How do I authenticate requests?
Send Authorization: Bearer <token> with every public API v2 request. The token is generated from the Whats91 customer dashboard.
Authenticate public v2 requests with managed Whats91 bearer tokens.
Authentication
Summary
Learn how Whats91 authenticates public API v2 requests with bearer tokens and how sender selection works across request bodies and URL parameters.
Prerequisites
- A generated Whats91 public API token
- Content-Type: application/json for JSON requests
Related documentation
Public v2 APIs use managed Whats91 bearer tokens. Generate tokens in the customer dashboard, store them server-side, and send them in the Authorization header on every request.
Bearer Token Authentication
HTTP Header
Authorization: Bearer w91_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxWhere Tokens Are Accepted
| Endpoint | Preferred location | Compatibility fallback |
|---|---|---|
| POST /api/v2/send | Authorization header | JSON or multipart field authToken, auth_token, or token |
| POST /api/v2/chat | Authorization header | JSON or multipart field authToken, auth_token, or token |
| GET /api/v2/templates | Authorization header | Query authToken, auth_token, or token |
| GET /api/v2/templates/{identifier} | Authorization header | Query authToken, auth_token, or token |
| POST /api/v2/templates | Authorization header | JSON or multipart field authToken, auth_token, or token |
| POST /api/v2/messages | Authorization header | JSON body authToken, auth_token, or token |
| POST /api/v2/{phoneNumberId}/messages | Authorization header | JSON body authToken, auth_token, or token |
Sender Selection
senderId is the WhatsApp sender phone number. It is optional when the token scope or selected/default sender can resolve the sender. Use senderId when a global token can access multiple numbers. Number-scoped tokens can only use their assigned WhatsApp number. For Meta-compatible sends, POST /api/v2/{phoneNumberId}/messages is the most explicit sender selection.
Sender selection example
{
"senderId": "919999999999",
"to": "918888888888",
"type": "text",
"text": "Hello from Whats91"
}Do not expose bearer tokens in browser code, mobile apps, public repositories, or support tickets. Treat every token as a server-side secret.
Frequently Asked Questions
Can I use dashboard session cookies for API calls?
No. Public integrations should use bearer tokens, not dashboard session cookies.
How does Whats91 select the sender?
Whats91 resolves the sender from the token, senderId, phoneNumberId, or route-specific sender value depending on the endpoint.