Skip to main content
The API authenticates with a bearer token — a whk_-prefixed API key you create in your dashboard. Send it in the Authorization header:
curl https://api.webhook.co/v1/whoami \
  -H "Authorization: Bearer $WEBHOOK_API_KEY"
The SDKs take the key at construction and attach it for you:
import { WebhookClient } from "@webhook-co/sdk";
const webhook = new WebhookClient({ apiKey: process.env.WEBHOOK_API_KEY! });
Keep the key server-side. The SDKs never print it (they redact it from errors and debug output), but it’s still a credential — treat it like a password.

Scopes

Keys are scoped. A key missing a required scope for an action gets a 403 FORBIDDEN — mint a key with the right scopes from the dashboard rather than over-provisioning. Resolve a key’s identity and scopes with whoami:
const me = await webhook.whoami();
console.log(me.orgId, me.scopes);

Base URL

The default is https://api.webhook.co. Point the SDKs at a self-host or dev origin with the base-URL option — it must be https (loopback http is allowed for local dev), so a misconfiguration can’t downgrade your key onto a plaintext connection.