Authentication
Every request (except register, login, health, and the Stripe webhook) needs an
`Authorization: Bearer <token>` header. Two token types are accepted:
| Token | Looks like | Source | Use for |
|---|---|---|---|
| Personal Access Token (PAT) | wap_pat_<hex>.<secret> | POST /v1/account/keys | server-to-server, long-lived |
| Session JWT | a JWT | POST /v1/auth/login | the dashboard / short-lived browser sessions |
The secret half of a PAT is shown once, at creation, and cannot be retrieved afterwards;
store it securely (a secrets manager or environment variable, never source control or logs).
Manage keys with GET/POST /v1/account/keys and DELETE /v1/account/keys/{key_id}.
Requests are rate-limited per tenant and per key. When a limit is exceeded the API returns
HTTP 429 with a Retry-After header; clients should wait that long before retrying. This is
separate from the per-number anti-ban pacing described in Protection.
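The following is an added example of a small client wrapper for the rules above; it is not the project's own SDK. It builds the Bearer header, rejects a malformed PAT before sending it, keeps the secret half out of log lines, and honours Retry-After on 429 with a capped backoff fallback. The PAT regex (lowercase hex key part, no whitespace in the secret), the environment variable name `WAP_PAT`, and the `FakeTransport` stand-in for the API are assumptions made so the example runs offline.

```python
"""Bearer auth and 429 handling for the API described above.
Added example, not the project's client. The transport is injected so it runs offline."""
import os
import re
import time
from typing import Callable, Dict, List, Tuple

# Assumption: key part is lowercase hex and the secret contains no whitespace.
PAT_RE = re.compile(r"^wap_pat_[0-9a-f]+\.\S+$")

# A transport takes (method, path, headers) and returns (status, headers, body).
Response = Tuple[int, Dict[str, str], bytes]
Transport = Callable[[str, str, Dict[str, str]], Response]


def load_pat(env_var: str = "WAP_PAT") -> str:
    """Read the PAT from the environment, never from source or config files."""
    token = os.environ.get(env_var, "").strip()
    if not token:
        raise RuntimeError(f"{env_var} is not set")
    return token


def pat_is_well_formed(token: str) -> bool:
    """True if the token matches the documented wap_pat_<hex>.<secret> shape."""
    return PAT_RE.match(token) is not None


def auth_headers(token: str) -> Dict[str, str]:
    """Build the Authorization header. A PAT that is obviously truncated is
    rejected here rather than producing a stream of 401s; session JWTs pass through."""
    token = token.strip()
    if not token:
        raise ValueError("empty token")
    if token.startswith("wap_pat_") and not pat_is_well_formed(token):
        raise ValueError("malformed PAT: expected wap_pat_<hex>.<secret>")
    return {"Authorization": f"Bearer {token}"}


def redact(token: str) -> str:
    """Log-safe form: keep the public key part, drop the secret half."""
    head, _, _ = token.partition(".")
    return head + ".<redacted>"


def retry_after_seconds(headers: Dict[str, str], attempt: int) -> float:
    """Honour a delta-seconds Retry-After; otherwise use capped exponential backoff
    (covers a missing header and the HTTP-date form)."""
    raw = headers.get("Retry-After") or headers.get("retry-after")
    if raw is not None:
        try:
            return min(float(raw), 60.0)
        except ValueError:
            pass  # HTTP-date form: fall through to backoff
    return min(2.0 ** attempt, 60.0)


def request_with_retry(send: Transport, method: str, path: str, token: str,
                       max_attempts: int = 5,
                       sleep: Callable[[float], None] = time.sleep) -> Response:
    """Send with the Bearer header; on 429 wait as instructed and retry."""
    headers = auth_headers(token)
    for attempt in range(max_attempts):
        status, resp_headers, body = send(method, path, headers)
        if status != 429:
            return status, resp_headers, body
        sleep(retry_after_seconds(resp_headers, attempt))
    raise RuntimeError(f"{method} {path} still rate-limited after {max_attempts} attempts")


class FakeTransport:
    """Constructed stand-in for the API that replays a scripted list of responses."""

    def __init__(self, script: List[Response]) -> None:
        self.script = list(script)
        self.seen: List[str] = []

    def __call__(self, method: str, path: str, headers: Dict[str, str]) -> Response:
        self.seen.append(headers["Authorization"])
        return self.script.pop(0)


def demo() -> Tuple[int, List[float], int]:
    """Two rate-limited responses (one with Retry-After, one without), then success.
    Returns (final status, recorded waits, number of calls made)."""
    token = "wap_pat_0a1b2c3d.notTheRealSecret"  # constructed example token
    script: List[Response] = [
        (429, {"Retry-After": "1"}, b""),
        (429, {}, b""),  # no Retry-After: backoff fallback applies
        (200, {"Content-Type": "application/json"}, b'{"keys": []}'),
    ]
    transport = FakeTransport(script)
    waits: List[float] = []
    status, _, _ = request_with_retry(transport, "GET", "/v1/account/keys",
                                      token, sleep=waits.append)
    print(f"{redact(token)} -> {status} after waits {waits}")
    return status, waits, len(transport.seen)


if __name__ == "__main__":
    demo()
```

Against the real service replace `FakeTransport` with a function that performs the HTTP call and returns `(status, headers, body)`; keep the injected `sleep` so the retry logic stays testable without real delays.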