🔒 Security

We do not recommend exposing the API on any public networks!

Either protect the API with an API key or deny access by using firewalls.

👉 Security options are available in WAHA Plus version only.

Swagger Security

Username and password

To put the project's Swagger panel behind a login, run the following command. It sets both the username and the password to admin:

docker run -it -e WHATSAPP_SWAGGER_USERNAME=admin -e WHATSAPP_SWAGGER_PASSWORD=admin devlikeapro/whatsapp-http-api-plus

Open http://localhost:3000/ and enter admin / admin in the inputs.

Disable Swagger

You can also hide Swagger completely by setting the WHATSAPP_SWAGGER_ENABLED=false environment variable.

Dashboard Security

When running WAHA you can set the following environment variables to configure the dashboard:

  • WAHA_DASHBOARD_ENABLED=true - enable or disable the dashboard, by default true. Set to false to disable the dashboard.
  • WAHA_DASHBOARD_USERNAME=waha - username used to log in, by default waha.
  • WAHA_DASHBOARD_PASSWORD=waha - password used to log in, by default waha.

Read more about Dashboard ->

API security

You can protect the API by requiring an API key in the request headers.

Set Api Key

Set the WHATSAPP_API_KEY=yoursecretkey environment variable for that:

docker run -it -e WHATSAPP_API_KEY=yoursecretkey devlikeapro/whatsapp-http-api-plus

Use Api-Key in Swagger

After you set the API key, use the Authorize button at the top of the Swagger page to authorize.

Add X-Api-Key header

To authorize requests, set the X-Api-Key header to yoursecretkey on all requests that go to WAHA.

Python

Example for Python requests library:

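import requests

# Send the key in the X-Api-Key header on every request to WAHA.
headers = {
    'Content-type': 'application/json',
    'X-Api-Key': 'yoursecretkey',
}
response = requests.get("http://localhost:3000/api/sessions", headers=headers, timeout=10)
response.raise_for_status()  # raise if WAHA rejects the request
print(response.json())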
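The Swagger, dashboard and API key settings described above can be checked before a container is started. The following pre-deployment audit is an added example, not part of WAHA or of the original page; the function names and sample environments are hypothetical, and it assumes that an unset WHATSAPP_SWAGGER_ENABLED means Swagger is on.

```python
import secrets

# Values printed in the documentation, so anyone can guess them.
DOC_VALUES = {"yoursecretkey", "admin", "waha"}

def enabled(env, name):
    # Assumption: an unset *_ENABLED variable means the feature is on.
    return env.get(name, "true").strip().lower() != "false"
def weak(user, password):
    return password in DOC_VALUES or password == user

def audit_waha_env(env):
    """Return findings for a dict of container environment variables."""
    findings = []
    api_key = env.get("WHATSAPP_API_KEY", "")
    if not api_key:
        findings.append("WHATSAPP_API_KEY is not set: the API accepts requests without a key")
    elif api_key in DOC_VALUES:
        findings.append("WHATSAPP_API_KEY is the documentation placeholder")
    if enabled(env, "WAHA_DASHBOARD_ENABLED"):
        # The page states that both values default to "waha" when unset.
        user = env.get("WAHA_DASHBOARD_USERNAME", "waha")
        if weak(user, env.get("WAHA_DASHBOARD_PASSWORD", "waha")):
            findings.append("dashboard is enabled with a default or guessable password")
    if enabled(env, "WHATSAPP_SWAGGER_ENABLED"):
        user = env.get("WHATSAPP_SWAGGER_USERNAME", "")
        password = env.get("WHATSAPP_SWAGGER_PASSWORD", "")
        if not user or not password:
            findings.append("Swagger is enabled without a username and password")
        elif weak(user, password):
            findings.append("Swagger is enabled with a default or guessable password")
    return findings

def new_secret():
    # 32 random bytes from the OS CSPRNG, URL-safe encoded.
    return secrets.token_urlsafe(32)

# Constructed sample inputs, not taken from a real deployment.
AS_DOCUMENTED = {"WHATSAPP_API_KEY": "yoursecretkey",
                 "WHATSAPP_SWAGGER_USERNAME": "admin",
                 "WHATSAPP_SWAGGER_PASSWORD": "admin"}
HARDENED = {"WHATSAPP_API_KEY": new_secret(),
            "WAHA_DASHBOARD_USERNAME": "ops",
            "WAHA_DASHBOARD_PASSWORD": new_secret(),
            "WHATSAPP_SWAGGER_ENABLED": "false"}

if __name__ == "__main__":
    for label, env in (("as documented", AS_DOCUMENTED), ("hardened", HARDENED)):
        print(label, audit_waha_env(env) or "no findings")
```

Pass the audit the same variables you give to docker run; the dashboard finding for the first sample appears because the dashboard variables are unset and fall back to waha / waha.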

Webhook security

To make sure that a webhook really comes from your WAHA instance, you can use HMAC authentication. Read more about it on the Webhooks page ->