Authentication
ChatYug External API requests are authenticated with a Bearer API key prefixed ck_.
Authorization header
Include the key on every External API request (except the public health check at GET /api/external/test):
Authorization: Bearer ck_your_api_key_here
Key format
Keys use the prefix ck_ followed by 64 hexadecimal characters. Example shape:
ck_a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456
Validate your key
Returns userId, wabaId, businessName, and phoneNumbers[] for the key’s WABA. See Testing & IDs for a full response example.
One key, one WABA
Each API key is scoped to a single WhatsApp Business Account. Use the phone number IDs from GET /me as phoneNumberId in send requests.
Webhook secret is separate
The API key authenticates outbound requests from your server to ChatYug. Inbound webhooks use a separate secret configured in the portal. See Webhook Setup and Signature Verification.
Expired or revoked keys
Expired keys return 401. Revoked keys stop working immediately. Generate a replacement through the portal approval workflow — see API Keys.