API Keys
How API keys work across dashboard and public v1 routes.
Overview
API keys authenticate most protected /v1/* routes. Keys use the wbk_ prefix. Full key material is shown once at creation time.
Treat API keys like passwords. Rotate quickly if leaked and scope them to least privilege.
Create keys
The dashboard route for key creation is POST /api/developer/createApiKey (JWT/session auth).
POST /api/developer/createApiKey
Auth: Dashboard JWT/session
Billing: Free
Behavior: Creates key and returns plaintext secret once
Create via dashboard API (bash)
# Dashboard route (JWT/session auth)
curl -X POST https://prod-backup-backend.wubble.ai/api/developer/createApiKey \
  -H "Authorization: Bearer <dashboard_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "keyName": "Production backend",
    "scopes": ["audio:generate","analytics:read"],
    "expiresInDays": 90
  }'

POST /v1/apikeys exists, but route logic enforces JWT and rejects API-key callers with 403.
List and revoke keys
Integrations can list/revoke keys on v1 using API-key or JWT context.
GET /v1/apikeys
Auth: API key or dashboard JWT
Billing: Free
Behavior: List keys for the current account
DELETE /v1/apikeys/:keyId
Auth: API key or dashboard JWT
Billing: Free
Behavior: Revokes the selected key
GET /v1/apikeys (bash)
# Integration route (API key auth)
curl -s 'https://prod-backup-backend.wubble.ai/v1/apikeys?page=1&limit=20&include_inactive=false' \
  -H "Authorization: Bearer wbk_your_api_key"

DELETE /v1/apikeys/:keyId (bash)
# Quote the URL so the shell does not treat the <keyId> placeholder as redirection
curl -X DELETE 'https://prod-backup-backend.wubble.ai/v1/apikeys/<keyId>' \
  -H "Authorization: Bearer wbk_your_api_key"

Scopes
Route-level scope checks are enforced server-side. full_access bypasses granular checks.
Effective scope mapping (text)
full_access      # bypasses route-specific scope checks
audio:generate   # required for /v1/music*, /v1/speech*, /v1/sound-effects*
analytics:read   # required for /v1/credits, /v1/usage, /v1/requests/*
webhooks:manage  # required for /v1/webhooks*

Storage & rotation
Safe storage basics
// ✅ server-side only
const apiKey = process.env.WUBBLE_API_KEY;
await fetch('https://prod-backup-backend.wubble.ai/v1/credits', {
  headers: { Authorization: `Bearer ${apiKey}` },
});
// ❌ never ship keys in browser bundles
// ❌ never commit keys to git

Environment and secret managers
Use env vars, cloud secrets, and server-side injection.
Rotation workflow
Create new key, deploy, verify traffic, then revoke old key.
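When choosing scopes for the replacement key in the rotation workflow, the scope mapping above can be turned into a least-privilege check. This is an added example, not code from the Wubble backend: the function names and sample paths are hypothetical, and reading a trailing `*` as a prefix wildcard is an assumption.

```javascript
// Added example: client-side scope audit; not the server's enforcement code.
// Mapping copied from the "Effective scope mapping" table on this page.
const SCOPE_MAP = [
  { scope: 'audio:generate', patterns: ['/v1/music*', '/v1/speech*', '/v1/sound-effects*'] },
  { scope: 'analytics:read', patterns: ['/v1/credits', '/v1/usage', '/v1/requests/*'] },
  { scope: 'webhooks:manage', patterns: ['/v1/webhooks*'] },
];

// Assumption: a trailing "*" is a prefix wildcard; anything else is an exact match.
function matches(pattern, path) {
  return pattern.endsWith('*')
    ? path.startsWith(pattern.slice(0, -1))
    : path === pattern;
}

// Returns the scope a route needs, or null when the table lists none for it.
function requiredScope(path) {
  const clean = path.split('?')[0]; // ignore the query string
  const hit = SCOPE_MAP.find((e) => e.patterns.some((p) => matches(p, clean)));
  return hit ? hit.scope : null;
}

// Compares the scopes granted to a key with what the called routes need.
function auditKey(keyScopes, calledPaths) {
  const needed = new Set(calledPaths.map(requiredScope).filter(Boolean));
  const granted = new Set(keyScopes);
  const hasFullAccess = granted.has('full_access');
  return {
    minimal: [...needed].sort(), // scopes to request for the new key
    // full_access bypasses route checks, so nothing is missing, but it is surplus
    missing: hasFullAccess ? [] : [...needed].filter((s) => !granted.has(s)).sort(),
    surplus: [...granted].filter((s) => !needed.has(s)).sort(),
    unmapped: calledPaths.filter((p) => requiredScope(p) === null),
  };
}

// Constructed sample: a backend that generates music, reads credits, lists keys.
const report = auditKey(
  ['full_access'],
  ['/v1/music/generate', '/v1/credits?period=30d', '/v1/apikeys'],
);
console.log(report);
```

Paths reported under `unmapped` (here `/v1/apikeys`) have no scope listed in the mapping, so the audit makes no claim about them.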