🔒 Security

We do not recommend exposing the API on any public networks!

Either protect the API with Api Key or deny access by using firewalls.

👉 Security options are available in WAHA Plus version only.

Swagger Security

Username and password

If you want to hide the project Swagger panel under the password - run the following command to hide under admin/admin login and password.

docker run -it -e WHATSAPP_SWAGGER_USERNAME=admin -eWHATSAPP_SWAGGER_PASSWORD=admin devlikeapro/waha-plus

Open http://localhost:3000/ and enter admin / admin in the inputs:

Disable Swagger

You also can hide swagger completely by setting WHATSAPP_SWAGGER_ENABLED=false environment variable.

Swagger White Label

You can also set Swagger White Label options instead of hiding the Swagger panel.

Dashboard Security

When running WAHA you can set the following environment variables to configure the dashboard:

  • WAHA_DASHBOARD_ENABLED=true - enable or disable the dashboard, by default true. Set to false to disable the dashboard.
  • WAHA_DASHBOARD_USERNAME=waha - username used to log in, by default waha.
  • WAHA_DASHBOARD_PASSWORD=waha - password used to log in, by default waha.

Read more about Dashboard ->

API security

You can protect the API by requiring Api Key in a request’s headers.

Set Api Key

Set WHATSAPP_API_KEY=yoursecretkey environment variable for that:

docker run -it -e WHATSAPP_API_KEY=yoursecretkey devlikeapro/waha-plus

Use Api-Key in Swagger

After you set api key - to authorize on swagger use Authorize button at the top:

Add X-Api-Key header

To authorize requests - set X-Api-Key header to yoursecretkey for all requests that go to WAHA.


Example for Python requests library:

import requests

headers = {
  'Content-type': 'application/json',
  'X-Api-Key': 'yoursecretkey',
requests.get("http://localhost:3000/api/sessions", headers=headers)

Webhook security

To make sure that you get a webhook from your WAHA instance - you can use HMAC authentication. Read more about it on Webhooks page ->


After you set up the security options - you should set up HTTPS to protect the data in transit and prevent Man-in-the-middle attacks.

That’s fine to run it on the local network without HTTPS, but for the production environment, it’s a must-have.

Environment variables

WAHA supports HTTPS out of the box.

You can set up the following environment variables to enable HTTPS:

  • WAHA_HTTPS_ENABLED=true: Set this variable to true to enable HTTPS. By default, it’s false.
  • WAHA_HTTPS_PATH_KEY=/path/to/key.pem: The path to the key file for HTTPS. By default ./.secrets/privkey.pem
  • WAHA_HTTPS_PATH_CERT=/path/to/cert.pem: The path to the certificate file for HTTPS. By default ./.secrets/cert.pem
  • WAHA_HTTPS_PATH_CA=/path/to/ca.pem: The path to the CA file for HTTPS. By default ./.secrets/chain.pem

How to set up HTTPS

Here’s available options how you can set up HTTPS:

  1. Self-signed certificate - generate a self-signed certificate and use it for HTTPS.
  2. Let’s Encrypt - use Certbot to get a free certificate from Let’s Encrypt.
  3. Using reverse proxy - use Nginx or Apache as a reverse proxy and set up HTTPS there.

👉 Here’s Step by step guide on how to set up HTTPS for WAHA