Limited Time: Start your 14-day free trial, no credit card required
Walytic Logo
Help Center
Plans & Billing

API keys and the external API

Generate keys, authenticate, send messages programmatically. Quick walkthrough plus the most common pitfalls.

3 min readUpdated May 2, 2026api · api keys · rest

Why use the API

Walytic's UI covers most workflows: campaigns, flows, Unibox, contacts. The API exists for cases the UI doesn't fit:

  • Sending from your own backend (e.g., order confirmation right after a Stripe webhook fires)
  • Programmatic CRM sync (creating contacts when a new lead enters your sales pipeline)
  • Custom dashboards that pull message logs into your own analytics stack
  • Multi-tenant resellers where you abstract Walytic behind your own product

Generate an API key

Sidebar → SettingsAPI KeysGenerate New Key.

Copy the key. It's shown ONCE. Walytic stores only a hash; if you lose the plaintext, generate a new one.

Authenticate

Every request includes the key in an Authorization header:

Authorization: Bearer wlt_live_<your_key>

API keys are scoped to your workspace, not your user. They survive role changes and team member removals.

Send a message

curl -X POST https://api.walytic.com/v1/messages \
  -H "Authorization: Bearer wlt_live_<key>" \
  -H "Content-Type: application/json" \
  -d '{
    "sessionId": "919876543210",
    "to": "919999999999",
    "text": "Hi, your order #1234 is confirmed."
  }'

The response includes a Walytic message ID and the status. The actual WhatsApp message ID arrives via webhook once the message is delivered (or fails).

Receive webhooks

Inbound messages and delivery events fire to a webhook URL you configure under Settings → Webhooks. Each event is signed with HMAC-SHA256 over the raw body. Verify the signature before acting on the payload.

{
  "event": "message.received",
  "sessionId": "919876543210",
  "from": "919999999999",
  "text": "got it, thanks!",
  "timestamp": 1714602000
}

Rate limits

  • 60 requests per minute per API key (sliding window).
  • Bursts up to 100 are allowed within a 5-second window before throttling kicks in.
  • Throttled requests get HTTP 429 with a Retry-After header.

If your use case needs higher limits (e.g., enterprise data import), email support.

Quotas

API messages count toward your monthly message quota same as in-app sends. There's no separate API metering.

Full reference

The complete REST API reference (every endpoint, every parameter, every response code) is at api-reference or as Postman collection at /documentation.

Common pitfalls

  • Wrong session ID format. Use the connected number with country code, no +, no spaces. e.g., 919876543210, not +919876543210.
  • Forgot to register webhook URL. API sends work without webhooks, but you'll never see delivery status updates.
  • Using a stale key. Rotated keys stop working immediately. Update both your code and any Zapier/Make integrations after rotating.
  • Sending to non-WhatsApp numbers. API returns an error; the recipient's number isn't on WhatsApp. Validate before queueing high volume.

Need more help?

Browse the rest of the help center or contact support directly.

Help CenterOpen Walytic