  1. Open API Keys (admin)

    In the dashboard, go to Settings → API Keys. Only admins can manage keys.

  2. Name it and choose scopes

    Give the key a recognizable name and select the scopes it needs. A key with * (all scopes) is created by default if you don’t narrow it.

  3. Copy the key now

    The full key (it looks like lw_live_...) is shown exactly once at creation. Store it in a secrets manager — you can’t retrieve it again later.

Loopwave stores only a hash of your key, so it can never show you the full value a second time. If you lose it, revoke the key and create a new one.

Passing the key

Send the key with every request, using either header:

Authorization header

  curl https://YOUR_DOMAIN/api/v1/health \
    -H "Authorization: Bearer lw_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

X-API-Key header

  curl https://YOUR_DOMAIN/api/v1/health \
    -H "X-API-Key: lw_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

A missing or invalid key returns 401 invalid_api_key.

Scopes

Each key holds a set of scopes. A key with * passes every check; otherwise the exact scope for an endpoint must be present, or the request returns 403 insufficient_scope.

Scope               Grants
messages:write      Send messages (POST /messages).
chats:read          List chats and read message threads.
contacts:read       List contacts.
contacts:write      Create contacts.
tickets:read        List tickets.
tickets:write       Create tickets.
broadcasts:write    Create and queue broadcasts.
*                   All of the above.

Grant the least privilege a key needs. A server that only sends notifications should hold just messages:write; a read-only reporting job needs only the *:read scopes it uses. broadcasts:write is intentionally separate because broadcasts carry the highest ban risk.

Managing keys

Admins can rename, enable/disable, re-scope, and revoke keys at any time. Disabling or revoking a key takes effect immediately — the next request with that key returns 401. Loopwave also records each key’s last-used time so you can spot unused credentials.
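
As an added example (not Loopwave's code), this Python sketch audits a key inventory against the least-privilege guidance under Scopes and the last-used tracking described above. The record fields (name, scopes, enabled, last_used), the sample keys and the 90-day staleness threshold are assumptions, since this page does not define an export format.

```python
from datetime import datetime, timedelta, timezone

# Scope names as listed in the table on this page.
KNOWN_SCOPES = {"messages:write", "chats:read", "contacts:read", "contacts:write",
                "tickets:read", "tickets:write", "broadcasts:write"}

def allows(granted, required):
    """Documented check: '*' passes everything, otherwise exact match only."""
    return "*" in granted or required in granted

def audit_key(key, now, stale_after=timedelta(days=90)):
    """Return findings for one key record (hypothetical export format)."""
    findings, granted = [], set(key["scopes"])
    if "*" in granted:
        findings.append("wildcard scope: narrow to the scopes actually used")
    elif allows(granted, "broadcasts:write"):
        findings.append("holds broadcasts:write: confirm it must send broadcasts")
    unknown = granted - KNOWN_SCOPES - {"*"}
    if unknown:
        findings.append("unrecognized scopes: " + ", ".join(sorted(unknown)))
    if key["enabled"]:  # disabled keys already return 401, so skip staleness
        last = key["last_used"]  # None means the key was never used
        if last is None:
            findings.append("enabled but never used: revoke or disable")
        elif now - datetime.fromisoformat(last) > stale_after:
            findings.append("enabled but unused for over %d days" % stale_after.days)
    return findings

def audit(keys, now):
    """Map key name -> findings, omitting keys with nothing to report."""
    report = {k["name"]: audit_key(k, now) for k in keys}
    return {name: f for name, f in report.items() if f}

# Constructed sample inventory; field names are assumptions, not Loopwave's API.
SAMPLE_KEYS = [
    {"name": "notifier", "scopes": ["messages:write"], "enabled": True,
     "last_used": "2025-05-30T08:00:00+00:00"},
    {"name": "default-key", "scopes": ["*"], "enabled": True, "last_used": None},
    {"name": "old-reporting", "scopes": ["chats:read", "tickets:read"],
     "enabled": True, "last_used": "2024-11-01T00:00:00+00:00"},
    {"name": "campaigns", "scopes": ["broadcasts:write", "contacts:read"],
     "enabled": False, "last_used": "2025-05-01T00:00:00+00:00"},
]

if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    for name, findings in audit(SAMPLE_KEYS, now).items():
        print(name, "->", "; ".join(findings))
```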

License and writes

The API respects your license. Read endpoints always work. Write endpoints (sending messages, creating contacts/tickets/broadcasts) are blocked with 402 when the license is expired or revoked in enforce mode. See Licensing.
