API Security

Best practices for securing your Wazera API integration.

API Key Security

  • Store API keys as environment variables, never in source code
  • Use different keys for development and production
  • Apply minimum required scopes to each key
  • Rotate keys regularly (at least every 90 days)
  • Revoke keys immediately if compromised

HTTPS Only

All API requests must use HTTPS. HTTP requests are rejected.

Webhook Verification

Always verify the webhook signature against the raw request body before processing the event, and treat a missing signature as a failure rather than as a reason to skip the check:

// $payload must be the raw request body exactly as received (e.g. $request->getContent()),
// not a re-encoded copy; $signature comes from the webhook's signature header; $secret is
// the webhook signing secret, loaded from the environment.
$expected = hash_hmac('sha256', $payload, $secret);
// hash_equals() compares in constant time; reject a missing header instead of comparing against null
if (! is_string($signature) || ! hash_equals($expected, $signature)) {
    abort(401);
}
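The following is an added, stand-alone example (not Wazera's own code) that wraps the check above in a reusable function and runs it against the failure modes a practitioner most often gets wrong: a re-serialised body, a missing header, and a tampered body. The secret, payload and the signature value are constructed for illustration; in a real endpoint the secret comes from the environment and the signature from the header your webhook settings name.

```php
<?php
declare(strict_types=1);

/**
 * Verify an HMAC-SHA256 webhook signature over the raw request body.
 * Returns true only when a signature is present and matches the expected value.
 */
function verify_webhook(string $rawBody, ?string $signatureHeader, string $secret): bool
{
    // A missing or empty header is a rejection, never a reason to skip verification.
    if ($signatureHeader === null || $signatureHeader === '') {
        return false;
    }
    $expected = hash_hmac('sha256', $rawBody, $secret);
    // Constant-time comparison; a plain === would leak how many leading bytes matched.
    return hash_equals($expected, $signatureHeader);
}

// --- constructed sample data (assumptions for this example) ------------------
$secret  = 'whsec_example_do_not_use';   // in practice: read from the environment
$rawBody = '{"event":"message.delivered","id":"msg_123","meta":{"retries":0}}';
$header  = hash_hmac('sha256', $rawBody, $secret); // what a sender would place in the header

// Re-serialising the JSON changes bytes (spacing, key order, escaping), so a
// handler that verifies json_encode(json_decode($body)) instead of $body will
// reject every genuine webhook, and developers then tend to disable the check.
$reencoded = json_encode(json_decode($rawBody, true), JSON_PRETTY_PRINT);

// Same signature presented with a modified body: must be rejected.
$tampered = str_replace('msg_123', 'msg_999', $rawBody);

// Each case lists the verifier's result next to the result it must produce.
$cases = [
    'raw body, valid signature'       => [verify_webhook($rawBody, $header, $secret), true],
    're-serialised body, same header' => [verify_webhook($reencoded, $header, $secret), false],
    'raw body, no signature header'   => [verify_webhook($rawBody, null, $secret), false],
    'tampered body, original header'  => [verify_webhook($tampered, $header, $secret), false],
];

foreach ($cases as $name => [$got, $want]) {
    if ($got !== $want) {
        throw new RuntimeException("unexpected verification result for: $name");
    }
    echo str_pad($name, 34) . ($got ? 'accepted' : 'rejected') . PHP_EOL;
}
```

Run it with `php verify_webhook.php`; it throws if any case behaves unexpectedly. The second case is the one to remember: compute the HMAC over the bytes the framework hands you, and only decode the JSON after the signature has passed.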

Rate Limiting

Implement client-side rate limiting to avoid hitting API limits:

use Illuminate\Support\Facades\RateLimiter;

// Laravel's rate limiter: at most 60 calls per 60-second window; returns false once exhausted
$sent = RateLimiter::attempt('wazera-api', 60, function () {
    Wazera::sendMessage([...]);
});
if (! $sent) {
    sleep(RateLimiter::availableIn('wazera-api')); // wait for the window to reset, then retry
}

IP Allowlisting

For enterprise plans, you can restrict API key usage to specific IP addresses. Configure this in the dashboard under API Keys settings.

Audit Logging

All API operations are logged with:

  • Timestamp
  • API key used (prefix only)
  • Endpoint accessed
  • Response status
  • IP address

View audit logs in the dashboard under Logs.