> ## Documentation Index
> Fetch the complete documentation index at: https://docs.whatabot.app/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> API Key authentication for sessions and OAuth tokens for iframe embedding.

## API Key Authentication

All v1 endpoints use **API Key** authentication. Pass your key in the `X-Api-Key` header:

```bash theme={null}
curl -X POST "https://api.whatabot.app/api/v1/sessions/flows/{flowId}/create" \
  -H "X-Api-Key: wh_your_api_key_here"
```

API keys are prefixed with `wh_` and scoped to a workspace. Each key can have a `callbackUrl` where session responses are delivered via [Webhook](/en/api-reference/webhooks).

### How to create an API Key

1. Go to the whatabot **Dashboard**
2. Navigate to the **Workspaces** screen
3. Click **Edit** on the desired workspace
4. Go to the **API** tab
5. Click **Create API Key**, set a name and the `callbackUrl`
6. Copy the generated key (starts with `wh_`)

<video autoPlay muted loop playsInline src="https://objectstorage.sa-saopaulo-1.oraclecloud.com/n/gr9obbkmjpjj/b/whatabot-stg/o/4/flows/8b7aa7d7-e8ad-434a-a7b8-495fa480d671_71e2c99e-19ad-4d82-9370-d92642b3ae86.mp4" />

<Warning>
  The API key is only shown once. Store it in a secure location.
</Warning>

***

## Iframe Authentication

To embed the whatabot flow editor in your app via iframe, you need an OAuth client (`clientId` + `clientSecret`).

See the full [Embed Authentication](/en/embed/authentication) guide for instructions on how to create the client and the authentication flow.
